v1.10.0

@jetstack-release-bot jetstack-release-bot released this 17 Oct 13:07
Tag v1.10.0 at commit da32651

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.10 adds a variety of quality-of-life fixes and features including improvements to the test suite.

Changes since v1.9.1

Breaking Changes (You MUST read this before you upgrade!)

Container Name Changes

This change is only relevant if you install cert-manager using Helm or the static manifest files. v1.10.0 changes the names of containers in pods created by cert-manager.

The names are changed to better reflect what they do; for example, the container in the controller pod had its name changed from cert-manager to cert-manager-controller, and the webhook pod had its container name changed from cert-manager to cert-manager-webhook.

This change could cause a break if you:

  1. Use Helm or the static manifests, and
  2. Have scripts, tools or tasks which rely on the names of the cert-manager containers being static

If both of these are true, you may need to update your automation before you upgrade.

On OpenShift the cert-manager Pods may fail until you modify Security Context Constraints

In cert-manager 1.10 the secure computing (seccomp) profile for all the Pods is set to RuntimeDefault. (See #5259.) The securityContext fields of the Pod are set as follows:

...
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
  seccompProfile:
    type: RuntimeDefault
    ...

On some versions and configurations of OpenShift this can cause the Pod to be rejected by the Security Context Constraints (SCC) admission webhook. Read the full release notes to learn whether this might affect you and how to fix it.
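A pre-upgrade check covering both breaking changes above (the container rename and the RuntimeDefault seccomp profile), as an added example that is not cert-manager's own code; the input shape follows `kubectl get pods -o json`, and the sample Pods are constructed.

```python
"""Pre-upgrade check for cert-manager v1.10 (added example, not cert-manager code).
Input is a PodList as printed by `kubectl get pods -n cert-manager -o json`.
Flags containers still named `cert-manager` (renamed in v1.10) and Pods whose
effective seccompProfile.type is not RuntimeDefault (container level overrides Pod level)."""
import json

EXPECTED_SECCOMP = "RuntimeDefault"
LEGACY_CONTAINER_NAME = "cert-manager"  # the name scripts commonly hard-code

def effective_seccomp(pod, container):
    """Return the seccompProfile.type that applies to this container, or None."""
    pod_ctx = pod["spec"].get("securityContext") or {}
    for ctx in (container.get("securityContext") or {}, pod_ctx):
        profile = ctx.get("seccompProfile") or {}
        if "type" in profile:
            return profile["type"]
    return None

def check_pod(pod):
    """List human-readable findings for one Pod object."""
    findings = []
    pod_name = pod["metadata"]["name"]
    for c in pod["spec"].get("containers", []):
        if c["name"] == LEGACY_CONTAINER_NAME:
            findings.append(f"{pod_name}: container still named {LEGACY_CONTAINER_NAME!r}")
        seccomp = effective_seccomp(pod, c)
        if seccomp != EXPECTED_SECCOMP:
            findings.append(f"{pod_name}/{c['name']}: seccompProfile.type is {seccomp!r}")
    return findings

def check_pod_list(pod_list_json):
    """Run check_pod over every item of a PodList JSON document."""
    return [f for pod in json.loads(pod_list_json)["items"] for f in check_pod(pod)]

# Constructed sample PodList: a pre-1.10 Pod (old name, no seccomp), a Pod in the
# 1.10 layout, and a Pod whose container overrides the Pod-level profile.
SAMPLE_PODLIST = json.dumps({"items": [
    {"metadata": {"name": "cert-manager-6f4b"},
     "spec": {"containers": [{"name": "cert-manager"}]}},
    {"metadata": {"name": "cert-manager-webhook-7c9d"},
     "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "cert-manager-webhook"}]}},
    {"metadata": {"name": "demo-override"},
     "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "demo",
                              "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}},
]})

if __name__ == "__main__":
    print("\n".join(check_pod_list(SAMPLE_PODLIST)) or "no findings")
```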

Feature

  • Add issuer_name, issuer_kind and issuer_group labels to certificate_expiration_timestamp_seconds, certmanager_certificate_renewal_timestamp_seconds and certmanager_certificate_ready_status metrics (#5461, @dkulchinsky)
  • Add make targets for running scans with trivy against locally built containers (#5358, @SgtCoDFish)
  • CertificateRequests: requests that use the SelfSigned Issuer will be re-reconciled when a change is observed on the target private key Secret referenced by the cert-manager.io/private-key-secret-name annotation. This resolves an issue whereby a request would never be signed if the target Secret was not created, or was misconfigured, before the request. (#5336, @JoshVanL)
  • CertificateSigningRequests: requests that use the SelfSigned Issuer will be re-reconciled when a change is observed on the target private key Secret referenced by the experimental.cert-manager.io/private-key-secret-name annotation. This resolves an issue whereby a request would never be signed if the target Secret was not created, or was misconfigured, before the request.
    CertificateSigningRequests will also no longer be marked as failed when the target private key Secret is malformed; instead only an event is fired. Once the Secret data is resolved, the request will attempt issuance. (#5379, @JoshVanL)
  • Upgraded Gateway API to v0.5.0 (#5376, @inteon)
  • Add caBundleSecretRef to the Vault Issuer to allow referencing the Vault CA Bundle with a Secret. Cannot be used in conjunction with the in-line caBundle field. (#5387, @Tolsto)
  • The feature to create certificate requests with a name that is a function of the certificate name and revision has been introduced under the feature flag "StableCertificateRequestName", which is disabled by default. This helps to prevent the error "multiple CertificateRequests were found for the 'next' revision...". (#5487, @sathyanarays)
  • Helm: Added a new parameter commonLabels which gives you the capability to add the same labels to all the resources deployed by the chart. (#5208, @thib-mary)

Bug or Regression

  • CertificateSigningRequest: no longer mark a request as failed when using the SelfSigned issuer, and the Secret referenced in experimental.cert-manager.io/private-key-secret-name doesn't exist. (#5323, @JoshVanL)
  • DNS Route53: Remove incorrect validation which rejects solvers that define neither an accessKeyID nor a secretAccessKeyID. (#5339, @JoshVanL)
  • Enhanced securityContext for PSS/restricted compliance. (#5259, @joebowbeer)
    Breaking: this might require changes for OpenShift deployments. Read full release notes to learn more.
  • Fix issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling, leading to 'stuck' requests. (#5366, @munnerz)
  • cmctl and kubectl cert-manager now report their actual versions instead of "canary", fixing issue #5020 (#5022, @maelvls)

Other

  • Avoid hard-coding release namespace in helm chart (#5163, @james-callahan)
  • Bump cert-manager's version of Go to 1.19 (#5466, @lucacome)
  • Remove .bazel and .bzl files from cert-manager now that bazel has been fully replaced (#5340, @SgtCoDFish)
  • Updates Kubernetes libraries to v0.25.2. (#5456, @lucacome)
  • Add annotations for ServiceMonitor in helm chart (#5401, @sathieu)
  • Helm: Add NetworkPolicy support (#5417, @mjudeikis)
  • To help troubleshooting, make the container names unique.
    BREAKING: this change will break scripts or CI that depend on cert-manager being the container name. (#5410, @rgl)

Thank You!

Thank you to the following community members who had a merged PR for this version - your contributions are at the heart of everything we do!

Thanks also to the following maintainers who worked on cert-manager 1.10: