Tell the project team how you are using cert-manager Take this short anonymous survey

Supported Releases

This page lists the status, timeline and policy for currently supported releases.

Each release is supported for a period of four months, and we aim to create a new release every two months.

Currently supported releases

ReleaseRelease DateEnd of LifeSupported Kubernetes versionsSupported OpenShift versions
1.8Apr 05, 2022Sep 07, 20221.19 → 1.244.6 → 4.11
1.7Jan 26, 2022Jul 06, 20221.18 → 1.234.5 → 4.10

Upcoming releases

ReleaseRelease DateEnd of lifeSupported Kubernetes versionsSupported OpenShift versions
1.9Jul 06, 2022Nov 09, 20221.20 → 1.244.7 → 4.11

Note that 1.9 was delayed by roughly a month because of KubeCon in May.

Dates in the future are uncertain and might change.

Old releases

ReleaseRelease DateEOLCompatible Kubernetes versionsCompatible OpenShift versions
1.6Oct 26, 2021Apr 05, 20221.17 → 1.224.4 → 4.9
1.5Aug 11, 2021Jan 26, 20221.16 → 1.224.3 → 4.8
1.4Jun 15, 2021Oct 26, 20211.16 → 1.214.3 → 4.7
1.3Apr 08, 2021Aug 11, 20211.16 → 1.214.3 → 4.7
1.2Feb 10, 2021Jun 15, 20211.16 → 1.214.3 → 4.7
1.1Nov 24, 2020Apr 08, 20211.11 → 1.213.11 → 4.7
1.0Sep 02, 2020Feb 10, 20211.11 → 1.213.11 → 4.7
0.16Jul 23, 2020Nov 24, 20201.11 → 1.213.11 → 4.7
0.15May 06, 2020Sep 02, 20201.11 → 1.213.11 → 4.7
0.14Mar 11, 2020Jul 23, 20201.11 → 1.213.11 → 4.7
0.13Jan 21, 2020May 06, 20201.11 → 1.213.11 → 4.7
0.12Nov 27, 2019Mar 11, 20201.11 → 1.213.11 → 4.7
0.11Oct 10, 2019Jan 21, 20201.9 → 1.213.09 → 4.7

We list cert-manager releases on GitHub, and release notes on cert-manager.io.

We also maintain detailed upgrade instructions.

Support policy

What we mean by support

Our support window is four months for each release branch. In the below diagram, release-1.2 is an example of a release branch. The support window corresponds to the two latest releases, given that we produce a new final release every two months. We offer two types of support:

For example, imagining that the latest release is v1.2.0, you can expect support for both v1.2.0 and v1.1.0. Only the last patch release of each branch is actually supported.

v1.0.0 ^
Sep 2, 2020 | UNSUPPORTED
------+---------------------------------------------> release-1.0 | RELEASES
\ v
\
\ v1.1.0
\ Nov 24, 2020 ^
---------+-------------------------------> release-1.1 |
\ | SUPPORTED
\ | RELEASES
\ v1.2.0 | = the two
\ Feb 10, 2021 | last
------------+--------------> release-1.2 | releases
\ v
\
\
\
-----------> master branch
April 1, 2021

Technical support

Technical assistance is offered on a best-effort basis for supported releases only. You can request support from the community on Kubernetes Slack (in the #cert-manager channel), using GitHub Discussions or using the cert-manager-dev Google group.

Security and bug fixes

We back-port important bug fixes — including security fixes — to all currently supported releases.

Security issues

Security issues are fixed as soon as possible. They get back-ported to the last two releases, and a new patch release is immediately created for them.

Critical bugs

Critical bugs include both regression bugs as well as upgrade bugs.

Regressions are functionalities that worked in a previous release but no longer work. #4142, #3393 and #2857 are three examples of regressions.

Upgrade bugs are issues (often Helm-related) preventing users from upgrading to currently supported releases from earlier releases of cert-manager. #3882 and #3644 are examples of upgrade bugs.

Note that intentional breaking changes do not belong to this category.

Fixes for critical bugs are (usually) immediately back-ported by creating a new patch release for the two currently supported releases.

Long-standing bugs

Long-standing bug: sometimes a bug exists for a long time, and may have known workarounds. #3444 is an example of a long-standing bug.

Where we feel that back-porting would be difficult or might be a stability risk to clusters running cert-manager, we'll make the fix in a major release but avoid back-porting the fix.

Breaking changes

Breaking changes are changes that intentionally break the cert-manager Kubernetes API or the command line flags. We avoid making breaking changes where possible, and where they're required we'll give as much notice as possible.

How we determine supported Kubernetes versions

The list of supported Kubernetes versions displayed in the Supported Releases section depends on what the cert-manager maintainers think is reasonable to support and to test.

In practice, this is largely determined based on what versions of kind are available for testing.

As of 2022-04-06, our testing coverage is:

Release branchProw configurationDashboardKubernetes versions testedPeriodicity
PRspresubmits.yamlpresubmits-blocking1.23On each PR
masterperiodics.yamlmaster1.19 → 1.23Every 2 hours
release-1.8previous-periodics.yamlprevious1.19 → 1.23Every 2 hours
release-1.7previous-periodics.yamlprevious1.18 → 1.23Every 2 hours
VendorOldest Kubernetes Release*Other Older Kubernetes Releases
EKS1.19 (EOL Jun 2022)1.20 (EOL Sep 2022), 1.21 (EOL Feb 2023), 1.22 (EOL May 2023)
GKE1.19 (EOL Jun 2022)1.20 (EOL Aug 2022), 1.21 (EOL Mar 2023), 1.22 (EOL Apr 2023)
AKS1.21 (EOL Jul 2022)1.22 (EOL Nov 2022)
OpenShift 41.19 (4.6 EUS, EOL Dec 2022)1.20 (4.7, EOL Nov 2022), 1.21 (4.8, EOL Feb 2023, EUS after)

*Oldest release relevant to the next cert-manager release, as of 2022-05-12

OpenShift

cert-manager supports several versions of OpenShift 4, based on the versions of Kubernetes that each version maps to. For convenience, the following table shows these version mappings:

OpenShift versionsKubernetes version
4.111.24
4.10, 4.10 EUS1.23
4.91.22
4.8, 4.8 EUS1.21
4.71.20
4.6, 4.6 EUS1.19

The last version of cert-manager to support OpenShift 3 was cert-manager 1.2, which is no longer maintained.

Terminology

The term "release" (or "minor release") refers to one minor version of cert-manager. For example, 1.2 and 1.3 are two releases. Note that we do not use the prefix v for releases (just "1.2"). This is because releases are not used as git tags.

Patch releases use the v prefix (e.g., v1.2.0, v1.3.1...) since one patch release = one git tag. The initial patch release is called "final release":

Type of releaseExample of git tagCorresponding releaseCorresponding release branch*
Final releasev1.3.01.3release-1.3
Patch releasev1.3.11.3release-1.3
Pre-releasev1.4.0-alpha.0N/A**release-1.4

*For maintainers: each release has an associated long-lived branch that we call the “release branch”. For example, release-1.2 is the release branch for release 1.2.

**Pre-releases (e.g., v1.3.0-alpha.0) don't have a corresponding release (e.g., 1.3) since a release only exists after a final release (e.g., v1.3.0) has been created.

Our naming scheme mostly follows Semantic Versioning 2.0.0 with v prepended to git tags and docker images:

v<major>.<minor>.<patch>

where <minor> is increased for each release, and <patch> counts the number of patches for the current <minor> release. A patch is usually a small change relative to the <minor> release.