This release prepares for the implementation of certificate issuance policies and adoption of the upstream Kubernetes CSR API. It also improves interoperability with HashiCorp Vault Enterprise. A slew of bugs have also been squashed.
Special thanks to the external contributors who contributed to this release:
Please read the upgrade notes before upgrading.
As always, the full change log is available on the GitHub release.
Deprecated Features and Breaking Changes
Venafi Cloud Issuer
This release updates the Venafi Cloud Issuer to use OutagePREDICT instead of the previous Venafi Cloud product. The only impact to Venafi Cloud users is the change in zone syntax. The zone is now <Application Name>\<Issuing Template Alias> (for example, My Application\My CIT), so existing Venafi Cloud Issuers and ClusterIssuers need their zone updated to this form when upgrading.
The --renew-before-expiration-duration flag has been removed from the cert-manager controller, having been deprecated in the previous release. Set renewBefore on individual Certificates instead.
CertificateRequests are now immutable: the spec and metadata.annotations fields cannot be changed after creation. They were always designed to be immutable, but this behavior is now enforced by the cert-manager webhook, so any tooling that patched a CertificateRequest after creation will have those updates rejected.
Policy Support Preparation
- The design documentation for Certificate Identity is now available.
- CertificateRequests now have identity fields (username, groups, uid and extra) mirroring the upstream Kubernetes CSR object. They are populated by the cert-manager webhook from the authenticated user that created the request, not by the requester, so an approver can rely on them.
- CertificateRequests are now immutable.
- CertificateRequests now have Approved and Denied condition types. The cert-manager controller currently always approves any CertificateRequest, so issuance behavior is unchanged in this release.
- kubectl cert-manager approve and kubectl cert-manager deny commands have been added to the kubectl plugin.
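To make the new fields concrete, here is an added Go example (not cert-manager's own code) of an external approver built on them: it reads the identity fields and the issuerRef, sets exactly one of the Approved or Denied conditions, refuses to revisit a request that already carries either, and performs the same spec/annotations immutability check the webhook now enforces. The struct types are a hand-written, simplified mirror of the v1 API using its field names; the Policy type, its reason strings, the requests and the service-account name are assumptions made up for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Simplified mirror of the cert-manager v1 CertificateRequest fields an approver
// looks at. Added illustration, not cert-manager's types or controller code;
// field names follow the v1.3 API, the policy and reason strings are hypothetical.
type ObjectReference struct{ Name, Kind, Group string }

type CertificateRequestSpec struct {
	IssuerRef ObjectReference
	IsCA      bool
	// Identity fields, set by the cert-manager webhook from the authenticated
	// user that created the request (mirroring the upstream CSR API).
	Username, UID string
	Groups        []string
	Extra         map[string][]string
}

// Type is "Ready", "Approved" or "Denied"; Status is "True", "False" or "Unknown".
type Condition struct{ Type, Status, Reason, Message string }

type CertificateRequest struct {
	Name, Namespace string
	Annotations     map[string]string
	Spec            CertificateRequestSpec
	Conditions      []Condition
}

const CondApproved, CondDenied = "Approved", "Denied"

// HasCondition reports whether a condition of the given type is set to True.
func HasCondition(cr *CertificateRequest, typ string) bool {
	for _, c := range cr.Conditions {
		if c.Type == typ && c.Status == "True" {
			return true
		}
	}
	return false
}

// Policy is a hypothetical allowlist: which issuers may be used, which
// Kubernetes users may request from them, and whether CA certificates are allowed.
type Policy struct {
	AllowedIssuers map[ObjectReference]bool
	AllowedUsers   map[string]bool
	AllowCA        bool
}

// Decide evaluates the policy and appends exactly one of Approved or Denied.
// Both are terminal and mutually exclusive, so a request that already carries
// either is left untouched and an error is returned instead.
func Decide(p Policy, cr *CertificateRequest) error {
	if HasCondition(cr, CondApproved) || HasCondition(cr, CondDenied) {
		return fmt.Errorf("%s/%s already has an approval decision", cr.Namespace, cr.Name)
	}
	set := func(typ, reason, msg string) {
		cr.Conditions = append(cr.Conditions, Condition{Type: typ, Status: "True", Reason: reason, Message: msg})
	}
	switch {
	case !p.AllowedIssuers[cr.Spec.IssuerRef]:
		set(CondDenied, "IssuerNotAllowed", fmt.Sprintf("issuer %s/%s is not in the allowlist", cr.Spec.IssuerRef.Kind, cr.Spec.IssuerRef.Name))
	case !p.AllowedUsers[cr.Spec.Username]:
		set(CondDenied, "RequesterNotAllowed", fmt.Sprintf("user %q may not request certificates from this issuer", cr.Spec.Username))
	case cr.Spec.IsCA && !p.AllowCA:
		set(CondDenied, "CANotAllowed", "CA certificates may not be requested")
	default:
		set(CondApproved, "PolicyApproved", "request matches the approval policy")
	}
	return nil
}

// ValidateUpdate mirrors the immutability rule the cert-manager webhook now
// enforces: neither spec nor metadata.annotations may change after creation.
func ValidateUpdate(oldCR, newCR *CertificateRequest) error {
	if !reflect.DeepEqual(oldCR.Spec, newCR.Spec) {
		return errors.New("spec: cannot change spec after creation")
	}
	if !reflect.DeepEqual(oldCR.Annotations, newCR.Annotations) {
		return errors.New("metadata.annotations: cannot change annotations after creation")
	}
	return nil
}

func main() {
	issuer := ObjectReference{Name: "vault-issuer", Kind: "ClusterIssuer", Group: "cert-manager.io"}
	policy := Policy{AllowedIssuers: map[ObjectReference]bool{issuer: true},
		AllowedUsers: map[string]bool{"system:serviceaccount:cert-manager:cert-manager": true}} // assumed example SA
	// Constructed request from an ordinary user: denied, then refused on a second pass.
	cr := &CertificateRequest{Name: "manual-1", Namespace: "default", Spec: CertificateRequestSpec{IssuerRef: issuer, Username: "alice", Groups: []string{"developers"}}}
	fmt.Println(Decide(policy, cr), cr.Conditions)
	fmt.Println(Decide(policy, cr))
}
```

Decide never sets Approved with a False status and never touches a request that has already been decided, matching the contract the conditions carry; kubectl cert-manager approve and deny set the same conditions by hand. An approver of this kind is what would replace the controller's blanket approval once that default is switched off.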
- Certificates now support the revisionHistoryLimit field, which caps how many CertificateRequests are retained in a Certificate's history. The default is unlimited, so without it every historical CertificateRequest (each carrying its CSR and the issued certificate) stays in the API server.
- cert-manager now sends the X-VAULT-NAMESPACE header for the Vault issuer when a namespace is configured, so Issuers and ClusterIssuers can authenticate against and request certificates from a Vault Enterprise namespace.
- Fixed an issue which could cause multiple CertificateRequests to be created in a short time for a single Certificate.
- The Certificate readiness controller now updates a Certificate's status only if something has changed.
- The issuer now warns if you request a certificate with an empty subject DN. RFC 5280 (section 4.1.2.6) only allows an empty subject when the subjectAltName extension is present and marked critical; a certificate issued without that is in violation of the RFC, and some applications, such as Java's, will reject such certificates as invalid.
- The targetPort used by the Prometheus ServiceMonitor is now correctly set from Helm values.
- The correct permissions are added to the aggregated ClusterRoles.
- SECURITY.md now contains information on how to report security issues.
- The language of CONTRIBUTING.md has been updated to match existing copyright notices.
- cert-manager can now be built with Go 1.16 on Apple Silicon.
- Docker image targets have been added to the Makefile.
- v3.5.0 is required to build locally and to run tests.
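The empty subject DN warning listed above, as an added Go example that is not cert-manager's code: CheckSubject implements the RFC 5280 section 4.1.2.6 rule, and three constructed certificates (signed by a throwaway CA generated in-process) show the normal case, an empty subject whose SAN Go's x509 package marks critical, and an empty subject with a deliberately non-critical SAN, the shape the warning is about. The names, serial numbers and the single reused key are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// CheckSubject applies RFC 5280 section 4.1.2.6 to a parsed certificate: the subject
// may be empty only if a subjectAltName extension is present and marked critical.
func CheckSubject(cert *x509.Certificate) error {
	if len(cert.Subject.Names) > 0 { // filled by ParseCertificate with every subject attribute
		return nil
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSubjectAltName) {
			if ext.Critical {
				return nil
			}
			return errors.New("empty subject but subjectAltName is not critical (RFC 5280 4.1.2.6)")
		}
	}
	return errors.New("empty subject and no subjectAltName extension (RFC 5280 4.1.2.6)")
}

// dnsSAN DER-encodes a GeneralNames sequence holding one dNSName, so that a SAN
// extension can be supplied by hand with the critical flag of our choosing.
func dnsSAN(name string) []byte {
	b, err := asn1.Marshal([]asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte(name)}})
	if err != nil {
		panic(err)
	}
	return b
}

// newLeaf is an end-entity template with no subject; callers add one or not.
func newLeaf(serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
}

// issue signs the template with a throwaway CA (one P-256 key reused for CA and
// leaf, for brevity) and returns the parsed result, i.e. what a client sees.
func issue(leaf *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// WithSubject: the normal case, a subject CN plus a SAN.
func WithSubject() (*x509.Certificate, error) {
	leaf := newLeaf(2)
	leaf.Subject = pkix.Name{CommonName: "web.example.com"}
	leaf.DNSNames = []string{"web.example.com"}
	return issue(leaf)
}

// EmptySubjectCriticalSAN: empty subject; Go's x509 package marks the SAN
// critical in this case, which is the RFC-compliant form.
func EmptySubjectCriticalSAN() (*x509.Certificate, error) {
	leaf := newLeaf(3)
	leaf.DNSNames = []string{"web.example.com"}
	return issue(leaf)
}

// EmptySubjectNonCriticalSAN: empty subject with a non-critical SAN supplied via
// ExtraExtensions, the shape the new cert-manager warning targets.
func EmptySubjectNonCriticalSAN() (*x509.Certificate, error) {
	leaf := newLeaf(4)
	leaf.ExtraExtensions = []pkix.Extension{{Id: oidSubjectAltName, Value: dnsSAN("web.example.com")}}
	return issue(leaf)
}

func main() {
	for _, mk := range []func() (*x509.Certificate, error){WithSubject, EmptySubjectCriticalSAN, EmptySubjectNonCriticalSAN} {
		cert, err := mk()
		if err != nil {
			fmt.Println("issue error:", err)
			continue
		}
		fmt.Printf("subject=%q sans=%v check=%v\n", cert.Subject.String(), cert.DNSNames, CheckSubject(cert))
	}
}
```

The check is worth running over certificates that come back from an external CA, because whether the SAN ends up critical is the CA's decision, not the requester's; the warning in cert-manager fires on the request, the check here fires on what was actually issued.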