- Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#4975, @vhosakot)
- Fixes an expired hardcoded certificate which broke unit tests (#4977, @SgtCoDFish, @jakexks)
In 1.6.2, we reverted a change that caused a regression in the ACME Issuer. In 1.6.0 and 1.6.1, the Ingress created by cert-manager while solving an HTTP-01 challenge contained the
apiVersion: networking.k8s.io/v1beta1kind: Ingressmetadata:annotations:kubernetes.io/ingress.class: istio # The `class` present on the Issuer.
After 1.5, the Ingress does not contain the annotation anymore. Instead, cert-manager uses the
apiVersion: networking.k8s.io/v1kind: Ingressspec:ingressClassName: istio # 🔥 Breaking change!
This broke many users that either don't use an Ingress controller that supports the field (such as ingress-gce and Azure AGIC), as well as people who did not need to create an IngressClass previously (such as with Istio and Traefik).
The regression is present in cert-manager 1.5.4, 1.6.0, and 1.6.1. It is only present on Kubernetes 1.19+ and only appears when using an Issuer or ClusterIssuer with an ACME HTTP-01 solver configured.
In 1.6.2, we restored the original behavior which is to use the annotation. This patch is also available in 1.5.5 and in 1.7.0.
Most people won't have any trouble upgrading from 1.6.0 or 1.6.1 to 1.6.2. If you are using Gloo, Contour, Skipper, or kube-ingress-aws-controller, you shouldn't have any issues. If you use the default "class" (e.g.,
istio for Istio) for Traefik, Istio, Ambassador, or ingress-nginx, then these should also continue to work without issue.
If you are using Traefik, Istio, Ambassador, or ingress-nginx and you are using a non-default value for the class (e.g.,
istio-internal), or if you experience any issues with your HTTP-01 challenges please read the notes on Ingress v1 compatibility.
- The HTTP-01 ACME solver now uses the
kubernetes.io/ingress.classannotation instead of the
spec.ingressClassNamein created Ingress resources. (#4785, @maelvls)
- cert-manager now does one call to the ACME API instead of two when an Order fails. This fix is part of the effort towards mitigating the high load that cert-manager deployments have on the Let's Encrypt API (#4619, @irbekrm)
- Bump base images to latest versions (#4707, @SgtCoDFish)
- Fixes an issue in
cmctlthat prevented displaying the Order resource with cert-manager 1.6 when running
cmctl status certificate. (#4572, @maelvls)
- Update to latest version of keystore-go to address a backwards incompatible change introduced in v1.6.0 (#4564, @SgtCoDFish)
Following their deprecation in version 1.4, the cert-manager API versions
v1alpha2, v1alpha3, and v1beta1 are no longer served.
This means if your deployment manifests contain any of these API versions, you will not be able to deploy them after upgrading. Our new
cmctl utility or old
kubectl cert-manager plugin can convert old manifests to
v1 for you.
⛔️ If you are upgrading cert-manager on a cluster which has previously had
v1.0.0, you will need to ensure that all cert-manager custom
resources are stored in
v1 version and that cert-manager CRDs do not
reference the deprecated APIs before you upgrade to
This is explained in more detail in the Upgrading existing cert-manager resources page.
ℹ️ This no longer applies as it was fixed in
v1.6.1, but will remain here for
informational purposes. If you haven't upgraded cert-manager to
v1.6.0 from any
release, we recommend upgrading straight to the latest version, skipping
v1.6.0 JKS Keystores had a minimum password length of 6 characters,
as an unintended side effect of upgrading keystore-go from
If you are using a shorter password, certificates would have failed to renew,
and the only observable error was in the cert-manager logs.
This was fixed in cert-manager
The cert-manager kubectl plugin has been redesigned as a standalone utility:
While the kubectl plugin functionality remains intact, using
cmctl allows for full tab completion.
As part of the wider ecosystem's push for greater supply chain security we are aiming to achieve SLSA 3 by the 1.7 release date. cert-manager 1.6 has achieved the requirements for SLSA 2 when installed via helm. Our helm chart's signature can be verified with the cert-manager maintainers' public key published on our website.
Our container images will be signed using sigstore's cosign as soon as our OCI registry supports it.
- Add Certificate
RenewBeforePrometheus metrics (#4419, @artificial-aidan)
- Add option to specify managed identity id when using Azure DNS DNS01 solver (#4332, @tomasfreund)
- Add support for building & developing on M1 macs (#4485, @munnerz)
- Adds release targets for both
cmctlas well as
- Allow setting Helm chart service annotations (#3639, @treydock)
- CLI: Adds
cmctl completioncommand for generating shell completion scripts for Bash, ZSH, Fish, and PowerShell (#4408, @JoshVanL)
- CLI: Adds support for auto-completion on runtime objects (Namespaces, CertificateRequests, Certificates etc.) (#4409, @JoshVanL)
- CLI: Only expose Kubernetes related flags on commands that use them (#4407, @JoshVanL)
- Enable configuring CLI command name and registering completion sub-command at build time. (#4522, @JoshVanL)
- Fix a bug in the Vault client that led to a panic after a request to Vault health endpoint failed. (#4456, @JoshVanL)
- Fix CRDs which were accidentally changed in cert-manager
- Fix a regression in Ingress
- Fixed the HTTP-01 solver creating
NodePortservices by default. (#4393, @jakexks)
- Fix a bug where a Certificate may not get renewed when the issued Certificate has a one-second skew between
spec.durationis not used. This one-second skew can be observed on certificates issued with Let's Encrypt and caused a mismatch in time precision between the time stored in
status.renewalTimeand the time internally computed by cert-manager. (#4399, @irbekrm)
- Helm chart: the post-install hook
startupapicheckis now compatible with PodSecurityPolicy. (#4364, @ndegory)
- Helm chart: the post-install hook
startupapichecknow deletes any post-install hook resources left after a previous failed install allowing
helm installto be re-run after a failed attempt. (#4433, @wallrj)
- The defaults for leader election parameters are now consistent across cert-manager and cainjector. (#4359, @johanfleury)
GetChallengewhen querying the current state of an ACME challenge. (#4430, @JoshVanL)
- Adds middleware logging back to ACME client for debugging (#4429, @JoshVanL)
- Deprecation: The API versions:
v1beta1, are no longer served in cert-manager 1.6 and will be removed in cert-manager 1.7. (#4482, @wallrj)
- Expose error messages (e.g., invalid access token) from the Cloudflare API to users; allow live testing using Cloudflare API token (not just key). (#4465, @andrewmwhite)
- Fix manually specified
PKCS#10CSR and X.509 Certificate version numbers (although these were ignored in practice) (#4392, @SgtCoDFish)
- Improves logging for 'owner not found' errors for
Orders. (#4369, @irbekrm)
- Refactor: move from
ospackage (#4402, @Juneezee)
- Helm chart and static manifest: the pointless
statusfield is now stripped from the CRD manifests. (#4379, @irbekrm)
- Update cert-manager base image versions (#4474, @SgtCoDFish)
- cert-manager now uses Go 1.17. (#4478, @irbekrm)