Release 1.6

Breaking Changes (You MUST read this before you upgrade!)

Legacy cert-manager API versions are no-longer served

Following their deprecation in version 1.4, the cert-manager API versions v1alpha2, v1alpha3, and v1beta1 are no longer served.

This means if your deployment manifests contain any of these API versions, you will not be able to deploy them after upgrading. Our new cmctl utility or old kubectl cert-manager plugin can convert old manifests to v1 for you.

⛔️ If you are upgrading cert-manager on a cluster which has previously had cert-manager < v1.0.0, you will need to ensure that all cert-manager custom resources are stored in etcd at v1 version and that cert-manger CRDs do not reference the deprecated APIs before you upgrade to v1.6.

This is explained in more detail in the Upgrading existing cert-manager resources page.

JKS Keystore Minimum Password Length

ℹ️ This no longer applies as it was fixed in v1.6.1, but will remain here for informational purposes. If you haven’t upgraded cert-manager to v1.6.0 from any v1.5 release, we recommend upgrading straight to the latest version, skipping v1.6.0.

In cert-manager v1.6.0 JKS Keystores had a minimum password length of 6 characters, as an unintended side effect of upgrading keystore-go from v2 to v4. If you are using a shorter password, certificates would have failed to renew, and the only observable error was in the cert-manager logs. This was fixed in cert-manager v1.6.1.

Major Themes

Command-line tool User Experience

The cert-manager kubectl plugin has been redesigned as a standalone utility: cmctl

While the kubectl plugin functionality remains intact, using cmctl allows for full tab completion.

Supply Chain Security

As part of the wider ecosystem’s push for greater supply chain security we are aiming to achieve SLSA 3 by the 1.7 release date. cert-manager 1.6 has achieved the requirements for SLSA 2 when installed via helm. Our helm chart’s signature can be verified with the cert-manager maintainers' public key published on our website.

Our container images will be signed using sigstore’s cosign as soon as our OCI registry supports it.

Tool Chain Updates

cert-manager is now built with go 1.17 (#4478, @irbekrm) and can now be compiled on Apple Silicon (#4485, @munnerz).

Changes by Kind


  • Add Certificate RenewBefore Prometheus metrics (#4419, @artificial-aidan)
  • Add option to specify managed identity id when using Azure DNS DNS01 solver (#4332, @tomasfreund)
  • Add support for building & developing on M1 macs (#4485, @munnerz)
  • Adds release targets for both cmctl as well as kubectl-cert_manager (#4523, @JoshVanL)
  • Allow setting Helm chart service annotations (#3639, @treydock)
  • CLI: Adds cmctl completion command for generating shell completion scripts for Bash, ZSH, Fish, and PowerShell (#4408, @JoshVanL)
  • CLI: Adds support for auto-completion on runtime objects (Namespaces, CertificateRequests, Certificates etc.) (#4409, @JoshVanL)
  • CLI: Only expose Kubernetes related flags on commands that use them (#4407, @JoshVanL)
  • Enable configuring CLI command name and registering completion sub-command at build time. (#4522, @JoshVanL)

Bug or Regression

  • Fix a bug in the Vault client that led to a panic after a request to Vault health endpoint failed. (#4456, @JoshVanL)
  • Fix CRDs which were accidentally changed in cert-manager v1.5.0 (#4353, @SgtCoDFish)
  • Fix regression in Ingress PathType introduced in v1.5.0 (#4373, @jakexks)
  • Fixed the HTTP-01 solver creating ClusterIP instead of NodePort services by default. (#4393, @jakexks)
  • Fixes renewal time issue for certs with skewed duration period. (#4399, @irbekrm)
  • Pod Security Policy for startup API check job (#4364, @ndegory)
  • The startupapicheck post-install hook in the Helm chart now deletes any post-install hook resources left after a previous failed install allowing helm install to be re-run after a previous failure. (#4433, @wallrj)
  • The defaults for leader election parameters are now consistent across cert-manager and cainjector. (#4359, @johanfleury)
  • Use GetAuthorization instead of GetChallenge when querying the current state of an ACME challenge. (#4430, @JoshVanL)

Other (Cleanup or Flake)

  • Adds middleware logging back to ACME client for debugging (#4429, @JoshVanL)
  • Deprecation: The API versions: v1alpha2, v1alpha3, and v1beta1, are no longer served in cert-manager 1.6 and will be removed in cert-manager 1.7. (#4482, @wallrj)
  • Expose error messages (e.g., invalid access token) from the Cloudflare API to users; allow live testing using Cloudflare API token (not just key). (#4465, @andrewmwhite)
  • Fix manually specified PKCS#10 CSR and X.509 Certificate version numbers (although these were ignored in practice) (#4392, @SgtCoDFish)
  • Improves logging for ‘owner not found’ errors for CertificateRequests owning Orders. (#4369, @irbekrm)
  • Refactor: move from io/ioutil to io and os package (#4402, @Juneezee)
  • Removes status fields from CRD manifests (#4379, @irbekrm)
  • Update cert-manager base image versions (#4474, @SgtCoDFish)
  • Uses Go 1.17 (#4478, @irbekrm)
Last modified November 1, 2021 : Update 1.6 release notes for v1.6.1 (c7fd953)