NEW: Get project updates onTwitterandMastodon

Release 1.13

v1.13.6

Special thanks to @BobyMCbobs for reporting and testing the DigitalOcean issue!

Known Issues

  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see 1.14 release notes for more information.

Changes

Bug or Regression

v1.13.5

Known Issues

  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see 1.14 release notes for more information.

Changes

Bug or Regression

  • Allow cert-manager.io/allow-direct-injection in annotations (#6810, @jetstack-bot)
  • BUGFIX: JKS and PKCS12 stores now contain the full set of CAs specified by an issuer (#6814, @inteon)
  • BUGFIX: fix race condition due to registering and using global runtime.Scheme variables (#6832, @inteon)

Other (Cleanup or Flake)

  • Bump base images to the latest version. (#6841, @inteon)
  • Upgrade go to 1.21.8: fixes CVE-2024-24783 (#6824, @inteon)
  • Upgrade google.golang.org/protobuf: fixing GO-2024-2611 (#6828, @inteon)

v1.13.4

Known Issues

  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see 1.14 release notes for more information.

Changes

Bug or Regression

  • BUGFIX: LiteralSubjects with a #= value can result in memory issues due to faulty BER parser (github.com/go-asn1-ber/asn1-ber). (#6772, @jetstack-bot)

Other (Cleanup or Flake)

v1.13.3

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

  • GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

  • CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Changes

Bug or Regression

Dependencies

Added

Nothing has changed.

Changed

  • cloud.google.com/go/firestore: v1.11.0 → v1.12.0
  • cloud.google.com/go: v0.110.6 → v0.110.7
  • github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
  • github.com/go-jose/go-jose/v3: v3.0.0 → v3.0.1
  • github.com/go-logr/logr: v1.2.4 → v1.3.0
  • github.com/golang/glog: v1.1.0 → v1.1.2
  • github.com/google/go-cmp: v0.5.9 → v0.6.0
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel: v1.19.0 → v1.20.0
  • go.uber.org/goleak: v1.2.1 → v1.3.0
  • golang.org/x/sys: v0.13.0 → v0.14.0
  • google.golang.org/genproto/googleapis/api: f966b18 → b8732ec
  • google.golang.org/genproto: f966b18 → b8732ec
  • google.golang.org/grpc: v1.58.3 → v1.59.0

Removed

Nothing has changed.

v1.13.2

v1.13.2 fixes some CVE alerts and contains fixes for:

  1. a CertificateRequest runaway situation in case two Certificate resources point to the same Secret target resource
  2. a small bug in the Helm chart (feature gate options)
  3. a Venafi issuer bug

Changes

Bug or Regression

  • Bump golang.org/x/net v0.15.0 => v0.17.0 as part of addressing CVE-2023-44487 / CVE-2023-39325 (#6432, @SgtCoDFish)
  • BUGFIX[helm]: Fix issue where webhook feature gates were only set if controller feature gates are set. (#6381, @jetstack-bot)
  • Fix runaway bug caused by multiple Certificate resources that point to the same Secret resource. (#6425, @jetstack-bot)
  • The Venafi issuer now properly resets the certificate and should no longer get stuck with WebSDK CertRequest Module Requested Certificate or This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.. (#6402, @jetstack-bot)

Other (Cleanup or Flake)

  • Bump go to 1.20.10 to address CVE-2023-39325. Also bumps base images. (#6411, @SgtCoDFish)

v1.13.1

v1.13.1 contains a bugfix for a name collision bug in the StableCertificateRequestName feature that was enabled by default in v1.13.0.

Changes

Bug or Regression

  • BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. (#6358, @jetstack-bot)

Other (Cleanup or Flake)

  • Upgrade github.com/emicklei/go-restful/v3 to v3.11.0 because v3.10.2 is labeled as "DO NOT USE". (#6368, @inteon)
  • Upgrade Go from 1.20.7 to 1.20.8. (#6370, @jetstack-bot)

v1.13.0

cert-manager 1.13 brings support for DNS over HTTPS, support for loading options from a versioned config file for the cert-manager controller, and more. This release also includes the promotion of the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta.

Major Themes

Load cert-manager controller options from a versioned config file

It is now possible to load the cert-manager controller options from a versioned config file. This was supported for the webhook already, but not for the controller. This is very useful way to better manage these options and it allows us to change the options in the future without breaking backwards compatibility by introducing a new config file version.

DNS over HTTPS (DoH) support

It is now possible to use DNS over HTTPS (DoH) for doing the self-checks during the ACME DNS01 verification. The DNS self-check method to be used is controlled through the command line flag: --dns01-recursive-nameservers-only=true in combination with --dns01-recursive-nameservers=https://<DoH RFC 8484 server address> (e.g. https://1.1.1.1/dns-query)

This is very useful in case all traffic must be HTTP(S) traffic, e.g. when using a HTTPS_PROXY.

StableCertificateRequestName and SecretsFilteredCaching feature gates promoted to Beta

The StableCertificateRequestName and SecretsFilteredCaching feature gates have been promoted to Beta. This means that they are enabled by default and that we will not remove them in the future. In case you are experiencing issues with these features, please let us know. The feature gates can still be disabled by setting the feature gate to false (e.g. in case you are experiencing issues with these features). We plan to promote these feature gates to GA in the future, which will mean that they can no longer be disabled.

Community

Welcome to these new cert-manager members (more info - https://github.com/cert-manager/cert-manager/pull/6260): @jsoref @FlorianLiebhart @hawksight @erikgb

Thanks again to all open-source contributors with commits in this release, including: @AcidLeroy @FlorianLiebhart @lucacome @cypres @erikgb @ubergesundheit @jkroepke @jsoref @gdvalle @rouke-broersma @schrodit @zhangzhiqiangcs @arukiidou @hawksight @Richardds @kahirokunn

Thanks also to the following cert-manager maintainers for their contributions during this release: @SgtCoDFish @maelvls @irbekrm @inteon

Equally thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack and joined our meetings!

Special thanks to @AcidLeroy for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see https://github.com/cert-manager/cert-manager/pull/5337)

Also, thanks a lot to @FlorianLiebhart for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) traffic, e.g. when using a HTTPS_PROXY. (see https://github.com/cert-manager/cert-manager/pull/5003)

Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.

In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.

Changes

Feature

Design

  • DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag: --dns01-recursive-nameservers-only=true in combination with --dns01-recursive-nameservers=https://<<DoH RFC 8484 server address> (e.g. https://8.8.8.8/dns-query). It keeps using DNS lookup as a default method. (https://github.com/cert-manager/cert-manager/pull/5003, https://github.com/FlorianLiebhart)

Bug or Regression

Other (Cleanup or Flake)