Releases: cert-manager/cert-manager

v1.15.3

16 Aug 08:09
0448418

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.

📜 Changes since v1.15.2

Bug or Regression

  • BUGFIX: the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. This will cause the webhook TLS server to fail renewing its CA certificate. Please upgrade before the expiration of this CA certificate is reached. (#7232, @cert-manager-bot)

v1.12.13

08 Aug 17:00
a4704b2

📖 Read the release documentation to learn more about the features introduced in 1.12.

📜 Changes since v1.12.12

This patch release fixes the following vulnerabilities: CVE-2024-6104, CVE-2024-24791, CVE-2024-25620, CVE-2024-26147, and CVE-2024-41110.

ℹ️ This version contains an unusually large number of Go dependency changes for
a patch release. The cert-manager maintainers are confident that it is stable
because it has passed the same extensive suite of tests as previous 1.12
releases. But if you are importing cert-manager 1.12 as a Go module you will
notice that the minimum Go version is 1.21, and the k8s.io modules are now
updated to 0.29.

The reason for the large number of Go dependency changes is that the Helm SDK
has been updated to fix security vulnerabilities in cmctl. This required the
k8s.io modules to be updated from 0.27 to 0.29 in all components. Those
newer minor versions of the Kubernetes modules pulled in new transitive
dependencies, and incremented the minimum Go version from 1.20 to 1.21.

Bugfixes

  • Bump the go-retryablehttp dependency to fix CVE-2024-6104 (#7128, @SgtCoDFish)
  • Updated Helm dependency to resolve CVE-2024-25620 and CVE-2024-26147 and Docker dependency to resolve CVE-2024-41110 (#7214, @ThatsMrTalbot)
  • Updates Go to 1.21.13 to resolve CVE-2024-24791 (#7216, @ThatsMrTalbot)

v1.15.2

30 Jul 13:25
48216fb

🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.

📜 Changes since v1.15.1

Bug or Regression

  • BUGFIX route53: explicitly set the aws-global STS region which is now required by the github.com/aws/aws-sdk-go-v2 library. (#7189, @cert-manager-bot)
  • Bump grpc-go to fix GHSA-xr7q-jx4m-x55m (#7167, @SgtCoDFish)
  • Fix Azure DNS causing panics whenever an authentication error happens (#7188, @cert-manager-bot)
  • Fix incorrect value and indentation of endpointAdditionalProperties in the PodMonitor template of the Helm chart (#7191, @inteon)
  • Fixes ACME HTTP01 challenge behavior when using Gateway API to prevent unbounded creation of HTTPRoute resources (#7186, @cert-manager-bot)
  • Upgrade golang from 1.22.3 to 1.22.5 (#7165, @github-actions)

v1.16.0-alpha.0

24 Jul 16:44
3e83d22
Pre-release

📜 Changes since v1.15.0

Feature

  • Add SecretRef support for Venafi TPP issuer CA Bundle (#7036, @sankalp-at-gh)
  • Add a metrics server to the cainjector (#7194, @wallrj)
  • Add a metrics server to the webhook (#7182, @wallrj)
  • Add client certificate auth method for Vault issuer (#4330, @joshmue)
  • Add process and go runtime metrics for controller (#6966, @mindw)
  • Add renewBeforePercentage alternative to renewBefore (#6987, @cbroglie)
  • Default config.apiVersion and config.kind within the Helm chart (#7126, @ThatsMrTalbot)
  • Helm: adds JSON schema validation for the Helm values. (#7069, @inteon)
  • If the --controllers flag only specifies disabled controllers, the default controllers are now enabled implicitly.
    Added disableAutoApproval and approveSignerNames Helm chart options. (#7049, @inteon)
  • Reduce the memory usage of cainjector, by only caching the metadata of Secret resources.
    Reduce the load on the K8S API server when cainjector starts up, by only listing the metadata of Secret resources. (#7161, @wallrj)

Bug or Regression

  • BUGFIX route53: explicitly set the aws-global STS region which is now required by the github.com/aws/aws-sdk-go-v2 library. (#7108, @inteon)
  • BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7105, @inteon)
  • Bump grpc-go to fix GHSA-xr7q-jx4m-x55m (#7164, @SgtCoDFish)
  • Bump the go-retryablehttp dependency to fix CVE-2024-6104 (#7125, @SgtCoDFish)
  • Fix Azure DNS causing panics whenever an authentication error happens (#7177, @eplightning)
  • Fix incorrect indentation of endpointAdditionalProperties in the PodMonitor template of the Helm chart (#7190, @wallrj)
  • Fixes ACME HTTP01 challenge behavior when using Gateway API to prevent unbounded creation of HTTPRoute resources (#7178, @miguelvr)
  • Helm BUGFIX: the cainjector ConfigMap was not mounted in the cainjector deployment. (#7052, @inteon)
  • Improve the startupapicheck: validate that the validating and mutating webhooks are doing their job. (#7057, @inteon)
  • Update github.com/Azure/azure-sdk-for-go/sdk/azidentity to address CVE-2024-35255 (#7087, @dependabot[bot])

v1.15.2-alpha.1

24 Jul 14:24
48216fb
Pre-release

🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.

📜 Changes since v1.15.1

Bug or Regression

  • BUGFIX route53: explicitly set the aws-global STS region which is now required by the github.com/aws/aws-sdk-go-v2 library. (#7189, @cert-manager-bot)
  • Bump grpc-go to fix GHSA-xr7q-jx4m-x55m (#7167, @SgtCoDFish)
  • Fix Azure DNS causing panics whenever an authentication error happens (#7188, @cert-manager-bot)
  • Fix incorrect value and indentation of endpointAdditionalProperties in the PodMonitor template of the Helm chart (#7191, @inteon)
  • Fixes ACME HTTP01 challenge behavior when using Gateway API to prevent unbounded creation of HTTPRoute resources (#7186, @cert-manager-bot)
  • Upgrade golang from 1.22.3 to 1.22.5 (#7165, @github-actions)

v1.15.1

26 Jun 17:50
5b04ec6

🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.

📜 Changes since v1.15.0

Bug or Regression

  • BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7111, @inteon)

Other (Cleanup or Flake)

v1.14.7

21 Jun 09:47
6365596

📜 Changes since v1.14.6

Bugfixes

  • BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7113, @cert-manager-bot)

Other (Cleanup or Flake)

v1.12.12

21 Jun 09:55
f53d9b3

📜 Changes since v1.12.11

Bugfixes

  • BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7114, @cert-manager-bot)

Other (Cleanup or Flake)

v1.14.6

07 Jun 13:27
cb9f16c

📜 Changes since v1.14.5

Other (Cleanup or Flake)

v1.12.11

07 Jun 15:03
1ab864a

📜 Changes since v1.12.10

Other (Cleanup or Flake)