Releases: cert-manager/cert-manager
v1.15.3
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.
📜 Changes since v1.15.2
Bug or Regression
- BUGFIX: the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. This will cause the webhook TLS server to fail renewing its CA certificate. Please upgrade before the expiration of this CA certificate is reached. (#7232, @cert-manager-bot)
v1.12.13
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
📖 Read the release documentation to learn more about the features introduced in 1.12.
📜 Changes since v1.12.12
This patch release fixes the following vulnerabilities: CVE-2024-6104, CVE-2024-24791, CVE-2024-25620, CVE-2024-26147, and CVE-2024-41110.
ℹ️ This version contains an unusually large number of Go dependency changes for a patch release. The cert-manager maintainers are confident that it is stable because it has passed the same extensive suite of tests as previous 1.12 releases. But if you are importing cert-manager 1.12 as a Go module you will notice that the minimum Go version is 1.21, and the k8s.io modules are now updated to 0.29.
The reason for the large number of Go dependency changes is that the Helm SDK has been updated to fix security vulnerabilities in cmctl. This required the k8s.io modules to be updated from 0.27 to 0.29 in all components. Those newer minor versions of the Kubernetes modules pulled in new transitive dependencies, and incremented the minimum Go version from 1.20 to 1.21.
Bugfixes
- Bump the go-retryablehttp dependency to fix CVE-2024-6104 (#7128, @SgtCoDFish)
- Updated Helm dependency to resolve CVE-2024-25620 and CVE-2024-26147 and Docker dependency to resolve CVE-2024-41110 (#7214, @ThatsMrTalbot)
- Updates Go to 1.21.13 to resolve CVE-2024-24791 (#7216, @ThatsMrTalbot)
v1.15.2
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.
📜 Changes since v1.15.1
Bug or Regression
- BUGFIX route53: explicitly set the aws-global STS region which is now required by the github.com/aws/aws-sdk-go-v2 library. (#7189, @cert-manager-bot)
- Bump grpc-go to fix GHSA-xr7q-jx4m-x55m (#7167, @SgtCoDFish)
- Fix Azure DNS causing panics whenever authentication error happens (#7188, @cert-manager-bot)
- Fix incorrect value and indentation of endpointAdditionalProperties in the PodMonitor template of the Helm chart (#7191, @inteon)
- Fixes ACME HTTP01 challenge behavior when using Gateway API to prevent unbounded creation of HTTPRoute resources (#7186, @cert-manager-bot)
- Upgrade golang from 1.22.3 to 1.22.5 (#7165, @github-actions)
v1.16.0-alpha.0
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
📜 Changes since v1.15.0
Feature
- Add SecretRef support for Venafi TPP issuer CA Bundle (#7036, @sankalp-at-gh)
- Add a metrics server to the cainjector (#7194, @wallrj)
- Add a metrics server to the webhook (#7182, @wallrj)
- Add client certificate auth method for Vault issuer (#4330, @joshmue)
- Add process and go runtime metrics for controller (#6966, @mindw)
- Add renewBeforePercentage alternative to renewBefore (#6987, @cbroglie)
- Default config.apiVersion and config.kind within the Helm chart (#7126, @ThatsMrTalbot)
- Helm: adds JSON schema validation for the Helm values. (#7069, @inteon)
- If the --controllers flag only specifies disabled controllers, the default controllers are now enabled implicitly. Added disableAutoApproval and approveSignerNames Helm chart options. (#7049, @inteon)
- Reduce the memory usage of cainjector, by only caching the metadata of Secret resources. Reduce the load on the K8S API server when cainjector starts up, by only listing the metadata of Secret resources. (#7161, @wallrj)
Bug or Regression
- BUGFIX route53: explicitly set the aws-global STS region which is now required by the github.com/aws/aws-sdk-go-v2 library. (#7108, @inteon)
- BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7105, @inteon)
- Bump grpc-go to fix GHSA-xr7q-jx4m-x55m (#7164, @SgtCoDFish)
- Bump the go-retryablehttp dependency to fix CVE-2024-6104 (#7125, @SgtCoDFish)
- Fix Azure DNS causing panics whenever authentication error happens (#7177, @eplightning)
- Fix incorrect indentation of endpointAdditionalProperties in the PodMonitor template of the Helm chart (#7190, @wallrj)
- Fixes ACME HTTP01 challenge behavior when using Gateway API to prevent unbounded creation of HTTPRoute resources (#7178, @miguelvr)
- Helm BUGFIX: the cainjector ConfigMap was not mounted in the cainjector deployment. (#7052, @inteon)
- Improve the startupapicheck: validate that the validating and mutating webhooks are doing their job. (#7057, @inteon)
- Update github.com/Azure/azure-sdk-for-go/sdk/azidentity to address CVE-2024-35255 (#7087, @dependabot[bot])
v1.15.2-alpha.1
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.
📜 Changes since v1.15.1
Bug or Regression
- BUGFIX route53: explicitly set the aws-global STS region which is now required by the github.com/aws/aws-sdk-go-v2 library. (#7189, @cert-manager-bot)
- Bump grpc-go to fix GHSA-xr7q-jx4m-x55m (#7167, @SgtCoDFish)
- Fix Azure DNS causing panics whenever authentication error happens (#7188, @cert-manager-bot)
- Fix incorrect value and indentation of endpointAdditionalProperties in the PodMonitor template of the Helm chart (#7191, @inteon)
- Fixes ACME HTTP01 challenge behavior when using Gateway API to prevent unbounded creation of HTTPRoute resources (#7186, @cert-manager-bot)
- Upgrade golang from 1.22.3 to 1.22.5 (#7165, @github-actions)
v1.15.1
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.
📜 Changes since v1.15.0
Bug or Regression
- BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7111, @inteon)
Other (Cleanup or Flake)
- Update github.com/Azure/azure-sdk-for-go/sdk/azidentity to address CVE-2024-35255 (#7092, @ThatsMrTalbot)
- Bump the go-retryablehttp dependency to fix CVE-2024-6104 (#7130, @SgtCoDFish)
v1.14.7
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
📜 Changes since v1.14.6
Bugfixes
- BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7113, @cert-manager-bot)
Other (Cleanup or Flake)
- Update github.com/Azure/azure-sdk-for-go/sdk/azidentity to address CVE-2024-35255 (#7093, @ThatsMrTalbot)
v1.12.12
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
📜 Changes since v1.12.11
Bugfixes
- BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7114, @cert-manager-bot)
Other (Cleanup or Flake)
- Upgrade go-jose library to fix CVE-2024-28180 trivy alert. (#7109, @inteon)
- Update github.com/Azure/azure-sdk-for-go/sdk/azidentity to address CVE-2024-35255 (#7099, @ThatsMrTalbot)
v1.14.6
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
📜 Changes since v1.14.5
Other (Cleanup or Flake)
- Upgrade Go to 1.21.10, fixing GO-2024-2824 (GHSA-2jwv-jmq4-4j3r). (#7008, @inteon)
- Helm: the cainjector ConfigMap was not mounted in the cainjector deployment. (#7053, @cert-manager-bot)
- Updated Go to 1.21.11 bringing in security fixes for archive/zip and net/netip. (#7076, @ThatsMrTalbot)
v1.12.11
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
📜 Changes since v1.12.10
Other (Cleanup or Flake)
- Updated Go to 1.21.11 bringing in security fixes for archive/zip and net/netip. (#7077, @ThatsMrTalbot)
- Upgrade Go to 1.21.10, fixing GO-2024-2824 (GHSA-2jwv-jmq4-4j3r). (#7010, @inteon)