v0.13 contains a number of important bug-fixes and a few notable feature additions. It is a minor, incremental
v0.12 and does not require any special upgrade steps.
ACME External Account Binding support
Users that wish to use cert-manager with ACME servers other than Let's Encrypt may have found themselves unable to register an account due to the lack of (EAB) 'External Account Binding' support. This allows an ACME server to validate that a user is somehow associated with some other entity, like an account in the CAs customer management system.
With EAB support, it's now possible to specify additional parameters (
spec.acme.externalAccountBinding) on your ACME
Issuer resource and utilize cert-manager with your preferred ACME provider.
Support for full set of X.509 'subject' parameters
In this release, support for the full range of 'subject' parameters as per the X.509 specification has been added.
This means you can set fields like
country, and all other standard
X.509 subject fields.
A big thanks to
@mathianasj for this addition!
InvalidRequest status condition for
For the growing ecosystem of developers creating their own 'external issuer types' for cert-manager, we have added
support for a new 'status condition' type
InvalidRequest - this can be used to signal from your signer/issuer to
cert-manager that the parameters that the user has requested on the X.509 CSR are 'invalid' and the CSR should not
This prevents users expending API quotas and making requests that will never succeed.
- Fix invalid service account name used in RBAC resources when manually specifying a service account name (#2509,
- fixed a bug that in certain cases could cause HTTP01 ingress
serviceNamefields to be incorrectly set (#2460,
- Fix bug causing ever-increasing CPU usage in webhook component (#2467,
- Fix bug causing temporary certificates to overwrite previously issued certificates when adding a new
dnsNameto an existing Certificate resource (#2469,
certmanager_certificate_expiration_timestamp_secondsmetric recording (#2416,
ClusterIssuersnot finding the secret when the secret is in a different namespace than the certificate request using the Venafi issuer type (#2520,
- Fixes generation if invalid certificate name the the 52nd character in a domain name is a symbol. (#2516,
Other Notable Changes
InvalidRequestcondition type to
CertificateRequest, signaling to not retry the request. (#2508,
- Add volume and volume mounts field to cert-manager helm chart (#2504,
- Add support for additional X.509 'subject' fields (#2518,
k8s.io/*dependencies to Kubernetes 1.17.0 (#2452,
- It is now possible to disable
AppArmorwhen Pod Security Policies are used. (#2489,
- Support for arbitrary
- Remove misleading 'error decoding X.509 certificate' message (#2470,
- Remove IP address validation on
dns01-recursive-nameserversto allow domain names (#2428,
cainjector.securityContextchart parameters to specify pods security context. (#2449,
- webhook: register HTTP handlers for
pprofdebug endpoints (#2450,
- Adds support for chart configurable parameters
- Adds ACME external account binding support (#2392,
- Fix false-y values in helm chart to mitigate
- Explicitly define
containerPortprotocol in helm chart (#2405,
- Switch to using upstream
golang.org/x/crypto/acmeACME client library (#2422,