v1.2 release drops support for Kubernetes versions below
v1.16. This allows new features to be introduced whilst keeping the project maintainable. ⚠️
This release adds new features for several issuers and fixes several bugs.
Please read the upgrade notes before upgrading.
Aside from that, there have been numerous bug fixes and features summarized below.
Deprecated Features and Breaking Changes
--renew-before-expiration-durationflag of the cert-manager controller-manager has been deprecated. Please set the
Certificate.Spec.RenewBeforefield instead. This flag will be removed in the next release.
v1.16is now the earliest supported version, The
legacymanifests have now been removed. You can read more here.
User-Agentrequest header has been changed from
cert-manager/<version>. This may affect functionality if you rely on an a User-Agent allowlist in a corporate environment.
Copyright and Ownership
As this is the first release prepared after the acceptance of cert-manager into the CNCF sandbox, the copyright strings have been changed to remove references to Jetstack.
User-Agentrequest header has changed from
Additional options for cert-manager controllers
The cert-manager controller can now be configured to expose profiling information using the new
cainjector leader election leases are now customizable using the new flags
cert-manager can now create Java KeyStores that are compatible with Java 8 or greater. A file named
keystore.jkswill be added to the secret specified in the
Certificate.spec.secretNameencrypted with the password specified in the
Certificate.spec.jks.passwordSecretRefsecret.apiVersion: cert-manager.io/v1kind: Certificatemetadata:name: jks-examplespec:secretName: jks-keystorejks:create: truepasswordSecretRef:name: supersecretkey: password
ingress-shim now supports the new
cert-manager.io/usagesannotation for specifying custom key usages. If this isn't set, it defaults to
digital signature,key encipherment, but a comma separated list of any valid usages can be specified.
ingress-shim now also checks for
cert-manager.io/renew-beforeannotations and uses those values to set the
The Vault issuer now stores the root CA in
ca.crtrather than the issuing CA, moving the chain into
The Venafi issuer now sets the
ca.crtfield of the secret.
A list of OCSP server URLs can now be set on certificates issued by the CA issuer using the
CLI User Experience
kubectlplugin can now show you information about certificates in your cluster:kubectl cert-manager inspect secret my-crt --namespace my-namespace
cert-manager CRDs have been given categories so now they appear in
kubectl get cert-managerand
kubectl get cert-manager-acme.
- The ACME spec allows for a
NotAfterdate, which is supported by Step CA but not Let's Encrypt. This is gated behind a boolean on
Issuer.spec.acme.enableDurationFeature. When enabled, cert-manager will pass through the requested Duration to the ACME server.
The AWS Route53 DNS01 challenge now uses exponential backoff on failure.
Ingress validation rules have been relaxed to allow for Certificates to be created/updated for valid Ingress TLS entries even if the same Ingress contains some invalid TLS entries.
OpenAPI validation has relaxed in the helm chart to work around a type conversion bug that prevented users from upgrading cert-manager with