-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Helm release cert-manager to v1.13.2 #96
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
July 26, 2022 15:16
0512667
to
1f38fdc
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.9.0
Update Helm release cert-manager to v1.9.1
Jul 26, 2022
vshn-renovate
changed the title
Update Helm release cert-manager to v1.9.1
Update Helm release cert-manager to v1.10.0
Oct 17, 2022
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
October 17, 2022 13:19
1f38fdc
to
b18a4b0
Compare
Autoclosing SkippedThis PR has been flagged for autoclosing, however it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error. |
vshn-renovate
changed the title
Update Helm release cert-manager to v1.10.0
Update Helm release cert-manager to v1.10.1
Nov 29, 2022
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
November 29, 2022 10:27
b18a4b0
to
737dd68
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.10.1
Update Helm release cert-manager to v1.10.1 - autoclosed
Dec 30, 2022
vshn-renovate
changed the title
Update Helm release cert-manager to v1.10.1 - autoclosed
Update Helm release cert-manager to v1.10.1
Dec 30, 2022
vshn-renovate
changed the title
Update Helm release cert-manager to v1.10.1
Update Helm release cert-manager to v1.10.2
Jan 10, 2023
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
January 10, 2023 18:17
737dd68
to
eef12ba
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.10.2
Update Helm release cert-manager to v1.11.0
Jan 11, 2023
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
January 11, 2023 17:07
eef12ba
to
84b1638
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.11.0
Update Helm release cert-manager to v1.11.1
Apr 7, 2023
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
April 7, 2023 13:58
84b1638
to
34c59a8
Compare
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
May 9, 2023 16:39
34c59a8
to
dc67d20
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.11.1
Update Helm release cert-manager to v1.11.2
May 9, 2023
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
May 19, 2023 12:29
dc67d20
to
f241c37
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.11.2
Update Helm release cert-manager to v1.12.0
May 19, 2023
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
May 25, 2023 15:00
f241c37
to
0f7df8e
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.12.0
Update Helm release cert-manager to v1.12.1
May 25, 2023
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
June 16, 2023 13:10
0f7df8e
to
b1de940
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.12.1
Update Helm release cert-manager to v1.12.2
Jun 16, 2023
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
July 26, 2023 12:40
b1de940
to
2b054f6
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.12.2
Update Helm release cert-manager to v1.12.3
Jul 26, 2023
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
September 1, 2023 17:30
2b054f6
to
890e23f
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.12.3
Update Helm release cert-manager to v1.12.4
Sep 1, 2023
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
September 12, 2023 15:11
890e23f
to
98c1c1c
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.12.4
Update Helm release cert-manager to v1.13.0
Sep 12, 2023
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
September 27, 2023 08:30
98c1c1c
to
f203deb
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.13.0
Update Helm release cert-manager to v1.13.1
Sep 27, 2023
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
October 14, 2023 03:49
f203deb
to
e80340b
Compare
vshn-renovate
force-pushed
the
commodore-renovate/cert-manager
branch
from
October 30, 2023 12:50
e80340b
to
0f7c61d
Compare
vshn-renovate
changed the title
Update Helm release cert-manager to v1.13.1
Update Helm release cert-manager to v1.13.2
Oct 30, 2023
Signed-off-by: Renovate Bot <tech+renovate@vshn.ch>
DebakelOrakel
force-pushed
the
commodore-renovate/cert-manager
branch
from
December 6, 2023 07:52
0f7c61d
to
af69026
Compare
DebakelOrakel
approved these changes
Dec 6, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.8.2
->v1.13.2
Release Notes
cert-manager/cert-manager (cert-manager)
v1.13.2
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.13.2 fixes some CVE alerts and contains fixes for:
Changes since v1.13.1
Bug or Regression
WebSDK CertRequest Module Requested Certificate
orThis certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.
. (#6402, @maelvls)Other (Cleanup or Flake)
v1.13.1
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.13.1 contains a bugfix for a name collision bug in the StableCertificateRequestName feature that was enabled by default in v1.13.0.
Changes since v1.13.0
Bug or Regression
Other (Cleanup or Flake)
github.com/emicklei/go-restful/v3
tov3.11.0
becausev3.10.2
is labeled as "DO NOT USE". (#6368, @inteon)v1.13.0
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This is the 1.13 release of cert-manager!
cert-manager 1.13 brings support for DNS over HTTPS, support for loading options from a versioned
config file for the cert-manager controller, and more. This release also includes the promotion of
the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta.
Known issues
The
StableCertificateRequestName
that was promoted to Beta contains a "name collision" bug: https://github.com/cert-manager/cert-manager/issues/6342This is fixed in v1.13.1+
Breaking Changes (You MUST read this before you upgrade!)
.featureGates
value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Usewebhook.featureGates
field instead to define features to be enabled on webhook. (#6093, @irbekrm)--feature-gates
flag, this will now break (unless the webhook actually has a feature by that name). (#6093, @irbekrm)Community
Welcome to these new cert-manager members (more info - https://github.com/cert-manager/cert-manager/pull/6260):
@jsoref
@FlorianLiebhart
@hawksight
@erikgb
Thanks again to all open-source contributors with commits in this release, including:
@AcidLeroy
@FlorianLiebhart
@lucacome
@cypres
@erikgb
@ubergesundheit
@jkroepke
@jsoref
@gdvalle
@rouke-broersma
@schrodit
@zhangzhiqiangcs
@arukiidou
@hawksight
@Richardds
@kahirokunn
Thanks also to the following cert-manager maintainers for their contributions during this release:
@SgtCoDFish
@maelvls
@irbekrm
@inteon
Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings!
Special thanks to @AcidLeroy for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see https://github.com/cert-manager/cert-manager/pull/5337)
Also, thanks a lot to @FlorianLiebhart for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see https://github.com/cert-manager/cert-manager/pull/5003)
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.
Changes since v1.12.0
Feature
cluster-reader
aggregated cluster role (#6241, @erikgb)enableServiceLinks
configurable for all Deployments andstartupapicheck
Job in Helm chart. (#6292, @ubergesundheit)Design
The DNS check method to be used is controlled through the command line flag:
--dns01-recursive-nameservers-only=true
in combination with--dns01-recursive-nameservers=https://<DoH-endpoint>
(e.g.https://8.8.8.8/dns-query
). It keeps using DNS lookup as a default method. (#5003, @FlorianLiebhart)Bug or Regression
cmctl check api --wait 0
exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code (#6109, @inteon).featureGates
value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Usewebhook.featureGates
field instead to define features to be enabled on webhook.--feature-gates
flag, this will now break (unless the webhook actually has a feature by that name). (#6093, @irbekrm)net.IP.String()
function would have printed that address. (#6293, @SgtCoDFish)enableServiceLinks
option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. (#6143, @schrodit)Other (Cleanup or Flake)
cert-manager.io/common-name
,cert-manager.io/alt-names
, ... annotations on Secrets are kept at their correct value. (#6176, @inteon)v0.27.2
. (#6077, @lucacome)v0.27.4
. (#6227, @lucacome)v1.12.6
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.6 fixes some CVE alerts and a Venafi issuer bug.
Changes since v1.12.5
Bug or Regression
WebSDK CertRequest Module Requested Certificate
orThis certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.
. (#6401, @maelvls)Other (Cleanup or Flake)
Known bugs
If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate a MANY CertificateRequests, possibly causing high CPU usage and/ or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406).
This problem was resolved in v1.13.2, but the fix cannot be backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to v1.13.2.
v1.12.5
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.5 contains a backport for a name collision bug that was found in v1.13.0
Changes since v1.12.4
Bug or Regression
Other (Cleanup or Flake)
v1.12.4
Compare Source
v1.12.4 contains an important security fix that addresses CVE-2023-29409.
Changes since v1.12.3
net.IP.String()
function would have printed that address. (#6297, @SgtCoDFish)crypto/tls
library. (#6318, @maelvls)v1.12.3
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.3 contains a bug fix for the cainjector which addresses a memory leak!
Changes since v1.12.2
Bugfixes
v1.12.2
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.2 is a bugfix release, but includes a known issue and you should prefer the latest patch release!
Known issues
Changes since v1.12.1
Bugfixes
cmctl check api --wait 0
exited without output; we now make sure we perform the API check at least once (#6116, @jetstack-bot)v1.12.1
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.1 release contains a couple dependency bumps and changes to ACME external webhook library.
Known issues
cmctl
API check is broken in v1.12.0 and v1.12.1. We suggest that you do not upgradecmctl
to this version. The fix was released in v1.12.2 (which has an additional issue, see below). See #6116 for context.Changes since v1.12.0
Other (Cleanup or Flake)
Uncategorized
v0.27.2
. (#6077, @lucacome)v0.15.0
(#6098, @lucacome)v1.12.0
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager v1.12 brings support for JSON logging, a lower memory footprint, support for ephemeral service account tokens with Vault, improved dependency management and support for the ingressClassName field.
The full release notes are available at https://cert-manager.io/docs/release-notes/release-notes-1.12.
Known issues
cmctl
API check is broken in v1.12.0 and v1.12.1. We suggest that you do not upgradecmctl
to this version. The fix was released in v1.12.2 (which has an additional issue, see below). See #6116 for context.Community
Thanks again to all open-source contributors with commits in this release, including:
Thanks also to the following cert-manager maintainers for their contributions during this release:
Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack, joined our meetings and talked to us at Kubecon!
Special thanks to @erikgb for continuously great input and feedback and to @lucacome for always ensuring that our kube deps are up to date!
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Jetstack (by Venafi) for contributing developer time and resources towards the continued maintenance of cert-manager projects.
Changes by Kind
Feature
--concurrent-workers
flag that lets you control the number of concurrent workers for each of our controllers. (#5936, @inteon)acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets
field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. (#5801, @malovme)--watch-certs
flag was renamed to--enable-certificates-data-source
. (#5766, @irbekrm)--dns01-recursive-nameservers
,--enable-certificate-owner-ref
, and--dns01-recursive-nameservers-only
through Helm values. (#5614, @jkroepke)ingressClassName
. The credit goes to @dsonck92 for implementing the initial PR. (#5849, @maelvls)serviceAccountRef
field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check thevault.auth
field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value forvault.auth
. (#5502, @maelvls)/livez
endpoint and a default liveness probe, which fails if leader election has been lost and for some reason the process has not exited. The liveness probe is disabled by default. (#5962, @wallrj)--v=5
flag) (#5975, @tobotg)Design
This is not necessarily a breaking change as due to a race condition this may already have been the case. (#5887, @irbekrm)
Documentation
values.yaml
are now working (#5999, @SgtCoDFish)Bug or Regression
cmctl x install
. (#5720, @irbekrm)--acme-http01-solver-image
given to the variableacmesolver.extraArgs
now has precedence over the variableacmesolver.image
. (#5693, @SgtCoDFish)jks
andpkcs12
fields on a Certificate resource with a CA issuer that doesn't set theca.crt
in the Secret resource, cert-manager no longer loop trying to copyca.crt
intotruststore.jks
ortruststore.p12
. (#5972, @vinzent)literalSubject
field on a Certificate resource, the IPs, URIs, DNS names, and email addresses segments are now properly compared. (#5747, @inteon)Other (Cleanup or Flake)
make go-workspace
target for generating a go.work file for local development (#5935, @SgtCoDFish)**BREAKING:*- users who are relying on cainjector to work when
certificates.cert-manager.io
CRD is not installed in the cluster, now need to pass--watch-certificates=false
flag to cainjector else it will not start.Users who only use cainjector as cert-manager's internal component and have a large number of
Certificate
resources in cluster can pass--watch-certificates=false
to avoid cainjector from cachingCertificate
resources and save some memory. (#5746, @irbekrm)automountServiceAccountToken
turned off. (#5754, @wallrj)SecretsFilteredCaching
feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver because unlabelled Secret resources that cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with thecontroller.cert-manager.io/fao: true
label. (#5824, @irbekrm)POTENTIALLY BREAKING: this PR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. (#5901, @irbekrm)
v0.26.2
. (#5820, @lucacome)v0.26.3
. (#5907, @lucacome)v0.27.1
. (#5961, @lucacome)certificate.spec.secretName
is a validSecret
name (#5967, @avi-08)certificate.spec.secretName
Secrets will now be labelled withcontroller.cert-manager.io/fao
label (#5660, @irbekrm)Uncategorized
v1.11.5
Compare Source
v1.11.5 contains an important security fix that addresses CVE-2023-29409.
Changes since v1.11.4
crypto/tls
library. (#6317, @maelvls)v1.11.4
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager v1.11.4 contains some version bumps to address reported CVEs (although we don't expect that cert-manager was actually vulnerable to anything!)
Changes by Kind
Other (Cleanup or Flake)
Dependencies
Changed
v1.11.3
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.11.3 mostly contains ACME library changes. API Priority and Fairness feature is now disabled in the external webhook's extension apiserver.
Changes by Kind
Other (Cleanup or Flake)
v1.11.2
Compare Source
Changelog since v1.11.1
Changes by Kind
Bug or Regression
Other (Cleanup or Flake)
Bump the distroless base images (#5930, @maelvls)
Bumps Docker libraries to fix vulnerability scan alert for CVE-2023-28840, CVE-2023-28841, CVE-2023-28842 (#6037, @irbekrm)
Cert-manager was not actually affected by these CVEs which are all to do with Docker daemon's overlay network.
Bumps Kube libraries v0.26.0 -> v0.26.4 (#6038, @irbekrm)
This might help with running cert-manager v1.11 on Kubernetes v1.27, see #6038
v1.11.1
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
In v1.11.1, we updated the base images used for cert-manager containers. In addition, the users of the Venafi issuer will see less certificates repeatedly failing.
If you are a user of Venafi TPP and have been having issues with the error message
This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry
, please use this version.Changes since v1.11.0
Bug or Regression
cmctl x install
, to work around a hardcoded Kubernetes version in Helm. (#5726, @SgtCoDFish)Other (Cleanup or Flake)
v1.11.0
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.11.0
includes a drastic reduction in cert-manager's runtime memory usage, a slew of improvements to AKS integrations and various other tweaks, fixes and improvements, all towards cert-manager's goal of being the best way to handle certificates in modern Cloud Native applications.Community
Thanks again to all open-source contributors with commits in this release, including:
Thanks also to the following cert-manager maintainers for their contributions during this release:
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Jetstack (by Venafi) for contributing developer time and resources towards the continued maintenance of cert-manager projects.
Changes since cert-manager
v1.10
For an overview of new features, see the v1.11 release notes!
Feature
--max-concurrent-challenges
controller flag to the helm chart (#5638, @lvyanru8200)ko
and redeploying cert-manager to the cluster referenced by your current KUBECONFIG context. (#5655, @wallrj)LiteralSubject
field, all mandatory OIDs are now supported for LDAP certificates (rfc4514). (#5587, @SpectralHiss)ExperimentalGatewayAPISupport
alpha feature must ensure thatv1beta
of Gateway API is installed in cluster. (#5583, @lvyanru8200)Bug or Regression
vcert
was upgraded tov4.23.0
, fixing two bugs in cert-manager. The first bug was preventing the Venafi issuer from renewing certificates when using TPP has been fixed. You should no longer see your certificates getting stuck withWebSDK CertRequest Module Requested Certificate
orThis certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.
. The second bug that was fixed prevented the use ofalgorithm: Ed25519
in Certificate resources with VaaS. (#5674, @maelvls)golang/x/net
to fix CVE-2022-41717 (#5632, [@SgtCoDFConfiguration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.