feat(helm): update chart cert-manager to v1.12.1 #875
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.11.0
->v1.12.1
⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.
Release Notes
cert-manager/cert-manager
v1.12.1
Compare Source
v1.12.1
This release contains a couple dependency bumps and changes to ACME external webhook library.
Changes by Kind
Other (Cleanup or Flake)
Uncategorized
v0.27.2
. (#6077, @lucacome)v0.15.0
(#6098, @lucacome)v1.12.0
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager v1.12 brings support for JSON logging, a lower memory footprint, support for ephemeral service account tokens with Vault, improved dependency management and support for the ingressClassName field.
The full release notes are available at https://cert-manager.io/docs/release-notes/release-notes-1.12.
Community
Thanks again to all open-source contributors with commits in this release, including:
Thanks also to the following cert-manager maintainers for their contributions during this release:
Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack, joined our meetings and talked to us at Kubecon!
Special thanks to @erikgb for continuously great input and feedback and to @lucacome for always ensuring that our kube deps are up to date!
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Jetstack (by Venafi) for contributing developer time and resources towards the continued maintenance of cert-manager projects.
Changes by Kind
Feature
--concurrent-workers
flag that lets you control the number of concurrent workers for each of our controllers. (#5936, @inteon)acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets
field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. (#5801, @malovme)--watch-certs
flag was renamed to--enable-certificates-data-source
. (#5766, @irbekrm)--dns01-recursive-nameservers
,--enable-certificate-owner-ref
, and--dns01-recursive-nameservers-only
through Helm values. (#5614, @jkroepke)ingressClassName
. The credit goes to @dsonck92 for implementing the initial PR. (#5849, @maelvls)serviceAccountRef
field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check thevault.auth
field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value forvault.auth
. (#5502, @maelvls)/livez
endpoint and a default liveness probe, which fails if leader election has been lost and for some reason the process has not exited. The liveness probe is disabled by default. (#5962, @wallrj)--v=5
flag) (#5975, @tobotg)Design
This is not necessarily a breaking change as due to a race condition this may already have been the case. (#5887, @irbekrm)
Documentation
values.yaml
are now working (#5999, @SgtCoDFish)Bug or Regression
cmctl x install
. (#5720, @irbekrm)--acme-http01-solver-image
given to the variableacmesolver.extraArgs
now has precedence over the variableacmesolver.image
. (#5693, @SgtCoDFish)jks
andpkcs12
fields on a Certificate resource with a CA issuer that doesn't set theca.crt
in the Secret resource, cert-manager no longer loop trying to copyca.crt
intotruststore.jks
ortruststore.p12
. (#5972, @vinzent)literalSubject
field on a Certificate resource, the IPs, URIs, DNS names, and email addresses segments are now properly compared. (#5747, @inteon)Other (Cleanup or Flake)
make go-workspace
target for generating a go.work file for local development (#5935, @SgtCoDFish)**BREAKING:*- users who are relying on cainjector to work when
certificates.cert-manager.io
CRD is not installed in the cluster, now need to pass--watch-certificates=false
flag to cainjector else it will not start.Users who only use cainjector as cert-manager's internal component and have a large number of
Certificate
resources in cluster can pass--watch-certificates=false
to avoid cainjector from cachingCertificate
resources and save some memory. (#5746, @irbekrm)automountServiceAccountToken
turned off. (#5754, @wallrj)SecretsFilteredCaching
feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver because unlabelled Secret resources that cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with thecontroller.cert-manager.io/fao: true
label. (#5824, @irbekrm)POTENTIALLY BREAKING: this PR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. (#5901, @irbekrm)
v0.26.2
. (#5820, @lucacome)v0.26.3
. (#5907, @lucacome)v0.27.1
. (#5961, @lucacome)certificate.spec.secretName
is a validSecret
name (#5967, @avi-08)certificate.spec.secretName
Secrets will now be labelled withcontroller.cert-manager.io/fao
label (#5660, @irbekrm)Uncategorized
v1.11.3
Compare Source
v1.11.3 mostly contains ACME library changes. API Priority and Fairness feature is now disabled in the external webhook's extension apiserver.
Changes by Kind
Other (Cleanup or Flake)
v1.11.2
Compare Source
Changelog since v1.11.1
Changes by Kind
Bug or Regression
Other (Cleanup or Flake)
Bump the distroless base images (#5930, @maelvls)
Bumps Docker libraries to fix vulnerability scan alert for CVE-2023-28840, CVE-2023-28841, CVE-2023-28842 (#6037, @irbekrm)
Cert-manager was not actually affected by these CVEs which are all to do with Docker daemon's overlay network.
Bumps Kube libraries v0.26.0 -> v0.26.4 (#6038, @irbekrm)
This might help with running cert-manager v1.11 on Kubernetes v1.27, see #6038
v1.11.1
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
In v1.11.1, we updated the base images used for cert-manager containers. In addition, the users of the Venafi issuer will see less certificates repeatedly failing.
If you are a user of Venafi TPP and have been having issues with the error message
This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry
, please use this version.Changes since v1.11.0
Bug or Regression
cmctl x install
, to work around a hardcoded Kubernetes version in Helm. (#5726, @SgtCoDFish)Other (Cleanup or Flake)
Configuration
📅 Schedule: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.