cert-manager/cert-manager
### [`v1.12.0`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.12.0)
[Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.11.2...v1.12.0)
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager v1.12 brings support for JSON logging, a lower memory footprint, support for ephemeral service account tokens with Vault, improved dependency management and support for the ingressClassName field.
### Community
Thanks again to all open-source contributors with commits in this release, including:
- [@malovme](https://togithub.com/malovme)
- [@e96wic](https://togithub.com/e96wic)
- [@ExNG](https://togithub.com/ExNG)
- [@waterfoul](https://togithub.com/waterfoul)
- [@jkroepke](https://togithub.com/jkroepke)
- [@andrewsomething](https://togithub.com/andrewsomething)
- [@yulng](https://togithub.com/yulng)
- [@tobotg](https://togithub.com/tobotg)
- [@maumontesilva](https://togithub.com/maumontesilva)
- [@avi-08](https://togithub.com/avi-08)
- [@vinzent](https://togithub.com/vinzent)
- [@TrilokGeer](https://togithub.com/TrilokGeer)
- [@g-gaston](https://togithub.com/g-gaston)
- [@james-callahan](https://togithub.com/james-callahan)
- [@lucacome](https://togithub.com/lucacome)
- [@yanggangtony](https://togithub.com/yanggangtony)
- [@vidarno](https://togithub.com/vidarno)
- [@ctrought](https://togithub.com/ctrought)
- [@Robfz](https://togithub.com/Robfz)
- [@dsonck92](https://togithub.com/dsonck92)
- [@rayandas](https://togithub.com/rayandas)
- [@olekfur](https://togithub.com/olekfur)
- [@ptrc-n](https://togithub.com/ptrc-n)
- [@bradjones1](https://togithub.com/bradjones1)
- [@gdvalle](https://togithub.com/gdvalle)
Thanks also to the following cert-manager maintainers for their contributions during this release:
- [@inteon](https://togithub.com/inteon)
- [@wallrj](https://togithub.com/wallrj)
- [@maelvls](https://togithub.com/maelvls)
- [@SgtCoDFish](https://togithub.com/SgtCoDFish)
- [@irbekrm](https://togithub.com/irbekrm)
- [@jakexks](https://togithub.com/jakexks)
- [@JoshVanL](https://togithub.com/JoshVanL)
- [@munnerz](https://togithub.com/munnerz)
Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack, joined our meetings and talked to us at Kubecon!
Special thanks to [@erikgb](https://togithub.com/erikgb) for continuously great input and feedback and to [@lucacome](https://togithub.com/lucacome) for always ensuring that our kube deps are up to date!
Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://togithub.com/cert-manager/aws-privateca-issuer).
In addition, massive thanks to [Jetstack](https://www.jetstack.io/) (by [Venafi](https://www.venafi.com/)) for contributing developer time and resources towards the continued maintenance of cert-manager projects.
#### Changes by Kind
##### Feature
- **POTENTIALLY BREAKING**: the cert-manager binaries and some tests have been split into separate Go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. If you import cert-manager binaries, integration tests or end-to-end tests in Go, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details. ([#5880](https://togithub.com/cert-manager/cert-manager/pull/5880), [@SgtCoDFish](https://togithub.com/SgtCoDFish))
- Added support for JSON logging (using --logging-format=json) ([#5828](https://togithub.com/cert-manager/cert-manager/pull/5828), [@malovme](https://togithub.com/malovme))
- Added the `--concurrent-workers` flag that lets you control the number of concurrent workers for each of our controllers. ([#5936](https://togithub.com/cert-manager/cert-manager/pull/5936), [@inteon](https://togithub.com/inteon))
- Adds `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. ([#5801](https://togithub.com/cert-manager/cert-manager/pull/5801), [@malovme](https://togithub.com/malovme))
- Cainjector:
- New flags were added to the cainjector binary. They can be used to modify what injectable kinds are enabled. If cainjector is only used as a cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectable resources; disabling the rest can improve memory consumption. By default all are enabled.
- The `--watch-certs` flag was renamed to `--enable-certificates-data-source`. ([#5766](https://togithub.com/cert-manager/cert-manager/pull/5766), [@irbekrm](https://togithub.com/irbekrm))
- Helm: Added PodDisruptionBudgets for cert-manager components to the Helm chart (disabled by default). ([#3931](https://togithub.com/cert-manager/cert-manager/pull/3931), [@e96wic](https://togithub.com/e96wic))
- Helm: Egress 6443/TCP is now allowed in the webhook. This is required for OpenShift and OKD clusters for which the Kubernetes API server listens on port 6443 instead of 443. ([#5788](https://togithub.com/cert-manager/cert-manager/pull/5788), [@ExNG](https://togithub.com/ExNG))
- Helm: you can now add volumes and volume mounts via Helm variables for the cainjector, webhook, and startupapicheck. ([#5668](https://togithub.com/cert-manager/cert-manager/pull/5668), [@waterfoul](https://togithub.com/waterfoul))
- Helm: you can now enable the flags `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` through Helm values. ([#5614](https://togithub.com/cert-manager/cert-manager/pull/5614), [@jkroepke](https://togithub.com/jkroepke))
- The DigitalOcean issuer now sets a cert-manager user agent string. ([#5869](https://togithub.com/cert-manager/cert-manager/pull/5869), [@andrewsomething](https://togithub.com/andrewsomething))
- The HTTP-01 solver can now be configured to create Ingresses with an `ingressClassName`. The credit goes to [@dsonck92](https://togithub.com/dsonck92) for implementing the initial PR. ([#5849](https://togithub.com/cert-manager/cert-manager/pull/5849), [@maelvls](https://togithub.com/maelvls))
- The Vault issuer can now be used with ephemeral Kubernetes tokens. With the new `serviceAccountRef` field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`. ([#5502](https://togithub.com/cert-manager/cert-manager/pull/5502), [@maelvls](https://togithub.com/maelvls))
- The cert-manager controller container of the controller Pod now has a `/livez` endpoint and a default liveness probe, which fails if leader election has been lost and for some reason the process has not exited. The liveness probe is disabled by default. ([#5962](https://togithub.com/cert-manager/cert-manager/pull/5962), [@wallrj](https://togithub.com/wallrj))
- Upgraded Gateway API to v0.6.0. ([#5768](https://togithub.com/cert-manager/cert-manager/pull/5768), [@yulng](https://togithub.com/yulng))
- Webhook now logs requests to mutating/validating webhook (with `--v=5` flag) ([#5975](https://togithub.com/cert-manager/cert-manager/pull/5975), [@tobotg](https://togithub.com/tobotg))
##### Design
- Certificate issuances are always failed (and retried with a backoff) for denied or invalid CertificateRequests.
This is not necessarily a breaking change as due to a race condition this may already have been the case. ([#5887](https://togithub.com/cert-manager/cert-manager/pull/5887), [@irbekrm](https://togithub.com/irbekrm))
- The cainjector controller can now use server-side apply to patch mutatingwebhookconfigurations, validatingwebhookconfigurations, apiservices, and customresourcedefinitions. This feature is currently in alpha and is not enabled by default. To enable server-side apply for the cainjector, add the flag --feature-gates=ServerSideApply=true to the deployment. ([#5991](https://togithub.com/cert-manager/cert-manager/pull/5991), [@inteon](https://togithub.com/inteon))
##### Documentation
- Helm: the dead links in `values.yaml` are now working ([#5999](https://togithub.com/cert-manager/cert-manager/pull/5999), [@SgtCoDFish](https://togithub.com/SgtCoDFish))
##### Bug or Regression
- Cmctl renew now prints an error message unless Certificate name(s) or --all are supplied ([#5896](https://togithub.com/cert-manager/cert-manager/pull/5896), [@maumontesilva](https://togithub.com/maumontesilva))
- Cmctl: In order work around a hardcoded Kubernetes version in Helm, we now use a fake kube-apiserver version when generating the helm template when running `cmctl x install`. ([#5720](https://togithub.com/cert-manager/cert-manager/pull/5720), [@irbekrm](https://togithub.com/irbekrm))
- Fix development environment and go vendoring on Linux arm64. ([#5810](https://togithub.com/cert-manager/cert-manager/pull/5810), [@SgtCoDFish](https://togithub.com/SgtCoDFish))
- Fix ordering of remote git tags when preparing integration tests ([#5910](https://togithub.com/cert-manager/cert-manager/pull/5910), [@SgtCoDFish](https://togithub.com/SgtCoDFish))
- Helm: the flag `--acme-http01-solver-image` given to the variable `acmesolver.extraArgs` now has precedence over the variable `acmesolver.image`. ([#5693](https://togithub.com/cert-manager/cert-manager/pull/5693), [@SgtCoDFish](https://togithub.com/SgtCoDFish))
- Ingress and Gateway resources will not be synced if deleted via [foreground cascading](https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion). ([#5878](https://togithub.com/cert-manager/cert-manager/pull/5878), [@avi-08](https://togithub.com/avi-08))
- The auto-retry mechanism added in VCert 4.23.0 and part of cert-manager 1.11.0 ([#5674](https://togithub.com/cert-manager/cert-manager/issues/5674)) has been found to be faulty. Until this issue is fixed upstream, we now use a patched version of VCert. This patch will slowdown the issuance of certificates by 9% in case of heavy load on TPP. We aim to release at an ulterior date a patch release of cert-manager to fix this slowdown. ([#5805](https://togithub.com/cert-manager/cert-manager/pull/5805), [@inteon](https://togithub.com/inteon))
- Upgrade to go 1.19.6 along with newer helm and containerd versions and updated base images ([#5813](https://togithub.com/cert-manager/cert-manager/pull/5813), [@SgtCoDFish](https://togithub.com/SgtCoDFish))
- When using the `jks` and `pkcs12` fields on a Certificate resource with a CA issuer that doesn't set the `ca.crt` in the Secret resource, cert-manager no longer loop trying to copy `ca.crt` into `truststore.jks` or `truststore.p12`. ([#5972](https://togithub.com/cert-manager/cert-manager/pull/5972), [@vinzent](https://togithub.com/vinzent))
- When using the `literalSubject` field on a Certificate resource, the IPs, URIs, DNS names, and email addresses segments are now properly compared. ([#5747](https://togithub.com/cert-manager/cert-manager/pull/5747), [@inteon](https://togithub.com/inteon))
##### Other (Cleanup or Flake)
- ACME account registration is now re-verified if account key is manually changed. ([#5949](https://togithub.com/cert-manager/cert-manager/pull/5949), [@TrilokGeer](https://togithub.com/TrilokGeer))
- Add `make go-workspace` target for generating a go.work file for local development ([#5935](https://togithub.com/cert-manager/cert-manager/pull/5935), [@SgtCoDFish](https://togithub.com/SgtCoDFish))
- Added a Makefile target to build a standalone E2E test binary: make e2e-build ([#5804](https://togithub.com/cert-manager/cert-manager/pull/5804), [@wallrj](https://togithub.com/wallrj))
- Bump keystore-go to v4.4.1 to work around an upstream rewrite of history ([#5724](https://togithub.com/cert-manager/cert-manager/pull/5724), [@g-gaston](https://togithub.com/g-gaston))
- Bump the distroless base images ([#5929](https://togithub.com/cert-manager/cert-manager/pull/5929), [@maelvls](https://togithub.com/maelvls))
- Bumps base images ([#5793](https://togithub.com/cert-manager/cert-manager/pull/5793), [@irbekrm](https://togithub.com/irbekrm))
- Cainjector memory improvements: removes second cache of secrets, CRDs, validating/mutatingwebhookconfigurations and APIServices that should reduce memory consumption by about half.
\*\*BREAKING:\*- users who are relying on cainjector to work when `certificates.cert-manager.io` CRD is not installed in the cluster, now need to pass `--watch-certificates=false` flag to cainjector else it will not start.
Users who only use cainjector as cert-manager's internal component and have a large number of `Certificate` resources in cluster can pass `--watch-certificates=false` to avoid cainjector from caching `Certificate` resources and save some memory. ([#5746](https://togithub.com/cert-manager/cert-manager/pull/5746), [@irbekrm](https://togithub.com/irbekrm))
- Cainjector now only reconciles annotated objects of injectable kind. ([#5764](https://togithub.com/cert-manager/cert-manager/pull/5764), [@irbekrm](https://togithub.com/irbekrm))
- Container images are have an OCI source label ([#5722](https://togithub.com/cert-manager/cert-manager/pull/5722), [@james-callahan](https://togithub.com/james-callahan))
- Enable cmctl to be imported by third parties ([#6050](https://togithub.com/cert-manager/cert-manager/pull/6050), [@jetstack-bot](https://togithub.com/jetstack-bot))
- The acmesolver pods created by cert-manager now have `automountServiceAccountToken` turned off. ([#5754](https://togithub.com/cert-manager/cert-manager/pull/5754), [@wallrj](https://togithub.com/wallrj))
- The controller binary now uses much less memory on Kubernetes clusters with large or numerous Secret resources. The controller now ignores the contents of Secrets that aren't relevant to cert-manager. This functionality is currently placed behind `SecretsFilteredCaching` feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver because unlabelled Secret resources that cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with the `controller.cert-manager.io/fao: true` label. ([#5824](https://togithub.com/cert-manager/cert-manager/pull/5824), [@irbekrm](https://togithub.com/irbekrm))
- The controller memory usage has been further decreased by ignoring annotations, labels and managed fields when caching Secret resources. ([#5966](https://togithub.com/cert-manager/cert-manager/pull/5966), [@irbekrm](https://togithub.com/irbekrm))
- The controller now makes fewer calls to the ACME server.
**POTENTIALLY BREAKING**: this PR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. ([#5901](https://togithub.com/cert-manager/cert-manager/pull/5901), [@irbekrm](https://togithub.com/irbekrm))
- The memory usage of the controller has been reduced by only caching the metadata of Pods and Services. ([#5976](https://togithub.com/cert-manager/cert-manager/pull/5976), [@irbekrm](https://togithub.com/irbekrm))
- The number of calls made to the ACME server during the controller startup has been reduced by storing the private key hash in the Issuer's status. ([#6006](https://togithub.com/cert-manager/cert-manager/pull/6006), [@vidarno](https://togithub.com/vidarno))
- Updates Kubernetes libraries to `v0.26.2`. ([#5820](https://togithub.com/cert-manager/cert-manager/pull/5820), [@lucacome](https://togithub.com/lucacome))
- Updates Kubernetes libraries to `v0.26.3`. ([#5907](https://togithub.com/cert-manager/cert-manager/pull/5907), [@lucacome](https://togithub.com/lucacome))
- Updates Kubernetes libraries to `v0.27.1`. ([#5961](https://togithub.com/cert-manager/cert-manager/pull/5961), [@lucacome](https://togithub.com/lucacome))
- Updates base images ([#5832](https://togithub.com/cert-manager/cert-manager/pull/5832), [@irbekrm](https://togithub.com/irbekrm))
- Upgrade to Go 1.20 ([#5969](https://togithub.com/cert-manager/cert-manager/pull/5969), [@wallrj](https://togithub.com/wallrj))
- Upgrade to go 1.19.5 ([#5712](https://togithub.com/cert-manager/cert-manager/pull/5712), [@yanggangtony](https://togithub.com/yanggangtony))
- Validates that `certificate.spec.secretName` is a valid `Secret` name ([#5967](https://togithub.com/cert-manager/cert-manager/pull/5967), [@avi-08](https://togithub.com/avi-08))
- We are now testing with Kubernetes v1.27.1 by default. ([#5979](https://togithub.com/cert-manager/cert-manager/pull/5979), [@irbekrm](https://togithub.com/irbekrm))
- `certificate.spec.secretName` Secrets will now be labelled with `controller.cert-manager.io/fao` label ([#5660](https://togithub.com/cert-manager/cert-manager/pull/5660), [@irbekrm](https://togithub.com/irbekrm))
##### Uncategorized
- We have replaced our python boilerplate checker with an installed Go version, removing the need to have Python installed when developing or building cert-manager. ([#6000](https://togithub.com/cert-manager/cert-manager/pull/6000), [@SgtCoDFish](https://togithub.com/SgtCoDFish))
Configuration
📅 Schedule: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
v1.11.2
->v1.12.0
Release Notes
cert-manager/cert-manager
### [`v1.12.0`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.12.0) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.11.2...v1.12.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. cert-manager v1.12 brings support for JSON logging, a lower memory footprint, support for ephemeral service account tokens with Vault, improved dependency management and support for the ingressClassName field. ### Community Thanks again to all open-source contributors with commits in this release, including: - [@malovme](https://togithub.com/malovme) - [@e96wic](https://togithub.com/e96wic) - [@ExNG](https://togithub.com/ExNG) - [@waterfoul](https://togithub.com/waterfoul) - [@jkroepke](https://togithub.com/jkroepke) - [@andrewsomething](https://togithub.com/andrewsomething) - [@yulng](https://togithub.com/yulng) - [@tobotg](https://togithub.com/tobotg) - [@maumontesilva](https://togithub.com/maumontesilva) - [@avi-08](https://togithub.com/avi-08) - [@vinzent](https://togithub.com/vinzent) - [@TrilokGeer](https://togithub.com/TrilokGeer) - [@g-gaston](https://togithub.com/g-gaston) - [@james-callahan](https://togithub.com/james-callahan) - [@lucacome](https://togithub.com/lucacome) - [@yanggangtony](https://togithub.com/yanggangtony) - [@vidarno](https://togithub.com/vidarno) - [@ctrought](https://togithub.com/ctrought) - [@Robfz](https://togithub.com/Robfz) - [@dsonck92](https://togithub.com/dsonck92) - [@rayandas](https://togithub.com/rayandas) - [@olekfur](https://togithub.com/olekfur) - [@ptrc-n](https://togithub.com/ptrc-n) - [@bradjones1](https://togithub.com/bradjones1) - [@gdvalle](https://togithub.com/gdvalle) Thanks also to the following cert-manager maintainers for their contributions during this release: - [@inteon](https://togithub.com/inteon) - [@wallrj](https://togithub.com/wallrj) - [@maelvls](https://togithub.com/maelvls) - [@SgtCoDFish](https://togithub.com/SgtCoDFish) - [@irbekrm](https://togithub.com/irbekrm) - [@jakexks](https://togithub.com/jakexks) - [@JoshVanL](https://togithub.com/JoshVanL) - [@munnerz](https://togithub.com/munnerz) Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack, joined our meetings and talked to us at Kubecon! Special thanks to [@erikgb](https://togithub.com/erikgb) for continuously great input and feedback and to [@lucacome](https://togithub.com/lucacome) for always ensuring that our kube deps are up to date! Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://togithub.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Jetstack](https://www.jetstack.io/) (by [Venafi](https://www.venafi.com/)) for contributing developer time and resources towards the continued maintenance of cert-manager projects. #### Changes by Kind ##### Feature - **POTENTIALLY BREAKING**: the cert-manager binaries and some tests have been split into separate Go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. If you import cert-manager binaries, integration tests or end-to-end tests in Go, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details. ([#5880](https://togithub.com/cert-manager/cert-manager/pull/5880), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - Added support for JSON logging (using --logging-format=json) ([#5828](https://togithub.com/cert-manager/cert-manager/pull/5828), [@malovme](https://togithub.com/malovme)) - Added the `--concurrent-workers` flag that lets you control the number of concurrent workers for each of our controllers. ([#5936](https://togithub.com/cert-manager/cert-manager/pull/5936), [@inteon](https://togithub.com/inteon)) - Adds `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. ([#5801](https://togithub.com/cert-manager/cert-manager/pull/5801), [@malovme](https://togithub.com/malovme)) - Cainjector: - New flags were added to the cainjector binary. They can be used to modify what injectable kinds are enabled. If cainjector is only used as a cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectable resources; disabling the rest can improve memory consumption. By default all are enabled. - The `--watch-certs` flag was renamed to `--enable-certificates-data-source`. ([#5766](https://togithub.com/cert-manager/cert-manager/pull/5766), [@irbekrm](https://togithub.com/irbekrm)) - Helm: Added PodDisruptionBudgets for cert-manager components to the Helm chart (disabled by default). ([#3931](https://togithub.com/cert-manager/cert-manager/pull/3931), [@e96wic](https://togithub.com/e96wic)) - Helm: Egress 6443/TCP is now allowed in the webhook. This is required for OpenShift and OKD clusters for which the Kubernetes API server listens on port 6443 instead of 443. ([#5788](https://togithub.com/cert-manager/cert-manager/pull/5788), [@ExNG](https://togithub.com/ExNG)) - Helm: you can now add volumes and volume mounts via Helm variables for the cainjector, webhook, and startupapicheck. ([#5668](https://togithub.com/cert-manager/cert-manager/pull/5668), [@waterfoul](https://togithub.com/waterfoul)) - Helm: you can now enable the flags `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` through Helm values. ([#5614](https://togithub.com/cert-manager/cert-manager/pull/5614), [@jkroepke](https://togithub.com/jkroepke)) - The DigitalOcean issuer now sets a cert-manager user agent string. ([#5869](https://togithub.com/cert-manager/cert-manager/pull/5869), [@andrewsomething](https://togithub.com/andrewsomething)) - The HTTP-01 solver can now be configured to create Ingresses with an `ingressClassName`. The credit goes to [@dsonck92](https://togithub.com/dsonck92) for implementing the initial PR. ([#5849](https://togithub.com/cert-manager/cert-manager/pull/5849), [@maelvls](https://togithub.com/maelvls)) - The Vault issuer can now be used with ephemeral Kubernetes tokens. With the new `serviceAccountRef` field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`. ([#5502](https://togithub.com/cert-manager/cert-manager/pull/5502), [@maelvls](https://togithub.com/maelvls)) - The cert-manager controller container of the controller Pod now has a `/livez` endpoint and a default liveness probe, which fails if leader election has been lost and for some reason the process has not exited. The liveness probe is disabled by default. ([#5962](https://togithub.com/cert-manager/cert-manager/pull/5962), [@wallrj](https://togithub.com/wallrj)) - Upgraded Gateway API to v0.6.0. ([#5768](https://togithub.com/cert-manager/cert-manager/pull/5768), [@yulng](https://togithub.com/yulng)) - Webhook now logs requests to mutating/validating webhook (with `--v=5` flag) ([#5975](https://togithub.com/cert-manager/cert-manager/pull/5975), [@tobotg](https://togithub.com/tobotg)) ##### Design - Certificate issuances are always failed (and retried with a backoff) for denied or invalid CertificateRequests. This is not necessarily a breaking change as due to a race condition this may already have been the case. ([#5887](https://togithub.com/cert-manager/cert-manager/pull/5887), [@irbekrm](https://togithub.com/irbekrm)) - The cainjector controller can now use server-side apply to patch mutatingwebhookconfigurations, validatingwebhookconfigurations, apiservices, and customresourcedefinitions. This feature is currently in alpha and is not enabled by default. To enable server-side apply for the cainjector, add the flag --feature-gates=ServerSideApply=true to the deployment. ([#5991](https://togithub.com/cert-manager/cert-manager/pull/5991), [@inteon](https://togithub.com/inteon)) ##### Documentation - Helm: the dead links in `values.yaml` are now working ([#5999](https://togithub.com/cert-manager/cert-manager/pull/5999), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) ##### Bug or Regression - Cmctl renew now prints an error message unless Certificate name(s) or --all are supplied ([#5896](https://togithub.com/cert-manager/cert-manager/pull/5896), [@maumontesilva](https://togithub.com/maumontesilva)) - Cmctl: In order work around a hardcoded Kubernetes version in Helm, we now use a fake kube-apiserver version when generating the helm template when running `cmctl x install`. ([#5720](https://togithub.com/cert-manager/cert-manager/pull/5720), [@irbekrm](https://togithub.com/irbekrm)) - Fix development environment and go vendoring on Linux arm64. ([#5810](https://togithub.com/cert-manager/cert-manager/pull/5810), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - Fix ordering of remote git tags when preparing integration tests ([#5910](https://togithub.com/cert-manager/cert-manager/pull/5910), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - Helm: the flag `--acme-http01-solver-image` given to the variable `acmesolver.extraArgs` now has precedence over the variable `acmesolver.image`. ([#5693](https://togithub.com/cert-manager/cert-manager/pull/5693), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - Ingress and Gateway resources will not be synced if deleted via [foreground cascading](https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion). ([#5878](https://togithub.com/cert-manager/cert-manager/pull/5878), [@avi-08](https://togithub.com/avi-08)) - The auto-retry mechanism added in VCert 4.23.0 and part of cert-manager 1.11.0 ([#5674](https://togithub.com/cert-manager/cert-manager/issues/5674)) has been found to be faulty. Until this issue is fixed upstream, we now use a patched version of VCert. This patch will slowdown the issuance of certificates by 9% in case of heavy load on TPP. We aim to release at an ulterior date a patch release of cert-manager to fix this slowdown. ([#5805](https://togithub.com/cert-manager/cert-manager/pull/5805), [@inteon](https://togithub.com/inteon)) - Upgrade to go 1.19.6 along with newer helm and containerd versions and updated base images ([#5813](https://togithub.com/cert-manager/cert-manager/pull/5813), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - When using the `jks` and `pkcs12` fields on a Certificate resource with a CA issuer that doesn't set the `ca.crt` in the Secret resource, cert-manager no longer loop trying to copy `ca.crt` into `truststore.jks` or `truststore.p12`. ([#5972](https://togithub.com/cert-manager/cert-manager/pull/5972), [@vinzent](https://togithub.com/vinzent)) - When using the `literalSubject` field on a Certificate resource, the IPs, URIs, DNS names, and email addresses segments are now properly compared. ([#5747](https://togithub.com/cert-manager/cert-manager/pull/5747), [@inteon](https://togithub.com/inteon)) ##### Other (Cleanup or Flake) - ACME account registration is now re-verified if account key is manually changed. ([#5949](https://togithub.com/cert-manager/cert-manager/pull/5949), [@TrilokGeer](https://togithub.com/TrilokGeer)) - Add `make go-workspace` target for generating a go.work file for local development ([#5935](https://togithub.com/cert-manager/cert-manager/pull/5935), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - Added a Makefile target to build a standalone E2E test binary: make e2e-build ([#5804](https://togithub.com/cert-manager/cert-manager/pull/5804), [@wallrj](https://togithub.com/wallrj)) - Bump keystore-go to v4.4.1 to work around an upstream rewrite of history ([#5724](https://togithub.com/cert-manager/cert-manager/pull/5724), [@g-gaston](https://togithub.com/g-gaston)) - Bump the distroless base images ([#5929](https://togithub.com/cert-manager/cert-manager/pull/5929), [@maelvls](https://togithub.com/maelvls)) - Bumps base images ([#5793](https://togithub.com/cert-manager/cert-manager/pull/5793), [@irbekrm](https://togithub.com/irbekrm)) - Cainjector memory improvements: removes second cache of secrets, CRDs, validating/mutatingwebhookconfigurations and APIServices that should reduce memory consumption by about half. \*\*BREAKING:\*- users who are relying on cainjector to work when `certificates.cert-manager.io` CRD is not installed in the cluster, now need to pass `--watch-certificates=false` flag to cainjector else it will not start. Users who only use cainjector as cert-manager's internal component and have a large number of `Certificate` resources in cluster can pass `--watch-certificates=false` to avoid cainjector from caching `Certificate` resources and save some memory. ([#5746](https://togithub.com/cert-manager/cert-manager/pull/5746), [@irbekrm](https://togithub.com/irbekrm)) - Cainjector now only reconciles annotated objects of injectable kind. ([#5764](https://togithub.com/cert-manager/cert-manager/pull/5764), [@irbekrm](https://togithub.com/irbekrm)) - Container images are have an OCI source label ([#5722](https://togithub.com/cert-manager/cert-manager/pull/5722), [@james-callahan](https://togithub.com/james-callahan)) - Enable cmctl to be imported by third parties ([#6050](https://togithub.com/cert-manager/cert-manager/pull/6050), [@jetstack-bot](https://togithub.com/jetstack-bot)) - The acmesolver pods created by cert-manager now have `automountServiceAccountToken` turned off. ([#5754](https://togithub.com/cert-manager/cert-manager/pull/5754), [@wallrj](https://togithub.com/wallrj)) - The controller binary now uses much less memory on Kubernetes clusters with large or numerous Secret resources. The controller now ignores the contents of Secrets that aren't relevant to cert-manager. This functionality is currently placed behind `SecretsFilteredCaching` feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver because unlabelled Secret resources that cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with the `controller.cert-manager.io/fao: true` label. ([#5824](https://togithub.com/cert-manager/cert-manager/pull/5824), [@irbekrm](https://togithub.com/irbekrm)) - The controller memory usage has been further decreased by ignoring annotations, labels and managed fields when caching Secret resources. ([#5966](https://togithub.com/cert-manager/cert-manager/pull/5966), [@irbekrm](https://togithub.com/irbekrm)) - The controller now makes fewer calls to the ACME server. **POTENTIALLY BREAKING**: this PR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. ([#5901](https://togithub.com/cert-manager/cert-manager/pull/5901), [@irbekrm](https://togithub.com/irbekrm)) - The memory usage of the controller has been reduced by only caching the metadata of Pods and Services. ([#5976](https://togithub.com/cert-manager/cert-manager/pull/5976), [@irbekrm](https://togithub.com/irbekrm)) - The number of calls made to the ACME server during the controller startup has been reduced by storing the private key hash in the Issuer's status. ([#6006](https://togithub.com/cert-manager/cert-manager/pull/6006), [@vidarno](https://togithub.com/vidarno)) - Updates Kubernetes libraries to `v0.26.2`. ([#5820](https://togithub.com/cert-manager/cert-manager/pull/5820), [@lucacome](https://togithub.com/lucacome)) - Updates Kubernetes libraries to `v0.26.3`. ([#5907](https://togithub.com/cert-manager/cert-manager/pull/5907), [@lucacome](https://togithub.com/lucacome)) - Updates Kubernetes libraries to `v0.27.1`. ([#5961](https://togithub.com/cert-manager/cert-manager/pull/5961), [@lucacome](https://togithub.com/lucacome)) - Updates base images ([#5832](https://togithub.com/cert-manager/cert-manager/pull/5832), [@irbekrm](https://togithub.com/irbekrm)) - Upgrade to Go 1.20 ([#5969](https://togithub.com/cert-manager/cert-manager/pull/5969), [@wallrj](https://togithub.com/wallrj)) - Upgrade to go 1.19.5 ([#5712](https://togithub.com/cert-manager/cert-manager/pull/5712), [@yanggangtony](https://togithub.com/yanggangtony)) - Validates that `certificate.spec.secretName` is a valid `Secret` name ([#5967](https://togithub.com/cert-manager/cert-manager/pull/5967), [@avi-08](https://togithub.com/avi-08)) - We are now testing with Kubernetes v1.27.1 by default. ([#5979](https://togithub.com/cert-manager/cert-manager/pull/5979), [@irbekrm](https://togithub.com/irbekrm)) - `certificate.spec.secretName` Secrets will now be labelled with `controller.cert-manager.io/fao` label ([#5660](https://togithub.com/cert-manager/cert-manager/pull/5660), [@irbekrm](https://togithub.com/irbekrm)) ##### Uncategorized - We have replaced our python boilerplate checker with an installed Go version, removing the need to have Python installed when developing or building cert-manager. ([#6000](https://togithub.com/cert-manager/cert-manager/pull/6000), [@SgtCoDFish](https://togithub.com/SgtCoDFish))Configuration
📅 Schedule: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.