Release Notes
The v0.13
contains a number of important bug-fixes and a few notable feature additions. It is a minor, incremental
update over v0.12
and does not require any special upgrade steps.
ACME External Account Binding support
Users that wish to use cert-manager with ACME servers other than Let’s Encrypt may have found themselves unable to register an account due to the lack of (EAB) ‘External Account Binding’ support. This allows an ACME server to validate that a user is somehow associated with some other entity, like an account in the CAs customer management system.
With EAB support, it’s now possible to specify additional parameters (spec.acme.externalAccountBinding
) on your ACME
Issuer resource and utilize cert-manager with your preferred ACME provider.
Support for full set of x509 ‘subject’ parameters
In this release, support for the full range of ‘subject’ parameters as per the x509 specification has been added.
This means you can set fields like organizationalUnit
, provinces
, serialNumber
, country
, and all other standard
x509 subject fields.
A big thanks to @mathianasj
for this addition!
InvalidRequest
status condition for CertificateRequest
resources
For the growing ecosystem of developers creating their own ‘external issuer types’ for cert-manager, we have added
support for a new ‘status condition’ type InvalidRequest
- this can be used to signal from your signer/issuer to
cert-manager that the parameters that the user has requested on the x509 CSR are ‘invalid’ and the CSR should not
be retried.
This prevents users expending API quotas and making requests that will never succeed.
Bug Fixes
- Fix invalid service account name used in RBAC resources when manually specifying a service account name (#2509,
@castlemilk
) - fixed a bug that in certain cases could cause HTTP01 ingress
serviceName
fields to be incorrectly set (#2460,@greywolve
) - Fix bug causing ever-increasing CPU usage in webhook component (#2467,
@munnerz
) - Fix bug causing temporary certificates to overwrite previously issued certificates when adding a new
dnsName
to an existing Certificate resource (#2469,@munnerz
) - Fix
certmanager_certificate_expiration_timestamp_seconds
metric recording (#2416,@munnerz
) - Fixes
ClusterIssuers
not finding the secret when the secret is in a different namespace than the certificate request using the Venafi issuer type (#2520,@mathianasj
) - Fixes generation if invalid certificate name the the 52nd character in a domain name is a symbol. (#2516,
@meyskens
)
Other Notable Changes
- Adds
InvalidRequest
condition type toCertificateRequest
, signaling to not retry the request. (#2508,@JoshVanL
) - Add volume and volume mounts field to cert-manager helm chart (#2504,
@joshuastern
) - Add support for additional x509 ‘subject’ fields (#2518,
@mathianasj
) - Bump
k8s.io/*
dependencies to Kubernetes 1.17.0 (#2452,@munnerz
) - It is now possible to disable
AppArmor
when Pod Security Policies are used. (#2489,@czunker
) - Support for arbitrary
securityContext
parameters (#2455,@nefischer
) - Remove misleading ‘error decoding x509 certificate’ message (#2470,
@munnerz
) - Remove IP address validation on
dns01-recursive-nameservers
to allow domain names (#2428,@haines
) - Optional
webhook.securityContext
andcainjector.securityContext
chart parameters to specify pods security context. (#2449,@nefischer
) - webhook: register HTTP handlers for
pprof
debug endpoints (#2450,@munnerz
) - Adds support for chart configurable parameters
deploymentAnnotations
,webhook.deploymentAnnotations
andcainjector.deploymentAnnotations
(#2447,@nefischer
) - Adds ACME external account binding support (#2392,
@JoshVanL
) - Fix false-y values in helm chart to mitigate
kubernetes/kubernetes#66450
(#2383,@colek42
) - Explicitly define
containerPort
protocol in helm chart (#2405,@bouk
) - Switch to using upstream
golang.org/x/crypto/acme
ACME client library (#2422,@munnerz
)