Release Notes

v0.13 contains a number of important bug fixes and a few notable feature additions. It is a minor, incremental update over v0.12 and does not require any special upgrade steps.

ACME External Account Binding support

Users that wish to use cert-manager with ACME servers other than Let’s Encrypt may have found themselves unable to register an account due to the lack of External Account Binding (EAB) support. EAB lets an ACME server verify that the person registering an account is associated with some other entity, such as an account in the CA’s customer management system.

With EAB support, it’s now possible to specify the additional parameters (spec.acme.externalAccountBinding) on your ACME Issuer resource and use cert-manager with your preferred ACME provider. The CA issues these as a key ID and a MAC key; the MAC key is a credential and should be treated as one, since whoever holds it can bind ACME accounts to your CA account.
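To make concrete what those externalAccountBinding parameters actually bind, here is an added example of both sides of the RFC 8555 section 7.3.4 exchange in Go, using only the standard library. It is not cert-manager’s code and not the golang.org/x/crypto/acme client that cert-manager uses: the client MACs the JWK of its ACME account key under the CA-issued key ID and MAC key, and the server recomputes that MAC, pins the newAccount URL, and checks that the bound key is the one that signed the outer request before creating the account. The key ID, MAC key and URL values are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url throughout
// eabJWS is the "externalAccountBinding" object in a newAccount request (RFC 8555, 7.3.4).
type eabJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// eabHeader is its protected header: MAC algorithm, CA-issued key ID, newAccount URL.
type eabHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	URL string `json:"url"`
}

func newAccountKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails on a broken RNG
	return k
}

// accountJWK renders the account public key as a JWK; this is what the MAC key signs.
func accountJWK(pub *ecdsa.PublicKey) []byte {
	n := (pub.Curve.Params().BitSize + 7) / 8
	out, _ := json.Marshal(map[string]string{ // map keys marshal sorted: crv, kty, x, y
		"crv": "P-256", "kty": "EC",
		"x":   b64.EncodeToString(pub.X.FillBytes(make([]byte, n))),
		"y":   b64.EncodeToString(pub.Y.FillBytes(make([]byte, n))),
	})
	return out
}

// signEAB is the client side: HS256 over base64url(header).base64url(JWK) with the
// MAC key the CA issued together with keyID.
func signEAB(keyID string, macKey []byte, newAccountURL string, pub *ecdsa.PublicKey) eabJWS {
	hdr, _ := json.Marshal(eabHeader{Alg: "HS256", Kid: keyID, URL: newAccountURL}) // strings only, cannot fail
	protected, payload := b64.EncodeToString(hdr), b64.EncodeToString(accountJWK(pub))
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(protected + "." + payload))
	return eabJWS{protected, payload, b64.EncodeToString(mac.Sum(nil))}
}

// verifyEAB is the server side: look the MAC key up by kid, pin the URL, recompute the
// HMAC, and confirm the bound JWK is the key that signed the outer newAccount request.
func verifyEAB(jws eabJWS, lookup func(kid string) ([]byte, bool), newAccountURL string, outerJWK []byte) error {
	var hdr eabHeader
	if raw, err := b64.DecodeString(jws.Protected); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return errors.New("eab: malformed protected header")
	}
	if hdr.Alg != "HS256" { // the server, never the client, decides the algorithm
		return errors.New("eab: unsupported alg " + hdr.Alg)
	}
	if hdr.URL != newAccountURL {
		return errors.New("eab: protected url does not match this endpoint")
	}
	macKey, ok := lookup(hdr.Kid)
	if !ok {
		return errors.New("eab: unknown kid " + hdr.Kid)
	}
	sig, err1 := b64.DecodeString(jws.Signature)
	payload, err2 := b64.DecodeString(jws.Payload)
	if err1 != nil || err2 != nil {
		return errors.New("eab: malformed base64url")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(jws.Protected + "." + jws.Payload))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("eab: bad signature")
	}
	if string(payload) != string(outerJWK) { // production servers compare JWK thumbprints
		return errors.New("eab: bound key is not the key that signed this request")
	}
	return nil
}

func main() {
	acct := newAccountKey()
	macKey := []byte("constructed-32-byte-mac-key-0001") // stands in for the CA-issued EAB key
	url := "https://acme.example.test/new-account"       // assumed newAccount URL
	jws := signEAB("kid-1", macKey, url, &acct.PublicKey)
	lookup := func(kid string) ([]byte, bool) { return macKey, kid == "kid-1" }
	fmt.Println("verify:", verifyEAB(jws, lookup, url, accountJWK(&acct.PublicKey)))
}
```

The point to take from the server side is that the MAC key proves possession of a CA-side credential, nothing more: it does not authenticate the ACME request itself, which is why the server must also check that the JWK inside the binding is the key that signed the outer newAccount JWS.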

Support for full set of x509 ‘subject’ parameters

This release adds support for the full range of ‘subject’ fields defined by the x509 specification. This means you can now set organizationalUnit, provinces, serialNumber, country and all the other standard x509 subject fields on a Certificate resource.

A big thanks to @mathianasj for this addition!

InvalidRequest status condition for CertificateRequest resources

For the growing ecosystem of developers creating their own ‘external issuer types’ for cert-manager, we have added a new ‘status condition’ type, InvalidRequest. Your signer/issuer can set it to signal to cert-manager that the parameters the user has requested in the x509 CSR are ‘invalid’ and that the request should not be retried.

This prevents users from expending API quota on requests that will never succeed. Use it only for faults that are properties of the request itself; a transient failure in your signing backend should still leave the request retriable.
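The full subject support and the InvalidRequest condition meet at the CSR that cert-manager hands to an issuer, so one added Go example (not cert-manager’s code, not a real external-issuer controller, standard library only) covers both: it builds a CSR carrying every one of the subject fields above, then shows the classification an external issuer would make. Faults that are properties of the request itself (a CSR that does not parse, a signature that does not verify, a subject organisation outside an allow-list, a SAN outside the permitted zone) are terminal and map to InvalidRequest; a signing-backend failure is the only outcome that should be retried. The Verdict names, the Policy struct, the organisation and zone values and the subject contents are all assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// Verdict is what a hypothetical external issuer reports back on the CertificateRequest.
type Verdict string

const (
	Accept         Verdict = "Accept"         // request passes policy
	InvalidRequest Verdict = "InvalidRequest" // terminal: set the condition, never retry
	Retry          Verdict = "Retry"          // transient signer failure: requeue
)

// Policy is a constructed example of what a signer might enforce.
type Policy struct {
	AllowedOrgs      []string // subject O must be one of these
	AllowedDNSSuffix string   // every dNSName SAN must end with this
}

// newKey generates a P-256 key for the requester.
func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails on a broken RNG
	return k
}

// buildCSR creates a CSR carrying the full set of subject fields a Certificate can now express.
func buildCSR(key crypto.Signer, org string, dnsNames []string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:         dnsNames[0],
			Organization:       []string{org},
			OrganizationalUnit: []string{"Platform"},
			Country:            []string{"GB"},
			Province:           []string{"Greater London"},
			Locality:           []string{"London"},
			StreetAddress:      []string{"1 Example Street"},
			PostalCode:         []string{"EC1A 1AA"},
			SerialNumber:       "device-0001",
		},
		DNSNames: dnsNames,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkCSR decides whether a CSR can ever be signed under the policy; every failure is terminal.
func checkCSR(der []byte, p Policy) (Verdict, string) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return InvalidRequest, "not a valid CSR: " + err.Error()
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return InvalidRequest, "CSR signature does not verify: " + err.Error()
	}
	orgOK := false
	for _, o := range csr.Subject.Organization {
		for _, a := range p.AllowedOrgs {
			orgOK = orgOK || o == a
		}
	}
	if !orgOK {
		return InvalidRequest, fmt.Sprintf("subject O=%v is not in the allow-list", csr.Subject.Organization)
	}
	for _, d := range csr.DNSNames {
		if !strings.HasSuffix(d, p.AllowedDNSSuffix) {
			return InvalidRequest, "dNSName " + d + " is outside " + p.AllowedDNSSuffix
		}
	}
	return Accept, ""
}

// issue runs the policy check, then the (hypothetical) signing backend; only a backend error may requeue.
func issue(der []byte, p Policy, sign func([]byte) ([]byte, error)) (Verdict, string) {
	if v, reason := checkCSR(der, p); v != Accept {
		return v, reason
	}
	if _, err := sign(der); err != nil {
		return Retry, "signer unavailable: " + err.Error()
	}
	return Accept, "issued"
}

func main() {
	policy := Policy{AllowedOrgs: []string{"Example Corp"}, AllowedDNSSuffix: ".example.test"}
	down := func([]byte) ([]byte, error) { return nil, fmt.Errorf("HSM unreachable") }
	for _, host := range []string{"svc.example.test", "svc.attacker.test"} {
		der, _ := buildCSR(newKey(), "Example Corp", []string{host})
		fmt.Println(issue(der, policy, down)) // first host: Retry; second host: InvalidRequest
	}
}
```

The ordering in issue is deliberate: the policy check runs before the backend is contacted, so a request that can never succeed is marked InvalidRequest even while the signer is down, and never consumes a retry or a unit of upstream quota.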

Bug Fixes

  • Fix invalid service account name used in RBAC resources when manually specifying a service account name (#2509, @castlemilk)
  • Fix a bug that in certain cases could cause HTTP01 ingress serviceName fields to be incorrectly set (#2460, @greywolve)
  • Fix bug causing ever-increasing CPU usage in webhook component (#2467, @munnerz)
  • Fix bug causing temporary certificates to overwrite previously issued certificates when adding a new dnsName to an existing Certificate resource (#2469, @munnerz)
  • Fix certmanager_certificate_expiration_timestamp_seconds metric recording (#2416, @munnerz)
  • Fix ClusterIssuers using the Venafi issuer type not finding their Secret when it is in a different namespace from the CertificateRequest (#2520, @mathianasj)
  • Fix generation of an invalid certificate name when the 52nd character of a domain name is a symbol (#2516, @meyskens)

Other Notable Changes

  • Adds InvalidRequest condition type to CertificateRequest, signaling to not retry the request. (#2508, @JoshVanL)
  • Add volume and volume mounts field to cert-manager helm chart (#2504, @joshuastern)
  • Add support for additional x509 ‘subject’ fields (#2518, @mathianasj)
  • Bump k8s.io/* dependencies to Kubernetes 1.17.0 (#2452, @munnerz)
  • It is now possible to disable AppArmor when Pod Security Policies are used. (#2489, @czunker)
  • Support for arbitrary securityContext parameters (#2455, @nefischer)
  • Remove misleading ‘error decoding x509 certificate’ message (#2470, @munnerz)
  • Remove IP address validation on dns01-recursive-nameservers to allow domain names (#2428, @haines)
  • Optional webhook.securityContext and cainjector.securityContext chart parameters to specify the pods’ security context (#2449, @nefischer)
  • webhook: register HTTP handlers for pprof debug endpoints (#2450, @munnerz)
  • Adds support for chart configurable parameters deploymentAnnotations, webhook.deploymentAnnotations and cainjector.deploymentAnnotations (#2447, @nefischer)
  • Adds ACME external account binding support (#2392, @JoshVanL)
  • Fix false-y values in helm chart to mitigate kubernetes/kubernetes#66450 (#2383, @colek42)
  • Explicitly define containerPort protocol in helm chart (#2405, @bouk)
  • Switch to using upstream golang.org/x/crypto/acme ACME client library (#2422, @munnerz)