Update cert-manager to v1.21.0#205
Open
vshn-renovate wants to merge 1 commit into
Open
Conversation
Signed-off-by: Renovate Bot <tech+renovate@vshn.ch>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.20.3→v1.21.0Warning
Some dependencies could not be looked up. Check the warning logs for more information.
Release Notes
cert-manager/cert-manager (cert-manager)
v1.21.0Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.21 brings ACME Renewal Information (ARI) support, AWS IAM authentication for the Vault issuer, several security hardening changes, and continued improvements to Gateway API integration and cainjector. There are three breaking changes related to Helm chart RBAC and metrics values — review them carefully before upgrading.
Major Themes
Default
tokenrequestRBAC removed from Helm chartThe Helm chart no longer creates a default
RoleandRoleBindinggranting the cert-manager controller permission to create tokens for its own ServiceAccount (serviceaccounts/token: create). No documented workflow requires this RBAC — the Route53 docs section that motivated it was removed in 2024.If you use
serviceAccountRef.namepointing at the controller ServiceAccount, you must now either create your ownRole/RoleBindinggrantingserviceaccounts/token: create, or migrate to a dedicated ServiceAccount (recommended — see the Vault or Route53 documentation).Restrict Challenge and Order RBAC in
cert-manager-editClusterRoleThe
cert-manager-editaggregate ClusterRole no longer grantscreateforchallenges.acme.cert-manager.ioorcreate,patch,updatefororders.acme.cert-manager.io(GHSA-8rvj-mm4h-c258). These resources are internal to cert-manager's ACME workflow. Challengepatchandupdateare retained because users may need them to remove stuck finalizers.This change was already shipped in v1.20.3 and v1.19.6, so if you are running one of those versions this will not be a breaking change. If you have tooling that creates Challenge or Order resources directly, you will need to grant those permissions explicitly.
Metrics port name and path Helm values removed
The Helm values
prometheus.servicemonitor.targetPort,prometheus.servicemonitor.path, andprometheus.podmonitor.pathhave been removed. The controller Service metrics port has been renamed fromtcp-prometheus-servicemonitortohttp-metrics. Because the Helm values schema usesadditionalProperties: false, users who still have any of the removed keys in their values overrides will see a schema validation error on upgrade — remove them before upgrading. (#8952)ACME and Certificate Management
ACMEUseARIfeature gate. When enabled, cert-manager queries the ACME server'srenewalInfoendpoint for the recommended renewal window, allowing servers like Let's Encrypt to proactively prompt renewal during mass revocations or CA key rollovers. (#8798)waitInsteadOfSelfChecksolver option: skip cert-manager's own self-check and instead wait a configured duration before asking the ACME server to validate. An escape hatch for split-horizon DNS and NAT hairpin environments. See configuration details. (#8858)renewalPoliciesfield on the Certificate API provides more expressive control over renewal scheduling, complementingrenewBeforeandrenewBeforePercentage. (#8258)--certificate-request-maximum-backoff-durationflag (default: 32 hours) caps the exponential backoff for failed CertificateRequests, useful for environments with scheduled CA maintenance windows. (#8893)Gateway API and cainjector
acme.cert-manager.io/http01-parentreffallback: "true"annotation causes cert-manager to use the parent Gateway for solver HTTPRoutes instead of the ListenerSet, enabling TLS-only ListenerSets to use a shared HTTP listener for ACME challenges. (#8749)cert-manager.io/ignore-tls-listenersannotation: exclude specific Gateway TLS listeners from certificate management. (#8727)enableGatewayAPIconfiguration restructure:enableGatewayAPIandenableGatewayAPIListenerSetare deprecated in favor ofgatewayAPI.enabled/gatewayAPI.enableListenerSet. The old fields continue to work. (#8732)CAInjectorMergingpromoted to GA: unconditionally enabled; will be removed in a future release. (#8583)ServerSideApplyfeature gate is deprecated. (#8692)--ignore-namespacesflag: skip specified namespaces when watching Secrets for injection. (#8614)Deployment and Observability
AuthFailedIssuer condition reason distinguishes bad credentials from transient errors. PANW NGTS is now supported as a Venafi backend. (#8808, #8779)runtimeClassNamesupport: configurable for cert-manager components and ACME HTTP01 solver pods. (#8791, #8976)startupapicheck.ttlSecondsAfterFinished: opt-in automatic cleanup of the startupapicheck Job. (#8523)--acme-http01-solver-extra-labels: propagateglobal.commonLabelsto dynamically-created ACME HTTP01 solver resources. (#8761)Notable Bug Fixes
renewBeforePercentage: Certificates with durations longer than approximately 3 years were incorrectly rejected or assigned incorrect renewal times. (#8947)..path segments, preventingpath.Joinfrom silently resolving relative segments. (#8930)Community
As always, we'd like to thank all of the community members who helped in this release cycle, including all below who merged a PR and anyone that helped by commenting on issues, testing, or getting involved in cert-manager meetings. We're lucky to have you involved.
A special thanks to:
for their contributions, comments and support!
Also, thanks to the cert-manager maintainer team for their help in this release:
And finally, thanks to the cert-manager steering committee for their feedback in this release cycle:
Changes since v1.20.0
Feature
AuthFailedIssuer condition reason to distinguish bad credentials from transient infrastructure errors. (#8808, @FelixPhipps)certificateRequestMaximumBackoffDurationcontroller configuration option to cap retry backoff time for failed CertificateRequests. Configurable via config file,--certificate-request-maximum-backoff-durationCLI flag, or Helm valueconfig.certificateRequestMaximumBackoffDuration. Defaults to 32 hours for backward compatibility. (#8893, @lunarwhite)waitInsteadOfSelfCheckfield to ACME HTTP01 and DNS01 solvers so cert-manager can skip its own self-check and ask the ACME server to validate after a configured wait. (#8858, @wallrj)runtimeClassNamesupport for cert-manager components and ACME HTTP01 solver pods. (#8791, @jsoref)runtimeClassNamesupport for ACME HTTP01 solver pods via theacmesolver.runtimeClassNameHelm value. (#8976, @erikgb)--acme-http01-solver-extra-labels, allowing Helm'sglobal.commonLabelsto propagate to all dynamically-created ACME HTTP01 solver resources (Pods, Services, Ingresses, or Gateway API HTTPRoutes). (#8761, @lunarwhite)startupapicheck.ttlSecondsAfterFinishedHelm value to enable automatic cleanup of the startupapicheck Job via the Kubernetes TTL-after-finished controller. (#8523, @dap0am)cert-manager.io/ignore-tls-listenersannotation for ignoring gwapi listeners. (#8727, @hjoshi123)--ignore-namespaceswas added to the cainjector binary. It can be used to filter out namespaces from being watched for secrets to use for injectables. (#8614, @figaw)cert-manager.io/alt-names,cert-manager.io/ip-sansto Certificates generated from ingress like objects in cert-shim controllers. (#8927, @jabbrwcky)acme.cert-manager.io/http01-parentreffallback: "true"causes cert-manager to use the parent Gateway as the solver HTTPRoute parentRef instead of the ListenerSet. This enables TLS-only ListenerSets to rely on a shared Gateway HTTP listener for ACME challenges. (#8749, @apkatsikas)Bug or Regression
RoleandRoleBindinggranting the cert-manager controller ServiceAccount permission to create tokens for itself (serviceaccounts/token: create). This RBAC was added in v1.16 (#7213) but no documented workflow requires it, and the motivating Route53 docs section was removed in Oct 2024. If you rely onserviceAccountRef.namepointing at the controller ServiceAccount (an undocumented pattern), you must now create your ownRoleandRoleBindinggrantingserviceaccounts/token: createon that ServiceAccount, or migrate to one of the documented patterns (IRSA ambient, or a dedicated ServiceAccount with its own RBAC). (#8931, @wallrj-cyberark)renewBeforePercentagecalculations that caused Certificates with durations longer than approximately 3 years to be incorrectly rejected by validation or assigned incorrect renewal times. (#8947, @ThatsMrTalbot)parentRefbug when both issuer config and annotations are present. (#8619, @hjoshi123)e2e-setup-samplewebhookinstallation to use the samplewebhook image repository and tag from the saved image tarball manifest. (#8821, @wallrj)webhook.configandwebhook.volumesare defined. (#8664, @jnohlgard)createand Ordercreate/patch/updatefrom the cert-manager-edit aggregate ClusterRole to prevent direct manipulation of these internal resources (GHSA-8rvj-mm4h-c258). (#8958, @wallrj-cyberark)..path segments inspec.vault.pathand auth mount path fields, preventingpath.Joinfrom silently resolving relative segments before constructing the Vault API request. (#8930, @wallrj-cyberark)Other (Cleanup or Flake)
prometheus.servicemonitor.targetPort,prometheus.servicemonitor.path, andprometheus.podmonitor.path. The metrics path is always/metricsand the target port is alwayshttp-metrics. Rename the controller service metrics port fromtcp-prometheus-servicemonitortohttp-metricsfor consistency with other workloads. Users must remove these keys from their value overrides before upgrading. (#8952, @erikgb)enableGatewayAPIandenableGatewayAPIListenerSetfields onControllerConfigurationare deprecated and moved into thegatewayAPIsub-struct asgatewayAPI.enabledandgatewayAPI.enableListenerSet. The old fields continue to work. (#8732, @ThatsMrTalbot)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.