cert-manager - v1.13.0-beta.0


Welcome to the first beta of the coming 1.13 release!

🌟 This version is a pre-release version intended for testing. It might not be suitable for production use.

Changes since v1.13.0-alpha.0

Feature gate promotions

  • Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). (#6298, @inteon)

Feature

  • Add view permissions to the well-known (OpenShift) user-facing cluster-reader aggregated cluster role (#6241, @erikgb)
  • Certificate Shim: distinguish DNS names and IP addresses in certificates (#6267, @zhangzhiqiangcs)
  • Make enableServiceLinks configurable for all Deployments and startupapicheck Job in Helm chart. (#6292, @ubergesundheit)
  • The cert-manager controller options are now configurable using a configuration file. (#5337, @AcidLeroy)
  • The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. (#6199, @inteon)
  • [helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings (#6110, @jkroepke)
  • Add support for logging options to webhook config file. (#6243, @inteon)

Bug or Regression

  • Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null (#6087, @rouke-broersma)
  • BUGFIX[cainjector]: 1-character bug was causing invalid log messages and a memory leak (#6232, @inteon)
  • Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. (#6220, @ubergesundheit)
  • Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains (#6191, @Richardds)
  • Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's net.IP.String() function would have printed that address. (#6293, @SgtCoDFish)
  • ⚠️ possibly breaking: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource; the encoded CSR can never contain more usages than those defined there. (#6182, @inteon)
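
The IP address comparison fix listed above (#6293) concerns a failure mode that is easy to reproduce: comparing addresses as text treats two spellings of one IPv6 address as different. The following Go program is an added illustration, not cert-manager's code; the helper names and sample addresses are hypothetical, and the use of net/netip is an assumption of this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// equalByString compares addresses as text, so two spellings of the same
// address are reported as different.
func equalByString(a, b string) bool { return a == b }

// tally parses each address and adds delta to its count. Unmap() folds
// IPv4-mapped IPv6 (::ffff:192.0.2.10) onto plain IPv4.
func tally(counts map[netip.Addr]int, addrs []string, delta int) error {
	for _, s := range addrs {
		ip, err := netip.ParseAddr(s)
		if err != nil {
			return fmt.Errorf("parse %q: %w", s, err)
		}
		counts[ip.Unmap()] += delta
	}
	return nil
}

// sameIPSet reports whether two lists hold the same addresses, ignoring
// order and textual spelling (hypothetical helper, not a cert-manager API).
func sameIPSet(want, got []string) (bool, error) {
	counts := map[netip.Addr]int{}
	if err := tally(counts, want, 1); err != nil {
		return false, err
	}
	if err := tally(counts, got, -1); err != nil {
		return false, err
	}
	for _, n := range counts {
		if n != 0 {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed sample values: requested addresses vs. IP SANs as printed.
	requested := []string{"2001:db8:0:0:0:0:0:1", "192.0.2.10"}
	issued := []string{"192.0.2.10", "2001:db8::1"}
	fmt.Println("string compare:", equalByString(requested[0], issued[1]))
	ok, err := sameIPSet(requested, issued)
	fmt.Println("parsed compare:", ok, err)
}
```
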

Other (Cleanup or Flake)

  • A subset of the klog flags has been deprecated and will be removed in the future. (#5879, @maelvls)
  • Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource (#6168, @inteon)
  • Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. (#6156, @kahirokunn)
  • Cleanup the controller configfile structure by introducing sub-structs. (#6242, @inteon)
  • Helm: Add Apache 2.0 license annotation (#6225, @arukiidou)
  • Simplified the flag and configfile parsing. (#6244, @inteon)
  • The SecretPostIssuancePolicyChain now also makes sure that the cert-manager.io/common-name, cert-manager.io/alt-names, ... annotations on Secrets are kept at their correct value. (#6176, @inteon)
  • The cmctl logging has been improved and support for JSON logging has been added. (#6247, @inteon)
  • Updates Kubernetes libraries to v0.27.4. (#6227, @lucacome)
  • We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. (#6152, @inteon)

Details

date
Sept. 1, 2023, 1:53 p.m.
name
v1.13.0-beta.0
type
Pre-release