cert-manager - v1.6.2
Changelog since v1.6.1
In 1.6.2, we have reverted a change that caused a regression in the ACME Issuer. Before 1.5, the Ingress created by cert-manager while solving an HTTP-01 challenge contained the kubernetes.io/ingress.class annotation:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: istio # The `class` present on the Issuer.
After 1.5, the Ingress does not contain the annotation anymore. Instead, cert-manager uses the ingressClassName field:
apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
ingressClassName: istio # 🔥 Breaking change!
This broke many users that either don't use an Ingress controller that supports the field (such as ingress-gce and Azure AGIC), as well as people who did not need to create an IngressClass previously (such as with Istio and Traefik).
The regression is present in cert-manager 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1. It is only present on Kubernetes 1.19+ and only appears when using an Issuer or ClusterIssuer with an ACME HTTP-01 solver configured.
In 1.7, we have restored the original behavior which is to use the annotation. We will also backport this fix to 1.5.5 and 1.6.4, allowing people to upgrade safely.
Most people won't have any trouble upgrading from a version that contains the regression to 1.7.0, 1.6.4 or 1.5.5. If you are using Gloo, Contour, Skipper, or kube-ingress-aws-controller, you shouldn't have any issues. If you use the default "class" (e.g., istio for Istio) for Traefik, Istio, Ambassador, or ingress-nginx, then these should also continue to work without issue.
If you are using Traefik, Istio, Ambassador, or ingress-nginx and you are using a non-default value for the class (e.g., istio-internal), or if you experience any issues with your HTTP-01 challenges please read the notes on Ingress v1 compatibility.
Changes by Kind
Bug or Regression
- Fixes an issue in
cmctlthat prevented displaying the Order resource with cert-manager
1.6 when runningcmctl status certificate. (#4572, @jetstack-bot) - The HTTP-01 ACME solver now uses the
kubernetes.io/ingress.classannotation instead of the
spec.ingressClassNamein created Ingress resources. (#4785, @jetstack-bot)
Other (Cleanup or Flake)
- Bump base images to latest versions (#4707, @SgtCoDFish)
- Ensures 1 hour backoff between errored calls for new ACME Orders. (#4619, @jetstack-bot)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Details
- 🔍View and search all cert-manager releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!