v1.18.0-beta.0

Pre-release
@jetstack-release-bot released this 05 Jun 17:01
99aded1

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ This is a pre-release. Please help the project by testing this release!

📖 Draft release notes: https://release-next--cert-manager.netlify.app/docs/releases/release-notes/release-notes-1.18/

Changes since v1.17.0:

Feature

  • Add config to the Vault issuer to allow the server-name to be specified when validating the certificates the Vault server presents. (#7663, @ThatsMrTalbot)
  • Added app.kubernetes.io/managed-by: cert-manager label to the created Let's Encrypt account keys (#7577, @terinjokes)
  • Added certificate issuance and expiration time metrics (certmanager_certificate_not_before_timestamp_seconds, certmanager_certificate_not_after_timestamp_seconds). (#7612, @solidDoWant)
  • Added the ingress-shim option --extra-certificate-annotations, which sets a list of annotation keys to be copied from Ingress-like resources to the resulting Certificate object. (#7083, @k0da)
  • Added the iss short name for the cert-manager Issuer resource
  • Added the ciss short name for the cert-manager ClusterIssuer resource (#7373, @SgtCoDFish)
  • Added the global.rbac.disableHTTPChallengesRole Helm value to disable HTTP-01 ACME challenges. This allows cert-manager to drop its permission to create pods, improving security when HTTP-01 challenges are not required. (#7666, @ali-hamza-noor)
  • Allow customizing signature algorithm (#7591, @tareksha)
  • Cache the full DNS response and handle TTL expiration in FindZoneByFqdn (#7596, @ThatsIvan)
  • Cert-manager now uses a local fork of the golang.org/x/crypto/acme package (#7752, @wallrj)
  • Add support for ACME profiles extension. (#7777, @wallrj)
  • Promote the UseDomainQualifiedFinalizer feature to GA. (#7735, @jsoref)
  • Switched service/servicemon definitions to use port names instead of numbers. (#7727, @jcpunk)
  • The default value of Certificate.Spec.PrivateKey.RotationPolicy changed from Never to Always. (#7723, @wallrj)
  • Set the default revisionHistoryLimit to 1 for the CertificateRequest revisions (#7758, @ali-hamza-noor)

Documentation

Bug or Regression

  • Bump go-jose dependency to address CVE-2025-27144. (#7606, @SgtCoDFish)
  • Bump golang.org/x/oauth2 to patch CVE-2025-22868.
  • Bump golang.org/x/crypto to patch GHSA-hcg3-q754-cr77.
  • Bump github.com/golang-jwt/jwt to patch GHSA-mh63-6h87-95cp. (#7638, @NicholasBlaskey)
  • Changed the Kubernetes Ingress pathType from ImplementationSpecific to Exact, for reliable handling by ingress controllers and enhanced security. (#7767, @sspreitzer)
  • Fix AWS Route53 error detection for not-found errors during deletion of DNS records. (#7690, @wallrj)
  • Fix behavior when running with --namespace=<namespace>: limit the scope of cert-manager to a single namespace and disable cluster-scoped controllers. (#7678, @tsaarni)
  • Fix handling of certificates with IP addresses in the commonName field; IP addresses are no longer added to the DNS subjectAlternativeName list and are instead added to the ipAddresses field as expected. (#7081, @johnjcool)
  • Fix issuing of certificates via DNS01 challenges on Cloudflare after a breaking change to the Cloudflare API (#7549, @LukeCarrier)
  • Fixed the help text of the certmanager_certificate_renewal_timestamp_seconds metric, which indicated that the metric is relative to expiration time rather than Unix epoch time. (#7609, @solidDoWant)
  • Fixed the service account template to handle boolean values in the annotations. (#7698, @ali-hamza-noor)
  • Quote nodeSelector values in Helm Chart (#7579, @tobiasbp)
  • Skip Gateway TLS listeners in Passthrough mode. (#6986, @vehagn)
  • Upgrade golang.org/x/net fixing CVE-2025-22870. (#7619, @depandabot[bot])

Other (Cleanup or Flake)

  • ACME E2E Tests: Upgraded Pebble to v2.7.0 and modified the ACME tests to match latest Pebble behavior. (#7771, @wallrj)
  • Patch the third_party/forked/acme package with support for the ACME profiles extension. (#7776, @wallrj)
  • Promote the AdditionalCertificateOutputFormats feature to GA, making additional formats always enabled. (#7744, @erikgb)
  • Remove deprecated feature gate ValidateCAA. Setting this feature gate is now a no-op which does nothing but print a warning log line (#7553, @SgtCoDFish)
  • Use slices.Contains to simplify code (#7753, @cuinix)