Merge pull request #1702 from wallrj/cert-manager-v1.18.0-beta.0

Cert manager v1.18.0 beta.0 release notes

Author: cert-manager-prow[bot]

content/docs/releases/release-notes/release-notes-1.18.md

@@ -3,12 +3,26 @@ title: Release 1.18
 description: 'cert-manager release notes: cert-manager 1.18'
 ---
 
-cert-manager v1.18 includes:
-
-- TODO
+cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
 
 ## Major Themes
 
+### ACME Certificate Profile Selection
+
+cert-manager now supports the selection of ACME certificate profiles, allowing
+users to request different categories of certificates from their ACME
+Certificate Authority.
+This enhancement leverages the latest [ACME protocol extension for certificate profiles (IETF draft)][rfc] and is supported by Let's Encrypt and other providers.
+For example, Let's Encrypt offers the [`tlsserver`][tlsserver] profile for
+standard server certificates and the [`shortlived`][shortlived] profile for
+short-lived six-day certificates.
+These new options provide users with greater flexibility and improved security
+for their certificate management needs.
+
+[rfc]: https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/
+[tlsserver]: https://letsencrypt.org/docs/profiles/#tlsserver
+[shortlived]: https://letsencrypt.org/docs/profiles/#shortlived
+
 ### The default value of `Certificate.Spec.PrivateKey.RotationPolicy` is now `Always`
 
 > ⚠️ Breaking change
@@ -50,6 +64,16 @@ config:
 >
 > 📖 Read [Issuance behavior: Rotation of the private key](../../usage/certificate.md#issuance-behavior-rotation-of-the-private-key) to learn more about private key rotation in cert-manager.
 
+
+### The default value of `Certificate.Spec.RevisionHistoryLimit` is now `1`
+
+> ⚠️ Breaking change
+
+The default value for the `Certificate` resource's `revisionHistoryLimit` field is now set to 1.
+This ensures that old `CertificateRequest` revisions are automatically garbage collected, improving resource management and reducing clutter in clusters.
+Previously, if not specified, no limit was applied, potentially leading to an accumulation of stale `CertificateRequest` resources.
+With this update, users no longer need to manually configure the revision history limit to benefit from automated cleanup.
+
 ### Copy annotations from Ingress or Gateway to the Certificate
 
 We've added a new configuration option to the cert-manager controller: `--extra-certificate-annotations`, which allows you to specify annotation keys to be copied from an Ingress or Gateway resource to the resulting Certificate object.
@@ -62,7 +86,23 @@ As always, we'd like to thank all of the community members who helped in this re
 
 A special thanks to:
 
-- TODO
+- [`@terinjokes`](https://github.com/terinjokes)
+- [`@solidDoWant`](https://github.com/solidDoWant)
+- [`@k0da`](https://github.com/k0da)
+- [`@ali-hamza-noor`](https://github.com/ali-hamza-noor)
+- [`@tareksha`](https://github.com/tareksha)
+- [`@ThatsIvan`](https://github.com/ThatsIvan)
+- [`@jsoref`](https://github.com/jsoref)
+- [`@jcpunk`](https://github.com/jcpunk)
+- [`@teslaedison`](https://github.com/teslaedison)
+- [`@NicholasBlaskey`](https://github.com/NicholasBlaskey)
+- [`@sspreitzer`](https://github.com/sspreitzer)
+- [`@tsaarni`](https://github.com/tsaarni)
+- [`@johnjcool`](https://github.com/johnjcool)
+- [`@LukeCarrier`](https://github.com/LukeCarrier)
+- [`@tobiasbp`](https://github.com/tobiasbp)
+- [`@vehagn`](https://github.com/vehagn)
+- [`@cuinix`](https://github.com/cuinix)
 
 for their contributions, comments and support!
 
@@ -98,8 +138,12 @@ Changes since `v1.17.0`:
 - Adds the `global.rbac.disableHTTPChallengesRole` helm value to disable HTTP-01 ACME challenges. This allows cert-manager to drop its permission to create pods, improving security when HTTP-01 challenges are not required. ([`#7666`](https://github.com/cert-manager/cert-manager/pull/7666), [`@ali-hamza-noor`](https://github.com/ali-hamza-noor))
 - Allow customizing signature algorithm ([`#7591`](https://github.com/cert-manager/cert-manager/pull/7591), [`@tareksha`](https://github.com/tareksha))
 - Cache the full DNS response and handle TTL expiration in `FindZoneByFqdn` ([`#7596`](https://github.com/cert-manager/cert-manager/pull/7596), [`@ThatsIvan`](https://github.com/ThatsIvan))
+- Cert-manager now uses a local fork of the `golang.org/x/crypto/acme` package ([`#7752`](https://github.com/cert-manager/cert-manager/pull/7752), [`@wallrj`](https://github.com/wallrj))
+- Add support for [`ACME profiles extension`](https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/). ([`#7777`](https://github.com/cert-manager/cert-manager/pull/7777), [`@wallrj`](https://github.com/wallrj))
 - Promote the `UseDomainQualifiedFinalizer` feature to GA. ([`#7735`](https://github.com/cert-manager/cert-manager/pull/7735), [`@jsoref`](https://github.com/jsoref))
+- Switched `service/servicemon` definitions to use port names instead of numbers. ([`#7727`](https://github.com/cert-manager/cert-manager/pull/7727), [`@jcpunk`](https://github.com/jcpunk))
 - The default value of `Certificate.Spec.PrivateKey.RotationPolicy` changed from `Never` to `Always`. ([`#7723`](https://github.com/cert-manager/cert-manager/pull/7723), [`@wallrj`](https://github.com/wallrj))
+- Set the default `revisionHistoryLimit` to 1 for the CertificateRequest revisions ([`#7758`](https://github.com/cert-manager/cert-manager/pull/7758), [`@ali-hamza-noor`](https://github.com/ali-hamza-noor))
 
 ### Documentation
 
@@ -111,16 +155,22 @@ Changes since `v1.17.0`:
 - Bump `golang.org/x/oauth2` to patch `CVE-2025-22868`.
 - Bump `golang.org/x/crypto` to patch `GHSA-hcg3-q754-cr77`.
 - Bump `github.com/golang-jwt/jwt` to patch `GHSA-mh63-6h87-95cp`. ([`#7638`](https://github.com/cert-manager/cert-manager/pull/7638), [`@NicholasBlaskey`](https://github.com/NicholasBlaskey))
+- Change of the Kubernetes Ingress `pathType` from `ImplementationSpecific` to `Exact` for a reliable handling of ingress controllers and enhanced security. ([`#7767`](https://github.com/cert-manager/cert-manager/pull/7767), [`@sspreitzer`](https://github.com/sspreitzer))
 - Fix AWS Route53 error detection for not-found errors during deletion of DNS records. ([`#7690`](https://github.com/cert-manager/cert-manager/pull/7690), [`@wallrj`](https://github.com/wallrj))
 - Fix behavior when running with `--namespace=<namespace>`: limit the scope of cert-manager to a single namespace and disable cluster-scoped controllers. ([`#7678`](https://github.com/cert-manager/cert-manager/pull/7678), [`@tsaarni`](https://github.com/tsaarni))
 - Fix handling of certificates with IP addresses in the `commonName` field; IP addresses are no longer added to the DNS `subjectAlternativeName` list and are instead added to the `ipAddresses` field as expected. ([`#7081`](https://github.com/cert-manager/cert-manager/pull/7081), [`@johnjcool`](https://github.com/johnjcool))
 - Fix issuing of certificates via DNS01 challenges on Cloudflare after a breaking change to the Cloudflare API ([`#7549`](https://github.com/cert-manager/cert-manager/pull/7549), [`@LukeCarrier`](https://github.com/LukeCarrier))
 - Fixed the `certmanager_certificate_renewal_timestamp_seconds` metric help text indicating that the metric is relative to expiration time, rather than Unix epoch time. ([`#7609`](https://github.com/cert-manager/cert-manager/pull/7609), [`@solidDoWant`](https://github.com/solidDoWant))
 - Fixing the service account template to incorporate boolean values for the annotations. ([`#7698`](https://github.com/cert-manager/cert-manager/pull/7698), [`@ali-hamza-noor`](https://github.com/ali-hamza-noor))
+- Quote nodeSelector values in Helm Chart ([`#7579`](https://github.com/cert-manager/cert-manager/pull/7579), [`@tobiasbp`](https://github.com/tobiasbp))
 - Skip Gateway TLS listeners in `Passthrough` mode. ([`#6986`](https://github.com/cert-manager/cert-manager/pull/6986), [`@vehagn`](https://github.com/vehagn))
+- Upgrade `golang.org/x/net` fixing `CVE-2025-22870`. ([`#7619`](https://github.com/cert-manager/cert-manager/pull/7619), [`@depandabot[bot]`](https://github.com/apps/dependabot))
 
 ### Other (Cleanup or Flake)
 
+- ACME E2E Tests: Upgraded Pebble to `v2.7.0` and modified the ACME tests to match latest Pebble behavior. ([`#7771`](https://github.com/cert-manager/cert-manager/pull/7771), [`@wallrj`](https://github.com/wallrj))
+- Patch the `third_party/forked/acme` package with support for the ACME profiles extension. ([`#7776`](https://github.com/cert-manager/cert-manager/pull/7776), [`@wallrj`](https://github.com/wallrj))
 - Promote the `AdditionalCertificateOutputFormats` feature to GA, making additional formats always enabled. ([`#7744`](https://github.com/cert-manager/cert-manager/pull/7744), [`@erikgb`](https://github.com/erikgb))
 - Remove deprecated feature gate `ValidateCAA`. Setting this feature gate is now a no-op which does nothing but print a warning log line ([`#7553`](https://github.com/cert-manager/cert-manager/pull/7553), [`@SgtCoDFish`](https://github.com/SgtCoDFish))
 - Upgrade `golang.org/x/net` fixing `CVE-2025-22870`. ([`#7619`](https://github.com/cert-manager/cert-manager/pull/7619), [`@depandabot[bot]`](https://github.com/apps/dependabot))
+- Use `slices.Contains` to simplify code ([`#7753`](https://github.com/cert-manager/cert-manager/pull/7753), [`@cuinix`](https://github.com/cuinix))

content/docs/releases/upgrading/upgrading-1.17-1.18.md

@@ -9,6 +9,10 @@ Before upgrading cert-manager from 1.17 to 1.18, please read the following impor
 
    > 📖 Read [Release 1.18 notes](../release-notes/release-notes-1.18.md) for more information..
 
+1. We have changed the default value of `Certificate.Spec.RevisionHistoryLimit` from `nil` to `1`.
+
+   > 📖 Read [Release 1.18 notes](../release-notes/release-notes-1.18.md) for more information..
+
 ## Next Steps
 
 From here on, you can follow the [regular upgrade process](../../installation/upgrade.md).