Sourced from github.com/cert-manager/cert-manager's releases.

v1.19.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Known issues: We are working on a patch to fix the following issues:

• Unexpected certificate renewal after upgrading to 1.19.0

This release focuses on expanding platform compatibility, improving deployment flexibility, enhancing observability, and addressing key reliability issues.

📖 Read the full release notes at cert-manager.io: https://cert-manager.io/docs/releases/release-notes/release-notes-1.19

Changes since v1.18.0:

Feature

• Add IPv6 rules to the default network policy (#7726, @​jcpunk)
• Add global.nodeSelector to helm chart to allow for a single nodeSelector to be set across all services. (#7818, @​StingRayZA)
• Add a feature gate to default to Ingress pathType Exact in ACME HTTP01 Ingress challenge solvers. (#7795, @​sspreitzer)
• Add generated applyconfigurations allowing clients to make type-safe server-side apply requests for cert-manager resources. (#7866, @​erikgb)
• Added API defaults to issuer references group (cert-manager.io) and kind (Issuer). (#7414, @​erikgb)
• Added certmanager_certificate_challenge_status Prometheus metric. (#7736, @​hjoshi123)
• Added protocol field for rfc2136 DNS01 provider (#7881, @​hjoshi123)
• Added experimental field hostUsers flag to all pods. Not set by default. (#7973, @​hjoshi123)
• Support configurable resource requests and limits for ACME HTTP01 solver pods through ClusterIssuer and Issuer specifications, allowing granular resource management that overrides global --acme-http01-solver-resource-* settings. (#7972, @​lunarwhite)
• The CAInjectorMerging feature has been promoted to BETA and is now enabled by default (#8017, @​ThatsMrTalbot)
• The controller, webhook and ca-injector now log their version and git commit on startup for easier debugging and support. (#8072, @​prasad89)
• Updated certificate metrics to the collector approach. (#7856, @​hjoshi123)

Bug or Regression

• ACME: Increased challenge authorization timeout to 2 minutes to fix error waiting for authorization (#7796, @​hjoshi123)
• BUGFIX: permitted URI domains were incorrectly used to set the excluded URI domains in the CSR's name constraints (#7816, @​kinolaev)
• Enforced ACME HTTP-01 solver validation to properly reject configurations when multiple ingress options (class, ingressClassName, name) are specified simultaneously (#8021, @​lunarwhite)
• Increase maximum sizes of PEM certificates and chains which can be parsed in cert-manager, to handle leaf certificates with large numbers of DNS names or other identities (#7961, @​SgtCoDFish)
• Reverted adding the global.rbac.disableHTTPChallengesRole Helm option. (#7836, @​inteon)
• This change removes the path label of core ACME client metrics and will require users to update their monitoring dashboards and alerting rules if using those metrics. (#8109, @​mladen-rusev-cyberark)
• Use the latest version of ingress-nginx in E2E tests to ensure compatibility (#7792, @​wallrj)

Other (Cleanup or Flake)

• Helm: Fix naming template of tokenrequest RoleBinding resource to improve consistency (#7761, @​lunarwhite)
• Improve error messages when certificates, CRLs or private keys fail admission due to malformed or missing PEM data (#7928, @​SgtCoDFish)
• Major upgrade of Akamai SDK. NOTE: The new version has not been fully tested end-to-end due to the lack of cloud infrastructure. (#8003, @​hjoshi123)
• Update kind images to include the Kubernetes 1.33 node image (#7786, @​wallrj)
• Use maps.Copy for cleaner map handling (#8092, @​quantpoet)
• Vault: Migrate Vault E2E add-on tests from deprecated vault-client-go to the new vault/api client. (#8059, @​armagankaratosun)

v1.19.0-alpha.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ This is a pre-release. For testing only!

... (truncated)

• 12a3ef9 Merge pull request #8142 from cert-manager/renovate/kubernetes-go-deps
• 50f4142 fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.2
• 55c8b13 Merge pull request #8140 from cert-manager/renovate/kubernetes-go-deps
• b532b0d fix(deps): update module sigs.k8s.io/gateway-api to v1.4.0
• 2b1e348 Merge pull request #8138 from cert-manager/self-upgrade-master
• 24e1c7a BOT: run 'make upgrade-klone' and 'make generate'
• 290d577 Merge pull request #8137 from cert-manager/renovate/misc-go-deps
• 8b1650c fix(deps): update misc go deps
• 0343fae Merge pull request #8136 from cert-manager/self-upgrade-master
• dbb59b7 BOT: run 'make upgrade-klone' and 'make generate'
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)