Release 1.16
cert-manager 1.16 includes various improvements to the metrics in the cert-manager components.
Themes
Extended Metrics
The webhook and cainjector components now have metrics servers, so that platform teams can monitor the performance of all the cert-manager components and gain more information about the underlying Go runtime in the event of a problem. Read the Prometheus Metrics page to learn more.
Community
Thanks again to all open-source contributors with commits in this release, including: TODO
Thanks also to the following cert-manager maintainers for their contributions during this release: TODO
Equally, thanks to everyone who provided feedback, helped users, raised issues on GitHub and Slack, and joined our meetings!
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.
Changes since v1.15.0
Feature
- Add SecretRef support for Venafi TPP issuer CA Bundle (#7036, @sankalp-at-gh)
- Add a metrics server to the cainjector (#7194, @wallrj)
- Add a metrics server to the webhook (#7182, @wallrj)
- Add client certificate auth method for Vault issuer (#4330, @joshmue)
- Add process and go runtime metrics for controller (#6966, @mindw)
- Add renewBeforePercentage alternative to renewBefore (#6987, @cbroglie)
- Default config.apiVersion and config.kind within the Helm chart (#7126, @ThatsMrTalbot)
- Helm: adds JSON schema validation for the Helm values. (#7069, @inteon)
- If the --controllers flag only specifies disabled controllers, the default controllers are now enabled implicitly. Added disableAutoApproval and approveSignerNames Helm chart options. (#7049, @inteon)
- Reduce the memory usage of cainjector, by only caching the metadata of Secret resources. Reduce the load on the K8S API server when cainjector starts up, by only listing the metadata of Secret resources. (#7161, @wallrj)
Bug or Regression
- BUGFIX route53: explicitly set the aws-global STS region which is now required by the github.com/aws/aws-sdk-go-v2 library. (#7108, @inteon)
- BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7105, @inteon)
- Bump grpc-go to fix GHSA-xr7q-jx4m-x55m (#7164, @SgtCoDFish)
- Bump the go-retryablehttp dependency to fix CVE-2024-6104 (#7125, @SgtCoDFish)
- Fix Azure DNS causing panics whenever authentication error happens (#7177, @eplightning)
- Fix incorrect indentation of endpointAdditionalProperties in the PodMonitor template of the Helm chart (#7190, @wallrj)
- Fixes ACME HTTP01 challenge behavior when using Gateway API to prevent unbounded creation of HTTPRoute resources (#7178, @miguelvr)
- Helm BUGFIX: the cainjector ConfigMap was not mounted in the cainjector deployment. (#7052, @inteon)
- Improve the startupapicheck: validate that the validating and mutating webhooks are doing their job. (#7057, @inteon)
- Update github.com/Azure/azure-sdk-for-go/sdk/azidentity to address CVE-2024-35255 (#7087, @dependabot[bot])