📋 Recommended Actions
✅ No Immediate Action Required
No immediate action is required. Review the notes below for the improved ACME challenge stability and for the newer ingress-nginx version now exercised in cert-manager's end-to-end tests.
This cert-manager v1.17.3 patch release focuses on enhancing the reliability of certificate issuance and ensuring robust compatibility with other crucial Kubernetes ecosystem components. You’ll find a significant increase in the ACME challenge authorization timeout, which should lead to more successful certificate requests, particularly in environments with network latency or slower DNS propagation. Additionally, our end-to-end testing environment has been updated to use a newer ingress-nginx version with its admission webhook enabled, reinforcing cert-manager’s compatibility with modern ingress configurations.
✨ Enhanced ACME Challenge Stability with Extended Authorization Timeout
To bolster the resilience of ACME certificate issuance, especially in varied network conditions or with slower DNS propagation, we’ve significantly extended the authorization timeout for ACME challenges. This change directly addresses scenarios where a challenge might fail due to the ACME server taking longer than expected to validate the provided proof, ensuring that cert-manager is more patient and ultimately more successful in obtaining certificates for your services.
The authorizationTimeout in the ACME challenge controller has been increased from 20 seconds to 2 minutes. This gives the ACME server a larger window to complete its validation before cert-manager gives up on the challenge, reducing the likelihood of transient failures during certificate requests.
// pkg/controller/acmechallenges/sync.go
import "time"

const (
	// How long to wait for an authorization response from the ACME server in acceptChallenge()
	// before giving up.
	authorizationTimeout = 2 * time.Minute // previously 20 * time.Second
)
Source: pkg/controller/acmechallenges/sync.go (line 47)
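To make the effect of the timeout concrete, the following Go program (an added example, not cert-manager's code) models the wait that authorizationTimeout bounds: a constructed fake ACME server reports the authorization as pending for a fixed delay, and the same wait is run under the old and the new timeout, scaled from seconds to milliseconds. The names fakeACME, waitAuthorization and run are this example's own, and in this model the wait is synchronous, which is why the comments note that a longer timeout can also hold a worker for longer.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// fakeACME stands in for the ACME server (constructed for this example): it
// reports "pending" until validationDelay has elapsed, then "valid".
type fakeACME struct {
	start           time.Time
	validationDelay time.Duration
}

func (s *fakeACME) status() string {
	if time.Since(s.start) < s.validationDelay {
		return "pending"
	}
	return "valid"
}

// waitAuthorization polls status() every interval until it leaves "pending" or ctx
// expires; it blocks for the whole wait, so a longer timeout holds a worker longer.
func waitAuthorization(ctx context.Context, s *fakeACME, interval time.Duration) (string, error) {
	for {
		if st := s.status(); st != "pending" {
			return st, nil
		}
		select {
		case <-ctx.Done():
			return "pending", ctx.Err() // context.DeadlineExceeded
		case <-time.After(interval):
		}
	}
}

// run bounds one authorization wait with timeout, as authorizationTimeout does.
func run(timeout, validationDelay time.Duration) (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	s := &fakeACME{start: time.Now(), validationDelay: validationDelay}
	return waitAuthorization(ctx, s, 5*time.Millisecond)
}

func main() {
	// Scaled 1:1000: 20s -> 20ms (old), 2m -> 120ms (new); the server validates at 50ms.
	st, err := run(20*time.Millisecond, 50*time.Millisecond)
	fmt.Println("old timeout:", st, err)
	st, err = run(120*time.Millisecond, 50*time.Millisecond)
	fmt.Println("new timeout:", st, err)
}
```

Under the old (scaled) timeout the wait ends with the authorization still pending and a deadline error; under the new one the same server finishes validating in time and the wait returns "valid".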
🚀 Updated Ingress-Nginx in E2E Tests for Broader Compatibility
We’re continually working to ensure cert-manager integrates seamlessly with the most popular Kubernetes components. In this release, our end-to-end (E2E) testing suite has been upgraded to utilize a more recent version of ingress-nginx, specifically v1.12.3, and is now configured to enable its admission webhook. This update reflects a common production deployment scenario and validates cert-manager’s continued compatibility with the latest ingress-nginx features and operational modes, giving you greater confidence when running these components together.
The ingress-nginx image used in our E2E tests has been bumped from v1.10.1 to v1.12.3. Concurrently, the Helm chart version for ingress-nginx in our test setup is updated from 4.10.1 to 4.12.3, and critically, the admissionWebhooks.enabled flag is now set to true. This ensures that our testing environment closely mimics real-world setups where ingress-nginx’s admission webhook is active.
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
@@ -26,7 +26,7 @@ CRI_ARCH := $(HOST_ARCH)
# is set in one place only.
K8S_VERSION := 1.30
-IMAGE_ingressnginx_amd64 := registry.k8s.io/ingress-nginx/controller:v1.10.1@sha256:959e313aceec9f38e18a329ca3756402959e84e63ae8ba7ac1ee48aec28d51b9
+IMAGE_ingressnginx_amd64 := registry.k8s.io/ingress-nginx/controller:v1.12.3@sha256:aadad8e26329d345dea3a69b8deb9f3c52899a97cbaf7e702b8dfbeae3082c15
IMAGE_kyverno_amd64 := ghcr.io/kyverno/kyverno:v1.12.3@sha256:127def0e41f49fea6e260abf7b1662fe7bdfb9f33e8f9047fb74d0162a5697bb
IMAGE_kyvernopre_amd64 := ghcr.io/kyverno/kyvernopre:v1.12.3@sha256:d388cd67b38fb4f55eb5e38107dbbce9e06208b8e3839f0b63f8631f286181be
IMAGE_vault_amd64 := docker.io/hashicorp/vault:1.14.1@sha256:436d056e8e2a96c7356720069c29229970466f4f686886289dcc94dfa21d3155
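Review bot: the new amd64 reference keeps the `@sha256:` digest pin, which is what the image loader actually trusts; the `v1.12.3` tag is informational once a digest is present. Confirm in review that the digest was read from the registry.k8s.io manifest for that tag (for example with `crane digest`) rather than copied from a third-party mirror, since a wrong digest here would silently pin a different build of the controller.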
@@ -34,7 +34,7 @@ IMAGE_bind_amd64 := europe-west1-docker.pkg.dev/cert-manager-tests-trusted/cert-
IMAGE_sampleexternalissuer_amd64 := ghcr.io/cert-manager/sample-external-issuer/controller:v0.4.0@sha256:964b378fe0dda7fc38ce3f211c3b24c780e44cef13c39d3206de985bad67f294
IMAGE_projectcontour_amd64 := ghcr.io/projectcontour/contour:v1.29.1@sha256:bb7af851ac5832c315e0863d12ed583cee54c495d58a206f1d0897647505ed70
-IMAGE_ingressnginx_arm64 := registry.k8s.io/ingress-nginx/controller:v1.10.1@sha256:624d1a22b56a52fc4b8e330bef968cd77d49c6eeb36166f20036d50782307341
+IMAGE_ingressnginx_arm64 := registry.k8s.io/ingress-nginx/controller:v1.12.3@sha256:800048a4cdf4ad487a17f56d22ec6be7a34248fc18900d945bc869fee4ccb2f7
IMAGE_kyverno_arm64 := ghcr.io/kyverno/kyverno:v1.12.3@sha256:c076a1ba9e0fb33d8eca3e7499caddfa3bb4f5e52e9dee589d8476ae1688cd34
IMAGE_kyvernopre_arm64 := ghcr.io/kyverno/kyvernopre:v1.12.3@sha256:d8d750012ed4bb46fd41d8892e92af6fb9fd212317bc23e68a2a47199646b04a
IMAGE_vault_arm64 := docker.io/hashicorp/vault:1.14.1@sha256:27dd264f3813c71a66792191db5382f0cf9eeaf1ae91770634911facfcfe4837
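Review bot: the arm64 digest is bumped in step with the amd64 one, so both architectures now test the same v1.12.3 release; the two digests differ as expected because each names a per-architecture manifest rather than the multi-arch index. A quick consistency check is that both digests appear in the v1.12.3 image index on registry.k8s.io.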
@@ -369,7 +369,7 @@ e2e-setup-ingressnginx: $(call image-tar,ingressnginx) load-$(call image-tar,ing
$(HELM) upgrade \
--install \
--wait \
- --version 4.10.1 \
+ --version 4.12.3 \
--namespace ingress-nginx \
--create-namespace \
--set controller.image.tag=$(TAG) \
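Review bot: the chart bump to 4.12.3 does not by itself select the controller image; the unchanged `--set controller.image.tag=$(TAG)` overrides the tag, and if the 4.12.3 chart's values.yaml ships a default `controller.image.digest`, that digest takes precedence over the tag unless it is cleared (for example `--set controller.image.digest=`). The context shown does not include such a line, so verify that the resulting controller Pod references the digest-pinned image loaded by the `load-` target and not the chart's default image.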
@@ -379,7 +379,7 @@ e2e-setup-ingressnginx: $(call image-tar,ingressnginx) load-$(call image-tar,ing
--set controller.service.clusterIP=${SERVICE_IP_PREFIX}.15 \
--set controller.service.type=ClusterIP \
--set controller.config.no-tls-redirect-locations= \
- --set admissionWebhooks.enabled=false \
+ --set admissionWebhooks.enabled=true \
--set controller.admissionWebhooks.enabled=true \
--set controller.watchIngressWithoutClass=true \
ingress-nginx ingress-nginx/ingress-nginx >/dev/null
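Review bot: this hunk flips a top-level `admissionWebhooks.enabled` while the unchanged line just below already sets `controller.admissionWebhooks.enabled=true`. In the ingress-nginx chart the webhook is configured under `controller.admissionWebhooks`, so check whether the top-level key is read at all; if it is not, the flag is a no-op and could be dropped rather than left to suggest two independent switches. With the webhook genuinely active, every Ingress the e2e suite creates is validated by the controller, so a webhook outage now surfaces as a test failure instead of being masked.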
Source: make/e2e-setup.mk (lines 26-27, 34-35, 372, 379)
Minor Updates & Housekeeping
This release also includes routine maintenance, such as bumping the vendored Go version across all cert-manager binaries from 1.23.8 to 1.23.10 and updating the underlying distroless base images (static-debian12, base-debian12) for various architectures, ensuring that cert-manager remains on a secure and up-to-date foundation.