No Immediate Action Required
No immediate action is required. This release primarily provides stability and quality-of-life improvements; review the notes below to benefit from the expanded certificate-size limits and the clearer PEM error messages when troubleshooting.


📝 Summary

cert-manager v1.18.3 improves reliability and user experience. It now accepts significantly larger certificates and chains, which matters for deployments whose certificates carry many SANs. A fix prevents unnecessary certificate re-issuance caused by IssuerRef defaulting, and clearer error messages for malformed PEM data simplify troubleshooting. Upgrade for more stable and robust certificate management.


✨ Expanded Certificate Size Limits for Complex Deployments

If cert-manager has rejected very large certificates or long certificate chains in your environment, this update addresses that. Previously, strict size limits on PEM-encoded data could block certificates with many Subject Alternative Names (SANs) or long trust chains. This release raises those limits so that cert-manager can handle more complex and demanding PKI configurations.

The internal/pem package now differentiates between CA certificates (which typically carry few identities and are smaller) and leaf certificates, which can contain many more identities (DNS names, IP addresses, URIs). The maximum size of a single PEM-encoded leaf certificate has increased to approximately 36KB (from about 6.5KB), and a full certificate chain can now be up to approximately 95KB. Certificates that previously failed to parse solely because of their size are now accepted.

Source:

  • internal/pem/decode.go (41-140)
  • internal/pem/decode_test.go (33-70)

🧠 Smarter IssuerRef Comparison Prevents Unnecessary Re-issuance

A common frustration in Kubernetes is unexpected reconciliation loops or certificate re-issuance when API defaulting rules subtly alter a resource's spec. This release introduces more careful comparison logic for the IssuerRef fields of Certificate and CertificateRequest resources. By accounting for the default kind and group values (kind: Issuer, group: cert-manager.io), cert-manager no longer triggers re-issuance when one resource leaves these fields empty and the other sets them explicitly to the same defaults, which makes the certificate lifecycle more stable and avoids wasted issuances.

The RequestMatchesSpec function, which decides whether a certificate needs re-issuance, now uses two helpers, issuerKindsEqual and issuerGroupsEqual. Each treats an empty Kind or Group as its default (Issuer and cert-manager.io respectively) before comparing. A CertificateRequest with an empty Group and Kind is therefore matched correctly against a Certificate that sets these fields explicitly to their defaults, preventing spurious mismatches and unnecessary renewals.
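As an added illustration (not cert-manager's own code), the following Go snippet shows the normalizing comparison described above next to the naive field-by-field check that mistakes a defaulted reference for a changed one. The `ObjectReference` type, the constant names and the sample references are assumptions made for this example; the helper names follow the ones the summary mentions, but the bodies are written here.

```go
package main

import "fmt"

// Defaults that apply when issuerRef kind and group are left empty.
const (
	defaultIssuerKind  = "Issuer"
	defaultIssuerGroup = "cert-manager.io"
)

// ObjectReference is a local stand-in for an issuerRef (name, kind, group);
// it is an assumption for this example, not cert-manager's own type.
type ObjectReference struct {
	Name  string
	Kind  string
	Group string
}

// issuerKindsEqual treats an empty Kind as the default "Issuer" before comparing.
func issuerKindsEqual(a, b string) bool {
	if a == "" {
		a = defaultIssuerKind
	}
	if b == "" {
		b = defaultIssuerKind
	}
	return a == b
}

// issuerGroupsEqual treats an empty Group as the default "cert-manager.io".
func issuerGroupsEqual(a, b string) bool {
	if a == "" {
		a = defaultIssuerGroup
	}
	if b == "" {
		b = defaultIssuerGroup
	}
	return a == b
}

// naiveIssuerRefEqual is the plain struct comparison that reports a mismatch
// whenever one side spells out the defaults and the other leaves them empty,
// which is what caused the spurious re-issuance.
func naiveIssuerRefEqual(a, b ObjectReference) bool {
	return a == b
}

// issuerRefsEqual is the normalized comparison: same name, and kinds and groups
// equal once empty values have been filled with their defaults.
func issuerRefsEqual(a, b ObjectReference) bool {
	return a.Name == b.Name &&
		issuerKindsEqual(a.Kind, b.Kind) &&
		issuerGroupsEqual(a.Group, b.Group)
}

func main() {
	// Constructed sample: the Certificate spells out the defaults, while the
	// CertificateRequest was created with kind and group left empty.
	certRef := ObjectReference{Name: "letsencrypt-prod", Kind: "Issuer", Group: "cert-manager.io"}
	reqRef := ObjectReference{Name: "letsencrypt-prod"}
	clusterRef := ObjectReference{Name: "letsencrypt-prod", Kind: "ClusterIssuer"}

	fmt.Println("naive comparison:", naiveIssuerRefEqual(certRef, reqRef))        // false: would re-issue
	fmt.Println("normalized comparison:", issuerRefsEqual(certRef, reqRef))       // true: no re-issuance
	fmt.Println("Issuer vs ClusterIssuer:", issuerRefsEqual(certRef, clusterRef)) // false: a real change
}
```

Note that normalization is applied symmetrically, so it does not matter which side carries the explicit defaults, and a genuine change such as switching from an Issuer to a ClusterIssuer, or to a non-default group, still registers as a mismatch.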

Source:


📝 Improved Diagnostics with More Descriptive PEM Error Messages

Debugging certificate issues can be challenging, especially when all you get is a generic 'error decoding PEM block' message. This release improves cert-manager's diagnostics by reporting more specific, actionable errors when malformed PEM data is encountered. Instead of a vague error, you now get clearer indicators such as 'no PEM data was found in given input' or 'no valid certificates found', which narrows the root cause much faster.

Updates across several controller components (ACME, CA, SelfSigned, Sync) and the core PKI utility functions now wrap underlying PEM decoding errors, passing through more precise messages from the Go standard library. Additionally, the certificate request validation logic now truncates excessively long request data within error messages, preventing log spam and making the relevant error details easier to spot. This results in a much more user-friendly debugging experience.
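To make the two PEM changes concrete, here is an added Go example (not cert-manager's internal/pem code) that serves both the size-limit section above and this one: it enforces a byte cap before decoding, distinguishes input with no PEM at all from PEM that contains no certificates, wraps parse failures with context, and grows a constructed self-signed leaf with 500 SANs past the old cap to show the difference the new limit makes. The cap constants approximate the figures quoted in the summary and are assumptions, as are the function names, the error wording taken from the summary, and the sample certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Byte caps assumed for this example from the approximate figures quoted in the
// summary; they are not cert-manager's own constants.
const (
	oldLeafPEMSize = 6500      // roughly the previous single-certificate cap
	maxLeafPEMSize = 36 * 1024 // roughly the new leaf certificate cap
)

// Sentinel errors worded like the messages quoted in the summary.
var (
	errNoPEMData = errors.New("no PEM data was found in given input")
	errNoCerts   = errors.New("no valid certificates found")
)

// decodeCertificateChain parses every CERTIFICATE block in data. The size check
// runs before any base64 or ASN.1 work, and each failure mode has its own error.
func decodeCertificateChain(data []byte, maxSize int) ([]*x509.Certificate, error) {
	if len(data) > maxSize {
		return nil, fmt.Errorf("PEM input is %d bytes, over the %d byte limit", len(data), maxSize)
	}
	var certs []*x509.Certificate
	sawBlock := false
	for rest := data; len(rest) > 0; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break // nothing PEM-shaped remains
		}
		sawBlock = true
		if block.Type != "CERTIFICATE" {
			continue // keys or other block types mixed into the input are skipped
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("error parsing certificate PEM block: %w", err)
		}
		certs = append(certs, cert)
	}
	if !sawBlock {
		return nil, errNoPEMData
	}
	if len(certs) == 0 {
		return nil, errNoCerts
	}
	return certs, nil
}

// manySANs builds n constructed DNS names to grow a leaf past the old cap.
func manySANs(n int) []string {
	names := make([]string, n)
	for i := range names {
		names[i] = fmt.Sprintf("host-%04d.example.test", i)
	}
	return names
}

// selfSignedLeafPEM returns a constructed, PEM-encoded self-signed certificate
// carrying the given SANs; it stands in for a real leaf with many identities.
func selfSignedLeafPEM(dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	leaf, err := selfSignedLeafPEM(manySANs(500))
	if err != nil {
		panic(err)
	}
	_, oldErr := decodeCertificateChain(leaf, oldLeafPEMSize)
	certs, newErr := decodeCertificateChain(leaf, maxLeafPEMSize)
	fmt.Printf("%d-byte leaf: old cap -> %v; new cap -> %d cert(s), err=%v\n", len(leaf), oldErr, len(certs), newErr)
}
```

The order of checks is deliberate: the byte cap is applied before pem.Decode so that an oversized blob is rejected without spending CPU on it, and the two "nothing usable" cases are reported separately because they point at different mistakes (wrong file or wrong field versus a key-only bundle).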

Source:


Minor Updates & Housekeeping

This release also upgrades the toolchain to Go 1.24.9, picking up the upstream bug and security fixes in that patch release. The Renovate configuration has been backported for better dependency management, and the Gateway API end-to-end tests for Project Contour have been fixed, which included switching the Envoy image to the bitnamilegacy repository after the upstream image was deprecated.