ACME

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially around ACME HTTP01 challenge handling and Ingress-Nginx compatibility. 📝 Summary cert-manager v1.18.1 delivers critical enhancements for ACME HTTP01 challenges and improved compatibility with Ingress-Nginx. This release introduces the ACMEHTTP01IngressPathTypeExact feature gate, now Beta and enabled by default, which switches the Ingress pathType to Exact for heightened security. This prevents misinterpretations of challenge paths and aligns with standard Ingress behaviors. A significant dependency upgrade bumps Ingress-Nginx to v1.12.3, coupled with a vital configuration change that disables strict-validate-path-type to prevent HTTP01 challenge failures caused by a bug in newer Ingress-Nginx versions. Furthermore, the ACME authorization timeout is extended from 20 seconds to 2 minutes, significantly improving reliability for challenges against slower ACME servers or under poor network conditions. The DefaultPrivateKeyRotationPolicyAlways feature gate is also promoted to Beta, ensuring consistent private key rotation. Review these changes to ensure optimal ACME challenge resolution and cluster stability. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates for improved ACME challenge stability and awareness of updated Ingress-Nginx testing within cert-manager’s ecosystem. This cert-manager v1.17.3 patch release focuses on enhancing the reliability of certificate issuance and ensuring robust compatibility with other crucial Kubernetes ecosystem components. You’ll find a significant increase in the ACME challenge authorization timeout, which should lead to more successful certificate requests, particularly in environments with network latency or slower DNS propagation. Additionally, our end-to-end testing environment has been updated to use a newer ingress-nginx version with its admission webhook enabled, reinforcing cert-manager’s compatibility with modern ingress configurations. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade recommended for all users relying on Cloudflare DNS01 challenges to restore functionality and ensure uninterrupted certificate issuance. This cert-manager v1.17.1 patch release delivers a crucial fix for users leveraging Cloudflare DNS01 challenges. Due to a recent breaking API change from Cloudflare, cert-manager v1.17.0 and earlier versions were experiencing issues with certificate issuance via this method. This update ensures seamless operation for your ACME certificates, alongside a standard bump to the Go toolchain to v1.23.6. ...

📋 Recommended Actions ⚠️ Action Required Immediate action is not universally required but highly recommended to review the default changes for promoted feature gates (like NameConstraints and UseDomainQualifiedFinalizer now defaulting to true) and the deprecation of ValidateCAA (now defaulting to false). Adjust your configurations as necessary to maintain desired behavior, especially if you rely on the previous implicit defaults. Consider leveraging the new literal keystore password option for simplified management. ...