Certificate Management

📋 Recommended Actions ⚠️ Action Required Immediate upgrade recommended to ensure certificate name constraints are correctly applied, enhancing the security and validity of issued certificates. cert-manager v1.17.4 is a targeted patch release addressing a critical bug in how URI name constraints are applied during certificate signing request (CSR) generation. Previously, Permitted.URIDomains were incorrectly treated as excluded, potentially leading to misconfigurations in certificate issuance policies. This fix ensures that your defined URI name constraints are honored as intended, bolstering the integrity and security of your issued certificates. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially around ACME HTTP01 challenge handling and Ingress-Nginx compatibility. 📝 Summary cert-manager v1.18.1 delivers critical enhancements for ACME HTTP01 challenges and improved compatibility with Ingress-Nginx. This release introduces the ACMEHTTP01IngressPathTypeExact feature gate, now Beta and enabled by default, which switches the Ingress pathType to Exact for heightened security. This prevents misinterpretations of challenge paths and aligns with standard Ingress behaviors. A significant dependency upgrade bumps Ingress-Nginx to v1.12.3, coupled with a vital configuration change that disables strict-validate-path-type to prevent HTTP01 challenge failures caused by a bug in newer Ingress-Nginx versions. Furthermore, the ACME authorization timeout is extended from 20 seconds to 2 minutes, significantly improving reliability for challenges against slower ACME servers or under poor network conditions. The DefaultPrivateKeyRotationPolicyAlways feature gate is also promoted to Beta, ensuring consistent private key rotation. Review these changes to ensure optimal ACME challenge resolution and cluster stability. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates for improved ACME challenge stability and awareness of updated Ingress-Nginx testing within cert-manager’s ecosystem. This cert-manager v1.17.3 patch release focuses on enhancing the reliability of certificate issuance and ensuring robust compatibility with other crucial Kubernetes ecosystem components. You’ll find a significant increase in the ACME challenge authorization timeout, which should lead to more successful certificate requests, particularly in environments with network latency or slower DNS propagation. Additionally, our end-to-end testing environment has been updated to use a newer ingress-nginx version with its admission webhook enabled, reinforcing cert-manager’s compatibility with modern ingress configurations. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade recommended for all users relying on Cloudflare DNS01 challenges to restore functionality and ensure uninterrupted certificate issuance. This cert-manager v1.17.1 patch release delivers a crucial fix for users leveraging Cloudflare DNS01 challenges. Due to a recent breaking API change from Cloudflare, cert-manager v1.17.0 and earlier versions were experiencing issues with certificate issuance via this method. This update ensures seamless operation for your ACME certificates, alongside a standard bump to the Go toolchain to v1.23.6. ...