CRDs

📋 Recommended Actions ⚠️ Action Required Immediate review and upgrade are recommended to benefit from critical security hardening, traffic management improvements, and enhanced multi-cluster reliability. If using Helm with server-side apply, explicitly configure ‘base.validationFailurePolicy: Fail’ during initial installations or when templating for SSA to avoid potential webhook conflicts. During upgrades, the webhook’s ‘failurePolicy’ will be omitted from the template, preserving the runtime value. 📝 Summary Istio 1.29.2 fortifies your service mesh with significant stability, security, and multi-cluster resilience enhancements. This patch release addresses several critical bugs, including a fix for AuthorizationPolicy regex metacharacter handling and a robust improvement to JWKS URI CIDR blocking, preventing potential bypasses. Operations engineers will appreciate the improved Helm upgrade experience with server-side apply, which resolves a webhook ‘failurePolicy’ conflict and ensures smoother installations. A new CRD filter safeguards against issues with unsupported Gateway API versions, enhancing upgrade predictability. Traffic management sees key improvements: waypoints now support multiple VirtualServices for a single host, and DestinationRule ‘retryBudget’ configurations are more consistently applied. Multi-cluster deployments gain a crucial fallback mechanism for mesh configuration, ensuring continued operation even if remote mesh config is temporarily unreadable. Upgrade promptly to secure your mesh and leverage these vital operational improvements. ...

📋 Recommended Actions ⚠️ Action Required ⚠️ Action Required Review your IssuerRef configurations and any external tooling that interacts with cert-manager APIs. The Kubernetes API server no longer injects default kind (‘Issuer’) and group (‘cert-manager.io’) for IssuerRef fields in CRDs. While cert-manager itself handles these internally, external clients might need updates to handle potentially empty kind or group fields. 📝 Summary This release for cert-manager v1.19.1 delivers crucial API consistency and stability improvements, primarily revolving around IssuerReference defaulting. We’ve reverted the behavior where the Kubernetes API server would automatically inject default kind and group values for IssuerRef in CRDs. This means that if you omit these fields, the API server will now store them as empty. While this is an important change for external tooling relying on API server-side defaulting, cert-manager’s internal controllers have been enhanced to seamlessly handle these empty fields at runtime, maintaining expected behavior. We’ve also updated the RequestMatchesSpec logic to prevent unnecessary certificate re-issuances when only default IssuerRef values change. Key dependency updates include sigs.k8s.io/controller-runtime to v0.22.3, github.com/Venafi/vcert/v5 to v5.12.2, and Go to 1.25.3. This update ensures better API predictability and internal stability. Review your workflows, especially if external tools process cert-manager resources and expect API-injected defaults. Immediate action isn’t required for core functionality, but client-side adjustments might be. ...