cert-manager(v1.19.1): Critical IssuerRef Consistency Fixes and API Defaulting Changes
📋 Recommended Actions ⚠️ Action Required ⚠️ Action Required Review your IssuerRef configurations and any external tooling that interacts with cert-manager APIs. The Kubernetes API server no longer injects default kind (‘Issuer’) and group (‘cert-manager.io’) for IssuerRef fields in CRDs. While cert-manager itself handles these internally, external clients might need updates to handle potentially empty kind or group fields. 📝 Summary This release for cert-manager v1.19.1 delivers crucial API consistency and stability improvements, primarily revolving around IssuerReference defaulting. We’ve reverted the behavior where the Kubernetes API server would automatically inject default kind and group values for IssuerRef in CRDs. This means that if you omit these fields, the API server will now store them as empty. While this is an important change for external tooling relying on API server-side defaulting, cert-manager’s internal controllers have been enhanced to seamlessly handle these empty fields at runtime, maintaining expected behavior. We’ve also updated the RequestMatchesSpec logic to prevent unnecessary certificate re-issuances when only default IssuerRef values change. Key dependency updates include sigs.k8s.io/controller-runtime to v0.22.3, github.com/Venafi/vcert/v5 to v5.12.2, and Go to 1.25.3. This update ensures better API predictability and internal stability. Review your workflows, especially if external tools process cert-manager resources and expect API-injected defaults. Immediate action isn’t required for core functionality, but client-side adjustments might be. ...