cert-manager.crds.yaml 2025-06-10 952.1 kB
cert-manager.yaml 2025-06-10 992.8 kB
README.md 2025-06-10 5.4 kB
v1.18.0 source code.tar.gz 2025-06-10 3.0 MB
v1.18.0 source code.zip 2025-06-10 3.9 MB

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.18 introduces several new features and breaking changes. Highlights include support for ACME certificate profiles, a new default for Certificate.Spec.PrivateKey.RotationPolicy now set to Always (breaking change), and the default Certificate.Spec.RevisionHistoryLimit now set to 1 (potentially breaking).

ℹ️ Be sure to review all new features and changes below, and read the full release notes carefully before upgrading.
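A pre-upgrade audit for the two default changes highlighted above, added here as an example (it is not part of the cert-manager release notes or project code). It takes the JSON printed by `kubectl get certificates -A -o json` and lists the Certificates that leave `spec.privateKey.rotationPolicy` or `spec.revisionHistoryLimit` unset, since those are the objects whose behaviour follows the new defaults. The function name and the sample objects are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get certificates -A -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "web", "name": "shop-tls"},
  "spec": {"secretName": "shop-tls", "dnsNames": ["shop.example.com"]}},
 {"metadata": {"namespace": "web", "name": "api-tls"},
  "spec": {"secretName": "api-tls",
           "privateKey": {"rotationPolicy": "Never"},
           "revisionHistoryLimit": 3}},
 {"metadata": {"namespace": "ops", "name": "pinned-client"},
  "spec": {"secretName": "pinned-client",
           "privateKey": {"algorithm": "ECDSA"}}}
]}
""")


def audit_defaults(cert_list):
    """Return (namespace/name, reasons) for Certificates relying on changed defaults."""
    findings = []
    for item in cert_list.get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec", {})
        reasons = []
        # privateKey may be absent, null, or present without rotationPolicy.
        if not (spec.get("privateKey") or {}).get("rotationPolicy"):
            reasons.append("rotationPolicy unset: Never -> Always")
        # An explicit value (including 0) is treated as a deliberate choice.
        if spec.get("revisionHistoryLimit") is None:
            reasons.append("revisionHistoryLimit unset: now 1")
        if reasons:
            findings.append((f'{meta.get("namespace")}/{meta.get("name")}', reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_defaults(SAMPLE):
        print(name, "; ".join(reasons))
```

Certificates that must keep their existing private key across renewals, for example where a peer pins the public key, are the ones to give an explicit `rotationPolicy: Never` before upgrading.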

Known Issues

  • Error presenting challenge: admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: ingress contains invalid paths: path /.well-known/acme-challenge/<REDACTED> cannot be used with pathType Exact (#7791)

Changes since v1.17.2:

Feature

  • Add config to the Vault issuer to allow the server-name to be specified when validating the certificates the Vault server presents. (#7663, @ThatsMrTalbot)
  • Added app.kubernetes.io/managed-by: cert-manager label to the created Let's Encrypt account keys (#7577, @terinjokes)
  • Added certificate issuance and expiration time metrics (certmanager_certificate_not_before_timestamp_seconds, certmanager_certificate_not_after_timestamp_seconds). (#7612, @solidDoWant)
  • Added ingress-shim option: --extra-certificate-annotations, which sets a list of annotation keys to be copied from Ingress-like resources to the resulting Certificate object (#7083, @k0da)
  • Added the iss short name for the cert-manager Issuer resource. (#7373, @SgtCoDFish)
  • Added the ciss short name for the cert-manager ClusterIssuer resource (#7373, @SgtCoDFish)
  • Adds the global.rbac.disableHTTPChallengesRole helm value to disable HTTP-01 ACME challenges. This allows cert-manager to drop its permission to create pods, improving security when HTTP-01 challenges are not required. (#7666, @ali-hamza-noor)
  • Allow customizing signature algorithm (#7591, @tareksha)
  • Cache the full DNS response and handle TTL expiration in FindZoneByFqdn (#7596, @ThatsIvan)
  • Cert-manager now uses a local fork of the golang.org/x/crypto/acme package (#7752, @wallrj)
  • Add support for ACME profiles extension. (#7777, @wallrj)
  • Promote the UseDomainQualifiedFinalizer feature to GA. (#7735, @jsoref)
  • Switched service/servicemon definitions to use port names instead of numbers. (#7727, @jcpunk)
  • The default value of Certificate.Spec.PrivateKey.RotationPolicy changed from Never to Always. (#7723, @wallrj)
  • Potentially breaking: Set the default revisionHistoryLimit to 1 for the CertificateRequest revisions (#7758, @ali-hamza-noor)

Documentation

  • Fix some comments (#7620, @teslaedison)

Bug or Regression

  • Bump go-jose dependency to address CVE-2025-27144. (#7606, @SgtCoDFish)
  • Bump golang.org/x/oauth2 to patch CVE-2025-22868. (#7638, @NicholasBlaskey)
  • Bump golang.org/x/crypto to patch GHSA-hcg3-q754-cr77. (#7638, @NicholasBlaskey)
  • Bump github.com/golang-jwt/jwt to patch GHSA-mh63-6h87-95cp. (#7638, @NicholasBlaskey)
  • Change of the Kubernetes Ingress pathType from ImplementationSpecific to Exact for a reliable handling of ingress controllers and enhanced security. (#7767, @sspreitzer)
  • Fix AWS Route53 error detection for not-found errors during deletion of DNS records. (#7690, @wallrj)
  • Fix behavior when running with --namespace=<namespace>: limit the scope of cert-manager to a single namespace and disable cluster-scoped controllers. (#7678, @tsaarni)
  • Fix handling of certificates with IP addresses in the commonName field; IP addresses are no longer added to the DNS subjectAlternativeName list and are instead added to the ipAddresses field as expected. (#7081, @johnjcool)
  • Fix issuing of certificates via DNS01 challenges on Cloudflare after a breaking change to the Cloudflare API (#7549, @LukeCarrier)
  • Fixed the certmanager_certificate_renewal_timestamp_seconds metric help text indicating that the metric is relative to expiration time, rather than Unix epoch time. (#7609, @solidDoWant)
  • Fixing the service account template to incorporate boolean values for the annotations. (#7698, @ali-hamza-noor)
  • Quote nodeSelector values in Helm Chart (#7579, @tobiasbp)
  • Skip Gateway TLS listeners in Passthrough mode. (#6986, @vehagn)
  • Upgrade golang.org/x/net fixing CVE-2025-22870. (#7619, @dependabot[bot])

Other (Cleanup or Flake)

  • ACME E2E Tests: Upgraded Pebble to v2.7.0 and modified the ACME tests to match latest Pebble behaviour. (#7771, @wallrj)
  • Patch the third_party/forked/acme package with support for the ACME profiles extension. (#7776, @wallrj)
  • Promote the AdditionalCertificateOutputFormats feature to GA, making additional formats always enabled. (#7744, @erikgb)
  • Remove deprecated feature gate ValidateCAA. Setting this feature gate is now a no-op which does nothing but print a warning log line (#7553, @SgtCoDFish)
  • Update kind images to include the Kubernetes 1.33 node image (#7787, @cert-manager-bot)
  • Upgrade Go to v1.24.4 (#7785, @wallrj)
  • Use slices.Contains to simplify code (#7753, @cuinix)
Source: README.md, updated 2025-06-10