The cert-manager Operator for Red Hat OpenShift is a cluster-wide service that provides application certificate lifecycle management.
These release notes track the development of cert-manager Operator for Red Hat OpenShift.
For more information, see About the cert-manager Operator for Red Hat OpenShift.
Issued: 2024-07-08
The following advisory is available for the cert-manager Operator for Red Hat OpenShift 1.14.0:
Version 1.14.0 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.14.5. For more information, see the cert-manager project release notes for v1.14.5.
FIPS compliance support
With this release, FIPS mode is now automatically enabled for cert-manager Operator for Red Hat OpenShift. When installed on an OpenShift Container Platform cluster in FIPS mode, cert-manager Operator for Red Hat OpenShift ensures compatibility without affecting the cluster’s FIPS support status.
NCM issuer
The cert-manager Operator for Red Hat OpenShift now supports the Nokia NetGuard Certificate Manager (NCM) issuer. The ncm-issuer is a cert-manager external issuer that integrates with the NCM PKI system using a Kubernetes controller to sign certificate requests. This integration streamlines the process of obtaining non-self-signed certificates for applications, ensuring their validity and keeping them updated.
The NCM issuer is validated only with version 1.1.1 and the cert-manager Operator for Red Hat OpenShift version 1.14.0. This version handles tasks such as issuance, renewal, and managing certificates for the API server and ingress controller of OpenShift Container Platform clusters.
Issued: 2024-05-15
The following advisory is available for the cert-manager Operator for Red Hat OpenShift 1.13.1:
Version 1.13.1 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.13.6. For more information, see the cert-manager project release notes for v1.13.6.
Issued: 2024-01-16
The following advisory is available for the cert-manager Operator for Red Hat OpenShift 1.13.0:
Version 1.13.0 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.13.3. For more information, see the cert-manager project release notes for v1.13.0.
You can now manage certificates for API Server and Ingress Controller by using the cert-manager Operator for Red Hat OpenShift. For more information, see Configuring certificates with an issuer.
With this release, the scope of the cert-manager Operator for Red Hat OpenShift, which was previously limited to the OpenShift Container Platform on AMD64 architecture, has now been expanded to include support for managing certificates on OpenShift Container Platform running on IBM Z® (s390x), IBM Power® (ppc64le) and ARM64 architectures.
With this release, you can use DNS over HTTPS (DoH) for performing the self-checks during the ACME DNS-01 challenge verification. The DNS self-check method can be controlled by using the command line flags, --dns01-recursive-nameservers-only and --dns01-recursive-nameservers.
For more information, see Customizing cert-manager by overriding arguments from the cert-manager Operator API.
Issued: 2023-11-15
The following advisory is available for the cert-manager Operator for Red Hat OpenShift 1.12.1:
Version 1.12.1 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.12.5. For more information, see the cert-manager project release notes for v1.12.5.
Previously, in a multi-architecture environment, the cert-manager Operator pods were prone to failures because of the invalid node affinity configuration. With this fix, the cert-manager Operator pods run without any failures. (OCPBUGS-19446)
Issued: 2023-10-02
The following advisories are available for the cert-manager Operator for Red Hat OpenShift 1.12.0:
Version 1.12.0 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.12.4. For more information, see the cert-manager project release notes for v1.12.4.
Previously, you could not configure the CPU and memory requests and limits for the cert-manager components such as cert-manager controller, CA injector, and Webhook. Now, you can configure the CPU and memory requests and limits for the cert-manager components by using the command-line interface (CLI). For more information, see Overriding CPU and memory limits for the cert-manager components. (OCPBUGS-13830)
Previously, if you updated the ClusterIssuer object, the cert-manager Operator for Red Hat OpenShift could not verify and update the change in the cluster issuer. Now, if you modify the ClusterIssuer object, the cert-manager Operator for Red Hat OpenShift verifies the ACME account registration and updates the change. (OCPBUGS-8210)
Previously, the cert-manager Operator for Red Hat OpenShift did not support enabling the --enable-certificate-owner-ref flag. Now, the cert-manager Operator for Red Hat OpenShift supports enabling the --enable-certificate-owner-ref flag by adding the spec.controllerConfig.overrideArgs field in the cluster object. After enabling the --enable-certificate-owner-ref flag, cert-manager can automatically delete the secret when the Certificate resource is removed from the cluster. For more information on enabling the --enable-certificate-owner-ref flag and deleting the TLS secret automatically, see Deleting a TLS secret automatically upon Certificate removal. (CM-98)
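The two controller argument overrides described in these notes (the --enable-certificate-owner-ref flag above and the DoH self-check flags from the 1.13.0 notes), shown together in the cluster object as an added example that is not part of the original release notes. The DoH server URL is a placeholder assumption.

```yaml
# Added example (not from the release notes): the cluster-scoped CertManager
# object named "cluster", with cert-manager controller arguments overridden.
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
  name: cluster
spec:
  controllerConfig:
    overrideArgs:
      # 1.13.0: run the ACME DNS-01 self-check over DNS over HTTPS.
      # The URL is a placeholder; substitute your own RFC 8484 resolver.
      - '--dns01-recursive-nameservers=https://doh.example.com/dns-query'
      # Use only the recursive nameservers listed above for the self-check,
      # instead of querying authoritative nameservers directly.
      - '--dns01-recursive-nameservers-only'
      # 1.12.0: make the Certificate the owner of its TLS secret, so the secret
      # (including the private key) is deleted when the Certificate is removed.
      - '--enable-certificate-owner-ref'
```

With --enable-certificate-owner-ref set, deleting a Certificate also removes a secret that workloads may still mount, so check for consumers of the secret before removing the Certificate.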
Previously, the cert-manager Operator for Red Hat OpenShift could not pull the jetstack-cert-manager-container-v1.12.4-1 image. The cert-manager controller, CA injector, and Webhook pods were stuck in the ImagePullBackOff state. Now, the cert-manager Operator for Red Hat OpenShift pulls the jetstack-cert-manager-container-v1.12.4-1 image to run the cert-manager controller, CA injector, and Webhook pods successfully. (OCPBUGS-19986)
Issued: 2023-11-15
The following advisory is available for the cert-manager Operator for Red Hat OpenShift 1.11.5:
The golang version is updated to the version 1.20.10 to fix Common Vulnerabilities and Exposures (CVEs). Version 1.11.5 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.11.5. For more information, see the cert-manager project release notes for v1.11.5.
Previously, in a multi-architecture environment, the cert-manager Operator pods were prone to failures because of the invalid node affinity configuration. With this fix, the cert-manager Operator pods run without any failures. (OCPBUGS-19446)
Issued: 2023-07-26
The following advisory is available for the cert-manager Operator for Red Hat OpenShift 1.11.4:
The golang version is updated to the version 1.19.10 to fix Common Vulnerabilities and Exposures (CVEs). Version 1.11.4 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.11.4. For more information, see the cert-manager project release notes for v1.11.4.
Previously, the cert-manager Operator for Red Hat OpenShift did not allow you to install older versions of the cert-manager Operator for Red Hat OpenShift. Now, you can install older versions of the cert-manager Operator for Red Hat OpenShift using the web console or the command-line interface (CLI). For more information on how to use the web console to install older versions, see Installing the cert-manager Operator for Red Hat OpenShift. (OCPBUGS-16393)
Issued: 2023-06-21
The following advisory is available for the cert-manager Operator for Red Hat OpenShift 1.11.1:
Version 1.11.1 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.11.1. For more information, see the cert-manager project release notes for v1.11.1.
This is the general availability (GA) release of the cert-manager Operator for Red Hat OpenShift.
To troubleshoot issues with cert-manager and the cert-manager Operator for Red Hat OpenShift, you can now configure the log level verbosity by setting a log level for cert-manager and the cert-manager Operator for Red Hat OpenShift. For more information, see Configuring log levels for cert-manager and the cert-manager Operator for Red Hat OpenShift.
You can now configure cloud credentials for the cert-manager Operator for Red Hat OpenShift on AWS clusters with Security Token Service (STS) and without STS. For more information, see Authenticating the cert-manager Operator for Red Hat OpenShift on AWS Security Token Service and Authenticating the cert-manager Operator for Red Hat OpenShift on AWS.
You can now configure cloud credentials for the cert-manager Operator for Red Hat OpenShift on GCP clusters with Workload Identity and without Workload Identity. For more information, see Authenticating the cert-manager Operator for Red Hat OpenShift with GCP Workload Identity and Authenticating the cert-manager Operator for Red Hat OpenShift with GCP.
Previously, the cm-acme-http-solver pod did not use the latest published Red Hat image registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9. With this release, the cm-acme-http-solver pod uses the latest published Red Hat image registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9. (OCPBUGS-10821)
Previously, the cert-manager Operator for Red Hat OpenShift did not support changing labels for cert-manager pods such as controller, CA injector, and Webhook pods. With this release, you can add labels to cert-manager pods. (OCPBUGS-8466)
Previously, you could not update the log verbosity level in the cert-manager Operator for Red Hat OpenShift. You can now update the log verbosity level by using the environment variable OPERATOR_LOG_LEVEL in its subscription resource. (OCPBUGS-9994)
Previously, when uninstalling the cert-manager Operator for Red Hat OpenShift, if you selected the Delete all operand instances for this operator checkbox in the OpenShift Container Platform web console, the Operator was not uninstalled properly. The cert-manager Operator for Red Hat OpenShift is now properly uninstalled. (OCPBUGS-9960)
Previously, the cert-manager Operator for Red Hat OpenShift did not support using Google workload identity federation. The cert-manager Operator for Red Hat OpenShift now supports using Google workload identity federation. (OCPBUGS-9998)
After installing the cert-manager Operator for Red Hat OpenShift, if you navigate to Operators → Installed Operators and select Operator details in the OpenShift Container Platform web console, you cannot see the cert-manager resources that are created across all namespaces. As a workaround, you can navigate to Home → API Explorer to see the cert-manager resources. (OCPBUGS-11647)
After uninstalling the cert-manager Operator for Red Hat OpenShift by using the web console, the cert-manager Operator for Red Hat OpenShift does not remove the cert-manager controller, CA injector, and Webhook pods automatically from the cert-manager namespace. As a workaround, you can manually delete the cert-manager controller, CA injector, and Webhook pod deployments present in the cert-manager namespace. (OCPBUGS-13679)