Update Helm release cert-manager to v1

[renovate]

This PR contains the following updates:

Package	Update	Change
cert-manager	major	v0.15.1 -> v1.2.0

---

Release Notes

jetstack/cert-manager

v1.2.0

Compare Source

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• ⚠️ BREAKING CHANGE ⚠️ The minimum supported Kubernetes version is now v1.16.0 as of cert-manager v1.2.0. Users still running Kubernetes v1.15 or below should upgrade to a supported version before installing cert-manager or use cert-manager v1.1.
• The User-Agent request header sent by cert-manager has changed to reflect the ownership transfer to the CNCF — see (#​3515, @​meyskens)
• The --renew-before-expiration-duration flag of the cert-manager controller-manager has been deprecated. Please set the Certificate.Spec.RenewBefore field instead. This flag will be removed in the next release.
• Certificates issued by the Vault issuer have changed — the root CA instead of the issuing CA is now stored in ca.crt — see (#​3433, @​sorah)

Changes by Kind

Feature

• Add cert-manager.io/usages to ingress-shim to specify key usages. Server Auth is now also added as default key usage of ingress-shim (#​3545, @​meyskens)
• Add kubectl cert-manager inspect secret to print certificate info from a secret resource (#​3457, @​meyskens)
• Add category names to our CRDs so they appear in kubectl get cert-manager and kubectl get cert-manager-acme (#​3583, @​meyskens)
• Add creation of PKCS12 truststore.p12 using Certificate Authority (#​3489, @​exceptionfactory)
• Add option to pass the Certificate duration to ACME (not supported by Let's Encrypt yet) (#​3347, @​meyskens)
• Added the ability to enable pprof profiling of the controller using the command line flag --enable-profiling. (#​3477, @​tharun208)
• Added the option to specify the OCSP server for certificates issued by the CA issuer (#​3505, @​hugoboos)
• Allows customization of cainjector leader-election leases with new flags --leader-election-lease-duration, --leader-election-renew-deadline and --leader-election-retry-period (#​3527, @​ndrpnt)
• The ingress-shim now checks for cert-manager.io/duration and cert-manager.io/renew-before annotations and uses those values to set the Certificate.Spec.Duration and Certificate.Spec.RenewBefore fields. (#​3465, @​wallrj)
• Venafi Issuer now sets the CA.crt field of the Secret. (#​3533, @​wallrj)

Bug or Regression

• Deprecated the --renew-before-expiration-duration flag of the cert-manager controller (#​3464, @​wallrj)
• Fix a bug in the AWS Route53 DNS01 challenge that to retrying over and over instead of observing an exponential back off (#​3485, @​maelvls)
• Relaxes Ingress validation rules to allow for Certificates to be created/updated for valid Ingress TLS entries even if the same Ingress contains some invalid TLS entries (#​3623, @​irbekrm)
• Fix Vault issuer not to store a root CA into a certificate bundle (tls.crt). Also, Vault issuer now stores a root CA instead of an issuing CA into a CA bundle (ca.crt), from a CA chain returned from Vault. (#​3433, @​sorah)
• Fix Helm chart type conversion bug (#​3647, @​irbekrm)

Other (Cleanup or Flake)

• Always install using admissionregistration.k8s.io/v1 (#​3519, @​meyskens)
• Change copyright owner to The cert-manager Authors (#​3500, @​meyskens)
• Migrate Ingress to networking.k8s.io/v1beta1 API group (#​3499, @​meyskens)
• Remove Jetstack from user-agent fields (#​3515, @​meyskens)
• Remove legacy release (#​3487, @​meyskens)

v1.1.0

Compare Source

Changes by Kind

Feature

• Add encodeUsagesInRequest to Certificate spec to disable encoding usages in the CSR (#​3304, @​raphink)
• Add option to pass the Certificate duration to ACME (not supported by Let's Encrypt yet) (#​3347, @​meyskens)
• Add support for issuing IP certificates in ACME (#​3288, @​meyskens)
• Adds ability to Helm chart to set podLabels for the webhook and cainjector deployments (#​3419, @​logicbomb421)
• Helm: Allow custom timeout value for webhook calls (#​3323, @​renan)
• Make ACME dns01 propagation check period configurable (#​3314, @​freym)
• Make Kubernetes API QPS throttling configurable (#​3382, @​meyskens)
• TPP issuer now supports access-token credentials. See https://cert-manager.io/docs/configuration/venafi/&#​35;creating-a-venafi-trust-protection-platform-issuer for details. (#​3379, @​wallrj)

Other (Bug, Cleanup or Flake)

• Add Venafi Cloud e2e tests (#​2966, @​meyskens)
• Do not encode EextendedKeyUsage in the CSR is none is needed (#​3262, @​meyskens)
• Fix a panic when changing the max concurrent challenges to a lower value (#​3399, @​meyskens)
• Fix bug in AWS route53 zone lookup that caused too many IAM requests (#​3354, @​supriya-premkumar)
• Fix conversion webhook when given v1beta1 requests (#​3242, @​meyskens)
• Fix logic in patchDuplicateKeyUsage when signing and digital signature were set (#​3343, @​meyskens)
• Fix nil pointer error in Cloud DNS when specific config was used. (#​3417, @​meyskens)
• Fixes incorrect CSR validation when both "signing" and "digital signature" are set (#​3279, @​meyskens)
• Improve ACME backoff logic + prevent infinity retry without surfacing errors (#​3321, @​meyskens)
• Improved API validation for Venafi Issuer configuration (#​3409, @​wallrj)
• Include ACME resources aggregated ClusterRoles (#​3330, @​sharmaansh21)
• Put current year into manifest license (#​3357, @​meyskens)
• Refactor the cainjector to only have 1 leader election and to avoid duplicate caches (#​3275, @​wallrj)
• Remove stability warning from README for v1.0 (#​3240, @​munnerz)
• Replace Go's ACME retry logic with custom logic (#​3384, @​meyskens)
• Revert de-duplication of cainjector leader-election to fix scenario where it crashes at startup due to broken webhook. (#​3254, @​wallrj)
• Run e2e tests against Venafi TPP (#​3328, @​meyskens)
• Set the resync periods of informers to 10 hours instead of 30 seconds (#​3403, @​meyskens)⏎

v1.0.4

Compare Source

Changes by Kind

Other (Bug, Cleanup or Flake)

• Fix a bug where the Venafi Issuer and ClusterIssuer did not set the Ready condition and message if there was an API connection or API authentication failure. The Ready condition will now always be set, including details of any errors during setup. (#​3389, @​wallrj)
• Fix a panic when changing the max concurrent challenges to a lower value (#​3418, @​meyskens)
• Fix bug in AWS route53 zone lookup that caused too many IAM requests (#​3375, @​supriya-premkumar)
• Fix logic in patchDuplicateKeyUsage when signing and digital signature were set (#​3352, @​meyskens)
• Fix nil pointer error in Cloud DNS when specific config was used. (#​3420, @​meyskens)

v1.0.3

Compare Source

Changes by Kind

Other (Bug, Cleanup or Flake)

• Fix logic in patchDuplicateKeyUsage when signing and digital signature were set (#​3352, @​meyskens)
• Fixes incorrect CSR validation when both "signing" and "digital signature" are set (#​3306, @​meyskens)
• Improve ACME backoff logic + prevent infinity retry without surfacing errors (#​3322, @​meyskens)

v1.0.2

Compare Source

Changes by Kind

Bug or Regression

• Do not encode ExtendedKeyUsage in the CSR is none is needed (#​3295, @​meyskens)
• Fixes incorrect CSR validation when both "signing" and "digital signature" are set (#​3306, @​meyskens)

v1.0.1

Compare Source

Changes by Kind

Other (Bug, Cleanup or Flake)

• Fix conversion webhook when given v1beta1 requests (#​3243, @​meyskens, @​wallrj)
• Remove stability warning from README for v1.0 (#​3240, @​munnerz)
• Revert de-duplication of cainjector leader-election to fix scenario where it crashes at startup due to broken webhook. (#​3255, @​wallrj)

v1.0.0

Compare Source

With cert-manager v1.0 we're putting a seal of trust on 3 years of development on the cert-manager project.
In these 3 years cert-manager has grown in functionality and stability, but mostly in the community.
Today we see many people using cert-manager to secure their Kubernetes clusters, as well as cert-manager
being integrated into many other parts in the ecosystem.
In the past 16 releases many bugs got fixed, and things that needed to be broken were broken.
Several iterations on the API improved the user experience.
We solved 1500 GitHub Issues with even more PRs by 253 contributors.

With releasing v1.0 we're officially making a statement that cert-manager is a mature project now.
We will also be making a compatibility promise with our v1 API.

A big thank you to everyone who helped to build cert-manager in the past 3 years!
Let v1.0 be the first of many big achievements!

The v1.0 release is a stability release with a few focus areas:

• v1 API
• kubectl cert-manager status command to help with investigating issues
• Using new and stable Kubernetes APIs
• Improved logging
• AMCE improvements

We invite you to read more about these changes on our website

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Old versions of kubectl and helm will have issues updating the CRD resources once installed. For more info check https://cert-manager.io/docs/installation/upgrading/upgrading-0.16-1.0/
• Versions of Kubernetes lower than v1.16 need special upgrade instructions. For more info check https://cert-manager.io/docs/installation/upgrading/upgrading-0.16-1.0/

Changes by Kind

Feature

• Add Events of Issuer and Secret to the output of status certificate command (#​3213, @​hzhou97)
• Add Events of the Certificate and of the CertificateRequest to the output of the ctl command status certificate (#​3102, @​hzhou97)
• Add priorityClassName field to podTemplate for ACME HTTP01 issuers (#​3112, @​meyskens)
• Add serviceAccountName field to podTemplate for ACME HTTP01 issuers (#​3139, @​paulwilljones)
• Add v1 API version (#​3177, @​wallrj)
• Add webhook.hostNetwork option to the Helm Chart to run the webhook in hostNetwork mode (#​3113, @​jfrancisco0)
• Add boolean field disableAccountKeyGeneration to ACMEIssuer to be able to not generate new account key and reuse existing ones. (#​3141, @​hzhou97)
• Add info about Challenges related to a Certificate resource to the output of status certificate command. (#​3186, @​hzhou97)
• Add key usages into the CSR body (#​3211, @​meyskens)
• Add output about Order resource for status certificate command if ACME Issuer is used. (#​3154, @​hzhou97)
• Add output about the Issuer/ClusterIssuer of the Certificate resource and about creation time of the Certificate. (#​3120, @​hzhou97)
• Add output about the Secret resource for status certificate command (#​3131, @​hzhou97)
• Add support for alternate certs with prefferedChain in ACME (#​3208, @​meyskens)
• Add support for ctl convert over a list (#​3205, @​JoshVanL)
• Added Namespace to VaultIssuer to support vault roles from a different vault namespaces (#​3106, @​thejasbabu)
• Allow cert-manager.io/common-name annotation on ingresses (#​3085, @​meyskens)
• Change default output version of convert command to v1. (#​3235, @​hzhou97)
• Helm chart: add extra custom annotation block to the mutating and validating webhooks. (#​3142, @​Cyanopus)
• Helm chart: add image digest option (#​3175, @​guilhem)
• Helm chart: make webhook-probes configurable (#​3192, @​ckotzbauer)
• Updated controllers to use v1 API and make v1 the storage version (#​3196, @​wallrj)

Other (Bug, Cleanup or Flake)

• Add apiextensions.k8s.io/v1 CRDs (#​3178, @​meyskens)
• Add support for admissionregistration.k8s.io/v1 (#​3167, @​meyskens)
• Add validation webhooks in integration tests (#​2958, @​meyskens)
• Build using Go version 1.15 (#​3228, @​wallrj)
• Bump Kubernetes dependencies to 1.19 (#​3166, @​meyskens)
• Ensures Secrets created from the Certificates controller contains the annotation containing the Issuer Group Name. (#​3151, @​JoshVanL)
• Fix bug of status certificate command where the matching CR gets overwritten (#​3117, @​hzhou97)
• Fixes generation of ACME resources if the the 52nd character in a CR name is a symbol. (#​3232, @​meyskens)
• Let cert-manage handle ACME backoff when Retry-After is set on a rate limit error (#​3215, @​meyskens)
• Refactor the cainjector to only have 1 leader election (#​3187, @​meyskens)
• Remove Helm specific labels from static manifests (#​3179, @​meyskens)
• Remove stability warning from README for v1.0 (#​3240, @​munnerz)
• Updates kind cluster 1.19 SHA to use upstream kindest (#​3227, @​JoshVanL)
• Use klog v2 and improve the use of log levels (#​3143, @​meyskens)
• Use rbac.authorization.k8s.io/v1 (#​3172, @​meyskens)

v0.16.1

Compare Source

Changes by Kind

Other (Bug, Cleanup or Flake)

• Ensures Secrets created from the Certificates controller contains the annotation containing the Issuer Group Name. (#​3153, @​JoshVanL)

v0.16.0

Compare Source

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Old versions of kubectl and helm will have issues updating the CRD resources once installed. For more info check https://cert-manager.io/docs/installation/upgrading/upgrading-0.15-0.16/

• Support for AuditSink resources in the auditregistration.k8s.io/v1alpha1 API group has been removed (#​3056, @​munnerz)

Changes by Kind

Feature

• Acme: surface the 'reason' for Order's failing on Certificate & CertificateRequest resources for easier debugging of failures (#​3075, @​munnerz)
• Add Events of the Certificate and of the CertificateRequest to the output of the ctl command status certificate (#​3102, @​hzhou97)
• Add v1beta1 API version (#​3038, @​munnerz)
• Add a hostedZoneName field to Cloud DNS (#​2975, @​meyskens)
• Add cert-manager specific User-Agent to HTTP01 self-checks (#​3046, @​meyskens)
• Add information about the CertificateRequest resource related to the Certificate to the output of the status certificate command. (#​3090, @​hzhou97)
• Add new ctl command that outputs the details of the current status of a Certificate resource (#​3026, @​hzhou97)
• Add new ctl command to manually create a CertificateRequest from yaml description of a Certificate resource. (#​2957, @​hzhou97)
• Added the ability to set the container securityContext for each deployment in the helm chart (#​2858, @​sudermanjr)
• Enable the new certificate controller implementations for all users (#​3049, @​munnerz)
• Kubectl cert-manager: Added flags to wait for the CertificateRequest to be ready and store the certificate in a file. (#​3044, @​hzhou97)
• Venafi: make issuance of certificates asynchronous (#​2979, @​meyskens)

Other (Bug, Cleanup or Flake)

• Add e2e tests for OpenShift 3.11 (#​2788, @​meyskens)
• Add more information to the Cloudflare DNS errors (#​3101, @​meyskens)
• An empty ca.crt will no longer be added into the secret resource (#​2947, @​hzhou97)
• Build using Go version 1.14.4 (#​3058, @​munnerz)
• DNS01: make Cloudflare email optional if a token is used (#​2989, @​meyskens)
• Default to O = cert-manager in the Venafi issuer if DN is empty (#​2946, @​meyskens)
• Ensure Deleted Certificates no longer expose metrics and better cover all controller metrics. (#​2923, @​JoshVanL)
• Error on venafi CertificateRequest when DN is empty (#​3053, @​meyskens)
• Experimental certificate controllers encode private keys according to specification of user. (#​3017, @​hzhou97)
• Experimental certificates controllers: fix automated certificate renewal (#​3027, @​munnerz)
• Fix bug causing kubectl cert-manager convert to not work when conversions need to be performed (#​3018, @​hzhou97)
• Improve documentation of API types displayed via kubectl explain (#​3031, @​munnerz)
• Remove custom retry logic from Route53 DNS01 (#​2898, @​diversario)
• Tag the Docker image with the correct architecture attribute (#​3001, @​meyskens)
• Update the miekg/dns dependency (#​2839, @​meyskens)
• Updates AWS Go SDK to 1.31.3 to support Route53 in AWS China Region (#​2940, @​qqshfox)
• Upgrade to use Kubernetes 1.18.5 client libraries (#​3059, @​munnerz)
• Use ctl.Scheme in create cr ctl command (#​3036, @​hzhou97)

v0.15.2

Compare Source

Changes by Kind

Other (Bug, Cleanup or Flake)

• Error on venafi CertificateRequest when DN is empty (#​3054, @​meyskens)
• Fix entrypoint being inside a shell in UBI images (cert-manager-olm#​12, @​meyskens)

---

Renovate configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by WhiteSource Renovate. View repository job log here.