Supported Releases
This page lists the status, timeline and policy for currently supported releases of cert-manager.
All cert-manager releases are supported at least until the release of a second subsequent version. That means there are always at least two supported versions of cert-manager at any given time, and possibly more if there's also a current Long Term Support version.
We aim to do regular releases roughly every 4 months but release dates can vary when accounting for holidays, conferences (such as KubeCon), maintainer commitments and other world events.
You don't have to wait until the next minor release to start using new features; we also aim to create regular alpha releases which - while not as thoroughly tested or stable as other releases - should be stable enough to run.
Currently supported releases
Release | Release Date | End of Life | Supported Kubernetes versions | Supported OpenShift versions |
---|---|---|---|---|
1.15 | Jun 05, 2024 | Release of 1.17 | 1.24 → 1.30 | 4.11 → 4.15 |
1.14 | Feb 03, 2024 | Release of 1.16 | 1.24 → 1.30 | 4.11 → 4.15 |
1.12 LTS | May 19, 2023 | May 19, 2025 | 1.22 → 1.30 | 4.9 → 4.15 |
cert-manager 1.12 is a Long Term Support (LTS) release sponsored by Venafi. It will continue to be supported for at least 2 years from release.
Upcoming releases
Release | Release Date | End of Life | Supported Kubernetes versions | Supported OpenShift versions |
---|---|---|---|---|
1.16 | Oct 03, 2024 | Release of 1.18 | 1.25 → 1.30 | 4.12 → 4.15 |
Dates in the future are not firm commitments and are subject to change.
Old releases
Release | Release Date | EOL | Compatible Kubernetes versions | Compatible OpenShift versions |
---|---|---|---|---|
1.13 | Sep 12, 2023 | Jun 05, 2024 | 1.21 → 1.27 | 4.8 → 4.14 |
1.11 | Jan 11, 2023 | Sep 12, 2023 | 1.21 → 1.27 | 4.8 → 4.14 |
1.10 | Oct 17, 2022 | May 19, 2023 | 1.20 → 1.26 | 4.7 → 4.13 |
1.9 | Jul 22, 2022 | Jan 11, 2023 | 1.20 → 1.24 | 4.7 → 4.11 |
1.8 | Apr 05, 2022 | Oct 17, 2022 | 1.19 → 1.24 | 4.6 → 4.11 |
1.7 | Jan 26, 2021 | Jul 22, 2022 | 1.18 → 1.23 | 4.5 → 4.9 |
1.6 | Oct 26, 2021 | Apr 05, 2022 | 1.17 → 1.22 | 4.4 → 4.9 |
1.5 | Aug 11, 2021 | Jan 26, 2022 | 1.16 → 1.22 | 4.3 → 4.8 |
1.4 | Jun 15, 2021 | Oct 26, 2021 | 1.16 → 1.21 | 4.3 → 4.7 |
1.3 | Apr 08, 2021 | Aug 11, 2021 | 1.16 → 1.21 | 4.3 → 4.7 |
1.2 | Feb 10, 2021 | Jun 15, 2021 | 1.16 → 1.21 | 4.3 → 4.7 |
1.1 | Nov 24, 2020 | Apr 08, 2021 | 1.11 → 1.21 | 3.11 → 4.7 |
1.0 | Sep 02, 2020 | Feb 10, 2021 | 1.11 → 1.21 | 3.11 → 4.7 |
0.16 | Jul 23, 2020 | Nov 24, 2020 | 1.11 → 1.21 | 3.11 → 4.7 |
0.15 | May 06, 2020 | Sep 02, 2020 | 1.11 → 1.21 | 3.11 → 4.7 |
0.14 | Mar 11, 2020 | Jul 23, 2020 | 1.11 → 1.21 | 3.11 → 4.7 |
0.13 | Jan 21, 2020 | May 06, 2020 | 1.11 → 1.21 | 3.11 → 4.7 |
0.12 | Nov 27, 2019 | Mar 11, 2020 | 1.11 → 1.21 | 3.11 → 4.7 |
0.11 | Oct 10, 2019 | Jan 21, 2020 | 1.9 → 1.21 | 3.09 → 4.7 |
We list cert-manager releases on GitHub, and release notes on cert-manager.io.
We also maintain detailed upgrade instructions.
Support policy
What we mean by support
Our support window is four months for each release branch. In the below
diagram, release-1.2
is an example of a release branch. The support
window corresponds to the two latest releases, given that we produce a new
final release every two months. We offer two types of support:
For example, imagining that the latest release is v1.2.0
, you can expect
support for both v1.2.0
and v1.1.0
. Only the last patch release of each
branch is actually supported.
v1.0.0 ^Sep 2, 2020 | UNSUPPORTED------+---------------------------------------------> release-1.0 | RELEASES\ v\\ v1.1.0\ Nov 24, 2020 ^---------+-------------------------------> release-1.1 |\ | SUPPORTED\ | RELEASES\ v1.2.0 | = the two\ Feb 10, 2021 | last------------+--------------> release-1.2 | releases\ v\\\-----------> master branchApril 1, 2021
Technical support
Technical assistance is offered on a best-effort basis for supported
releases only. You can request support from the community on Kubernetes
Slack (in the #cert-manager
channel), using
GitHub Discussions or using the cert-manager-dev
Google group.
Security and bug fixes
We back-port important bug fixes — including security fixes — to all currently supported releases.
Security issues
Security issues are fixed as soon as possible. They get back-ported to the last two releases, and a new patch release is immediately created for them.
Critical bugs
Critical bugs include both regression bugs as well as upgrade bugs.
Regressions are functionalities that worked in a previous release but no longer work. #4142, #3393 and #2857 are three examples of regressions.
Upgrade bugs are issues (often Helm-related) preventing users from upgrading to currently supported releases from earlier releases of cert-manager. #3882 and #3644 are examples of upgrade bugs.
Note that intentional breaking changes do not belong to this category.
Fixes for critical bugs are (usually) immediately back-ported by creating a new patch release for the currently supported releases.
Long-standing bugs
Long-standing bug: sometimes a bug exists for a long time, and may have known workarounds. #3444 is an example of a long-standing bug.
Where we feel that back-porting would be difficult or might be a stability risk to clusters running cert-manager, we'll make the fix in a major release but avoid back-porting the fix.
Breaking changes
Breaking changes are changes that intentionally break the cert-manager Kubernetes API or the command line flags. We avoid making breaking changes where possible, and where they're required we'll give as much notice as possible.
Other back-ports
We aim to be conservative in what we back-port. That applies especially for anything which could be a runtime change - that is, a change which might alter behavior for someone upgrading between patch releases.
That means that if a candidate for back-porting has a chance of having a runtime impact we're unlikely to accept the change unless it addresses a security issue or a critical bug.
We reserve the right to back-port other changes which are unlikely to have a runtime impact, such as documentation or tooling changes. An example would be #5209 which updated how we perform a release of cert-manager but didn't have any realistic chance of having a runtime impact.
Generally we'll seek to be pragmatic. A rule of thumb might be to ask:
"Does this back-port improve cert-manager, bearing in mind that we really value stability for already-released versions?"
How we determine supported Kubernetes versions
The list of supported Kubernetes versions displayed in the Supported Releases section depends on what the cert-manager maintainers think is reasonable to support and to test.
In practice, this is largely determined based on what versions of kind are available for testing, and which versions of Kubernetes are provided by major upstream cloud Kubernetes vendors including EKS, GKE, AKS and OpenShift.
Vendor | Oldest Kubernetes Release* | Other Kubernetes Releases |
---|---|---|
EKS | 1.25 (EOL May 2024) | 1.26 (EOL Jun 2024), 1.27 (EOL Jul 2024), 1.28 (EOL Nov 2024), 1.29 (EOL Mar 2025) |
GKE | 1.26 (EOL May 2024) | 1.27 (EOL Aug 2024), 1.28 (EOL Sep 2024), 1.29 (EOL Jan 2025) |
AKS | 1.26 (EOL Jun 2024) | 1.27 (EOL Jul 2024), 1.28 (EOL Nov 2024), 1.29 (EOL - ) |
OpenShift 4 | 1.25 (4.12, EOL Jul 2024) | 1.26 (4.13, EOL Nov 2024), 1.27 (4.14, EOL May 2025), 1.28 (4.15, EOL Aug 2025) |
*Oldest release relevant to the next cert-manager release, as of 2024-04-19
OpenShift
cert-manager supports versions of OpenShift 4 based on the version of Kubernetes that each version maps to.
For convenience, the following table shows these version mappings:
OpenShift versions | Kubernetes version |
---|---|
4.15 | 1.28 |
4.14 | 1.27 |
4.13 | 1.26 |
4.12 | 1.25 |
4.11 | 1.24 |
4.10, 4.10 EUS | 1.23 |
4.9 | 1.22 |
4.8, 4.8 EUS | 1.21 |
4.7 | 1.20 |
4.6, 4.6 EUS | 1.19 |
Note that some OpenShift versions listed above may be predicted, since an updated version of OpenShift may not yet be available for the latest Kubernetes releases.
The last version of cert-manager to support OpenShift 3 was cert-manager 1.2, which is no longer maintained.
Terminology
The term "release" (or "minor release") refers to one minor version of
cert-manager. For example, 1.2 and 1.3 are two releases. Note that we do
not use the prefix v
for releases (just "1.2"). This is because releases
are not used as git tags.
Patch releases use the v
prefix (e.g., v1.2.0
, v1.3.1
...) since one
patch release = one git tag. The initial patch release is called "final
release":
Type of release | Example of git tag | Corresponding release | Corresponding release branch* |
---|---|---|---|
Final release | v1.3.0 | 1.3 | release-1.3 |
Patch release | v1.3.1 | 1.3 | release-1.3 |
Pre-release | v1.4.0-alpha.0 | N/A** | release-1.4 |
*For maintainers: each release has an associated long-lived branch that we
call the “release branch”. For example, release-1.2
is the release branch
for release 1.2.
**Pre-releases (e.g., v1.3.0-alpha.0
) don't have a corresponding
release (e.g., 1.3) since a release only exists after a final release
(e.g., v1.3.0
) has been created.
Our naming scheme mostly follows Semantic Versioning
2.0.0 with v
prepended to git tags and docker
images:
v<major>.<minor>.<patch>
where <minor>
is increased for each release, and <patch>
counts the
number of patches for the current <minor>
release. A patch is usually a
small change relative to the <minor>
release.