build(deps): update helm release cert-manager to v1.20.3 #25

Open
mogenius-renovate-bot[bot] wants to merge 1 commit into main from renovate/cert-manager-1.20.x

@mogenius-renovate-bot mogenius-renovate-bot Bot commented Jun 10, 2026

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| cert-manager (source) | patch | 1.20.0 → v1.20.3 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

cert-manager/cert-manager (cert-manager)

v1.20.3

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING]
Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression
Other (Cleanup or Flake)

v1.20.2

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.2 fixes invalid YAML generated in the Helm chart when both webhook.config
and webhook.volumes are defined, and bumps Go to 1.26.2 along with dependencies
to address reported vulnerabilities.

Changes by Kind

Bug or Regression
Other (Cleanup or Flake)

v1.20.1

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.1 fixes an issue for OpenShift users that has to do with the finalizer RBAC, bumps gRPC to address a reported non-affecting vulnerability, and fixes a duplicate parentRef bug when both issuer config and annotations are present (Gateway API).

Bug or Regression
  • Fixed duplicate parentRef bug when both issuer config and annotations are present. (#8658, @hjoshi123)
  • Add missing issuer finalizer RBAC to the order controller to support owner references. This was preventing OpenShift users from being able to upgrade to v1.20.0. (#8655, @erikgb)
  • Bump google.golang.org/grpc to fix vulnerability reported by scanners. This isn't a vulnerability that affects cert-manager, but we are bumping it because it is reported by scanners. (#8657, @erikgb)

Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Signed-off-by: mogenius-renovate-bot[bot] <260588915+mogenius-renovate-bot[bot]@users.noreply.github.com>
@mogenius-renovate-bot mogenius-renovate-bot Bot force-pushed the renovate/cert-manager-1.20.x branch from 498d8df to 9804986 Compare June 25, 2026 23:16
@mogenius-renovate-bot mogenius-renovate-bot Bot changed the title build(deps): update helm release cert-manager to v1.20.2 build(deps): update helm release cert-manager to v1.20.3 Jun 25, 2026
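
An added example, not part of this PR or of the cert-manager project: a post-upgrade audit for the RBAC change described in the v1.20.3 notes. It scans Role/ClusterRole objects for rules that still allow `create` on Challenges or `create`, `patch`, `update` on Orders, including wildcard grants. It assumes input in the shape of `kubectl get clusterroles,roles -A -o json`; the role names in the sample are constructed.

```python
import json

ACME_GROUP = "acme.cert-manager.io"
# Verbs the v1.20.3 notes say cert-manager-edit no longer grants.
SENSITIVE = {"challenges": {"create"}, "orders": {"create", "patch", "update"}}


def risky_grants(rbac_list):
    """Return (kind, namespace, name, resource, verbs) for each rule that
    still allows direct creation/modification of ACME Challenges or Orders."""
    findings = []
    for obj in rbac_list.get("items", []):
        meta = obj.get("metadata", {})
        for rule in obj.get("rules") or []:  # rules may be null
            if not {ACME_GROUP, "*"} & set(rule.get("apiGroups") or []):
                continue
            resources = set(rule.get("resources") or [])
            verbs = set(rule.get("verbs") or [])
            for res, bad in SENSITIVE.items():
                if not {res, "*"} & resources:
                    continue
                hit = bad if "*" in verbs else bad & verbs  # "*" covers every verb
                if hit:
                    findings.append((obj["kind"], meta.get("namespace", ""),
                                     meta["name"], res, sorted(hit)))
    return findings


# Constructed sample in the shape of `kubectl get clusterroles,roles -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "acme-tooling"},
  "rules": [{"apiGroups": ["acme.cert-manager.io"],
             "resources": ["challenges", "orders"],
             "verbs": ["get", "list", "create", "update"]}]},
 {"kind": "Role", "metadata": {"name": "ns-wildcard", "namespace": "team-a"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "acme-view"},
  "rules": [{"apiGroups": ["acme.cert-manager.io"],
             "resources": ["challenges", "orders"],
             "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "aggregated-empty"}, "rules": null}
]}
""")

if __name__ == "__main__":
    for kind, ns, name, res, verbs in risky_grants(SAMPLE):
        print(f"{kind} {ns + '/' if ns else ''}{name}: {res} -> {','.join(verbs)}")
```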