chore(deps): update helm release cert-manager to v1.21.0-beta.0#121
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update helm release cert-manager to v1.21.0-beta.0#121renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
31fcdd8 to
31dfcab
Compare
31dfcab to
0ffd4fb
Compare
0ffd4fb to
707e261
Compare
707e261 to
7da3bb4
Compare
7da3bb4 to
9fe0b5f
Compare
9fe0b5f to
8f1557a
Compare
8f1557a to
53c706b
Compare
53c706b to
14093a1
Compare
14093a1 to
ad17b5b
Compare
ad17b5b to
00d3f27
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.18.2→v1.21.0-beta.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
cert-manager/cert-manager (cert-manager)
v1.21.0-beta.0Compare Source
For full release notes including breaking changes, upgrade notes, major themes and community credits, see the v1.21 release notes.
Changes since v1.21.0-alpha.1
Feature
certificateRequestMaximumBackoffDurationcontroller configuration option to cap retry backoff time for failed CertificateRequests. Configurable via config file,--certificate-request-maximum-backoff-durationCLI flag, or Helm valueconfig.certificateRequestMaximumBackoffDuration. Defaults to 32 hours for backward compatibility. (#8893, @lunarwhite)waitInsteadOfSelfCheckfield to ACME HTTP01 and DNS01 solvers so cert-manager can skip its own self-check and ask the ACME server to validate after a configured wait. (#8858, @wallrj)runtimeClassNamesupport for cert-manager components and ACME HTTP01 solver pods. (#8791, @jsoref)--ignore-namespaceswas added to the cainjector binary. It can be used to filter out namespaces from being watched for secrets to use for injectables. (#8614, @figaw)cert-manager.io/alt-names,cert-manager.io/ip-sansto Certificates generated from ingress like objects in cert-shim controllers. (#8927, @jabbrwcky)acme.cert-manager.io/http01-parentreffallback: "true"causes cert-manager to use the parent Gateway as the solver HTTPRoute parentRef instead of the ListenerSet. This enables TLS-only ListenerSets to rely on a shared Gateway HTTP listener for ACME challenges. (#8749, @apkatsikas)Bug or Regression
RoleandRoleBindinggranting the cert-manager controller ServiceAccount permission to create tokens for itself (serviceaccounts/token: create). This RBAC was added in v1.16 (#7213) but no documented workflow requires it, and the motivating Route53 docs section was removed in Oct 2024. If you rely onserviceAccountRef.namepointing at the controller ServiceAccount (an undocumented pattern), you must now create your ownRoleandRoleBindinggrantingserviceaccounts/token: createon that ServiceAccount, or migrate to one of the documented patterns (IRSA ambient, or a dedicated ServiceAccount with its own RBAC). (#8931, @wallrj-cyberark)renewBeforePercentagecalculations that caused Certificates with durations longer than approximately 3 years to be incorrectly rejected by validation or assigned incorrect renewal times. (#8947, @ThatsMrTalbot)createand Ordercreate/patch/updatefrom the cert-manager-edit aggregate ClusterRole to prevent direct manipulation of these internal resources (GHSA-8rvj-mm4h-c258). (#8958, @wallrj-cyberark)...path segments inspec.vault.pathand auth mount path fields, preventingpath.Joinfrom silently resolving relative segments before constructing the Vault API request. (#8930, @wallrj-cyberark)Other (Cleanup or Flake)
prometheus.servicemonitor.targetPort,prometheus.servicemonitor.path, andprometheus.podmonitor.path. The metrics path is always/metricsand the target port is alwayshttp-metrics. Rename the controller service metrics port fromtcp-prometheus-servicemonitortohttp-metricsfor consistency with other workloads. Users must remove these keys from their value overrides before upgrading. (#8952, @erikgb)v1.21.0-alpha.1Compare Source
Changes since v1.21.0-alpha.0
Feature
AuthFailedIssuer condition reason to distinguish bad credentials from transient infrastructure errors. (#8808, @FelixPhipps)--acme-http01-solver-extra-labels, allowing Helm'sglobal.commonLabelsto propagate to all dynamically-created ACME HTTP01 solver resources (Pods, Services, Ingresses, or Gateway API HTTPRoutes). (#8761, @lunarwhite)startupapicheck.ttlSecondsAfterFinishedHelm value to enable automatic cleanup of the startupapicheck Job via the Kubernetes TTL-after-finished controller. (#8523, @dap0am)cert-manager.io/ignore-tls-listenersannotation for ignoring gwapi listeners. (#8727, @hjoshi123)Bug or Regression
e2e-setup-samplewebhookinstallation to use the samplewebhook image repository and tag from the saved image tarball manifest. (#8821, @wallrj)webhook.configandwebhook.volumesare defined. (#8664, @jnohlgard)Other (Cleanup or Flake)
enableGatewayAPIandenableGatewayAPIListenerSetfields onControllerConfigurationare deprecated and moved into thegatewayAPIsub-struct asgatewayAPI.enabledandgatewayAPI.enableListenerSet. The old fields continue to work. (#8732, @ThatsMrTalbot)v1.21.0-alpha.0Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
Changes by Kind since
v1.20.0Feature
Bug or Regression
parentRefbug when both issuer config and annotations are present. (#8619, @hjoshi123)Other (Cleanup or Flake)
v1.20.3Compare Source
v1.20.2Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.20.2 fixes invalid YAML generated in the Helm chart when both
webhook.configand
webhook.volumesare defined, and bumps Go to 1.26.2 along with dependenciesto address reported vulnerabilities.
Changes by Kind
Bug or Regression
webhook.configandwebhook.volumesare defined. (#8665, @cert-manager-bot)Other (Cleanup or Flake)
v1.20.1Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.20.1 fixes an issue for OpenShift users that has to do with the finalizer RBAC, bumps gRPC to address a reported non-affecting vulnerability, and fixes a duplicate
parentRefbug when both issuer config and annotations are present (Gateway API).Bug or Regression
parentRefbug when both issuer config and annotations are present. (#8658, @hjoshi123)v1.20.0Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.20.0 adds alpha support for the new ListenerSet resource, adds support for Azure Private DNS; parentRefs are no longer required when using ACME with Gateway API, and OtherNames was promoted to Beta.
Changes by Kind
Feature
imagePullSecretsin thestartupapicheck-jobHelm template to enable pulling images from private registries. (#8186, @mathieu-clnk)parentRefoverride annotations on the Certificate resource. (#8518, @hjoshi123)venafi.cert-manager.io/custom-fieldsannotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level. (#8301, @k0da)acme.cert-manager.io/http01-ingress-ingressclassnameto overridehttp01.ingress.ingressClassNamefield in HTTP-01 challenge solvers. (#8244, @lunarwhite)global.nodeSelectorto helm chart to perform amergeand allow for a singlenodeSelectorto be set across all services. (#8195, @StingRayZA)XListenerSetsfeature gate (#8394, @hjoshi123)Documentation
Bug or Regression
Add full detailed DNS-01 errors to the events attached to the Challenge, for easier debugging (#8221, @wallrj-cyberark)
v1.25.5to fixCVE-2025-61727andCVE-2025-61729(#8290, @octo-sts[bot])cert-manager. Previously, it was set depending on various factors (namespace cert-manager is installed in and/or Helm release name). (#8162, @LiquidPL)Other (Cleanup or Flake)
XListenerSetsfeature gate toListenerSets(#8501, @hjoshi123)v1.19.6Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This patch release fixes a security issue (
GHSA-8rvj-mm4h-c258, HIGH) where the defaultcert-manager-editaggregate ClusterRole granted namespace users permission to create ACMEChallengeandOrderresources directly. A user who could create aChallengereferencing aClusterIssuercould supply attacker-controlled solver configuration while cert-manager loaded credentials from theClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones,dnsNames,matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.This release also includes Go version bumps to address reported CVEs. All users should upgrade.
Changes by Kind
Bug or Regression
createand Ordercreate,patch,updateverbs from thecert-manager-editaggregate ClusterRole (GHSA-8rvj-mm4h-c258). (#8941, @wallrj-cyberark)Other (Cleanup or Flake)
v1.25.11to fix CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507 (#8925, @wallrj-cyberark)v1.19.5Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This is a simple patch release to fix some reported vulnerabilities. All users are recommended to upgrade.
Changes by Kind
Other (Cleanup or Flake)
v1.19.4Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.19.4 is a simple patch release to fix some reported vulnerabilities - notably CVE-2026-24051 and CVE-2025-68121. All users should upgrade.
Changes by Kind
Bug or Regression
v1.19.3Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This release contains three bug fixes, including a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users should upgrade to the latest release.
Changes by Kind
Bug or Regression
Other (Cleanup or Flake)
v1.19.2Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
We updated Go to fix some vulnerabilities in the standard library.
Changes since
v1.19.1Bug or Regression
CVE-2025-47914andCVE-2025-58181which were reported by Trivy. (#8283, @SgtCoDFish)v1.25.5to fixCVE-2025-61727andCVE-2025-61729(#8294, @wallrj-cyberark)global.nodeSelectorto helm chart to perform amergeand allow for a singlenodeSelectorto be set across all services. (#8233, @cert-manager-bot)Other (Cleanup or Flake)
golang/x/crypto(#8270, @SgtCoDFish)v1.19.1Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
We reverted the CRD-based API defaults for
Certificate.Spec.IssuerRefandCertificateRequest.Spec.IssuerRefafter they were found to cause unexpected certificate renewals after upgrading to 1.19.0. We will try re-introducing these API defaults in cert-manager1.20.We fixed a bug that caused certificates to be re-issued unexpectedly if the
issuerRefkind or group was changed to one of the "runtime" default values.We upgraded Go to
1.25.3to address the following security vulnerabilities:CVE-2025-61724,CVE-2025-58187,CVE-2025-47912,CVE-2025-58183,CVE-2025-61723,CVE-2025-58186,CVE-2025-58185,CVE-2025-58188, andCVE-2025-61725.Changes since
v1.19.0:Bug or Regression
issuerRefof a Certificate was omitted, upgrading to1.19.xincorrectly caused the certificate to be renewed (#8175, @cert-manager-bot)v1.19.0Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This release focuses on expanding platform compatibility, improving deployment flexibility, enhancing observability, and addressing key reliability issues.
Changes since
v1.18.0:Feature
global.nodeSelectorto helm chart to allow for a singlenodeSelectorto be set across all services. (#7818, @StingRayZA)pathTypeExactin ACME HTTP01 Ingress challenge solvers. (#7795, @sspreitzer)applyconfigurationsallowing clients to make type-safe server-side apply requests for cert-manager resources. (#7866, @erikgb)certmanager_certificate_challenge_statusPrometheus metric. (#7736, @hjoshi123)protocolfield forrfc2136DNS01 provider (#7881, @hjoshi123)hostUsersflag to all pods. Not set by default. (#7973, @hjoshi123)--acme-http01-solver-resource-*settings. (#7972, @lunarwhite)CAInjectorMergingfeature has been promoted to BETA and is now enabled by default (#8017, @ThatsMrTalbot)certificatemetrics to the collector approach. (#7856, @hjoshi123)Bug or Regression
error waiting for authorization(#7796, @hjoshi123)class,ingressClassName,name) are specified simultaneously (#8021, @lunarwhite)global.rbac.disableHTTPChallengesRoleHelm option. (#7836, @inteon)pathlabel of core ACME client metrics and will require users to update their monitoring dashboards and alerting rules if using those metrics. (#8109, @mladen-rusev-cyberark)ingress-nginxin E2E tests to ensure compatibility (#7792, @wallrj)Other (Cleanup or Flake)
tokenrequestRoleBinding resource to improve consistency (#7761, @lunarwhite)maps.Copyfor cleaner map handling (#8092, @quantpoet)vault-client-goto the newvault/apiclient. (#8059, @armagankaratosun)v1.18.6Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.18.6 is a simple patch release to fix some reported vulnerabilities, most notably CVE-2025-68121.
NB: We didn't attempt to patch CVE-2026-24051 but that vulnerability affects macOS only, so cert-manager will be unaffected.
Changes by Kind
Bug or Regression
v1.18.5Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This release contains three bug fixes, including a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users should upgrade to the latest release.
Changes by Kind
Bug or Regression
Other (Cleanup or Flake)
v1.18.4Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
We updated Go to fix some vulnerabilities in the standard library.
Changes since
v1.18.3Bug or Regression
CVE-2025-47914andCVE-2025-58181which were reported by Trivy. (#8282, @SgtCoDFish)v1.24.11to fixCVE-2025-61727andCVE-2025-61729(#8295, @wallrj-cyberark)Other (Cleanup or Flake)
golang/x/crypto(#8271, @SgtCoDFish)v1.18.3Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
We fixed a bug which caused certificates to be re-issued unexpectedly, if the issuerRef kind or group was changed to one of the "runtime" default values. We increased the size limit when parsing PEM certificate chains to handle leaf certificates with large numbers of DNS named or other identities. We upgraded Go to 1.24.9 to fix various non-critical security vulnerabilities.
Changes since
v1.18.2:Bug or Regression
Other (Cleanup or Flake)
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.