chore(deps): update helm release cert-manager to v1.21.0-beta.0 #121

Open
renovate[bot] wants to merge 1 commit into dev from renovate/cert-manager-1.x

@renovate renovate Bot commented Oct 2, 2025

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| cert-manager (source) | minor | v1.18.2 → v1.21.0-beta.0 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

cert-manager/cert-manager (cert-manager)

v1.21.0-beta.0

Compare Source

[!NOTE]
⚠️ This is a pre-release. For testing only!

For full release notes including breaking changes, upgrade notes, major themes and community credits, see the v1.21 release notes.

Changes since v1.21.0-alpha.1

Feature
  • Add certificateRequestMaximumBackoffDuration controller configuration option to cap retry backoff time for failed CertificateRequests. Configurable via config file, --certificate-request-maximum-backoff-duration CLI flag, or Helm value config.certificateRequestMaximumBackoffDuration. Defaults to 32 hours for backward compatibility. (#​8893, @​lunarwhite)
  • Add an optional waitInsteadOfSelfCheck field to ACME HTTP01 and DNS01 solvers so cert-manager can skip its own self-check and ask the ACME server to validate after a configured wait. (#​8858, @​wallrj)
  • Add configurable runtimeClassName support for cert-manager components and ACME HTTP01 solver pods. (#​8791, @​jsoref)
  • Added ARI support through the ACMEUseARI feature gate. (#​8798, @​hjoshi123)
  • Added AWS IAM authentication support for Vault issuer, including IRSA (IAM Roles for Service Accounts) and ambient credentials (EC2/ECS). (#​8422, @​bitloi)
  • Adds support for the Modern2026 go-pkcs12 profile and FIPS 140-3. (#​8841, @​seanorama)
  • A new flag --ignore-namespaces was added to the cainjector binary. It can be used to filter out namespaces from being watched for secrets to use for injectables. (#​8614, @​figaw)
  • Disabled client side rate-limiting if AP&F is enabled. (#​8757, @​hjoshi123)
  • Processed annotations cert-manager.io/alt-names, cert-manager.io/ip-sans to Certificates generated from ingress like objects in cert-shim controllers. (#​8927, @​jabbrwcky)
  • When using ACME HTTP-01 with a ListenerSet, setting the annotation acme.cert-manager.io/http01-parentreffallback: "true" causes cert-manager to use the parent Gateway as the solver HTTPRoute parentRef instead of the ListenerSet. This enables TLS-only ListenerSets to rely on a shared Gateway HTTP listener for ACME challenges. (#​8749, @​apkatsikas)
Bug or Regression
  • BREAKING: The Helm chart no longer ships a default Role and RoleBinding granting the cert-manager controller ServiceAccount permission to create tokens for itself (serviceaccounts/token: create). This RBAC was added in v1.16 (#​7213) but no documented workflow requires it, and the motivating Route53 docs section was removed in Oct 2024. If you rely on serviceAccountRef.name pointing at the controller ServiceAccount (an undocumented pattern), you must now create your own Role and RoleBinding granting serviceaccounts/token: create on that ServiceAccount, or migrate to one of the documented patterns (IRSA ambient, or a dedicated ServiceAccount with its own RBAC). (#​8931, @​wallrj-cyberark)
  • ACME challenges no longer terminally fail on transient network errors (TLS handshake timeouts, DNS failures, context cancellation) during nonce fetches and authorization waits. The challenge controller returns the error and lets the workqueue retry with backoff. (#​8760, @​texasich)
  • Fix webhook serving certificate not being renewed after system suspend. (#​8464, @​Peac36)
  • Fixed a rare panic in the trigger controller when a Certificate is deleted from the informer cache while a reconcile is in progress (e.g. during namespace teardown). (#​8962, @​hjoshi123)
  • Fixed an integer overflow in renewBeforePercentage calculations that caused Certificates with durations longer than approximately 3 years to be incorrectly rejected by validation or assigned incorrect renewal times. (#​8947, @​ThatsMrTalbot)
  • Fixed potential OOM in DNS-over-HTTPS client by bounding response body read with io.LimitReader (128 KB cap). (#​8803, @​SebTardif)
  • Fixed validation of timezone-prefixed renewal window cron specs without a schedule. (#​8813, @​immanuwell)
  • Harden ACME Challenge and Order resources: reject user-created Challenges without Order ownership, enforce Order spec immutability, and detect pre-placed same-name Challenges with mismatched specs. (#​8948, @​wallrj-cyberark)
  • Remove ACME Challenge create and Order create/patch/update from the cert-manager-edit aggregate ClusterRole to prevent direct manipulation of these internal resources (GHSA-8rvj-mm4h-c258). (#​8958, @​wallrj-cyberark)
  • Update logic to identify and preserve the secret matching nextPrivateKeySecretName. (#​8577, @​putongyong)
  • Vault Issuer webhook validation now rejects ... path segments in spec.vault.path and auth mount path fields, preventing path.Join from silently resolving relative segments before constructing the Vault API request. (#​8930, @​wallrj-cyberark)
Other (Cleanup or Flake)
  • Remove Helm values prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path, and prometheus.podmonitor.path. The metrics path is always /metrics and the target port is always http-metrics. Rename the controller service metrics port from tcp-prometheus-servicemonitor to http-metrics for consistency with other workloads. Users must remove these keys from their value overrides before upgrading. (#​8952, @​erikgb)
  • Update base images to Debian 13. (#​8849, @​ltwongaa)

v1.21.0-alpha.1

Compare Source

Changes since v1.21.0-alpha.0

[!NOTE]
⚠️ This is a pre-release. For testing only!

Feature
  • Add Venafi OAuth token request observability and a new AuthFailed Issuer condition reason to distinguish bad credentials from transient infrastructure errors. (#​8808, @​FelixPhipps)
  • Add new controller flag --acme-http01-solver-extra-labels, allowing Helm's global.commonLabels to propagate to all dynamically-created ACME HTTP01 solver resources (Pods, Services, Ingresses, or Gateway API HTTPRoutes). (#​8761, @​lunarwhite)
  • Add opt-in startupapicheck.ttlSecondsAfterFinished Helm value to enable automatic cleanup of the startupapicheck Job via the Kubernetes TTL-after-finished controller. (#​8523, @​dap0am)
  • Added cert-manager.io/ignore-tls-listeners annotation for ignoring gwapi listeners. (#​8727, @​hjoshi123)
  • Added option to specify additional listener protocols the GatewayAPI integration will consider when creating certificates. (#​8683, @​ThatsMrTalbot)
  • Extend the Venafi/CyberArk integration to also support PANW NGTS. (#​8779, @​FelixPhipps)
  • Make cainjector use SSA unconditionally and deprecate the ServerSideApply feature gate (#​8692, @​erikgb)
Bug or Regression
  • Add dns issuer secrets validation before marking it as ready (#​8255, @​Peac36)
  • Add missing issuer finalizer RBAC to the order controller to support owner references (#​8654, @​erikgb)
  • ClusterIssuer metrics collector now correctly respects the enabled-controllers configuration, avoiding a redundant startup when only operating within a namespace. (#​8822, @​lunarwhite)
  • Fix Venafi TPP issuer setup and signing regression on master: restore authentication of the vcert connector in the client constructor, which was removed in #​8808. (#​8843, @​wallrj-cyberark)
  • Fix a performance issue in the certificateRequestApproval webhook where CertificateRequests referencing a GroupKind whose CRD is not yet installed would trigger repeated API server discovery queries on every admission request. Negative results are now cached for 30 seconds. (#​8651, @​mateenali66)
  • Fixed infinite re-issuance loop when issuer returns an already expired certificate (#​8610, @​onurmicoogullari)
  • Fixed local e2e-setup-samplewebhook installation to use the samplewebhook image repository and tag from the saved image tarball manifest. (#​8821, @​wallrj)
  • Helm chart bugfix: rename image helper to avoid umbrella chart conflicts (#​8753, @​FelixPhipps)
  • Helm: Fix invalid YAML generated when both webhook.config and webhook.volumes are defined. (#​8664, @​jnohlgard)
  • Remove issuer owner reference from challenges blocking challenge garbage collection (#​8743, @​erikgb)
Other (Cleanup or Flake)
  • The enableGatewayAPI and enableGatewayAPIListenerSet fields on ControllerConfiguration are deprecated and moved into the gatewayAPI sub-struct as gatewayAPI.enabled and gatewayAPI.enableListenerSet. The old fields continue to work. (#​8732, @​ThatsMrTalbot)

v1.21.0-alpha.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ This is a pre-release. For testing only!

Changes by Kind since v1.20.0

Feature
Bug or Regression
  • Fixed duplicate parentRef bug when both issuer config and annotations are present. (#​8619, @​hjoshi123)
Other (Cleanup or Flake)

v1.20.3

Compare Source

v1.20.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.2 fixes invalid YAML generated in the Helm chart when both webhook.config
and webhook.volumes are defined, and bumps Go to 1.26.2 along with dependencies
to address reported vulnerabilities.

Changes by Kind
Bug or Regression
Other (Cleanup or Flake)

v1.20.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.1 fixes an issue for OpenShift users that has to do with the finalizer RBAC, bumps gRPC to address a reported non-affecting vulnerability, and fixes a duplicate parentRef bug when both issuer config and annotations are present (Gateway API).

Bug or Regression
  • Fixed duplicate parentRef bug when both issuer config and annotations are present. (#​8658, @​hjoshi123)
  • Add missing issuer finalizer RBAC to the order controller to support owner references. This was preventing OpenShift users from being able to upgrade to v1.20.0. (#​8655, @​erikgb)
  • Bump google.golang.org/grpc to fix vulnerability reported by scanners. This isn't a vulnerability that affects cert-manager, but we are bumping it because it is reported by scanners. (#​8657, @​erikgb)

v1.20.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.0 adds alpha support for the new ListenerSet resource, adds support for Azure Private DNS; parentRefs are no longer required when using ACME with Gateway API, and OtherNames was promoted to Beta.

Changes by Kind
Feature
  • Added a set of flags to permit setting NetworkPolicy across all deployed containers. Remove redundant global IP ranges from example policies. (#​8370, @​jcpunk)
  • Added selectable fields to custom resource definitions for .spec.issuerRef.{group, kind, name} (#​8256, @​tareksha)
  • Added support for specifying imagePullSecrets in the startupapicheck-job Helm template to enable pulling images from private registries. (#​8186, @​mathieu-clnk)
  • Added 'extraContainers' helm chart value, allowing the deployment of arbitrary sidecar containers within the cert-manager operator pod. This can be used to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification. (#​8355, @​dancmeyers)
  • Added parentRef override annotations on the Certificate resource. (#​8518, @​hjoshi123)
  • Added support for azure private zones for dns01 issuer. (#​8494, @​hjoshi123)
  • Added support for configuring PEM decoding size limits, allowing operators to handle larger certificates and keys. (#​7642, @​robertlestak)
  • Added support for unhealthyPodEvictionPolicy in PodDisruptionBudget (#​7728, @​jcpunk)
  • For Venafi provider, read venafi.cert-manager.io/custom-fields annotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level. (#​8301, @​k0da)
  • Improve error message when CA issuers are misconfigured to use a clashing secret name (#​8374, @​majiayu000)
  • Introduce a new Ingress annotation acme.cert-manager.io/http01-ingress-ingressclassname to override http01.ingress.ingressClassName field in HTTP-01 challenge solvers. (#​8244, @​lunarwhite)
  • Update global.nodeSelector to helm chart to perform a merge and allow for a single nodeSelector to be set across all services. (#​8195, @​StingRayZA)
  • Vault issuers will now include the Vault server address as one of the default audiences on generated service account tokens. (#​8228, @​terinjokes)
  • Added experimental XListenerSets feature gate (#​8394, @​hjoshi123)
Documentation
Bug or Regression
  • Adds logs for cases when acme server returns us a fatal error in the order controller (#​8199, @​Peac36)
  • Fixed an issue where kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed (#​8160, @​inteon)
  • Changes to the Duration and RenewBefore annotations on ingress and gateway-api resources will now trigger certificate updates. (#​8232, @​eleanor-merry)
  • Fix an issue where ACME challenge TXT records are not cleaned up when there are many resource records in CloudDNS. (#​8456, @​tkna)
  • Fix unregulated retries with the DigitalOcean DNS-01 solver
    Add full detailed DNS-01 errors to the events attached to the Challenge, for easier debugging (#​8221, @​wallrj-cyberark)
  • Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. (#​8403, @​calm329)
  • Fixed an issue where HTTP-01 challenges failed when the Host header contains an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. (#​8424, @​SlashNephy)
  • Fixed the HTTP-01 Gateway solver creating invalid HTTPRoutes by not setting spec.hostnames when the challenge DNSName is an IP address. (#​8443, @​alviss7)
  • Revert API defaults for issuer reference kind and group introduced in 0.19.0 (#​8173, @​erikgb)
  • Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. (#​8469, @​SgtCoDFish)
  • Update Go to v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729 (#​8290, @​octo-sts[bot])
  • When Prometheus monitoring is enabled, the metrics label is now set to the intended value of cert-manager. Previously, it was set depending on various factors (namespace cert-manager is installed in and/or Helm release name). (#​8162, @​LiquidPL)
Other (Cleanup or Flake)

v1.19.6

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also includes Go version bumps to address reported CVEs. All users should upgrade.

[!WARNING]
Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression
Other (Cleanup or Flake)

v1.19.5

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This is a simple patch release to fix some reported vulnerabilities. All users are recommended to upgrade.

Changes by Kind
Other (Cleanup or Flake)

v1.19.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.19.4 is a simple patch release to fix some reported vulnerabilities - notably CVE-2026-24051 and CVE-2025-68121. All users should upgrade.

Changes by Kind
Bug or Regression

v1.19.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This release contains three bug fixes, including a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users should upgrade to the latest release.

Changes by Kind

Bug or Regression
  • Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. (#​8415, @​cert-manager-bot)
  • Fixed an issue where HTTP-01 challenges failed when the Host header contained an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. (#​8436, @​cert-manager-bot)
  • Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. (#​8468, @​SgtCoDFish)
Other (Cleanup or Flake)

v1.19.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We updated Go to fix some vulnerabilities in the standard library.

📖 Read the full 1.19 release notes on the cert-manager.io website before upgrading.

Changes since v1.19.1

Bug or Regression
  • Address false positive vulnerabilities CVE-2025-47914 and CVE-2025-58181 which were reported by Trivy. (#​8283, @​SgtCoDFish)
  • Update Go to v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729 (#​8294, @​wallrj-cyberark)
  • Update global.nodeSelector to helm chart to perform a merge and allow for a single nodeSelector to be set across all services. (#​8233, @​cert-manager-bot)
Other (Cleanup or Flake)

v1.19.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We reverted the CRD-based API defaults for Certificate.Spec.IssuerRef and CertificateRequest.Spec.IssuerRef after they were found to cause unexpected certificate renewals after upgrading to 1.19.0. We will try re-introducing these API defaults in cert-manager 1.20.
We fixed a bug that caused certificates to be re-issued unexpectedly if the issuerRef kind or group was changed to one of the "runtime" default values.
We upgraded Go to 1.25.3 to address the following security vulnerabilities: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.

📖 Read the full 1.19 release notes on the cert-manager.io website before upgrading.

Changes since v1.19.0:

Bug or Regression
  • BUGFIX: in case kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed (#​8175, @​cert-manager-bot)
  • Bump Go to 1.25.3 to fix a backwards incompatible change to the validation of DNS names in X.509 SAN fields which prevented the use of DNS names with a trailing dot (#​8177, @​wallrj-cyberark)
  • Revert API defaults for issuer reference kind and group introduced in 0.19.0 (#​8178, @​cert-manager-bot)

v1.19.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Known issues: The following known issues are fixed in v1.19.1:

This release focuses on expanding platform compatibility, improving deployment flexibility, enhancing observability, and addressing key reliability issues.

📖 Read the full release notes at cert-manager.io: https://cert-manager.io/docs/releases/release-notes/release-notes-1.19

Changes since v1.18.0:

Feature

  • Add IPv6 rules to the default network policy (#​7726, @​jcpunk)
  • Add global.nodeSelector to helm chart to allow for a single nodeSelector to be set across all services. (#​7818, @​StingRayZA)
  • Add a feature gate to default to Ingress pathType Exact in ACME HTTP01 Ingress challenge solvers. (#​7795, @​sspreitzer)
  • Add generated applyconfigurations allowing clients to make type-safe server-side apply requests for cert-manager resources. (#​7866, @​erikgb)
  • Added API defaults to issuer references group (cert-manager.io) and kind (Issuer). (#​7414, @​erikgb)
  • Added certmanager_certificate_challenge_status Prometheus metric. (#​7736, @​hjoshi123)
  • Added protocol field for rfc2136 DNS01 provider (#​7881, @​hjoshi123)
  • Added experimental field hostUsers flag to all pods. Not set by default. (#​7973, @​hjoshi123)
  • Support configurable resource requests and limits for ACME HTTP01 solver pods through ClusterIssuer and Issuer specifications, allowing granular resource management that overrides global --acme-http01-solver-resource-* settings. (#​7972, @​lunarwhite)
  • The CAInjectorMerging feature has been promoted to BETA and is now enabled by default (#​8017, @​ThatsMrTalbot)
  • The controller, webhook and ca-injector now log their version and git commit on startup for easier debugging and support. (#​8072, @​prasad89)
  • Updated certificate metrics to the collector approach. (#​7856, @​hjoshi123)

Bug or Regression

  • ACME: Increased challenge authorization timeout to 2 minutes to fix error waiting for authorization (#​7796, @​hjoshi123)
  • BUGFIX: permitted URI domains were incorrectly used to set the excluded URI domains in the CSR's name constraints (#​7816, @​kinolaev)
  • Enforced ACME HTTP-01 solver validation to properly reject configurations when multiple ingress options (class, ingressClassName, name) are specified simultaneously (#​8021, @​lunarwhite)
  • Increase maximum sizes of PEM certificates and chains which can be parsed in cert-manager, to handle leaf certificates with large numbers of DNS names or other identities (#​7961, @​SgtCoDFish)
  • Reverted adding the global.rbac.disableHTTPChallengesRole Helm option. (#​7836, @​inteon)
  • This change removes the path label of core ACME client metrics and will require users to update their monitoring dashboards and alerting rules if using those metrics. (#​8109, @​mladen-rusev-cyberark)
  • Use the latest version of ingress-nginx in E2E tests to ensure compatibility (#​7792, @​wallrj)

Other (Cleanup or Flake)

  • Helm: Fix naming template of tokenrequest RoleBinding resource to improve consistency (#​7761, @​lunarwhite)
  • Improve error messages when certificates, CRLs or private keys fail admission due to malformed or missing PEM data (#​7928, @​SgtCoDFish)
  • Major upgrade of Akamai SDK. NOTE: The new version has not been fully tested end-to-end due to the lack of cloud infrastructure. (#​8003, @​hjoshi123)
  • Update kind images to include the Kubernetes 1.33 node image (#​7786, @​wallrj)
  • Use maps.Copy for cleaner map handling (#​8092, @​quantpoet)
  • Vault: Migrate Vault E2E add-on tests from deprecated vault-client-go to the new vault/api client. (#​8059, @​armagankaratosun)

v1.18.6

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.18.6 is a simple patch release to fix some reported vulnerabilities, most notably CVE-2025-68121.

NB: We didn't attempt to patch CVE-2026-24051 but that vulnerability affects macOS only, so cert-manager will be unaffected.

Changes by Kind

Bug or Regression

v1.18.5

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This release contains three bug fixes, including a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users should upgrade to the latest release.

Changes by Kind

Bug or Regression
  • Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. (#​8414, @​cert-manager-bot)
  • Fixed an issue where HTTP-01 challenges failed when the Host header contains an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. (#​8437, @​cert-manager-bot)
  • Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. (#​8467, @​SgtCoDFish)
Other (Cleanup or Flake)

v1.18.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We updated Go to fix some vulnerabilities in the standard library.

📖 Read the full 1.18 release notes on the cert-manager.io website before upgrading.

Changes since v1.18.3

Bug or Regression
Other (Cleanup or Flake)

v1.18.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We fixed a bug which caused certificates to be re-issued unexpectedly, if the issuerRef kind or group was changed to one of the "runtime" default values. We increased the size limit when parsing PEM certificate chains to handle leaf certificates with large numbers of DNS names or other identities. We upgraded Go to 1.24.9 to fix various non-critical security vulnerabilities.

📖 Read the full 1.18 release notes on the cert-manager.io website before upgrading.

Changes since v1.18.2:

Bug or Regression
Other (Cleanup or Flake)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
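The v1.21.0-beta.0 notes above mention an integer overflow in renewBeforePercentage calculations for durations longer than roughly 3 years. The Go sketch below is an added example, not cert-manager's code: it assumes the overflow comes from multiplying a nanosecond `time.Duration` by the percentage before dividing by 100, and the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

// naiveRenewBefore multiplies before dividing. This is an ASSUMED shape of
// overflow-prone arithmetic, not cert-manager's actual code: the int64
// product wraps silently once duration*pct exceeds math.MaxInt64.
func naiveRenewBefore(duration time.Duration, pct int64) time.Duration {
	return duration * time.Duration(pct) / 100
}

// maxSafeDuration returns the longest duration the naive form can handle
// for a given percentage before the intermediate product overflows.
func maxSafeDuration(pct int64) time.Duration {
	if pct <= 0 {
		return time.Duration(math.MaxInt64)
	}
	return time.Duration(math.MaxInt64 / pct)
}

// safeRenewBefore computes floor(duration*pct/100) without a large
// intermediate: with duration = 100*q + r, the result is q*pct + r*pct/100.
// For 0 <= pct <= 100, q*pct never exceeds duration, so nothing overflows.
func safeRenewBefore(duration time.Duration, pct int64) (time.Duration, error) {
	if duration < 0 {
		return 0, errors.New("duration must not be negative")
	}
	if pct < 0 || pct > 100 {
		return 0, errors.New("percentage must be between 0 and 100")
	}
	q, r := int64(duration)/100, int64(duration)%100
	return time.Duration(q*pct + r*pct/100), nil
}

func main() {
	const year = 365 * 24 * time.Hour // constructed sample durations
	fmt.Println("naive form is safe at 100% up to:", maxSafeDuration(100))
	for _, d := range []time.Duration{1 * year, 5 * year} {
		safe, _ := safeRenewBefore(d, 80)
		fmt.Printf("duration=%v pct=80 naive=%v safe=%v\n",
			d, naiveRenewBefore(d, 80), safe)
	}
}
```

At 100% the naive form stops being safe at about 2.9 years of nanoseconds, which is consistent with the "approximately 3 years" threshold in the release note.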

@renovate renovate Bot changed the title chore(deps): update helm release cert-manager to v1.19.0-alpha.0 chore(deps): update helm release cert-manager to v1.19.0 Oct 7, 2025
@renovate renovate Bot force-pushed the renovate/cert-manager-1.x branch from 31fcdd8 to 31dfcab Compare October 7, 2025 19:37
@renovate renovate Bot changed the title chore(deps): update helm release cert-manager to v1.19.0 chore(deps): update helm release cert-manager to v1.19.1 Oct 15, 2025
@renovate renovate Bot force-pushed the renovate/cert-manager-1.x branch from 31dfcab to 0ffd4fb Compare October 15, 2025 17:48
@renovate renovate Bot force-pushed the renovate/cert-manager-1.x branch from 0ffd4fb to 707e261 Compare November 4, 2025 20:52
@renovate renovate Bot changed the title chore(deps): update helm release cert-manager to v1.19.1 chore(deps): update helm release cert-manager to v1.20.0-alpha.0 Nov 4, 2025
@renovate renovate Bot force-pushed the renovate/cert-manager-1.x branch from 707e261 to 7da3bb4 Compare January 30, 2026 17:55
@renovate renovate Bot changed the title chore(deps): update helm release cert-manager to v1.20.0-alpha.0 chore(deps): update helm release cert-manager to v1.20.0-alpha.1 Jan 30, 2026
@renovate renovate Bot force-pushed the renovate/cert-manager-1.x branch from 7da3bb4 to 9fe0b5f Compare February 28, 2026 01:03
@renovate renovate Bot changed the title chore(deps): update helm release cert-manager to v1.20.0-alpha.1 chore(deps): update helm release cert-manager to v1.20.0-beta.0 Feb 28, 2026
@renovate renovate Bot changed the title chore(deps): update helm release cert-manager to v1.20.0-beta.0 chore(deps): update helm release cert-manager to v1.20.0 Mar 10, 2026
@renovate renovate Bot force-pushed the renovate/cert-manager-1.x branch from 9fe0b5f to 8f1557a Compare March 10, 2026 17:52
@renovate renovate Bot changed the title chore(deps): update helm release cert-manager to v1.20.0 chore(deps): update helm release cert-manager to v1.21.0-alpha.0 Mar 24, 2026
@renovate renovate Bot force-pushed the renovate/cert-manager-1.x branch from 8f1557a to 53c706b Compare March 24, 2026 17:45
@renovate renovate Bot force-pushed the renovate/cert-manager-1.x branch from 53c706b to 14093a1 Compare June 8, 2026 14:42
@renovate renovate Bot changed the title chore(deps): update helm release cert-manager to v1.21.0-alpha.0 chore(deps): update helm release cert-manager to v1.21.0-alpha.1 Jun 8, 2026
@renovate renovate Bot force-pushed the renovate/cert-manager-1.x branch from 14093a1 to ad17b5b Compare June 11, 2026 21:09
@renovate renovate Bot changed the title chore(deps): update helm release cert-manager to v1.21.0-alpha.1 chore(deps): update helm release cert-manager to v1.21.0-beta.0 Jul 1, 2026
@renovate renovate Bot force-pushed the renovate/cert-manager-1.x branch from ad17b5b to 00d3f27 Compare July 1, 2026 20:58