Skip to content

chore(deps): update helm release cert-manager to v1.20.3#499

Open
scout-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/cert-manager-1.x
Open

chore(deps): update helm release cert-manager to v1.20.3#499
scout-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/cert-manager-1.x

Conversation

@scout-renovate

@scout-renovate scout-renovate Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Update Change Pending
cert-manager (source) patch v1.20.2v1.20.3 v1.21.0

Reminder: Review .trivyignore.yaml files for suppressed CVEs that may no longer be needed after this upgrade.


Release Notes

cert-manager/cert-manager (cert-manager)

v1.20.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING]
Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression
Other (Cleanup or Flake)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@scout-renovate scout-renovate Bot added the dependencies Pull requests that update a dependency file label Jul 9, 2026
@scout-renovate scout-renovate Bot requested a review from a team as a code owner July 9, 2026 14:31
@scout-renovate scout-renovate Bot added the dependencies Pull requests that update a dependency file label Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 416b869.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

@scout-renovate scout-renovate Bot force-pushed the renovate/cert-manager-1.x branch from fe33adb to 416b869 Compare July 9, 2026 18:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants