Update Helm release cert-manager to v1.20.3 #2103

Open
renovate wants to merge 1 commit from renovate/cert-manager-1.x into main
Collaborator

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cert-manager](https://cert-manager.io) ([source](https://github.com/cert-manager/cert-manager)) | patch | `v1.20.2` → `v1.20.3` |

Release Notes

cert-manager/cert-manager (cert-manager)

[v1.20.3](https://github.com/cert-manager/cert-manager/releases/tag/v1.20.3)

[Compare Source](https://github.com/cert-manager/cert-manager/compare/v1.20.2...v1.20.3)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

> [!WARNING]
> **Potentially breaking change:** The `cert-manager-edit` aggregate ClusterRole no longer grants `create` for `challenges.acme.cert-manager.io` or `create`, `patch`, `update` for `orders.acme.cert-manager.io`. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.
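The advisory above boils down to a single RBAC question: does the aggregated `cert-manager-edit` ClusterRole still carry the verbs that let a namespace user create ACME Challenge and Order objects? The script below is an added example (not cert-manager's or Renovate's code) that answers that question from the JSON `kubectl get clusterrole cert-manager-edit -o json` prints, so you can run it before and after the Helm upgrade and also over any other aggregated roles in the cluster. It also treats the RBAC `*` wildcard as a match, which a plain grep for the verb names would miss. The `PRE_FIX` and `POST_FIX` objects are constructed samples shaped like the grants the advisory describes; they are not the real manifests, and the exact verbs kept after the fix are an assumption.

```python
"""Audit a Kubernetes ClusterRole for the grants removed in cert-manager v1.20.3
(GHSA-8rvj-mm4h-c258).  Added example, not cert-manager or Renovate code.

Usage against a live cluster (kubectl output has the shape this script reads):
    kubectl get clusterrole cert-manager-edit -o json > edit.json
    python3 audit_cm_edit.py edit.json
"""
import json
import sys

# (apiGroup, resource) -> verbs the advisory says the edit role should no
# longer grant once v1.20.3 is installed.
REMOVED_GRANTS = {
    ("acme.cert-manager.io", "challenges"): {"create"},
    ("acme.cert-manager.io", "orders"): {"create", "patch", "update"},
}


def _matches(values, wanted):
    """RBAC lists match an item literally or through the '*' wildcard."""
    return "*" in values or wanted in values


def risky_grants(clusterrole):
    """Return sorted (resource, verb) pairs from REMOVED_GRANTS that the role
    still grants.  Works on the aggregated rules kubectl returns, so
    contributions from other aggregated roles are included."""
    found = set()
    for rule in clusterrole.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        for (group, resource), bad_verbs in REMOVED_GRANTS.items():
            if not (_matches(groups, group) and _matches(resources, resource)):
                continue
            for verb in bad_verbs:
                if _matches(verbs, verb):
                    found.add((resource, verb))
    return sorted(found)


# Constructed sample shaped like the pre-fix role the advisory describes
# (not the real manifest): challenges create and orders create/patch/update.
PRE_FIX = {
    "kind": "ClusterRole",
    "metadata": {"name": "cert-manager-edit"},
    "rules": [
        {"apiGroups": ["cert-manager.io"],
         "resources": ["certificates", "certificaterequests", "issuers"],
         "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
        {"apiGroups": ["acme.cert-manager.io"],
         "resources": ["challenges", "orders"],
         "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
    ],
}

# Constructed post-fix sample: the ACME rule keeps only delete verbs here; the
# exact verbs the real v1.20.3 role keeps are an assumption of this example.
POST_FIX = {
    "kind": "ClusterRole",
    "metadata": {"name": "cert-manager-edit"},
    "rules": [
        PRE_FIX["rules"][0],
        {"apiGroups": ["acme.cert-manager.io"],
         "resources": ["challenges", "orders"],
         "verbs": ["delete", "deletecollection"]},
    ],
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            role = json.load(fh)
    else:
        role = PRE_FIX  # demo run over the constructed pre-fix sample
    name = role.get("metadata", {}).get("name", "<unnamed>")
    hits = risky_grants(role)
    if hits:
        print(f"{name}: still grants " + ", ".join(f"{r}:{v}" for r, v in hits))
        return 1
    print(f"{name}: none of the GHSA-8rvj-mm4h-c258 verbs are granted")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means the role (or something aggregated into it) still hands namespace users the verbs the advisory removed; after the upgrade the check should pass, and any tooling that legitimately creates Orders or Challenges should get those verbs through its own narrowly bound Role rather than through the shared edit role.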

Changes by Kind

Bug or Regression

  • Security (HIGH): Remove Challenge `create` and Order `create`, `patch`, `update` verbs from the `cert-manager-edit` aggregate ClusterRole ([GHSA-8rvj-mm4h-c258](https://github.com/cert-manager/cert-manager/security/advisories/GHSA-8rvj-mm4h-c258)). ([#8940](https://github.com/cert-manager/cert-manager/issues/8940), [@wallrj-cyberark](https://github.com/wallrj-cyberark))
  • Remove issuer owner reference from challenges blocking challenge garbage collection ([#8759](https://github.com/cert-manager/cert-manager/issues/8759), [@cert-manager-bot](https://github.com/cert-manager-bot))

Other (Cleanup or Flake)

  • Bump go to 1.26.3, other deps to fix several govulncheck issues ([#8789](https://github.com/cert-manager/cert-manager/issues/8789), [@SgtCoDFish](https://github.com/SgtCoDFish))
  • Update Go to `v1.26.4` to fix CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507 ([#8926](https://github.com/cert-manager/cert-manager/issues/8926), [@wallrj-cyberark](https://github.com/wallrj-cyberark))

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

Commit a98e7dd350: Update Helm release cert-manager to v1.20.3

All checks were successful: ci/woodpecker/push/yamllint Pipeline was successful (required)

This pull request can be merged automatically.
Command line instructions

Checkout: from your project repository, check out a new branch and test the changes.

```sh
git fetch -u origin renovate/cert-manager-1.x:renovate/cert-manager-1.x
git switch renovate/cert-manager-1.x
```