Skip to content

chore(deps): update dependency cert-manager/cert-manager to v1.20.3#19

Merged
TeddyAndrieux merged 1 commit into
mainfrom
renovate/cert-manager-cert-manager-1.x
Jul 15, 2026
Merged

chore(deps): update dependency cert-manager/cert-manager to v1.20.3#19
TeddyAndrieux merged 1 commit into
mainfrom
renovate/cert-manager-cert-manager-1.x

Conversation

@scality-renovate

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Update Change Pending
cert-manager/cert-manager patch v1.20.2v1.20.3 v1.21.0

Release Notes

cert-manager/cert-manager (cert-manager/cert-manager)

v1.20.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING]
Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression
Other (Cleanup or Flake)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 9am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@scality-renovate scality-renovate Bot requested a review from a team as a code owner July 15, 2026 15:30
@scality-renovate scality-renovate Bot added dependencies Pull requests that update a dependency file patch labels Jul 15, 2026
@github-actions

Copy link
Copy Markdown

Dependency Bump Evaluation

Version change: cert-manager/cert-manager v1.20.2v1.20.3 (patch)

Changes:

  • Security fix (HIGH): GHSA-8rvj-mm4h-c258cert-manager-edit ClusterRole granted namespace users permission to create ACME Challenge/Order resources directly, potentially disclosing DNS credentials to attacker-controlled endpoints
  • Bug fix: Remove issuer owner reference from Challenges that blocked garbage collection
  • Go update: Bumps to Go 1.26.4 fixing CVE-2026-27145, CVE-2026-42504, CVE-2026-42507

Breaking changes: The cert-manager-edit aggregate ClusterRole no longer grants create for Challenges or create/patch/update for Orders. Not applicable to this project — node-warden-operator uses cert-manager solely for webhook certificate issuance and never creates Challenge or Order resources directly.

Security concerns: None introduced. This release fixes a HIGH severity security issue. Upgrading is recommended.

Impact on codebase: Minimal — the only change is the certmanagerVersion constant in test/utils/utils.go, which controls which cert-manager version is installed in the test cluster. No operator code or deployment manifests are affected.

CI status: Pre Merge checks (build, lint, test, test-e2e) are still in progress. Verify they pass before merging.

Recommendation: SAFE TO MERGE (after CI passes)

Notes: This is a security patch that all cert-manager users are advised to apply. The RBAC change is a hardening measure that does not affect this operator's usage pattern.

— Claude Code

@TeddyAndrieux TeddyAndrieux merged commit 9a61e87 into main Jul 15, 2026
18 checks passed
@TeddyAndrieux TeddyAndrieux deleted the renovate/cert-manager-cert-manager-1.x branch July 15, 2026 15:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file patch

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant