cert-manager

Update Helm release cert-manager to v1.18.0

Michi Kofler-Häusler

Michi Kofler-Häusler

3 min read
Update Helm release cert-manager to v1.18.0
Photo by Robert Anasch / Unsplash

No problems deploying cert-manager to Proxmox VE K3s Kubernetes cluster via Helm Chart and Flux V2 reconciliation in a GitOps approach with dependency update facilitated by Mend's Renovate Bot.

This MR contains the following updates:

Package Update Change
cert-manager (source) minor v1.17.2 -> v1.18.0

Release Notes

cert-manager/cert-manager (cert-manager)

v1.18.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.18 introduces several new features and breaking changes. Highlights include support for ACME certificate profiles, a new default for Certificate.Spec.PrivateKey.RotationPolicy now set to Always (breaking change), and the default Certificate.Spec.RevisionHistoryLimit now set to 1 (potentially breaking).

ℹ️ Be sure to review all new features and changes below, and read the full release notes carefully before upgrading.

Known Issues
  • ACME HTTP01 challenge paths are rejected by the ingress-nginx validating webhook (#​7791)

Changes since v1.17.2:

Feature
  • Add config to the Vault issuer to allow the server-name to be specified when validating the certificates the Vault server presents. (#​7663, @​ThatsMrTalbot)
  • Added app.kubernetes.io/managed-by: cert-manager label to the created Let's Encrypt account keys (#​7577, @​terinjokes)
  • Added certificate issuance and expiration time metrics (certmanager_certificate_not_before_timestamp_seconds, certmanager_certificate_not_after_timestamp_seconds). (#​7612, @​solidDoWant)
  • Added ingress-shim option: --extra-certificate-annotations, which sets a list of annotation keys to be copied from Ingress-like to resulting Certificate object (#​7083, @​k0da)
  • Added the iss short name for the cert-manager Issuer resource. (#​7373, @​SgtCoDFish)
  • Added the ciss short name for the cert-manager ClusterIssuer resource (#​7373, @​SgtCoDFish)
  • Adds the global.rbac.disableHTTPChallengesRole helm value to disable HTTP-01 ACME challenges. This allows cert-manager to drop its permission to create pods, improving security when HTTP-01 challenges are not required. (#​7666, @​ali-hamza-noor)
  • Allow customizing signature algorithm (#​7591, @​tareksha)
  • Cache the full DNS response and handle TTL expiration in FindZoneByFqdn (#​7596, @​ThatsIvan)
  • Cert-manager now uses a local fork of the golang.org/x/crypto/acme package (#​7752, @​wallrj)
  • Add support for ACME profiles extension. (#​7777, @​wallrj)
  • Promote the UseDomainQualifiedFinalizer feature to GA. (#​7735, @​jsoref)
  • Switched service/servicemon definitions to use port names instead of numbers. (#​7727, @​jcpunk)
  • The default value of Certificate.Spec.PrivateKey.RotationPolicy changed from Never to Always. (#​7723, @​wallrj)
  • Potentially breaking: Set the default revisionHistoryLimit to 1 for the CertificateRequest revisions (#​7758, @​ali-hamza-noor)
Documentation
Bug or Regression
  • Bump go-jose dependency to address CVE-2025-27144. (#​7606, @​SgtCoDFish)
  • Bump golang.org/x/oauth2 to patch CVE-2025-22868. (#​7638, @​NicholasBlaskey)
  • Bump golang.org/x/crypto to patch GHSA-hcg3-q754-cr77. (#​7638, @​NicholasBlaskey)
  • Bump github.com/golang-jwt/jwt to patch GHSA-mh63-6h87-95cp. (#​7638, @​NicholasBlaskey)
  • Change of the Kubernetes Ingress pathType from ImplementationSpecific to Exact for a reliable handling of ingress controllers and enhanced security. (#​7767, @​sspreitzer)
  • Fix AWS Route53 error detection for not-found errors during deletion of DNS records. (#​7690, @​wallrj)
  • Fix behavior when running with --namespace=<namespace>: limit the scope of cert-manager to a single namespace and disable cluster-scoped controllers. (#​7678, @​tsaarni)
  • Fix handling of certificates with IP addresses in the commonName field; IP addresses are no longer added to the DNS subjectAlternativeName list and are instead added to the ipAddresses field as expected. (#​7081, @​johnjcool)
  • Fix issuing of certificates via DNS01 challenges on Cloudflare after a breaking change to the Cloudflare API (#​7549, @​LukeCarrier)
  • Fixed the certmanager_certificate_renewal_timestamp_seconds metric help text indicating that the metric is relative to expiration time, rather than Unix epoch time. (#​7609, @​solidDoWant)
  • Fixing the service account template to incorporate boolean values for the annotations. (#​7698, @​ali-hamza-noor)
  • Quote nodeSelector values in Helm Chart (#​7579, @​tobiasbp)
  • Skip Gateway TLS listeners in Passthrough mode. (#​6986, @​vehagn)
  • Upgrade golang.org/x/net fixing CVE-2025-22870. (#​7619, @​dependabot[bot])
Other (Cleanup or Flake)
  • ACME E2E Tests: Upgraded Pebble to v2.7.0 and modified the ACME tests to match latest Pebble behaviour. (#​7771, @​wallrj)
  • Patch the third_party/forked/acme package with support for the ACME profiles extension. (#​7776, @​wallrj)
  • Promote the AdditionalCertificateOutputFormats feature to GA, making additional formats always enabled. (#​7744, @​erikgb)
  • Remove deprecated feature gate ValidateCAA. Setting this feature gate is now a no-op which does nothing but print a warning log line (#​7553, @​SgtCoDFish)
  • Update kind images to include the Kubernetes 1.33 node image (#​7787, @​cert-manager-bot)
  • Upgrade Go to v1.24.4 (#​7785, @​wallrj)
  • Use slices.Contains to simplify code (#​7753, @​cuinix)

Read more

Me on Mastodon - This link is here for verification purposes.