Update Helm release cert-manager to v1.20.3
No problems deploying cert-manager to a Proxmox VE K3s Kubernetes cluster via Helm Chart and Flux V2 reconciliation in a GitOps approach, with the dependency update facilitated by Mend's Renovate Bot.
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| cert-manager (source) | patch | v1.20.2 → v1.20.3 |
Release Notes
cert-manager/cert-manager (cert-manager)
v1.20.3
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.
This release also removes the issuer owner reference from Challenges, which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.
All users should upgrade.
> [!WARNING]
> Potentially breaking change: The `cert-manager-edit` aggregate ClusterRole no longer grants `create` for `challenges.acme.cert-manager.io` or `create`, `patch`, `update` for `orders.acme.cert-manager.io`. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.
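To confirm that a cluster no longer carries the grants described in this note (after the Helm upgrade has reconciled, or in case another ClusterRole aggregated into `edit` re-adds them), the following audit script walks the rules of a ClusterRole as returned by `kubectl get clusterrole cert-manager-edit -o json` and reports any remaining Challenge `create` or Order `create`/`patch`/`update` grant. It is an added example, not code from cert-manager or from this MR; the two embedded ClusterRole objects are constructed samples shaped after the before/after wording of the note rather than the project's real manifests, and the function and constant names are assumptions of the example.

```python
"""Audit a ClusterRole for the ACME verbs removed in cert-manager v1.20.3.

Added example, not part of cert-manager. Usage against a live cluster:
    kubectl get clusterrole cert-manager-edit -o json > edit.json
    python audit_acme_grants.py edit.json
Without an argument it runs against the constructed samples below.
"""
import json
import sys

ACME_GROUP = "acme.cert-manager.io"

# Grants that GHSA-8rvj-mm4h-c258 removed from cert-manager-edit.
REMOVED_GRANTS = {
    "challenges": {"create"},
    "orders": {"create", "patch", "update"},
}


def _matches(rule_values, wanted):
    """RBAC treats "*" as a wildcard in apiGroups, resources and verbs."""
    return "*" in rule_values or wanted in rule_values


def excess_acme_grants(clusterrole: dict) -> list:
    """Return sorted (resource, verb) pairs the role still grants on
    acme.cert-manager.io Challenges/Orders that the fix removed.
    An empty list means the role is in its post-v1.20.3 shape."""
    findings = set()
    for rule in clusterrole.get("rules", []):
        if not _matches(rule.get("apiGroups", []), ACME_GROUP):
            continue
        for resource, verbs in REMOVED_GRANTS.items():
            # "challenges/status" is a subresource and does not match here.
            if not _matches(rule.get("resources", []), resource):
                continue
            for verb in verbs:
                if _matches(rule.get("verbs", []), verb):
                    findings.add((resource, verb))
    return sorted(findings)


# Constructed sample: the pre-fix shape described by the release note.
PRE_FIX = {
    "kind": "ClusterRole",
    "metadata": {"name": "cert-manager-edit"},
    "rules": [
        {"apiGroups": ["cert-manager.io"],
         "resources": ["certificates", "certificaterequests", "issuers"],
         "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
        {"apiGroups": [ACME_GROUP],
         "resources": ["challenges", "orders"],
         "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
    ],
}

# Constructed sample: the post-fix shape (no Challenge create, no Order
# create/patch/update), again modelled on the note, not the real manifest.
POST_FIX = {
    "kind": "ClusterRole",
    "metadata": {"name": "cert-manager-edit"},
    "rules": [
        {"apiGroups": ["cert-manager.io"],
         "resources": ["certificates", "certificaterequests", "issuers"],
         "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
        {"apiGroups": [ACME_GROUP],
         "resources": ["challenges"],
         "verbs": ["delete", "deletecollection", "patch", "update"]},
        {"apiGroups": [ACME_GROUP],
         "resources": ["orders"],
         "verbs": ["delete", "deletecollection"]},
    ],
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            roles = {argv[1]: json.load(fh)}
    else:
        roles = {"constructed pre-fix": PRE_FIX, "constructed post-fix": POST_FIX}
    for label, role in roles.items():
        findings = excess_acme_grants(role)
        status = "OK" if not findings else "STILL GRANTED: " + ", ".join(
            f"{r}:{v}" for r, v in findings)
        print(f"{label}: {status}")


if __name__ == "__main__":
    main(sys.argv)
```

The wildcard handling matters in practice: a cluster-local ClusterRole carrying `rbac.authorization.k8s.io/aggregate-to-edit: "true"` with `verbs: ["*"]` on `acme.cert-manager.io` would silently reintroduce the grant after the upgrade, and this check flags it.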
Changes by Kind
Bug or Regression
- Security (HIGH): Remove Challenge `create` and Order `create`, `patch`, `update` verbs from the `cert-manager-edit` aggregate ClusterRole (GHSA-8rvj-mm4h-c258). (#8940, @wallrj-cyberark)
- Remove issuer owner reference from challenges blocking challenge garbage collection (#8759, @cert-manager-bot)
Other (Cleanup or Flake)
- Bump go to 1.26.3, other deps to fix several govulncheck issues (#8789, @SgtCoDFish)
- Update Go to v1.26.4 to fix CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507 (#8926, @wallrj-cyberark)