Skip to content

chore(deps): bump github.com/cert-manager/cert-manager from 1.20.2 to 1.20.3#3593

Merged
tekton-robot merged 1 commit into
mainfrom
dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3
Jul 15, 2026
Merged

chore(deps): bump github.com/cert-manager/cert-manager from 1.20.2 to 1.20.3#3593
tekton-robot merged 1 commit into
mainfrom
dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/cert-manager/cert-manager from 1.20.2 to 1.20.3.

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.20.3

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING] Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression

Other (Cleanup or Flake)

Commits
  • 1e1d16d Merge pull request #8940 from wallrj-cyberark/restrict-edit-clusterrole-rbac-...
  • 6bda472 Restrict Challenge and Order verbs in aggregate edit ClusterRole
  • 3428d65 Merge pull request #8926 from wallrj-cyberark/update-go-1.26.4-release-1.20
  • b352e55 [release-1.20] Update Go to v1.26.4
  • 725a401 Merge pull request #8899 from cert-manager/renovate/release-1.20-base-images
  • 29ae077 chore(deps): update base images
  • 0bca8fd Merge pull request #8817 from cert-manager/renovate/release-1.20-go-golang.or...
  • 15988af chore(deps): update module golang.org/x/net to v0.55.0 [security]
  • 27414f9 Merge pull request #8818 from cert-manager/renovate/release-1.20-go-golang.or...
  • 136b418 fix(deps): update module golang.org/x/crypto to v0.52.0 [security]
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Used by dependabot - identifies all PRs created by dependabot kind/misc Categorizes issue or PR as a miscellaneuous one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesnt merit a release note. labels Jun 29, 2026
@tekton-robot tekton-robot requested review from jkhelil and khrm June 29, 2026 16:33
@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jun 29, 2026
@vdemeester

Copy link
Copy Markdown
Member

/retest

@jkhelil

jkhelil commented Jul 15, 2026

Copy link
Copy Markdown
Member

@dependabot rebase

Bumps [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) from 1.20.2 to 1.20.3.
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md)
- [Commits](cert-manager/cert-manager@v1.20.2...v1.20.3)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-version: 1.20.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3 branch from b2479b3 to 39159ef Compare July 15, 2026 07:40
@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 25.55%. Comparing base (409a035) to head (39159ef).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3593   +/-   ##
=======================================
  Coverage   25.55%   25.55%           
=======================================
  Files         448      448           
  Lines       23317    23317           
=======================================
  Hits         5958     5958           
  Misses      16674    16674           
  Partials      685      685           
Flag Coverage Δ
unit-tests 25.55% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@jkhelil

jkhelil commented Jul 15, 2026

Copy link
Copy Markdown
Member

/approve

@jkhelil

jkhelil commented Jul 15, 2026

Copy link
Copy Markdown
Member

/lgtm

@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jkhelil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 15, 2026
@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 15, 2026
@tekton-robot tekton-robot merged commit 4300f2e into main Jul 15, 2026
16 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3 branch July 15, 2026 10:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dependencies Used by dependabot - identifies all PRs created by dependabot kind/misc Categorizes issue or PR as a miscellaneuous one. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesnt merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants