Skip to content

🌱 Bump github.com/cert-manager/cert-manager from 1.20.2 to 1.20.3#2812

Merged
openshift-merge-bot[bot] merged 1 commit into
mainfrom
dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3
Jul 10, 2026
Merged

🌱 Bump github.com/cert-manager/cert-manager from 1.20.2 to 1.20.3#2812
openshift-merge-bot[bot] merged 1 commit into
mainfrom
dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/cert-manager/cert-manager from 1.20.2 to 1.20.3.

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.20.3

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING] Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression

Other (Cleanup or Flake)

Commits
  • 1e1d16d Merge pull request #8940 from wallrj-cyberark/restrict-edit-clusterrole-rbac-...
  • 6bda472 Restrict Challenge and Order verbs in aggregate edit ClusterRole
  • 3428d65 Merge pull request #8926 from wallrj-cyberark/update-go-1.26.4-release-1.20
  • b352e55 [release-1.20] Update Go to v1.26.4
  • 725a401 Merge pull request #8899 from cert-manager/renovate/release-1.20-base-images
  • 29ae077 chore(deps): update base images
  • 0bca8fd Merge pull request #8817 from cert-manager/renovate/release-1.20-go-golang.or...
  • 15988af chore(deps): update module golang.org/x/net to v0.55.0 [security]
  • 27414f9 Merge pull request #8818 from cert-manager/renovate/release-1.20-go-golang.or...
  • 136b418 fix(deps): update module golang.org/x/crypto to v0.52.0 [security]
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) from 1.20.2 to 1.20.3.
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md)
- [Commits](cert-manager/cert-manager@v1.20.2...v1.20.3)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-version: 1.20.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 9, 2026
Copilot AI review requested due to automatic review settings July 9, 2026 14:45
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 9, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@netlify

netlify Bot commented Jul 9, 2026

Copy link
Copy Markdown

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit f28a11d
🔍 Latest deploy log https://app.netlify.com/projects/olmv1/deploys/6a4fb4218d7abc0008e3c7a9
😎 Deploy Preview https://deploy-preview-2812--olmv1.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@openshift-ci openshift-ci Bot requested review from joelanford and pedjak July 9, 2026 14:45
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2026
@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: perdasilva, rashmigottipati

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 10, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit c63b183 into main Jul 10, 2026
23 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3 branch July 10, 2026 07:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dependencies Pull requests that update a dependency file go Pull requests that update Go code lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants