Skip to content

CLOUD-727: Bump github.com/cert-manager/cert-manager from 1.20.2 to 1.20.3#1663

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3
Open

CLOUD-727: Bump github.com/cert-manager/cert-manager from 1.20.2 to 1.20.3#1663
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/cert-manager/cert-manager-1.20.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/cert-manager/cert-manager from 1.20.2 to 1.20.3.

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.20.3

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.

All users should upgrade.

[!WARNING] Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression

Other (Cleanup or Flake)

Commits
  • 1e1d16d Merge pull request #8940 from wallrj-cyberark/restrict-edit-clusterrole-rbac-...
  • 6bda472 Restrict Challenge and Order verbs in aggregate edit ClusterRole
  • 3428d65 Merge pull request #8926 from wallrj-cyberark/update-go-1.26.4-release-1.20
  • b352e55 [release-1.20] Update Go to v1.26.4
  • 725a401 Merge pull request #8899 from cert-manager/renovate/release-1.20-base-images
  • 29ae077 chore(deps): update base images
  • 0bca8fd Merge pull request #8817 from cert-manager/renovate/release-1.20-go-golang.or...
  • 15988af chore(deps): update module golang.org/x/net to v0.55.0 [security]
  • 27414f9 Merge pull request #8818 from cert-manager/renovate/release-1.20-go-golang.or...
  • 136b418 fix(deps): update module golang.org/x/crypto to v0.52.0 [security]
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) from 1.20.2 to 1.20.3.
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md)
- [Commits](cert-manager/cert-manager@v1.20.2...v1.20.3)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-version: 1.20.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@JNKPercona

Copy link
Copy Markdown
Collaborator
Test Name Result Time
backup-enable-disable passed 00:15:34
builtin-extensions passed 00:07:23
cert-manager-tls passed 00:09:45
custom-envs passed 00:18:38
custom-tls passed 00:06:37
database-init-sql passed 00:02:29
demand-backup passed 00:23:22
demand-backup-offline-snapshot failure 00:14:05
dynamic-configuration passed 00:03:32
finalizers passed 00:03:50
init-deploy passed 00:03:16
huge-pages passed 00:03:04
major-upgrade-14-to-15 passed 00:11:57
major-upgrade-15-to-16 passed 00:10:21
major-upgrade-16-to-17 passed 00:11:21
major-upgrade-17-to-18 passed 00:08:48
ldap passed 00:04:07
ldap-tls passed 00:06:52
monitoring passed 00:08:19
monitoring-pmm3 passed 00:09:35
one-pod passed 00:06:36
operator-self-healing passed 00:11:04
pitr passed 00:13:53
scaling passed 00:05:49
scheduled-backup passed 00:33:55
self-healing passed 00:09:44
sidecars passed 00:03:07
standby-pgbackrest passed 00:19:07
standby-streaming passed 00:12:36
start-from-backup passed 00:11:27
tablespaces passed 00:07:04
telemetry-transfer passed 00:04:42
upgrade-consistency passed 00:05:51
upgrade-minor passed 00:07:54
users passed 00:05:38
Summary Value
Tests Run 35/35
Job Duration 02:40:55
Total Test Time 05:41:37

commit: 384b261
image: perconalab/percona-postgresql-operator:PR-1663-384b261c7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants