Skip to content

deps: bump github.com/cert-manager/cert-manager from 1.19.3 to 1.21.0#109

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/cert-manager/cert-manager-1.21.0
Open

deps: bump github.com/cert-manager/cert-manager from 1.19.3 to 1.21.0#109
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/cert-manager/cert-manager-1.21.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/cert-manager/cert-manager from 1.19.3 to 1.21.0.

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.21.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.21 brings ACME Renewal Information (ARI) support, AWS IAM authentication for the Vault issuer, several security hardening changes, and continued improvements to Gateway API integration and cainjector. There are three breaking changes related to Helm chart RBAC and metrics values — review them carefully before upgrading.

Known Issues

  • Log spam for non-cert-manager-labelled Secret events: the typed predicates refactoring (#8407) causes filteredEventHandler type assertion failures ("OnAdd missing Object", "OnUpdate missing ObjectOld", "OnDelete missing Object") for every non-cert-manager-labelled Secret event, multiplied by 7 certificate sub-controllers. This is cosmetic only — the affected controllers only need events from cert-manager-labelled Secrets (which arrive via the typed informer); the metadata informer events were always filtered out by predicates in previous versions. Issuer and ClusterIssuer controllers are not affected. See #8994 for details.

Major Themes

Default tokenrequest RBAC removed from Helm chart

⚠️ Breaking change

The Helm chart no longer creates a default Role and RoleBinding granting the cert-manager controller permission to create tokens for its own ServiceAccount (serviceaccounts/token: create). No documented workflow requires this RBAC — the Route53 docs section that motivated it was removed in 2024.

If you use serviceAccountRef.name pointing at the controller ServiceAccount, you must now either create your own Role/RoleBinding granting serviceaccounts/token: create, or migrate to a dedicated ServiceAccount (recommended — see the Vault or Route53 documentation).

Restrict Challenge and Order RBAC in cert-manager-edit ClusterRole

⚠️ Potentially breaking change

The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io (GHSA-8rvj-mm4h-c258). These resources are internal to cert-manager's ACME workflow. Challenge patch and update are retained because users may need them to remove stuck finalizers.

This change was already shipped in v1.20.3 and v1.19.6, so if you are running one of those versions this will not be a breaking change. If you have tooling that creates Challenge or Order resources directly, you will need to grant those permissions explicitly.

Metrics port name and path Helm values removed

⚠️ Breaking change

The Helm values prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path, and prometheus.podmonitor.path have been removed. The controller Service metrics port has been renamed from tcp-prometheus-servicemonitor to http-metrics. Because the Helm values schema uses additionalProperties: false, users who still have any of the removed keys in their values overrides will see a schema validation error on upgrade — remove them before upgrading. (#8952)

ACME and Certificate Management

  • ACME Renewal Information (ARI): experimental support for RFC 9773 behind the ACMEUseARI feature gate. When enabled, cert-manager queries the ACME server's renewalInfo endpoint for the recommended renewal window, allowing servers like Let's Encrypt to proactively prompt renewal during mass revocations or CA key rollovers. (#8798)
  • waitInsteadOfSelfCheck solver option: skip cert-manager's own self-check and instead wait a configured duration before asking the ACME server to validate. An escape hatch for split-horizon DNS and NAT hairpin environments. See configuration details. (#8858)
  • AWS IAM authentication for Vault: the Vault issuer now supports IRSA, EKS Pod Identity, and ambient EC2/ECS credentials, removing the need for long-lived AWS Secrets. (#8422)
  • Certificate renewal policies: a new renewalPolicies field on the Certificate API provides more expressive control over renewal scheduling, complementing renewBefore and renewBeforePercentage. (#8258)
  • Configurable CertificateRequest retry backoff: the new --certificate-request-maximum-backoff-duration flag (default: 32 hours) caps the exponential backoff for failed CertificateRequests, useful for environments with scheduled CA maintenance windows. (#8893)
  • Modern2026 PKCS#12 profile: a new FIPS 140-3 compatible encoding profile using AES-256 + SHA-256 KDFs instead of legacy 3DES/RC2. (#8841)
  • Webhook certificate renewal after system suspend: the webhook now detects missed certificate renewals after system suspend (S3/S4) or VM live migration by polling wall-clock time, recovering within one minute of resume. (#8464)

Gateway API and cainjector

  • HTTP01 ListenerSet parentRef fallback: the acme.cert-manager.io/http01-parentreffallback: "true" annotation causes cert-manager to use the parent Gateway for solver HTTPRoutes instead of the ListenerSet, enabling TLS-only ListenerSets to use a shared HTTP listener for ACME challenges. (#8749)
  • cert-manager.io/ignore-tls-listeners annotation: exclude specific Gateway TLS listeners from certificate management. (#8727)
  • Additional listener protocols: configurable listener protocols beyond the default set. (#8683)
  • enableGatewayAPI configuration restructure: enableGatewayAPI and enableGatewayAPIListenerSet are deprecated in favor of gatewayAPI.enabled / gatewayAPI.enableListenerSet. The old fields continue to work. (#8732)
  • CAInjectorMerging promoted to GA: unconditionally enabled; will be removed in a future release. (#8583)

... (truncated)

Commits
  • b8f325e Merge pull request #8984 from cert-manager-bot/cherry-pick-8983-to-release-1.21
  • 6d43c8c Ignore GO-2026-5932 in trivy scans
  • 8eb9d29 Merge pull request #8980 from cert-manager-bot/cherry-pick-8976-to-release-1.21
  • a95f519 Merge pull request #8981 from erikgb/r-1-21-bump-go
  • 5d62fa3 [release-1.21] Update dependency go to v1.26.5
  • 66241e2 Add acmesolver.runtimeClassName
  • 0357ac2 Merge pull request #8967 from cert-manager/release-1.21-disable-klone
  • 2f2bfc3 Disable generate-klone on release-1.21 branch
  • ae67234 Merge pull request #8893 from lunarwhite/max-backoff-duration
  • 35e46aa Respect configured max backoff in trigger controller
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) from 1.19.3 to 1.21.0.
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md)
- [Commits](cert-manager/cert-manager@v1.19.3...v1.21.0)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-version: 1.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants