feat(helm): update chart trust-manager ( v0.20.3 ➔ v0.22.0 ) by renovate[bot] · Pull Request #3180 · anthr76/infra

renovate · 2026-02-20T20:55:59Z

This PR contains the following updates:

Package	Update	Change
trust-manager (source)	minor	`v0.20.3` → `v0.22.0`

Release Notes

cert-manager/trust-manager (trust-manager)

`v0.22.0`

Compare Source

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release includes a change which makes it much simpler to mirror container images to self-hosted registries.

There are also several CVE fixes including CVE-2026-27138, CVE-2026-27137, CVE-2026-27142 and CVE-2026-25679.

What's Changed

Features

Add imageRegistry/imageNamespace to Helm chart image settings by @FelixPhipps in #897

Internal

Replace another illegal image tag character in trust image by @erikgb in #891

Bumps / CI

[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #894
chore(deps): update actions/setup-go action to v6.3.0 by @renovate[bot] in #896
fix(deps): update kubernetes go patches to v0.35.2 by @renovate[bot] in #898
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #899
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #901
[CI] Merge trust-package-upgrade-debian-bullseye-main into main by @github-actions[bot] in #890
fix(deps): update module sigs.k8s.io/controller-runtime to v0.23.2 by @renovate[bot] in #903
fix(deps): update module sigs.k8s.io/controller-runtime to v0.23.3 by @renovate[bot] in #904
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #906
chore(deps): update docker/login-action action to v4 by @renovate[bot] in #902
fix(deps): update module k8s.io/klog/v2 to v2.140.0 by @renovate[bot] in #905
Bump trust packages to force rebuild with go 1.26.1 by @SgtCoDFish in #907

New Contributors

@FelixPhipps made their first contribution in #897

Full Changelog: cert-manager/trust-manager@v0.21.1...v0.22.0

`v0.21.1`

Compare Source

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This is a patch release fixing an RBAC regression introduced in v0.21.0.

What's Changed

Grant additional RBAC to events old API group by @erikgb in #889

Full Changelog: cert-manager/trust-manager@v0.21.0...v0.21.1

`v0.21.0`

Compare Source

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release is primarily intended to fix CVE-2025-68121, but it includes several changes which have trickled in since v0.20.3

Notable Changes

Filter Non-CA Certs in Sources

There's a new .filterNonCACerts.enabled value available in the Helm chart, which will cause trust-manager to filter any non-CA certs found in sources. This logic relies on the isCa field of the basicConstraints X.509 extension only. The feature defaults to "off".

CRD Changes

The ClusterBundle CRD got a little stricter, to pass the Kube API Linter checks which we've enabled. We don't expect that this will change the use of the CRD for anyone, since the limits we've added are very permissive.

What's Changed

Functional / CRD Changes

Add certificate verification process to filter non-CA certificates by @arsenalzp in #824
Helm Chart: Add support for setting relabelling on the ServiceMonitor by @tiesmaster in #870
Introduce Kube API linter by @erikgb in #850
Introduce KAL minlength/maxlength checks by @erikgb in #866
Introduce KAL required fields checks by @erikgb in #877
Fix index formatting in webhook validations by @erikgb in #873
Eliminate use of naked bool (includeDefaultCAs) in ClusterBundle API by @erikgb in #855
Enable the CommentStart KAL check and fix violations by @erikgb in #858
Rename ClusterBundle sources to sourceRefs by @erikgb in #854

Trust Packages

Bump trust package versions to address CVE-2025-61729 by @SgtCoDFish in #817
Trigger a new build of default trust bundle images by @erikgb in #875

Tests / Docs

Refactor Bundle integration tests by @erikgb in #828
Release improvements by @SgtCoDFish in #816
Fix flaky integration test by @erikgb in #879
Update release process to accurately reflect how new trust packages are picked up by @SgtCoDFish in #818
Improve webhook validation test error list assert by @erikgb in #874

Upcoming Bundle Resource

Use apply configuration to apply Bundle status in migration controller by @erikgb in #843
Change Bundle source includeAllKeys to pointer by @erikgb in #876

Automated / CI

[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #814
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #819
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #820
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #821
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #823
fix(deps): update kubernetes go deps to v0.35.0 by @renovate[bot] in #822
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #826
fix(deps): update module software.sslmate.com/src/go-pkcs12 to v0.7.0 by @renovate[bot] in #825
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #827
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #829
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #832
fix(deps): update github.com/onsi deps by @renovate[bot] in #831
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #833
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #834
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #840
chore(deps): update actions/setup-go action to v6.2.0 by @renovate[bot] in #839
fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.5 by @renovate[bot] in #838
fix(deps): update k8s.io/utils digest to 914a6e7 by @renovate[bot] in #842
Extend makefile-modules Renovate preset by @erikgb in #846
Fix conversion Bundle->ClusterBundle by @erikgb in #844
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #847
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #849
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #852
chore(deps): update actions/checkout action to v6.0.2 by @renovate[bot] in #851
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #853
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #859
fix(deps): update github.com/onsi deps by @renovate[bot] in #861
fix(deps): update module github.com/onsi/ginkgo/v2 to v2.28.1 by @renovate[bot] in #862
chore(deps): update docker/login-action digest to c94ce9f by @renovate[bot] in #860
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #864
Upgrade controller-runtime to v0.23.x by @erikgb in #863
Fix events RBAC (new API group) by @erikgb in #865
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #867
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #869
fix(deps): update module sigs.k8s.io/structured-merge-diff/v6 to v6.3.2 by @renovate[bot] in #872
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #878
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #880
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #882
fix(deps): update kubernetes go patches to v0.35.1 by @renovate[bot] in #883
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #884
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #885
Explicity set webhook Certificate private key rotation policy to Always by @mattwboyer in #857
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #887
[CI] Merge self-upgrade-main into main by @octo-sts[bot] in #888

New Contributors

@tiesmaster made their first contribution in #870
@mattwboyer made their first contribution in #857

Full Changelog: cert-manager/trust-manager@v0.20.3...v0.21.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2026-02-20T20:56:31Z

civo-mgmt-0 - kustomization

--- k8s/base/networking/trust-manager Kustomization: flux-system/networking-trust-manager HelmRelease: networking/trust-manager

+++ k8s/base/networking/trust-manager Kustomization: flux-system/networking-trust-manager HelmRelease: networking/trust-manager

@@ -13,13 +13,13 @@

       chart: trust-manager
       interval: 5m
       sourceRef:
         kind: HelmRepository
         name: jetstack-charts
         namespace: flux-system
-      version: v0.20.3
+      version: v0.22.0
   install:
     crds: CreateReplace
   interval: 5m
   upgrade:
     crds: CreateReplace
   values:

github-actions · 2026-02-20T20:56:31Z

civo-mgmt-0 - helmrelease

--- HelmRelease: networking/trust-manager ClusterRole: networking/trust-manager

+++ HelmRelease: networking/trust-manager ClusterRole: networking/trust-manager

@@ -46,12 +46,13 @@

   - create
   - patch
   - watch
   - delete
 - apiGroups:
   - ''
+  - events.k8s.io
   resources:
   - events
   verbs:
   - create
   - patch
 
--- HelmRelease: networking/trust-manager Deployment: networking/trust-manager

+++ HelmRelease: networking/trust-manager Deployment: networking/trust-manager

@@ -23,13 +23,13 @@

         app.kubernetes.io/managed-by: Helm
     spec:
       serviceAccountName: trust-manager
       automountServiceAccountToken: true
       initContainers:
       - name: cert-manager-package-debian
-        image: quay.io/jetstack/trust-pkg-debian-bookworm:20230311-deb12u1.2
+        image: quay.io/jetstack/trust-pkg-debian-bookworm:20230311-deb12u1.5
         imagePullPolicy: IfNotPresent
         args:
         - /copyandmaybepause
         - /debian-package
         - /packages
         volumeMounts:
@@ -44,13 +44,13 @@

           readOnlyRootFilesystem: true
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
       containers:
       - name: trust-manager
-        image: quay.io/jetstack/trust-manager:v0.20.3
+        image: quay.io/jetstack/trust-manager:v0.22.0
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 6443
           name: webhook
         - containerPort: 9402
           name: metrics
--- HelmRelease: networking/trust-manager Certificate: networking/trust-manager

+++ HelmRelease: networking/trust-manager Certificate: networking/trust-manager

@@ -10,12 +10,14 @@

     app.kubernetes.io/managed-by: Helm
 spec:
   commonName: trust-manager.networking.svc
   dnsNames:
   - trust-manager.networking.svc
   secretName: trust-manager-tls
+  privateKey:
+    rotationPolicy: Always
   revisionHistoryLimit: 1
   issuerRef:
     name: trust-manager
     kind: Issuer
     group: cert-manager.io

github-actions · 2026-02-20T20:56:40Z

qgr1-cluster-0 - kustomization

--- k8s/base/networking/trust-manager Kustomization: flux-system/networking-trust-manager HelmRelease: networking/trust-manager

+++ k8s/base/networking/trust-manager Kustomization: flux-system/networking-trust-manager HelmRelease: networking/trust-manager

@@ -13,13 +13,13 @@

       chart: trust-manager
       interval: 5m
       sourceRef:
         kind: HelmRepository
         name: jetstack-charts
         namespace: flux-system
-      version: v0.20.3
+      version: v0.22.0
   install:
     crds: CreateReplace
   interval: 5m
   upgrade:
     crds: CreateReplace
   values:

github-actions · 2026-02-20T20:56:41Z

qgr1-cluster-0 - helmrelease

--- HelmRelease: networking/trust-manager ClusterRole: networking/trust-manager

+++ HelmRelease: networking/trust-manager ClusterRole: networking/trust-manager

@@ -46,12 +46,13 @@

   - create
   - patch
   - watch
   - delete
 - apiGroups:
   - ''
+  - events.k8s.io
   resources:
   - events
   verbs:
   - create
   - patch
 
--- HelmRelease: networking/trust-manager Deployment: networking/trust-manager

+++ HelmRelease: networking/trust-manager Deployment: networking/trust-manager

@@ -23,13 +23,13 @@

         app.kubernetes.io/managed-by: Helm
     spec:
       serviceAccountName: trust-manager
       automountServiceAccountToken: true
       initContainers:
       - name: cert-manager-package-debian
-        image: quay.io/jetstack/trust-pkg-debian-bookworm:20230311-deb12u1.2
+        image: quay.io/jetstack/trust-pkg-debian-bookworm:20230311-deb12u1.5
         imagePullPolicy: IfNotPresent
         args:
         - /copyandmaybepause
         - /debian-package
         - /packages
         volumeMounts:
@@ -44,13 +44,13 @@

           readOnlyRootFilesystem: true
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
       containers:
       - name: trust-manager
-        image: quay.io/jetstack/trust-manager:v0.20.3
+        image: quay.io/jetstack/trust-manager:v0.22.0
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 6443
           name: webhook
         - containerPort: 9402
           name: metrics
--- HelmRelease: networking/trust-manager Certificate: networking/trust-manager

+++ HelmRelease: networking/trust-manager Certificate: networking/trust-manager

@@ -10,12 +10,14 @@

     app.kubernetes.io/managed-by: Helm
 spec:
   commonName: trust-manager.networking.svc
   dnsNames:
   - trust-manager.networking.svc
   secretName: trust-manager-tls
+  privateKey:
+    rotationPolicy: Always
   revisionHistoryLimit: 1
   issuerRef:
     name: trust-manager
     kind: Issuer
     group: cert-manager.io

renovate bot requested a review from anthr76 as a code owner February 20, 2026 20:56

renovate bot added renovate/helm type/minor labels Feb 20, 2026

pull-request-size bot added the size/XS label Feb 20, 2026

renovate bot changed the title ~~feat(helm): update chart trust-manager ( v0.20.3 ➔ v0.21.0 )~~ feat(helm): update chart trust-manager ( v0.20.3 ➔ v0.21.1 ) Feb 23, 2026

renovate bot force-pushed the renovate/trust-manager-0.x branch from c39130f to 9cade48 Compare February 23, 2026 19:35

renovate bot force-pushed the renovate/trust-manager-0.x branch from 9cade48 to 5962dd5 Compare March 9, 2026 17:04

feat(helm): update chart trust-manager ( v0.20.3 ➔ v0.22.0 )

c6a1eec

renovate bot changed the title ~~feat(helm): update chart trust-manager ( v0.20.3 ➔ v0.21.1 )~~ feat(helm): update chart trust-manager ( v0.20.3 ➔ v0.22.0 ) Mar 9, 2026

renovate bot force-pushed the renovate/trust-manager-0.x branch from 5962dd5 to c6a1eec Compare March 9, 2026 21:41

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(helm): update chart trust-manager ( v0.20.3 ➔ v0.22.0 )#3180

feat(helm): update chart trust-manager ( v0.20.3 ➔ v0.22.0 )#3180
renovate[bot] wants to merge 1 commit intomainfrom
renovate/trust-manager-0.x

renovate bot commented Feb 20, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Feb 20, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Feb 20, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Feb 20, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Feb 20, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented Feb 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v0.22.0

What's Changed

Features

Internal

Bumps / CI

New Contributors

v0.21.1

What's Changed

v0.21.0

Notable Changes

Filter Non-CA Certs in Sources

CRD Changes

What's Changed

Functional / CRD Changes

Trust Packages

Tests / Docs

Upcoming Bundle Resource

Automated / CI

New Contributors

Configuration

Uh oh!

github-actions bot commented Feb 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

civo-mgmt-0 - kustomization

Uh oh!

github-actions bot commented Feb 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

civo-mgmt-0 - helmrelease

Uh oh!

github-actions bot commented Feb 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

qgr1-cluster-0 - kustomization

Uh oh!

github-actions bot commented Feb 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

qgr1-cluster-0 - helmrelease

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Feb 20, 2026 •

edited

Loading

`v0.22.0`

`v0.21.1`

`v0.21.0`

github-actions bot commented Feb 20, 2026 •

edited

Loading

github-actions bot commented Feb 20, 2026 •

edited

Loading

github-actions bot commented Feb 20, 2026 •

edited

Loading

github-actions bot commented Feb 20, 2026 •

edited

Loading