Skip to content

fix(helm): update cert-manager ( v1.18.3 → v1.18.6 )#154

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/cert-manager-1.18.x
Open

fix(helm): update cert-manager ( v1.18.3 → v1.18.6 )#154
renovate[bot] wants to merge 1 commit intomainfrom
renovate/cert-manager-1.18.x

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 10, 2025
edited
Loading

This PR contains the following updates:

Package Update Change
cert-manager (source) patch v1.18.3v1.18.6

Release Notes

cert-manager/cert-manager (cert-manager)

v1.18.6

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.18.6 is a simple patch release to fix some reported vulnerabilities, most notably CVE-2025-68121.

NB: We didn't attempt to patch CVE-2026-24051 but that vulnerability affects macOS only, so cert-manager will be unaffected.

Changes by Kind

Bug or Regression

v1.18.5

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This release contains three bug fixes, including a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users should upgrade to the latest release.

Changes by Kind
Bug or Regression
  • Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. (#​8414, @​cert-manager-bot)
  • Fixed an issue where HTTP-01 challenges failed when the Host header contains an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. (#​8437, @​cert-manager-bot)
  • Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. (#​8467, @​SgtCoDFish)
Other (Cleanup or Flake)

v1.18.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We updated Go to fix some vulnerabilities in the standard library.

📖 Read the full 1.18 release notes on the cert-manager.io website before upgrading.

Changes since v1.18.3

Bug or Regression
Other (Cleanup or Flake)

Configuration

📅 Schedule: Branch creation - "before 11:00 am" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link

github-actions bot commented Dec 10, 2025
edited
Loading 

--- kubernetes/apps/cert-manager/cert-manager/app Kustomization: flux-system/cert-manager HelmRelease: cert-manager/cert-manager

+++ kubernetes/apps/cert-manager/cert-manager/app Kustomization: flux-system/cert-manager HelmRelease: cert-manager/cert-manager

@@ -13,13 +13,13 @@

     spec:
       chart: cert-manager
       sourceRef:
         kind: HelmRepository
         name: jetstack
         namespace: flux-system
-      version: v1.18.3
+      version: v1.18.6
   install:
     remediation:
       retries: 3
   interval: 30m
   upgrade:
     cleanupOnFail: true

@github-actions
Copy link

github-actions bot commented Dec 10, 2025
edited
Loading 

--- HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-cainjector

+++ HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-cainjector

@@ -31,13 +31,13 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-cainjector
-        image: quay.io/jetstack/cert-manager-cainjector:v1.18.3
+        image: quay.io/jetstack/cert-manager-cainjector:v1.18.6
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --leader-election-namespace=kube-system
         ports:
         - containerPort: 9402
--- HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager

+++ HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager

@@ -31,19 +31,19 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-controller
-        image: quay.io/jetstack/cert-manager-controller:v1.18.3
+        image: quay.io/jetstack/cert-manager-controller:v1.18.6
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --cluster-resource-namespace=$(POD_NAMESPACE)
         - --leader-election-namespace=kube-system
-        - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.18.3
+        - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.18.6
         - --max-concurrent-challenges=60
         - --dns01-recursive-nameservers-only=true
         - --dns01-recursive-nameservers=https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
         ports:
         - containerPort: 9402
           name: http-metrics
--- HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-webhook

+++ HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-webhook

@@ -31,13 +31,13 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-webhook
-        image: quay.io/jetstack/cert-manager-webhook:v1.18.3
+        image: quay.io/jetstack/cert-manager-webhook:v1.18.6
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --secure-port=10250
         - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
         - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
--- HelmRelease: cert-manager/cert-manager Job: cert-manager/cert-manager-startupapicheck

+++ HelmRelease: cert-manager/cert-manager Job: cert-manager/cert-manager-startupapicheck

@@ -31,13 +31,13 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-startupapicheck
-        image: quay.io/jetstack/cert-manager-startupapicheck:v1.18.3
+        image: quay.io/jetstack/cert-manager-startupapicheck:v1.18.6
         imagePullPolicy: IfNotPresent
         args:
         - check
         - api
         - --wait=1m
         - -v

@renovate renovate bot changed the title fix(helm): update cert-manager ( v1.18.3 → v1.18.4 ) fix(helm): update cert-manager ( v1.18.3 → v1.18.5 ) Feb 2, 2026
@renovate renovate bot force-pushed the renovate/cert-manager-1.18.x branch from b8348ab to 310088a Compare February 2, 2026 20:06
@renovate renovate bot force-pushed the renovate/cert-manager-1.18.x branch from 310088a to 9fd43fe Compare February 12, 2026 17:44
@renovate renovate bot changed the title fix(helm): update cert-manager ( v1.18.3 → v1.18.5 ) fix(helm): update cert-manager ( v1.18.3 → v1.18.6 ) Feb 25, 2026
@renovate renovate bot force-pushed the renovate/cert-manager-1.18.x branch from 9fd43fe to aad6e04 Compare February 25, 2026 10:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area/kubernetes area/templates renovate/helm type/patch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants