chore(helm): Update AUTOMERGE - Helm Minor Updates #219

Open
renovate[bot] wants to merge 1 commit into main from renovate/automerge-helm-minor-updates
Conversation

@renovate renovate bot commented Mar 1, 2026

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| cert-manager (source) | minor | v1.19.4 → v1.20.0 |
| cert-manager-webhook-ovh | minor | 0.8.0 → 0.9.4 |
| common | minor | 2.0.0 → 2.1.2 |
| kgateway | minor | v2.1.2 → v2.2.2 |
| portainer (source) | minor | 2.33.6 → 2.39.0 |
| prometheus (source) | minor | 28.6.0 → 28.13.0 |

Release Notes

cert-manager/cert-manager (cert-manager)

v1.20.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.0 adds alpha support for the new ListenerSet resource, adds support for Azure Private DNS; parentRefs are no longer required when using ACME with Gateway API, and OtherNames was promoted to Beta.

Changes by Kind
Feature
  • Added a set of flags to permit setting NetworkPolicy across all deployed containers. Remove redundant global IP ranges from example policies. (#​8370, @​jcpunk)
  • Added selectable fields to custom resource definitions for .spec.issuerRef.{group, kind, name} (#​8256, @​tareksha)
  • Added support for specifying imagePullSecrets in the startupapicheck-job Helm template to enable pulling images from private registries. (#​8186, @​mathieu-clnk)
  • Added 'extraContainers' helm chart value, allowing the deployment of arbitrary sidecar containers within the cert-manager operator pod. This can be used to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification. (#​8355, @​dancmeyers)
  • Added parentRef override annotations on the Certificate resource. (#​8518, @​hjoshi123)
  • Added support for azure private zones for dns01 issuer. (#​8494, @​hjoshi123)
  • Added support for configuring PEM decoding size limits, allowing operators to handle larger certificates and keys. (#​7642, @​robertlestak)
  • Added support for unhealthyPodEvictionPolicy in PodDisruptionBudget (#​7728, @​jcpunk)
  • For Venafi provider, read venafi.cert-manager.io/custom-fields annotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level. (#​8301, @​k0da)
  • Improve error message when CA issuers are misconfigured to use a clashing secret name (#​8374, @​majiayu000)
  • Introduce a new Ingress annotation acme.cert-manager.io/http01-ingress-ingressclassname to override http01.ingress.ingressClassName field in HTTP-01 challenge solvers. (#​8244, @​lunarwhite)
  • Update global.nodeSelector to helm chart to perform a merge and allow for a single nodeSelector to be set across all services. (#​8195, @​StingRayZA)
  • Vault issuers will now include the Vault server address as one of the default audiences on generated service account tokens. (#​8228, @​terinjokes)
  • Added experimental XListenerSets feature gate (#​8394, @​hjoshi123)
Documentation
Bug or Regression
  • Adds logs for cases when acme server returns us a fatal error in the order controller (#​8199, @​Peac36)
  • Fixed an issue where kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed (#​8160, @​inteon)
  • Changes to the Duration and RenewBefore annotations on ingress and gateway-api resources will now trigger certificate updates. (#​8232, @​eleanor-merry)
  • Fix an issue where ACME challenge TXT records are not cleaned up when there are many resource records in CloudDNS. (#​8456, @​tkna)
  • Fix unregulated retries with the DigitalOcean DNS-01 solver
    Add full detailed DNS-01 errors to the events attached to the Challenge, for easier debugging (#​8221, @​wallrj-cyberark)
  • Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. (#​8403, @​calm329)
  • Fixed an issue where HTTP-01 challenges failed when the Host header contains an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. (#​8424, @​SlashNephy)
  • Fixed the HTTP-01 Gateway solver creating invalid HTTPRoutes by not setting spec.hostnames when the challenge DNSName is an IP address. (#​8443, @​alviss7)
  • Revert API defaults for issuer reference kind and group introduced in 0.19.0 (#​8173, @​erikgb)
  • Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. (#​8469, @​SgtCoDFish)
  • Update Go to v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729 (#​8290, @​octo-sts[bot])
  • When Prometheus monitoring is enabled, the metrics label is now set to the intended value of cert-manager. Previously, it was set depending on various factors (namespace cert-manager is installed in and/or Helm release name). (#​8162, @​LiquidPL)
Other (Cleanup or Flake)
aureq/cert-manager-webhook-ovh (cert-manager-webhook-ovh)

v0.9.4

Compare Source

Noteworthy changes
  • ⏩ upgrade base container image to grab latest security updates

v0.9.3

Compare Source

⭐ If you are using this project, please consider supporting it by starring the repository. It helps me a lot to keep maintaining and improving this project. Thank you!

❤️ In loving memory of my mom. She was my biggest supporter. This release is dedicated to her memory. I miss you mom, and I love you. April 27th, 1948 ~ February 19th, 2026.

Noteworthy changes
  • 🌿 make secret-reader RoleBinding roleRef kind configurable via rbac.roleType to address a permission issue.
  • 🌿 add unit tests to validate rbac.roleType option in Helm templates
  • 🐛 fix template indentation (Fixes #​83, Thanks to Sébastien de Melo for the report and the initial suggestion)
  • 🌿 add pod.tolerations support
  • 📝 document pod.tolerations parameter in README
  • 🌱 add unit tests for nodeSelector, affinity and tolerations
  • ⚙️ publish chart to the OCI registry, thanks to Erwan Leboucher
  • ⚙️ set explicit Helm version v4.1.1 in both build jobs
  • 📄 document secret namespace requirement for credential secrets
  • ⚙️ add harden-runner step to docker and helm jobs in release workflow
  • 🐛 fix changelog extraction to match exact version strings
Dependencies
  • ⏩ update github.com/cert-manager/cert-manager to v1.19.4
  • ⏩ update go.opentelemetry.io/otel/sdk to v1.40.0 to address CVE-2026-24051
  • ⏩ upgrade step-security/harden-runner to v2.15.1
  • ⏩ upgrade actions/checkout to v6
  • ⏩ upgrade docker/setup-qemu-action to v4
  • ⏩ upgrade docker/setup-buildx-action to v4
  • ⏩ upgrade docker/login-action to v4
  • ⏩ upgrade docker/metadata-action to v6
  • ⏩ upgrade docker/build-push-action to v7
  • ⏩ upgrade actions/upload-artifact to v7
  • ⏩ upgrade actions/download-artifact to v8

v0.9.2

Compare Source

⭐ If you are using this project, please consider supporting it by starring the repository. It helps me a lot to keep maintaining and improving this project. Thank you!

❤️ In loving memory of my mom. She was my biggest supporter. This release is dedicated to her memory. I miss you mom, and I love you. April 27th, 1948 ~ February 19th, 2026.

Noteworthy changes
  • 🌿 add external account binding validation in Helm templates (fixes #​79)
  • 🌿 add unit tests to validate external account binding validation
  • 🌿 add groupName empty value validation in Helm templates
  • 🌿 add default value for cert-manager namespace in RBAC binding
  • 📝 add helm-docs template and generate comprehensive README
  • 📝 publish generated documentation to GitHub pages instead of using static page
Dependencies
  • ⏩ update to alpine 3.23 for main container, and make it consistent with build container
  • ⏩ update k8s.io/api to v0.34.4
  • ⏩ update k8s.io/apiextensions-apiserver to v0.34.4
  • ⏩ update k8s.io/apimachinery to v0.34.4
  • ⏩ update k8s.io/client-go to v0.34.4

v0.9.1

Compare Source

⭐ If you are using this project, please consider supporting it by starring the repository. It helps me a lot to keep maintaining and improving this project. Thank you!

❤️ In loving memory of my mom. She was my biggest supporter. This release is dedicated to her memory. I miss you mom, and I love you. April 27th, 1948 ~ February 19th, 2026.

Noteworthy changes
  • 🐛 explicitly declare ovhAuthenticationRef as optional in issuer schema
  • 🐛 add nil guards for authentication objects in Helm template helpers (fixes #​79)
  • 🌱 add new unit tests to cover nil guards in Helm template helpers

v0.9.0

Compare Source

⭐ If you are using this project, please consider supporting it by starring the repository. It helps me a lot to keep maintaining and improving this project. Thank you!

Breaking changes and important notes

🚀 Overall, this release gets us closer to a more robust, polished and user-friendly Helm chart. The time and quality invested in this release aim to bring it close to what you'd expect from a commercial product.

🚀 The values.yaml is now fully documented and it now supports JSON schema validation. A lot of time has gone into rewriting unit tests to catch potential issues and ensure the stability of this Helm chart. The new validator template and the JSON schema validation helps catch configuration errors early and provides much better feedback to users.

⚠️ Due to the refactor of the Helm chart structure, the values.yaml file has been reorganized and some configuration keys have been moved. Please refer to the updated values.yaml and the new README.md for details on the new structure and configuration options.

⚠️ ️Temporarily remove support for deployment tolerations due to a problem with the Helm Chart template rendering.

❤️ In loving memory of my mom. She was my biggest supporter. This release is dedicated to her memory. I miss you mom, and I love you. April 27th, 1948 ~ February 19th, 2026.

Major features
  • 🚀 add JSON schema for Helm chart values.yaml validation when deploying the Chart
  • 🚀 rewrite the Chart unit tests to validate the Chart rendering and error handling
  • 🎉 add JSON schema annotations to all options in values.yaml
  • 🎉 refactor/reorganize the Helm chart values.yaml structure (⚠️ see breaking changes above)
  • 🎉 add dedicated validator.yaml template for issuer authentication
  • 📄 add inline documentation to values.yaml, including JSON schema for schema generation
  • 📄 add Helm chart README.md with values documentation
Noteworthy changes
  • 🌿 add unit tests for groupName, certManager, rbac, image, service and pod options
  • 🌿 refactor authentication helper functions in _helpers.tpl
  • 🌿 update helm unit tests for refactored authentication helpers
  • 🌿 update test values for refactored authentication validation
  • 🌿 add annotations support for service
  • 🌿 add validation to enforce single authentication method per issuer
  • 🌿 add unit tests for validator template with dual authentication rejection
  • 🌿 add issuer authentication method field validation
  • 🌿 add unit tests for issuer authentication method validation
  • 🌱 add YAML language server schema annotation to values.yaml
  • 🌱 remove redundant fail check and add inline comments in issuer.yaml
  • 🌱 remove redundant fail check in secret.yaml
  • 🌱 add default value schema annotations for ovhAuthenticationRef key fields
  • 📄 improve profile option comments in values.yaml
  • 📄 update release workflow with helm-docs and helm-schema steps in README.md
  • 📄 update feature list in README.md
  • 📄 clarify image.tag accepts version numbers or digests
  • ⚙️ add -trimpath flag to go build in Dockerfile to support reproducible builds
  • ⚙️ add helm-docs, helm-schema, and helm-unittest targets in Makefile
  • 🔥 temporarily remove deployment tolerations due to a problem with the Helm template rendering.
  • 🔥 remove legacy test files and test value fixtures
  • 📝 update README feature list with unit tests entry and wording fixes
Dependencies
  • ⏩ upgrade github.com/cert-manager/cert-manager to v1.19.3
trowaflo/helm-charts (common)

v2.1.2

Compare Source

Common library chart providing reusable Helm templates and default configurations. Standardizes Kubernetes resource deployment (Deployments, Services, Ingress, ServiceMonitor, PersistentVolumes, PersistentVolumeClaims) across the chart repository with consistent security, observability, and best practices. Used by all application charts in this repository for consistency.

What's Changed

Full Changelog: common-2.1.1...common-2.1.2

v2.1.1

Compare Source

Common library chart providing reusable Helm templates and default configurations. Standardizes Kubernetes resource deployment (Deployments, Services, Ingress, ServiceMonitor, PersistentVolumes, PersistentVolumeClaims) across the chart repository with consistent security, observability, and best practices. Used by all application charts in this repository for consistency.

What's Changed

Full Changelog: common-2.1.0...common-2.1.1

portainer/k8s (portainer)

v2.39.0

Compare Source

Helm chart used to deploy the Portainer for Kubernetes

v2.33.7

Compare Source

Helm chart used to deploy the Portainer for Kubernetes

prometheus-community/helm-charts (prometheus)

v28.13.0

Compare Source

Prometheus is a monitoring system and time series database.

What's Changed

Full Changelog: prometheus-community/helm-charts@kube-prometheus-stack-82.4.3...prometheus-28.13.0

v28.12.0

Compare Source

Prometheus is a monitoring system and time series database.

What's Changed

  • [prometheus] Update Helm release prometheus-node-exporter to 4.52.* by @​renovate[bot] in #​6685

Full Changelog: prometheus-community/helm-charts@kube-prometheus-stack-82.4.1...prometheus-28.12.0

v28.11.0

Compare Source

Prometheus is a monitoring system and time series database.

What's Changed

Full Changelog: prometheus-community/helm-charts@prometheus-node-exporter-4.52.0...prometheus-28.11.0

v28.10.1

Compare Source

Prometheus is a monitoring system and time series database.

What's Changed

  • [prometheus] Update quay.io/oauth2-proxy/oauth2-proxy Docker tag to v7.14.3 by @​renovate[bot] in #​6678

Full Changelog: prometheus-community/helm-charts@kube-state-metrics-7.2.0...prometheus-28.10.1

v28.10.0

Compare Source

Prometheus is a monitoring system and time series database.

What's Changed

Full Changelog: prometheus-community/helm-charts@prometheus-nginx-exporter-1.19.3...prometheus-28.10.0

v28.9.1

Compare Source

Prometheus is a monitoring system and time series database.

What's Changed

Full Changelog: prometheus-community/helm-charts@prometheus-redis-exporter-6.21.0...prometheus-28.9.1

v28.9.0

Compare Source

Prometheus is a monitoring system and time series database.

What's Changed

Full Changelog: prometheus-community/helm-charts@prometheus-snmp-exporter-9.12.0...prometheus-28.9.0

v28.8.1

Compare Source

Prometheus is a monitoring system and time series database.

What's Changed

Full Changelog: prometheus-community/helm-charts@prometheus-postgres-exporter-7.5.0...prometheus-28.8.1

v28.8.0

Compare Source

Prometheus is a monitoring system and time series database.

What's Changed

Full Changelog: prometheus-community/helm-charts@alertmanager-1.32.0...prometheus-28.8.0

v28.7.0

Compare Source

Prometheus is a monitoring system and time series database.

What's Changed

Full Changelog: prometheus-community/helm-charts@kube-prometheus-stack-81.4.2...prometheus-28.7.0

v28.6.1

Compare Source

Prometheus is a monitoring system and time series database.

What's Changed

  • [all] Enable provenance / signed by @​jkroepke in #​6511
  • [CI] Update crazy-max/ghaction-import-gpg action to v6.3.0 by @​renovate[bot] in #​6512
  • Fix GPG passphrase secret reference in release workflow by @​jkroepke in #​6513
  • Refactor GPG key handling in release workflow by @​jkroepke in #​6514
  • [kube-prometheus-stack] add grafana additionalDataSourcesString by @​firasmosbehi in #​6517
  • [prometheus-redis-exporter] Update dependency oliver006/redis_exporter to v1.80.2 by @​renovate[bot] in #​6521
  • [alertmanager] Update quay.io/prometheus-operator/prometheus-config-reloader Docker tag to v0.88.1 by @​renovate[bot] in #​6523
  • [prometheus-blackbox-exporter] Update quay.io/prometheus-operator/prometheus-config-reloader Docker tag to v0.88.1 by @​renovate[bot] in #​6524
  • Update CR_KEY in release workflow configuration by @​jkroepke in #​6525
  • [kube-prometheus-stack] Do not send the bearer token to every service by @​killerwhile in #​6427
  • [CI] Update CR_KEY in release workflow by @​jkroepke in #​6528
  • [prometheus-operator-admission-webhook] Update dependency prometheus-operator/prometheus-operator to v0.88.1 by @​renovate[bot] in #​6526
  • [prometheus-operator-crds] Update dependency prometheus-operator/prometheus-operator to v0.88.1 by @​renovate[bot] in #​6527
  • [prometheus-snmp-exporter] Update quay.io/prometheus-operator/prometheus-config-reloader Docker tag to v0.88.1 by @​renovate[bot] in #​6531
  • [kube-prometheus-stack] Update kube-prometheus-stack dependency non-major updates by @​renovate[bot] in #​6530
  • [prometheus] Update quay.io/prometheus-operator/prometheus-config-reloader Docker tag to v0.88.1 by @​renovate[bot] in #​6532
  • [prometheus-nats-exporter] - Add healthz flag to metrics configuration by @​matej-topolovec in #​6535
  • [CI] Update github-workflow dependency updates by @​renovate[bot] in #​6538
  • Update GPG passphrase handling in release workflow by @​jkroepke in #​6539

New Contributors

Full Changelog: prometheus-community/helm-charts@kube-prometheus-stack-81.2.2...prometheus-28.6.1


Configuration

📅 Schedule: Branch creation - "before 3am on the first day of the month" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions bot commented Mar 1, 2026

📦 PR Charts Available for Testing

The following charts from this PR have been packaged and published:

  • cert-manager-platform version 1.3.0-pr219
  • frigate-exporter version 1.1.0-pr219
  • graphite-exporter version 1.1.0-pr219
  • kgateway-platform version 1.2.0-pr219
  • portainer version 0.1.0-pr219
  • prometheus version 3.6.0-pr219

Testing with Helm

helm repo add pr-charts https://raw.githubusercontent.com/trowaflo/helm-charts/pr-charts
helm repo update
helm search repo pr-charts
helm install test-release pr-charts/<chart-name> --version <version-from-above>

💡 These charts will be automatically removed when this PR is merged or closed.

github-actions bot pushed a commit that referenced this pull request Mar 1, 2026
github-actions bot commented Mar 1, 2026

KICS version: v2.1.20

| Category | Results |
| --- | --- |
| CRITICAL | 0 |
| HIGH | 0 |
| MEDIUM | 0 |
| LOW | 0 |
| INFO | 0 |
| TRACE | 0 |
| TOTAL | 0 |

| Metric | Values |
| --- | --- |
| Files scanned | 67 |
| Files parsed | 40 |
| Files failed to scan | 0 |
| Total executed queries | 146 |
| Queries failed to execute | 0 |
| Execution time | 3 |

Queries Results

@renovate renovate bot force-pushed the renovate/automerge-helm-minor-updates branch from 6f58c14 to 331e791 Compare March 1, 2026 04:43
github-actions bot pushed a commit that referenced this pull request Mar 1, 2026
@renovate renovate bot force-pushed the renovate/automerge-helm-minor-updates branch from 331e791 to bc5b40d Compare March 1, 2026 21:59
github-actions bot pushed a commit that referenced this pull request Mar 1, 2026
@renovate renovate bot requested a review from trowaflo March 2, 2026 01:13
@renovate renovate bot force-pushed the renovate/automerge-helm-minor-updates branch from bc5b40d to 198b596 Compare March 6, 2026 20:44
github-actions bot pushed a commit that referenced this pull request Mar 6, 2026
@renovate renovate bot force-pushed the renovate/automerge-helm-minor-updates branch from 198b596 to 7cafe85 Compare March 10, 2026 02:37
github-actions bot pushed a commit that referenced this pull request Mar 10, 2026
@renovate renovate bot force-pushed the renovate/automerge-helm-minor-updates branch from 7cafe85 to ba8d3b5 Compare March 10, 2026 20:49
github-actions bot pushed a commit that referenced this pull request Mar 10, 2026
@renovate renovate bot force-pushed the renovate/automerge-helm-minor-updates branch from ba8d3b5 to 5c3114c Compare March 11, 2026 03:02
github-actions bot pushed a commit that referenced this pull request Mar 11, 2026
@renovate renovate bot force-pushed the renovate/automerge-helm-minor-updates branch from 5c3114c to 86b3258 Compare March 13, 2026 20:16
github-actions bot pushed a commit that referenced this pull request Mar 13, 2026