cert-manager
v1.20.1Securityv1.20.1 is a targeted patch fixing an OpenShift upgrade blocker, a Gateway API duplicate parentRef bug, and a scanner-flagged gRPC dependency bump.
breakingOpenShift users: upgrade to v1.20.1, skip v1.20.0
v1.20.0 introduced a regression where the order controller lacked the necessary finalizer RBAC, breaking upgrades on OpenShift due to stricter RBAC enforcement. If you're on OpenShift and held back from v1.20.0, go straight to v1.20.1. If you somehow applied v1.20.0, verify that the ClusterRole for the order controller now includes the issuer finalizer permissions after upgrading.
securitygRPC bump is cosmetic — but clear your scanner alerts
The gRPC dependency was bumped purely to satisfy vulnerability scanners. The reported CVE does not affect cert-manager's code paths. No runtime risk, but if your supply chain tooling (Trivy, Grype, etc.) was flagging v1.20.0, this update will resolve those alerts. Good reason to upgrade, but no urgency beyond scanner hygiene.
enhancementGateway API users: fix parentRef duplication before it causes routing issues
If you're using Gateway API integration with cert-manager and specify parent references in both the issuer config and via annotations, v1.20.0 would generate duplicate parentRef entries. This can cause unpredictable behavior depending on your gateway implementation. Upgrading to v1.20.1 resolves this — review any existing certificates using both mechanisms to confirm they're clean post-upgrade.
Key changes (3)
- Fixed missing issuer finalizer RBAC on the order controller — OpenShift users were blocked from upgrading to v1.20.0
- Fixed duplicate parentRef entries in Gateway API when both issuer config and annotations specify parent references
- Bumped google.golang.org/grpc to silence scanner alerts (no actual exploitable vulnerability in cert-manager's usage)