RATATOSKRATATOSK
Sign in

cert-manager

v1.21.0Security
Jul 8, 2026

cert-manager v1.21.0 is a hardening-and-features release: it closes a HIGH-severity RBAC escalation in the cert-manager-edit ClusterRole (GHSA-8rvj-mm4h-c258) and ships two other breaking Helm/RBAC changes, alongside new ARI, Vault AWS-IAM, and Gateway API capabilities.

  • securityRBAC tightened on cert-manager-edit ClusterRole (GHSA-8rvj-mm4h-c258)

    The cert-manager-edit aggregate ClusterRole no longer grants create on challenges.acme.cert-manager.io or create/patch/update on orders.acme.cert-manager.io, closing a path where a user with only 'edit' access could escalate by crafting ACME Challenge/Order resources. Backported to v1.20.3; upgrade if you rely on cert-manager-edit permissions and audit any tooling that creates Challenge or Order resources directly.

  • breakingDefault tokenrequest RBAC removed from Helm chart

    The Helm chart no longer creates a default Role/RoleBinding granting the controller serviceaccounts/token: create on its own ServiceAccount. This breaks the undocumented pattern of setting serviceAccountRef.name to the controller's ServiceAccount; review any such references before upgrading.

  • breakingPrometheus Helm values removed, metrics port renamed

    The Helm values prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path, and prometheus.podmonitor.path have been removed, and the metrics port was renamed from tcp-prometheus-servicemonitor to http-metrics. Any values override still setting the removed keys will fail Helm schema validation on upgrade; update your values files before upgrading.

Key changes (7)

  • Security: cert-manager-edit ClusterRole no longer grants create/patch/update on ACME Challenge/Order resources (GHSA-8rvj-mm4h-c258, HIGH, backported to v1.20.3)
  • Breaking: default Role/RoleBinding for serviceaccounts/token: create removed from the Helm chart, affecting any undocumented serviceAccountRef.name usage
  • Breaking: prometheus.servicemonitor/podmonitor Helm values removed and metrics port renamed to http-metrics; stale overrides will fail schema validation
  • Deprecations: enableGatewayAPI/enableGatewayAPIListenerSet superseded by gatewayAPI.enabled/enableListenerSet (old fields still work); ServerSideApply feature gate deprecated as cainjector now uses SSA unconditionally; CAInjectorMerging promoted to GA
  • New features: experimental ACME Renewal Information (ARI) support, Vault issuer AWS IAM authentication (IRSA/EKS Pod Identity/ambient credentials), new renewalPolicies field, and Gateway API listener improvements (parentref fallback, ignore-tls-listeners)
  • Notable fixes: integer overflow in renewBeforePercentage mis-scheduling long-duration certs, infinite re-issuance loop on already-expired issuer certs, ACME challenges no longer terminally failing on transient network errors
  • Plus several smaller fixes and hardening items: DoH response size capped at 128KB, Vault path traversal rejected, DNS issuer secret validation before ready, base images updated to Debian 13