📋 Recommended Actions
⚠️ Action Required
Immediate review of your cert-manager Helm chart deployment is required due to a significant RBAC reversion. Users relying on the ‘disableHTTPChallengesRole’ flag must update their manifests. Review the certificate name constraints fix to ensure correct certificate issuance.
📝 Summary
cert-manager v1.18.2 lands with critical updates, most notably a significant reversion of RBAC changes introduced in v1.18.1. This patch release removes the global.rbac.disableHTTPChallengesRole Helm value, consolidating HTTP-01 and DNS-01 challenge-related ClusterRoles into a single, unified controller role. If your deployments relied on disableHTTPChallengesRole to limit permissions, you must immediately review and update your Helm manifests. This reversion effectively means that HTTP-01 challenge permissions, such as creating pods and services, are now always included within the primary challenge controller role, potentially granting broader permissions than you previously configured or intended. Beyond RBAC, this release also delivers a crucial bug fix. It corrects an issue where certificate name constraints for URI domains were being mistakenly interpreted as ExcludedURIDomains instead of PermittedURIDomains in generated Certificate Signing Requests. This fix ensures that your certificates are issued with the exact URI name constraints you specify, preventing unexpected validation failures. Operations engineers should promptly examine their Helm values and RBAC configurations to prevent unintended permission shifts and ensure correct certificate issuance behavior.
⚠️ Helm Chart RBAC Reversion: disableHTTPChallengesRole Removed
In cert-manager v1.18.2, a significant change in the Helm chart’s RBAC configuration has been reverted, which directly impacts users who previously leveraged the global.rbac.disableHTTPChallengesRole flag. This reversion consolidates the permissions for both HTTP-01 and DNS-01 challenges back into a single cert-manager-controller-challenges ClusterRole. This means the ability to selectively disable HTTP-01 challenge-specific permissions via this dedicated Helm value is no longer available, potentially increasing the default scope of permissions granted.
The global.rbac.disableHTTPChallengesRole Helm value, its corresponding definition in values.schema.json, and the conditional rendering logic for the cert-manager-http01-controller-challenges ClusterRole and ClusterRoleBinding have all been removed. Previously, you might have configured: yaml global: rbac: disableHTTPChallengesRole: true This option no longer exists. All challenge handling permissions are now part of the unified cert-manager-controller-challenges role. If you were setting disableHTTPChallengesRole: true, you’ll need to remove this line from your values.yaml and re-evaluate the permissions granted to the consolidated cert-manager-controller-challenges role to ensure it aligns with your security policies. The permissions for pods, services, and routes that are necessary for HTTP-01 challenges are now always included in this unified role.
Source:
deploy/charts/cert-manager/README.template.md(122-128)deploy/charts/cert-manager/templates/rbac.yaml(217-272, 444-458)deploy/charts/cert-manager/values.schema.json(796-815)deploy/charts/cert-manager/values.yaml(33-39)
🐛 Fix: Corrected Certificate Name Constraints for URI Domains
This release includes an important bug fix that addresses an incorrect interpretation of PermittedURIDomains within certificate name constraints. Previously, if you specified URI domains that should be permitted in your Certificate resource’s NameConstraints field, cert-manager would mistakenly treat them as excluded domains when generating the Certificate Signing Request (CSR). This fix ensures that cert-manager now correctly applies PermittedURIDomains as intended, leading to more accurate and predictable certificate issuance.
The fix involves a single line change in pkg/util/pki/csr.go. The code now correctly assigns crt.Spec.NameConstraints.Permitted.URIDomains to nameConstraints.PermittedURIDomains instead of nameConstraints.ExcludedURIDomains. Old incorrect behavior: go nameConstraints.ExcludedURIDomains = crt.Spec.NameConstraints.Permitted.URIDomains New correct behavior: go nameConstraints.PermittedURIDomains = crt.Spec.NameConstraints.Permitted.URIDomains This ensures that when you define a Certificate with specific URI domains allowed in its name constraints, the generated CSR will reflect this correctly, and your issued certificates will adhere to those positive constraints.
Source:
pkg/util/pki/csr.go(302)
Minor Updates & Housekeeping
This focused patch release primarily addresses the critical RBAC reversion and the name constraints bug, with no other significant minor updates or housekeeping changes.