Breaking Changes

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is strongly recommended to address multiple high-severity security vulnerabilities. Review updates to the vendored ACME client, particularly the deprecation of TLS-SNI-01 and TLS-SNI-02 challenge types, which may impact custom ACME integrations. 📝 Summary cert-manager v1.18.4 lands with vital security fixes and significant ACME protocol updates. This release addresses multiple high-severity CVEs in the underlying Go toolchain and various golang.org/x dependencies, demanding your prompt attention to safeguard your Kubernetes clusters. Beyond security, we’ve refined ACME challenge handling, notably deprecating the insecure TLS-SNI-01 and TLS-SNI-02 challenge types. On the bright side, TLS-ALPN-01 now gracefully supports IP address identifiers, expanding its utility for diverse network configurations. Core components also see a Go version bump and updated distroless base images, boosting overall stability. Upgrade now to secure your certificate management and benefit from improved ACME capabilities. ...

📋 Recommended Actions ⚠️ Action Required Immediate review of your cert-manager Helm chart deployment is required due to a significant RBAC reversion. Users relying on the ‘disableHTTPChallengesRole’ flag must update their manifests. Review the certificate name constraints fix to ensure correct certificate issuance. 📝 Summary cert-manager v1.18.2 lands with critical updates, most notably a significant reversion of RBAC changes introduced in v1.18.1. This patch release removes the global.rbac.disableHTTPChallengesRole Helm value, consolidating HTTP-01 and DNS-01 challenge-related ClusterRoles into a single, unified controller role. If your deployments relied on disableHTTPChallengesRole to limit permissions, you must immediately review and update your Helm manifests. This reversion effectively means that HTTP-01 challenge permissions, such as creating pods and services, are now always included within the primary challenge controller role, potentially granting broader permissions than you previously configured or intended. Beyond RBAC, this release also delivers a crucial bug fix. It corrects an issue where certificate name constraints for URI domains were being mistakenly interpreted as ExcludedURIDomains instead of PermittedURIDomains in generated Certificate Signing Requests. This fix ensures that your certificates are issued with the exact URI name constraints you specify, preventing unexpected validation failures. Operations engineers should promptly examine their Helm values and RBAC configurations to prevent unintended permission shifts and ensure correct certificate issuance behavior. ...