cert-manager(v1.18.2): Key RBAC Reversion and Name Constraints Correction
📋 Recommended Actions ⚠️ Action Required Immediate review of your cert-manager Helm chart deployment is required due to a significant RBAC reversion. Users relying on the ‘disableHTTPChallengesRole’ flag must update their manifests. Review the certificate name constraints fix to ensure correct certificate issuance. 📝 Summary cert-manager v1.18.2 lands with critical updates, most notably a significant reversion of RBAC changes introduced in v1.18.1. This patch release removes the global.rbac.disableHTTPChallengesRole Helm value, consolidating HTTP-01 and DNS-01 challenge-related ClusterRoles into a single, unified controller role. If your deployments relied on disableHTTPChallengesRole to limit permissions, you must immediately review and update your Helm manifests. This reversion effectively means that HTTP-01 challenge permissions, such as creating pods and services, are now always included within the primary challenge controller role, potentially granting broader permissions than you previously configured or intended. Beyond RBAC, this release also delivers a crucial bug fix. It corrects an issue where certificate name constraints for URI domains were being mistakenly interpreted as ExcludedURIDomains instead of PermittedURIDomains in generated Certificate Signing Requests. This fix ensures that your certificates are issued with the exact URI name constraints you specify, preventing unexpected validation failures. Operations engineers should promptly examine their Helm values and RBAC configurations to prevent unintended permission shifts and ensure correct certificate issuance behavior. ...