Skip to content

build(deps): bump the golang group across 1 directory with 4 updates#311

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/golang-2e9cd824b6
Open

build(deps): bump the golang group across 1 directory with 4 updates#311
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/golang-2e9cd824b6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bumps the golang group with 1 update in the / directory: github.com/cert-manager/cert-manager.

Updates github.com/cert-manager/cert-manager from 1.20.3 to 1.21.0

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.21.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.21 brings ACME Renewal Information (ARI) support, AWS IAM authentication for the Vault issuer, several security hardening changes, and continued improvements to Gateway API integration and cainjector. There are three breaking changes related to Helm chart RBAC and metrics values — review them carefully before upgrading.

Known Issues

  • Log spam for non-cert-manager-labelled Secret events: the typed predicates refactoring (#8407) causes filteredEventHandler type assertion failures ("OnAdd missing Object", "OnUpdate missing ObjectOld", "OnDelete missing Object") for every non-cert-manager-labelled Secret event, multiplied by 7 certificate sub-controllers. This is cosmetic only — the affected controllers only need events from cert-manager-labelled Secrets (which arrive via the typed informer); the metadata informer events were always filtered out by predicates in previous versions. Issuer and ClusterIssuer controllers are not affected. See #8994 for details.

Major Themes

Default tokenrequest RBAC removed from Helm chart

⚠️ Breaking change

The Helm chart no longer creates a default Role and RoleBinding granting the cert-manager controller permission to create tokens for its own ServiceAccount (serviceaccounts/token: create). No documented workflow requires this RBAC — the Route53 docs section that motivated it was removed in 2024.

If you use serviceAccountRef.name pointing at the controller ServiceAccount, you must now either create your own Role/RoleBinding granting serviceaccounts/token: create, or migrate to a dedicated ServiceAccount (recommended — see the Vault or Route53 documentation).

Restrict Challenge and Order RBAC in cert-manager-edit ClusterRole

⚠️ Potentially breaking change

The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io (GHSA-8rvj-mm4h-c258). These resources are internal to cert-manager's ACME workflow. Challenge patch and update are retained because users may need them to remove stuck finalizers.

This change was already shipped in v1.20.3 and v1.19.6, so if you are running one of those versions this will not be a breaking change. If you have tooling that creates Challenge or Order resources directly, you will need to grant those permissions explicitly.

Metrics port name and path Helm values removed

⚠️ Breaking change

The Helm values prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path, and prometheus.podmonitor.path have been removed. The controller Service metrics port has been renamed from tcp-prometheus-servicemonitor to http-metrics. Because the Helm values schema uses additionalProperties: false, users who still have any of the removed keys in their values overrides will see a schema validation error on upgrade — remove them before upgrading. (#8952)

ACME and Certificate Management

  • ACME Renewal Information (ARI): experimental support for RFC 9773 behind the ACMEUseARI feature gate. When enabled, cert-manager queries the ACME server's renewalInfo endpoint for the recommended renewal window, allowing servers like Let's Encrypt to proactively prompt renewal during mass revocations or CA key rollovers. (#8798)
  • waitInsteadOfSelfCheck solver option: skip cert-manager's own self-check and instead wait a configured duration before asking the ACME server to validate. An escape hatch for split-horizon DNS and NAT hairpin environments. See configuration details. (#8858)
  • AWS IAM authentication for Vault: the Vault issuer now supports IRSA, EKS Pod Identity, and ambient EC2/ECS credentials, removing the need for long-lived AWS Secrets. (#8422)
  • Certificate renewal policies: a new renewalPolicies field on the Certificate API provides more expressive control over renewal scheduling, complementing renewBefore and renewBeforePercentage. (#8258)
  • Configurable CertificateRequest retry backoff: the new --certificate-request-maximum-backoff-duration flag (default: 32 hours) caps the exponential backoff for failed CertificateRequests, useful for environments with scheduled CA maintenance windows. (#8893)
  • Modern2026 PKCS#12 profile: a new FIPS 140-3 compatible encoding profile using AES-256 + SHA-256 KDFs instead of legacy 3DES/RC2. (#8841)
  • Webhook certificate renewal after system suspend: the webhook now detects missed certificate renewals after system suspend (S3/S4) or VM live migration by polling wall-clock time, recovering within one minute of resume. (#8464)

Gateway API and cainjector

  • HTTP01 ListenerSet parentRef fallback: the acme.cert-manager.io/http01-parentreffallback: "true" annotation causes cert-manager to use the parent Gateway for solver HTTPRoutes instead of the ListenerSet, enabling TLS-only ListenerSets to use a shared HTTP listener for ACME challenges. (#8749)
  • cert-manager.io/ignore-tls-listeners annotation: exclude specific Gateway TLS listeners from certificate management. (#8727)
  • Additional listener protocols: configurable listener protocols beyond the default set. (#8683)
  • enableGatewayAPI configuration restructure: enableGatewayAPI and enableGatewayAPIListenerSet are deprecated in favor of gatewayAPI.enabled / gatewayAPI.enableListenerSet. The old fields continue to work. (#8732)
  • CAInjectorMerging promoted to GA: unconditionally enabled; will be removed in a future release. (#8583)

... (truncated)

Commits
  • b8f325e Merge pull request #8984 from cert-manager-bot/cherry-pick-8983-to-release-1.21
  • 6d43c8c Ignore GO-2026-5932 in trivy scans
  • 8eb9d29 Merge pull request #8980 from cert-manager-bot/cherry-pick-8976-to-release-1.21
  • a95f519 Merge pull request #8981 from erikgb/r-1-21-bump-go
  • 5d62fa3 [release-1.21] Update dependency go to v1.26.5
  • 66241e2 Add acmesolver.runtimeClassName
  • 0357ac2 Merge pull request #8967 from cert-manager/release-1.21-disable-klone
  • 2f2bfc3 Disable generate-klone on release-1.21 branch
  • ae67234 Merge pull request #8893 from lunarwhite/max-backoff-duration
  • 35e46aa Respect configured max backoff in trigger controller
  • Additional commits viewable in compare view

Updates k8s.io/api from 0.35.3 to 0.36.2

Commits
  • 2f4cefd Update dependencies to v0.36.2 tag
  • 879d396 Merge remote-tracking branch 'origin/master' into release-1.36
  • 030d81f Update github.com/moby/spdystream from v0.5.0 to v0.5.1
  • aef6eb6 Add granular authorization for DRA ResourceClaim status updates
  • 91061ea Merge pull request #136589 from tosi3k/preemption-mode
  • e6b81e2 Add Workload-Aware Preemption fields to Workload and PodGroup APIs
  • f8fce2e Merge pull request #136989 from nojnhuh/podgroup-resourceclaim
  • b928f5e Workload API: PodGroup ResourceClaims (KEP-5729)
  • 61bd78e Merge pull request #137190 from everpeace/KEP-5491-alpha
  • 6bf46eb Merge pull request #137028 from nmn3m/feature/dra-resource-pool-status
  • Additional commits viewable in compare view

Updates k8s.io/apimachinery from 0.35.3 to 0.36.2

Commits
  • ae3f98e Update dependencies to v0.36.2 tag
  • 2ec982d Merge pull request #139508lalitc375/automated-cherry-pick-of-#139480
  • 6a88102 Fix wrong marking of errors
  • efb7f26 Merge remote-tracking branch 'origin/master' into release-1.36
  • d966e56 Update github.com/moby/spdystream from v0.5.0 to v0.5.1
  • 79b3632 Merge pull request #137864 from yongruilin/dv-dra-mismatch
  • a8822f7 Add slice and map union member support with tests
  • 7dba2d0 Use IsZero instead of IsNil for union ratcheting check
  • d95710f Fix union validation ratcheting when oldObj is nil
  • 729062d Merge pull request #137849 from bryantbiggs/deps/update-kube-openapi
  • Additional commits viewable in compare view

Updates sigs.k8s.io/controller-runtime from 0.23.3 to 0.24.1

Release notes

Sourced from sigs.k8s.io/controller-runtime's releases.

v0.24.1

What's Changed

Full Changelog: kubernetes-sigs/controller-runtime@v0.24.0...v0.24.1

v0.24.0

⚠️ Breaking Changes

🐛 Bug Fixes

  • Cache: Fix IndexField blocking until informer is synced (#3445)
  • Cache: Wait for cache sync when ReaderFailOnMissingInformer is true (#3425)
  • Client: Update typed ApplyConfigurations with server response (#3475)
  • Fakeclient: Fix SSA status patch resource version check (#3443)
  • Fakeclient: Fix panic when using CRs with embedded pointer structs (#3431)
  • Fakeclient: Fix status apply if existing object has managedFields set (#3430)
  • Fakeclient: Retry GenerateName on AlreadyExists collisions (#3498)
  • HTTP servers: Wire up base context into http servers (#3452)

🌱 Others

  • Builder/Webhooks: Remove deprecated custom path function (#3465)
  • Cache: Test cache reader waits for cache sync (#3434)
  • Certwatcher: Deflake certwatcher tests (#3457)
  • Dependencies: Use forked version of btree (#3449)
  • Envtest: Ensure envtest stops the whole process group (#3447)
  • Logging: Add missing space in zap-log-level flag description (#3492)
  • Misc: Adopt new(x) over ptr.To(x) and re-enable newexpr lint (#3489)
  • Owners: Cleanup (#3453)
  • Recorder: Add logger into context for structured logging (#3454)
  • Recorder: Switch to StartLogging for event debug logs (#3451)
  • Scheme: Deprecate the scheme builder (#3461)
  • Source/Kind: Improve logging for dynamic type kind source (#3494)
  • Webhooks: Reduce memory usage of default webhooks (#3463 #3468)

🌱 CI & linters

  • Chore: Update golangci-lint version to v2.8.0 (#3448)
  • Chore: Update golangci-lint version to v2.10.1 (#3470)
  • Chore: Update golangci-lint version to v2.11.3 (#3482)
  • Migrate away from custom GitHub action approval workflow (#3491)
  • Release: Auto-create git tags for the tools/setup-envtest submodule (#3476)

📖 Additionally, there has been 1 contribution to our documentation. (#3477)

Dependencies

... (truncated)

Commits
  • 3be3f1b Merge pull request #3516 from k8s-infra-cherrypick-robot/cherry-pick-3515-to-...
  • 0f7b33d Fix regression in Apply typed error handling
  • d3eaef3 Merge pull request #3475 from alvaroaleman/fixfix
  • 3296f32 🐛 Update typed Applyconfigurations with server response
  • c8b4b9d Merge pull request #3506 from troy0820/troy0820/update-deps-k8s
  • 557c314 update to k8s.io v1.36.0
  • e4a998c Merge pull request #3499 from kubernetes-sigs/dependabot/github_actions/all-g...
  • 1a31c56 Merge pull request #3498 from vieux/fix-fake-client-generatename-retry
  • 80bc294 fakeclient: retry GenerateName on AlreadyExists collisions (match K8s 1.32 be...
  • 77b730a 🌱 Bump the all-github-actions group with 2 updates
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the golang group with 1 update in the / directory: [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager).


Updates `github.com/cert-manager/cert-manager` from 1.20.3 to 1.21.0
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md)
- [Commits](cert-manager/cert-manager@v1.20.3...v1.21.0)

Updates `k8s.io/api` from 0.35.3 to 0.36.2
- [Commits](kubernetes/api@v0.35.3...v0.36.2)

Updates `k8s.io/apimachinery` from 0.35.3 to 0.36.2
- [Commits](kubernetes/apimachinery@v0.35.3...v0.36.2)

Updates `sigs.k8s.io/controller-runtime` from 0.23.3 to 0.24.1
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](kubernetes-sigs/controller-runtime@v0.23.3...v0.24.1)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-version: 1.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang
- dependency-name: k8s.io/api
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-version: 0.24.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 14, 2026
@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Jakob-Naucke

Copy link
Copy Markdown
Member

/ok-to-test

@Jakob-Naucke Jakob-Naucke left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hold on, although we don't use the CI host that's pinned to Golang 1.26 anymore, k8s.io/api etc. were still supposed to be blocked. we should check into that first.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code ok-to-test

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant