Skip to content

Build(deps): bump the minor-and-patch group across 1 directory with 5 updates#480

Merged
pdettori merged 1 commit into
mainfrom
dependabot/go_modules/kagenti-operator/minor-and-patch-d525ecc42b
Jul 15, 2026
Merged

Build(deps): bump the minor-and-patch group across 1 directory with 5 updates#480
pdettori merged 1 commit into
mainfrom
dependabot/go_modules/kagenti-operator/minor-and-patch-d525ecc42b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bumps the minor-and-patch group with 4 updates in the /kagenti-operator directory: github.com/cert-manager/cert-manager, github.com/onsi/gomega, github.com/sigstore/sigstore-go and golang.org/x/sync.

Updates github.com/cert-manager/cert-manager from 1.20.2 to 1.21.0

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.21.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.21 brings ACME Renewal Information (ARI) support, AWS IAM authentication for the Vault issuer, several security hardening changes, and continued improvements to Gateway API integration and cainjector. There are three breaking changes related to Helm chart RBAC and metrics values — review them carefully before upgrading.

Known Issues

  • Log spam for non-cert-manager-labelled Secret events: the typed predicates refactoring (#8407) causes filteredEventHandler type assertion failures ("OnAdd missing Object", "OnUpdate missing ObjectOld", "OnDelete missing Object") for every non-cert-manager-labelled Secret event, multiplied by 7 certificate sub-controllers. This is cosmetic only — the affected controllers only need events from cert-manager-labelled Secrets (which arrive via the typed informer); the metadata informer events were always filtered out by predicates in previous versions. Issuer and ClusterIssuer controllers are not affected. See #8994 for details.

Major Themes

Default tokenrequest RBAC removed from Helm chart

⚠️ Breaking change

The Helm chart no longer creates a default Role and RoleBinding granting the cert-manager controller permission to create tokens for its own ServiceAccount (serviceaccounts/token: create). No documented workflow requires this RBAC — the Route53 docs section that motivated it was removed in 2024.

If you use serviceAccountRef.name pointing at the controller ServiceAccount, you must now either create your own Role/RoleBinding granting serviceaccounts/token: create, or migrate to a dedicated ServiceAccount (recommended — see the Vault or Route53 documentation).

Restrict Challenge and Order RBAC in cert-manager-edit ClusterRole

⚠️ Potentially breaking change

The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io (GHSA-8rvj-mm4h-c258). These resources are internal to cert-manager's ACME workflow. Challenge patch and update are retained because users may need them to remove stuck finalizers.

This change was already shipped in v1.20.3 and v1.19.6, so if you are running one of those versions this will not be a breaking change. If you have tooling that creates Challenge or Order resources directly, you will need to grant those permissions explicitly.

Metrics port name and path Helm values removed

⚠️ Breaking change

The Helm values prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path, and prometheus.podmonitor.path have been removed. The controller Service metrics port has been renamed from tcp-prometheus-servicemonitor to http-metrics. Because the Helm values schema uses additionalProperties: false, users who still have any of the removed keys in their values overrides will see a schema validation error on upgrade — remove them before upgrading. (#8952)

ACME and Certificate Management

  • ACME Renewal Information (ARI): experimental support for RFC 9773 behind the ACMEUseARI feature gate. When enabled, cert-manager queries the ACME server's renewalInfo endpoint for the recommended renewal window, allowing servers like Let's Encrypt to proactively prompt renewal during mass revocations or CA key rollovers. (#8798)
  • waitInsteadOfSelfCheck solver option: skip cert-manager's own self-check and instead wait a configured duration before asking the ACME server to validate. An escape hatch for split-horizon DNS and NAT hairpin environments. See configuration details. (#8858)
  • AWS IAM authentication for Vault: the Vault issuer now supports IRSA, EKS Pod Identity, and ambient EC2/ECS credentials, removing the need for long-lived AWS Secrets. (#8422)
  • Certificate renewal policies: a new renewalPolicies field on the Certificate API provides more expressive control over renewal scheduling, complementing renewBefore and renewBeforePercentage. (#8258)
  • Configurable CertificateRequest retry backoff: the new --certificate-request-maximum-backoff-duration flag (default: 32 hours) caps the exponential backoff for failed CertificateRequests, useful for environments with scheduled CA maintenance windows. (#8893)
  • Modern2026 PKCS#12 profile: a new FIPS 140-3 compatible encoding profile using AES-256 + SHA-256 KDFs instead of legacy 3DES/RC2. (#8841)
  • Webhook certificate renewal after system suspend: the webhook now detects missed certificate renewals after system suspend (S3/S4) or VM live migration by polling wall-clock time, recovering within one minute of resume. (#8464)

Gateway API and cainjector

  • HTTP01 ListenerSet parentRef fallback: the acme.cert-manager.io/http01-parentreffallback: "true" annotation causes cert-manager to use the parent Gateway for solver HTTPRoutes instead of the ListenerSet, enabling TLS-only ListenerSets to use a shared HTTP listener for ACME challenges. (#8749)
  • cert-manager.io/ignore-tls-listeners annotation: exclude specific Gateway TLS listeners from certificate management. (#8727)
  • Additional listener protocols: configurable listener protocols beyond the default set. (#8683)
  • enableGatewayAPI configuration restructure: enableGatewayAPI and enableGatewayAPIListenerSet are deprecated in favor of gatewayAPI.enabled / gatewayAPI.enableListenerSet. The old fields continue to work. (#8732)
  • CAInjectorMerging promoted to GA: unconditionally enabled; will be removed in a future release. (#8583)

... (truncated)

Commits
  • b8f325e Merge pull request #8984 from cert-manager-bot/cherry-pick-8983-to-release-1.21
  • 6d43c8c Ignore GO-2026-5932 in trivy scans
  • 8eb9d29 Merge pull request #8980 from cert-manager-bot/cherry-pick-8976-to-release-1.21
  • a95f519 Merge pull request #8981 from erikgb/r-1-21-bump-go
  • 5d62fa3 [release-1.21] Update dependency go to v1.26.5
  • 66241e2 Add acmesolver.runtimeClassName
  • 0357ac2 Merge pull request #8967 from cert-manager/release-1.21-disable-klone
  • 2f2bfc3 Disable generate-klone on release-1.21 branch
  • ae67234 Merge pull request #8893 from lunarwhite/max-backoff-duration
  • 35e46aa Respect configured max backoff in trigger controller
  • Additional commits viewable in compare view

Updates github.com/onsi/gomega from 1.42.0 to 1.42.1

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.42.1

1.42.1

Bump Dependencies

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.42.1

Bump Dependencies

Commits

Updates github.com/sigstore/sigstore-go from 1.2.1 to 1.2.2

Release notes

Sourced from github.com/sigstore/sigstore-go's releases.

v1.2.2

What's Changed

Full Changelog: sigstore/sigstore-go@v1.2.1...v1.2.2

Commits
  • 55aa624 Bump golangci/golangci-lint-action from 9.2.1 to 9.3.0 (#655)
  • 2eb9560 Bump the minor-patch group across 1 directory with 2 updates (#656)
  • cbf26e4 Support Verification in sigstore/cosign with X.509 Certificate Chain (#581)
  • 8a3361c Bump go-tuf to v2.4.2 (#652)
  • d6ec891 Bump the minor-patch group across 2 directories with 7 updates (#651)
  • 945a0aa Bump actions/setup-go from 6.4.0 to 6.5.0 (#650)
  • 13a15e1 Bump actions/checkout from 6.0.3 to 7.0.0 (#648)
  • c95d7f4 Update workflows to use Actions network firewall (#646)
  • a2a84a6 Update cert identity verify functions to ensure some criteria is specified (#...
  • See full diff in compare view

Updates golang.org/x/sync from 0.21.0 to 0.22.0

Commits

Updates k8s.io/utils from 0.0.0-20260210185600-b8788abfbbc2 to 0.0.0-20260626114624-be93311217bd

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

… updates

Bumps the minor-and-patch group with 4 updates in the /kagenti-operator directory: [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager), [github.com/onsi/gomega](https://github.com/onsi/gomega), [github.com/sigstore/sigstore-go](https://github.com/sigstore/sigstore-go) and [golang.org/x/sync](https://github.com/golang/sync).


Updates `github.com/cert-manager/cert-manager` from 1.20.2 to 1.21.0
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md)
- [Commits](cert-manager/cert-manager@v1.20.2...v1.21.0)

Updates `github.com/onsi/gomega` from 1.42.0 to 1.42.1
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.42.0...v1.42.1)

Updates `github.com/sigstore/sigstore-go` from 1.2.1 to 1.2.2
- [Release notes](https://github.com/sigstore/sigstore-go/releases)
- [Commits](sigstore/sigstore-go@v1.2.1...v1.2.2)

Updates `golang.org/x/sync` from 0.21.0 to 0.22.0
- [Commits](golang/sync@v0.21.0...v0.22.0)

Updates `k8s.io/utils` from 0.0.0-20260210185600-b8788abfbbc2 to 0.0.0-20260626114624-be93311217bd
- [Commits](https://github.com/kubernetes/utils/commits)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-version: 1.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.42.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: github.com/sigstore/sigstore-go
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: golang.org/x/sync
  dependency-version: 0.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: k8s.io/utils
  dependency-version: 0.0.0-20260626114624-be93311217bd
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 14, 2026
@dependabot
dependabot Bot requested a review from a team as a code owner July 14, 2026 00:24
@pdettori pdettori changed the title build(deps): bump the minor-and-patch group across 1 directory with 5 updates Build(deps): bump the minor-and-patch group across 1 directory with 5 updates Jul 15, 2026

@pdettori pdettori left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Low-risk Dependabot update. All functional CI (Build, E2E, Unit, Integration, CodeQL, Trivy) green; title corrected to pass the case-sensitive verifier. Assisted-By: Claude Code

@pdettori
pdettori merged commit 6ee2283 into main Jul 15, 2026
17 of 18 checks passed
@pdettori
pdettori deleted the dependabot/go_modules/kagenti-operator/minor-and-patch-d525ecc42b branch July 15, 2026 23:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant