
build(deps): bump github.com/cert-manager/cert-manager from 1.18.4 to 1.20.2 in /controller/deploy/operator #546

Merged
raballew merged 2 commits into main from dependabot/go_modules/controller/deploy/operator/github.com/cert-manager/cert-manager-1.20.2
Apr 15, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Apr 14, 2026

Bumps github.com/cert-manager/cert-manager from 1.18.4 to 1.20.2.

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.20.2 fixes invalid YAML generated in the Helm chart when both webhook.config and webhook.volumes are defined, and bumps Go to 1.26.2 along with dependencies to address reported vulnerabilities.

Changes by Kind

Bug or Regression

Other (Cleanup or Flake)

v1.20.1 fixes an issue for OpenShift users that has to do with the finalizer RBAC, bumps gRPC to address a reported non-affecting vulnerability, and fixes a duplicate parentRef bug when both issuer config and annotations are present (Gateway API).

Bug or Regression

  • Fixed duplicate parentRef bug when both issuer config and annotations are present. (#8658, @hjoshi123)
  • Add missing issuer finalizer RBAC to the order controller to support owner references. This was preventing OpenShift users from being able to upgrade to v1.20.0. (#8655, @erikgb)
  • Bump google.golang.org/grpc to fix vulnerability reported by scanners. This isn't a vulnerability that affects cert-manager, but we are bumping it because it is reported by scanners. (#8657, @erikgb)

v1.20.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.20.0 adds alpha support for the new ListenerSet resource, adds support for Azure Private DNS; parentRefs are no longer required when using ACME with Gateway API, and OtherNames was promoted to Beta.

Changes by Kind

Feature

  • Added a set of flags to permit setting NetworkPolicy across all deployed containers. Remove redundant global IP ranges from example policies. (#8370, @jcpunk)
  • Added selectable fields to custom resource definitions for .spec.issuerRef.{group, kind, name} (#8256, @tareksha)
  • Added support for specifying imagePullSecrets in the startupapicheck-job Helm template to enable pulling images from private registries. (#8186, @mathieu-clnk)
  • Added 'extraContainers' helm chart value, allowing the deployment of arbitrary sidecar containers within the cert-manager operator pod. This can be used to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification. (#8355, @dancmeyers)
  • Added parentRef override annotations on the Certificate resource. (#8518, @hjoshi123)
  • Added support for azure private zones for dns01 issuer. (#8494, @hjoshi123)
  • Added support for configuring PEM decoding size limits, allowing operators to handle larger certificates and keys. (#7642, @robertlestak)
  • Added support for unhealthyPodEvictionPolicy in PodDisruptionBudget (#7728, @jcpunk)
  • For Venafi provider, read venafi.cert-manager.io/custom-fields annotation on Issuer/ClusterIssuer and use it as base with override/append capabilities on Certificate level. (#8301, @k0da)
  • Improve error message when CA issuers are misconfigured to use a clashing secret name (#8374, @majiayu000)
  • Introduce a new Ingress annotation acme.cert-manager.io/http01-ingress-ingressclassname to override http01.ingress.ingressClassName field in HTTP-01 challenge solvers. (#8244, @lunarwhite)
  • Update global.nodeSelector to helm chart to perform a merge and allow for a single nodeSelector to be set across all services. (#8195, @StingRayZA)
  • Vault issuers will now include the Vault server address as one of the default audiences on generated service account tokens. (#8228, @terinjokes)
  • Added experimental XListenerSets feature gate (#8394, @hjoshi123)

Documentation

... (truncated)

Commits
  • e5b7b18 Merge pull request #8704 from erikgb/1-20-fix-vuln-go-deps
  • e7ec855 Merge pull request #8703 from erikgb/1-20-bump-go-base-images
  • cd96b95 [release-1.20] Bump go dependencies with reported vulnerabilities
  • a1b6f11 [release-1.20] Bump go to 1.26.2 and bump base images
  • 6dee676 Merge pull request #8665 from cert-manager-bot/cherry-pick-8664-to-release-1.20
  • 9ccf555 Fix indentation in webhook-deployment when both webhook.volumes and webhook.c...
  • dc96863 Merge pull request #8658 from cert-manager-bot/cherry-pick-8619-to-release-1.20
  • 7e66079 removing duplicate parentRefs
  • 75f90e4 Merge pull request #8657 from erikgb/fix-grpc-vuln
  • f27364c Update module google.golang.org/grpc to v1.79.3 [security] (release-1.20)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) from 1.18.4 to 1.20.2.
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md)
- [Commits](cert-manager/cert-manager@v1.18.4...v1.20.2)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-version: 1.20.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code minor labels Apr 14, 2026

coderabbitai bot commented Apr 14, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 36b6079c-4b1d-48b8-80a3-6445f27adaf1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.



ambient-code bot commented Apr 15, 2026

Dependabot PR Review Summary

Changes reviewed: Bumps github.com/cert-manager/cert-manager from 1.18.4 to 1.20.2 in /controller/deploy/operator.

CI Status: ❌ FAILING

Multiple CI jobs are failing: tests, deploy-kind (operator), e2e-test-operator, build-operator-image.

⚠️ This is a Kubernetes version bump in disguise

cert-manager versions are tightly coupled to Kubernetes dependencies:

|                    | cert-manager 1.18.x | cert-manager 1.20.2 |
|--------------------|---------------------|---------------------|
| Go version         | 1.24.0              | 1.25.0              |
| k8s.io/* deps      | v0.32.0             | v0.35.2             |
| controller-runtime | v0.19.0             | v0.23.x             |

The operator currently uses k8s.io v0.34.1, and the main controller uses k8s.io v0.33.0. Bumping to cert-manager 1.20.2 would force k8s.io to v0.35.2 — two versions ahead of the main controller — creating a severe version conflict across the project.

Root Cause of CI Failures

  1. Primary: Operator Dockerfile uses ubi9/go-toolset:1.24.6 with GOTOOLCHAIN=local. cert-manager 1.20.2 requires Go >= 1.25.0.
  2. Secondary: Test infrastructure (setup-envtest) pulls controller-runtime v0.23.3 requiring Go 1.25+.

Security Considerations

  • cert-manager 1.18.6 (latest in 1.18.x series) already patches CVE-2025-68121 with zero dependency changes and no Go version requirement increase.
  • No cert-manager-specific CVEs motivate the jump to 1.20.x.

Recommendation

Close this PR and bump to cert-manager 1.18.6 instead. This is a pure bugfix/security patch that:

  • Fixes CVE-2025-68121
  • Requires no Go version change
  • Requires no k8s dependency version change
  • Is a drop-in replacement for 1.18.4

I will push a commit with the 1.18.6 fix as an alternative.

cc @mangelajo @bzlotnik @kirkbrauer — This PR attempts to bump cert-manager from 1.18.4 to 1.20.2, which is effectively a k8s version bump (k8s.io v0.32→v0.35.2) and Go version bump (1.24→1.25). Recommend staying on 1.18.6 for now. If a cert-manager feature upgrade is eventually desired, 1.19.4 would be the best stepping stone (uses k8s.io v0.34.1, matching the operator's current deps).

cert-manager 1.20.2 requires Go 1.25.0 and k8s.io v0.35.2, which is
incompatible with the project's current Go 1.24.x toolchain and
k8s.io dependency versions.

cert-manager 1.18.6 is a bugfix release that patches CVE-2025-68121
without requiring any Go or k8s version changes, making it a safe
drop-in upgrade from 1.18.4.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
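The review above treats this bump as a Go toolchain and k8s.io bump in disguise. The following is an added example, not the project's code and not its real go.mod: it parses a constructed go.mod fragment and flags exactly those two conditions against the toolchain pinned in the Dockerfile (1.24.6, with GOTOOLCHAIN=local) and the main controller's k8s.io version (v0.33.0), both as cited in the comment.

```python
import re

# Constructed go.mod fragment standing in for what the operator module would
# contain after the proposed bump (not the project's real file). Versions are
# the ones the review cites: cert-manager 1.20.2 pulls Go 1.25.0 and k8s.io v0.35.2.
GO_MOD_AFTER_BUMP = """\
module example.invalid/controller/deploy/operator

go 1.25.0

require (
\tgithub.com/cert-manager/cert-manager v1.20.2
\tk8s.io/api v0.35.2
\tk8s.io/apimachinery v0.35.2
\tk8s.io/client-go v0.35.2
\tsigs.k8s.io/controller-runtime v0.23.3
)
"""

def parse_version(v):
    """'v0.35.2', 'go1.24.6' or '1.25' -> (0, 35, 2); missing parts become 0."""
    nums = re.findall(r"\d+", v.split("-")[0])[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def parse_go_mod(text):
    """Return (go directive, {module path: version}) from go.mod text."""
    go_directive, requires = None, {}
    for line in text.splitlines():
        line = line.split("//")[0].strip()          # drop comments
        m = re.match(r"^go\s+(\S+)$", line)
        if m:
            go_directive = m.group(1)
            continue
        # Matches both 'require mod vX' and indented 'mod vX' inside a block.
        m = re.match(r"^(?:require\s+)?(\S+/\S+)\s+(v\S+)$", line)
        if m:
            requires[m.group(1)] = m.group(2)
    return go_directive, requires

def check_bump(go_mod_text, toolchain, sibling_k8s):
    """Findings that make a dependency bump a toolchain/k8s bump in disguise.
    toolchain: Go version pinned in the image (GOTOOLCHAIN=local cannot auto-upgrade).
    sibling_k8s: k8s.io minor line used by the sibling module that must stay aligned."""
    go_directive, requires = parse_go_mod(go_mod_text)
    findings = []
    if go_directive and parse_version(go_directive) > parse_version(toolchain):
        findings.append(f"go directive {go_directive} exceeds pinned toolchain {toolchain}")
    for mod, ver in sorted(requires.items()):
        if mod.startswith("k8s.io/") and parse_version(ver)[:2] != parse_version(sibling_k8s)[:2]:
            findings.append(f"{mod} {ver} diverges from sibling module's {sibling_k8s}")
    return findings
```

Running check_bump(GO_MOD_AFTER_BUMP, "1.24.6", "v0.33.0") yields four findings (the go directive plus the three k8s.io modules), which is the signal a reviewer wants before CI spends time on the build.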

@raballew raballew left a comment


Safe patch-level bump (actual change is 1.18.4 -> 1.18.6, not 1.20.2 as the title suggests -- the commit history shows the downgrade from 1.20.2 was intentional due to Go 1.25 / k8s v0.35.2 incompatibility).

  • Addresses CVE-2025-68121
  • No transitive k8s.io dependency changes (go.mod hash identical between 1.18.4 and 1.18.6)
  • No API breaking changes (stable v1 types: Issuer, ClusterIssuer, Certificate)
  • Other go sub-projects (controller/go.mod, e2e/test/go.mod) do not depend on cert-manager -- no cross-module updates needed
  • CI passing

🤖 Generated with Claude Code

@raballew raballew enabled auto-merge (squash) April 15, 2026 19:07
@raballew raballew merged commit 3e37577 into main Apr 15, 2026
39 of 41 checks passed
@dependabot dependabot bot deleted the dependabot/go_modules/controller/deploy/operator/github.com/cert-manager/cert-manager-1.20.2 branch April 15, 2026 19:32

Labels: already-checked, dependencies, go, minor
