Upgrading from v1.20 to v1.21
Before upgrading cert-manager from 1.20 to 1.21, please read the following important notes about breaking changes in 1.21:
- The Helm chart no longer creates a default `Role` and `RoleBinding` granting the cert-manager controller permission to create tokens for its own ServiceAccount (`create` on `serviceaccounts/token`). This RBAC was added in v1.16, but no documented workflow requires it. If you use `serviceAccountRef.name` pointing at the controller ServiceAccount (e.g. for Vault Kubernetes auth or Route53), you must now either:
  - create your own `Role` and `RoleBinding` granting `create` on `serviceaccounts/token` for that ServiceAccount, or
  - migrate to a dedicated ServiceAccount with its own RBAC (recommended; see the Vault or Route53 documentation).

  📖 Read Release 1.21 notes for more information.
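The recommended option (a dedicated ServiceAccount with its own RBAC) written out end to end, as an added example that is not taken from the cert-manager documentation or chart. The namespace `sandbox`, the ServiceAccount name `vault-issuer`, the controller ServiceAccount `cert-manager` in namespace `cert-manager` (the chart defaults), and the Vault server, path, role and mount path are all assumptions. The first option on the list (keep pointing at the controller ServiceAccount) differs only in that the `Role` and `RoleBinding` live in the `cert-manager` namespace and `resourceNames` names the controller ServiceAccount itself. A Route53 solver uses the same `Role`/`RoleBinding` shape; only the `serviceAccountRef` moves to `spec.acme.solvers[].dns01.route53.auth.kubernetes`.

```yaml
# Added example, not cert-manager's own manifests. Names, namespaces and the
# Vault settings below are assumptions for illustration.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-issuer
  namespace: sandbox
---
# The Role is created in the namespace of the dedicated ServiceAccount and is
# scoped with resourceNames, so the controller can only mint tokens for this
# one ServiceAccount, not for every ServiceAccount in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vault-issuer-tokenrequest
  namespace: sandbox
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    resourceNames: ["vault-issuer"]
    verbs: ["create"]
---
# The subject is the cert-manager controller's ServiceAccount (chart default
# name and namespace assumed): the controller, not the Issuer, is what calls
# the TokenRequest API when it authenticates to Vault.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vault-issuer-tokenrequest
  namespace: sandbox
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: vault-issuer-tokenrequest
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: sandbox
spec:
  vault:
    server: https://vault.example.com          # assumed
    path: pki_int/sign/example-dot-com         # assumed
    auth:
      kubernetes:
        role: vault-issuer                     # Vault Kubernetes-auth role, assumed
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:
          name: vault-issuer                   # the dedicated SA above, not the controller's
```

After applying it, confirm the grant is in place and no wider than intended before upgrading: `kubectl auth can-i create serviceaccounts/vault-issuer --subresource=token -n sandbox --as=system:serviceaccount:cert-manager:cert-manager` should answer `yes`, while the same query against any other ServiceAccount name in `sandbox` should answer `no`.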
- The `cert-manager-edit` aggregate ClusterRole no longer grants `create` for `challenges.acme.cert-manager.io`, or `create`, `patch` and `update` for `orders.acme.cert-manager.io`. This fixes a security issue (GHSA-8rvj-mm4h-c258) in which these permissions allowed users with namespace-level edit rights to bypass an Issuer's solver selectors and abuse a ClusterIssuer's credentials. The fix already shipped in the patch releases v1.20.3 and v1.19.6, so if you are already running one of those versions this is not a new breaking change.

  These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly, and should grant them to that tooling's identity only rather than adding them back to an aggregated ClusterRole, which would re-expose every namespace editor to the same issue.

  📖 Read Release 1.21 notes for more information.
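An explicit, narrowly bound grant for tooling that really does create Orders and Challenges itself, as an added example (not part of cert-manager). The namespace `sandbox` and the ServiceAccount `acme-tooling` are assumptions. It is deliberately a namespaced `Role` without the `rbac.authorization.k8s.io/aggregate-to-edit` label, so the verbs return only to this one identity and not to everyone who holds `edit` in the cluster.

```yaml
# Added example, not a cert-manager manifest. Hands back exactly the verbs
# that v1.21 removed from cert-manager-edit, to a single ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: acme-direct-orders
  namespace: sandbox        # assumed
rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: acme-direct-orders
  namespace: sandbox
subjects:
  - kind: ServiceAccount
    name: acme-tooling      # assumed identity of the tooling
    namespace: sandbox
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: acme-direct-orders
```

After the upgrade, a quick regression check that the advisory's condition is actually closed for ordinary users: `kubectl auth can-i create orders.acme.cert-manager.io -n sandbox --as=<a user or group that only holds edit>` should answer `no`, while the same query with `--as=system:serviceaccount:sandbox:acme-tooling` answers `yes`.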
- The Helm values `prometheus.servicemonitor.targetPort`, `prometheus.servicemonitor.path`, and `prometheus.podmonitor.path` have been removed. The metrics path (`/metrics`) and target port name (`http-metrics`) are now hardcoded. The controller Service's metrics port has also been renamed from `tcp-prometheus-servicemonitor` to `http-metrics`.

  Because the Helm values schema uses `additionalProperties: false`, you must remove these keys from your values overrides before upgrading, or `helm upgrade` will fail with a schema validation error. If you have custom Prometheus scrape configurations that reference the old Service port name `tcp-prometheus-servicemonitor`, update them to use `http-metrics`.

  📖 Read Release 1.21 notes for more information.
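The values change and the scrape-config change side by side, as an added example that is not part of the cert-manager chart. The first two documents are a values override as it might look on v1.20 and the same override after the keys are dropped; the third is a hand-written Prometheus `scrape_configs` job (only relevant if you do not rely on the chart's ServiceMonitor/PodMonitor), and its selection by the `app.kubernetes.io/name` Service label is an assumption about your labels.

```yaml
# Added example, not from the cert-manager chart.
# --- values override before upgrading (v1.20) ---
# Each key marked REMOVED is rejected by the 1.21 chart's schema
# (additionalProperties: false), so `helm upgrade` fails before rendering.
prometheus:
  enabled: true
  servicemonitor:
    enabled: true
    targetPort: http-metrics   # REMOVED in 1.21: port name is now fixed
    path: /metrics             # REMOVED in 1.21: path is now fixed
  podmonitor:
    enabled: false
    path: /metrics             # REMOVED in 1.21
---
# --- the same override, valid for v1.21 ---
prometheus:
  enabled: true
  servicemonitor:
    enabled: true
  podmonitor:
    enabled: false
---
# --- hand-written Prometheus job selecting the controller's metrics port ---
# Matching on the endpoint port name is what breaks across the upgrade: the
# name changed from tcp-prometheus-servicemonitor to http-metrics.
scrape_configs:
  - job_name: cert-manager
    kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names: [cert-manager]        # chart default namespace, assumed
    relabel_configs:
      - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name]
        regex: cert-manager            # assumed Service label
        action: keep
      - source_labels: [__meta_kubernetes_endpoint_port_name]
        regex: http-metrics            # was tcp-prometheus-servicemonitor before 1.21
        action: keep
```

Run `helm upgrade --dry-run` (or `helm template`) with the edited values against the 1.21 chart before touching the cluster; the schema is validated at render time, so any leftover key surfaces there rather than mid-upgrade.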
Next Steps
From here on, you can follow the regular upgrade process.