
cert-manager Operator for Red Hat OpenShift release notes

The cert-manager Operator for Red Hat OpenShift is a cluster-wide service that provides application certificate lifecycle management.

These release notes track the development of cert-manager Operator for Red Hat OpenShift.

cert-manager Operator for Red Hat OpenShift 1.18.1

Issued: 2026-01-26

The following advisories are available for the cert-manager Operator for Red Hat OpenShift 1.18.1:

Version 1.18.1 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.18.4. For more information, see the cert-manager project release notes for v1.18.4.

New features and enhancements

The final images use ubi9-minimal as base images

With this update, the cert-manager Operator for Red Hat OpenShift images use ubi9-minimal as their base images, which provides improved security compliance. No manual action is required, as the Operator automatically uses the updated images upon installation or upgrade.

cert-manager Operator for Red Hat OpenShift 1.18.0

Issued: 2025-11-12

The following advisories are available for the cert-manager Operator for Red Hat OpenShift 1.18.0:

Version 1.18.0 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.18.3. For more information, see the cert-manager project release notes for v1.18.3.

New features and enhancements

Istio-CSR integration with cert-manager Operator for Red Hat OpenShift (Generally Available)

With this release, the integration of the cert-manager Operator for Red Hat OpenShift with Istio-CSR, which was previously provided as a Technology Preview feature, is fully supported. This feature offers enhanced support for securing workloads and control plane components within Red Hat OpenShift Service Mesh or Istio environments. By using the Istio-CSR agent managed by the cert-manager Operator for Red Hat OpenShift, Istio can obtain, sign, deliver, and renew the certificates required for mutual TLS (mTLS). For more information, see Integrating the cert-manager Operator with Istio-CSR.

Replica count configuration for cert-manager Operator for Red Hat OpenShift operands

With this release, you can override the default replica counts for the cert-manager Operator for Red Hat OpenShift controller, webhook, and cainjector operands. To configure these values, specify the new overrideReplicas fields in the CertManager custom resource. With this enhancement, you can configure high availability (HA) and scale operands based on your specific operational requirements. For more information, see Common configurable fields in the CertManager CR for the cert-manager components.

Root filesystem is read-only for cert-manager Operator for Red Hat OpenShift containers

With this release, to improve security, the cert-manager Operator for Red Hat OpenShift and all its operands have the readOnlyRootFilesystem security context set to true by default. This enhancement hardens the containers and prevents a potential attacker from modifying the contents of the container’s root file system.
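The two operand settings described in the replica count and read-only root filesystem notes above are both things an administrator would want to verify after an upgrade. The following script is an added example written for these notes, not code from the Operator or from Red Hat: it takes the JSON that `oc get certmanager cluster -o json` and `oc get deploy -n cert-manager -o json` return and reports operands whose replica count disagrees with the CR and containers that do not set `readOnlyRootFilesystem: true`. The CR field nesting (`spec.<operand>Config.overrideReplicas`), the Deployment names, the default replica count and all sample objects are assumptions constructed for the example.

```python
"""Post-upgrade verification for two operand settings: replica counts set
through overrideReplicas in the CertManager CR, and readOnlyRootFilesystem
on every operand container.

Inputs are the dicts that `oc get certmanager cluster -o json` and
`oc get deploy -n cert-manager -o json` return. Everything below is a
constructed sample; the CR nesting (spec.<operand>Config.overrideReplicas),
the Deployment names and the default replica count are assumptions, not
values taken from the release notes.
"""

# Assumed mapping from CR config section to operand Deployment name.
OPERANDS = {
    "controllerConfig": "cert-manager",
    "webhookConfig": "cert-manager-webhook",
    "cainjectorConfig": "cert-manager-cainjector",
}
DEFAULT_REPLICAS = 1  # assumption: one replica per operand unless overridden

# Constructed CR: two operands scaled for HA, cainjector left at the default.
SAMPLE_CR = {
    "metadata": {"name": "cluster"},
    "spec": {
        "controllerConfig": {"overrideReplicas": 2},
        "webhookConfig": {"overrideReplicas": 2},
    },
}


def _deployment(name, replicas, containers):
    """Build a minimal Deployment manifest (constructed sample helper)."""
    return {
        "metadata": {"name": name},
        "spec": {"replicas": replicas,
                 "template": {"spec": {"containers": containers}}},
    }


# Constructed Deployments: the webhook has not been scaled yet, and the
# cainjector container is missing the read-only root filesystem setting.
SAMPLE_DEPLOYMENTS = [
    _deployment("cert-manager", 2,
                [{"name": "cert-manager-controller",
                  "securityContext": {"readOnlyRootFilesystem": True}}]),
    _deployment("cert-manager-webhook", 1,
                [{"name": "cert-manager-webhook",
                  "securityContext": {"readOnlyRootFilesystem": True}}]),
    _deployment("cert-manager-cainjector", 1,
                [{"name": "cert-manager-cainjector",
                  "securityContext": {"runAsNonRoot": True}}]),
]


def expected_replicas(cr):
    """Replica count each operand should run, taken from the CR overrides."""
    spec = cr.get("spec", {})
    return {
        name: spec.get(section, {}).get("overrideReplicas", DEFAULT_REPLICAS)
        for section, name in OPERANDS.items()
    }


def audit_replicas(cr, deployments):
    """Return (deployment, expected, actual) for every operand whose live
    Deployment does not match the CR; a missing Deployment reports None."""
    want = expected_replicas(cr)
    have = {d["metadata"]["name"]: d["spec"].get("replicas", 1)
            for d in deployments}
    return [(n, want[n], have.get(n)) for n in want if have.get(n) != want[n]]


def audit_read_only_rootfs(deployments):
    """Return (deployment, container) for every container, init containers
    included, that does not explicitly set readOnlyRootFilesystem: true."""
    findings = []
    for d in deployments:
        pod = d["spec"]["template"]["spec"]
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            sc = c.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append((d["metadata"]["name"], c["name"]))
    return findings


if __name__ == "__main__":
    for finding in audit_replicas(SAMPLE_CR, SAMPLE_DEPLOYMENTS):
        print("replica mismatch:", finding)
    for finding in audit_read_only_rootfs(SAMPLE_DEPLOYMENTS):
        print("writable root filesystem:", finding)
```

Replace the sample dicts with `json.load` of the real `oc` output to run it against a cluster. The root filesystem check deliberately treats an absent `securityContext` as a finding rather than relying on a pod-level or SCC default, because the release note's guarantee is that the setting is present on the operand containers themselves.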

Network policy hardening is now available for cert-manager Operator for Red Hat OpenShift components

With this release, the cert-manager Operator for Red Hat OpenShift includes predefined NetworkPolicy resources to enhance security by controlling ingress and egress traffic for its components. These policies cover internal traffic, such as ingress to metrics and webhook servers, and egress to the OpenShift API and DNS servers.

By default, this feature is disabled to prevent connectivity issues during upgrades. You must explicitly enable it in the CertManager custom resource. For more information, see Network policy configuration for cert-manager Operator for Red Hat OpenShift.
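The reason the policies ship disabled is the isolation semantics of NetworkPolicy: once any policy of a given type selects a pod, only the traffic that policy set lists is allowed, so DNS and API server egress must be granted explicitly or the operand loses connectivity. The script below is an added example, not code from the Operator or from Red Hat, that evaluates the `items` list from `oc get networkpolicy -n cert-manager -o json` for a pod's labels and reports the allowed ports and whether name resolution still works. The sample policies are constructed in the shape the note describes (ingress to metrics and webhook, egress to DNS and the API), and the pod labels and port numbers (9402, 10250, 53, 6443) are assumptions, not values from the release notes.

```python
"""Evaluate what a set of NetworkPolicy objects allows for a given pod.

Input is the `items` list from `oc get networkpolicy -n cert-manager -o json`.
The manifests below are constructed; the pod labels and port numbers
(9402 metrics, 10250 webhook, 53 DNS, 6443 API) are assumptions, not
values from the release notes.
"""

SAMPLE_POLICIES = [
    {   # ingress: only the metrics port on the controller is reachable
        "metadata": {"name": "allow-metrics-ingress"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "cert-manager"}},
            "policyTypes": ["Ingress"],
            "ingress": [{"ports": [{"protocol": "TCP", "port": 9402}]}],
        },
    },
    {   # ingress: the API server must be able to reach the webhook
        "metadata": {"name": "allow-webhook-ingress"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "webhook"}},
            "policyTypes": ["Ingress"],
            "ingress": [{"ports": [{"protocol": "TCP", "port": 10250}]}],
        },
    },
    {   # egress for every pod in the namespace: DNS and the API server only
        "metadata": {"name": "allow-dns-and-api-egress"},
        "spec": {
            "podSelector": {},
            "policyTypes": ["Egress"],
            "egress": [
                {"ports": [{"protocol": "UDP", "port": 53},
                           {"protocol": "TCP", "port": 53}]},
                {"ports": [{"protocol": "TCP", "port": 6443}]},
            ],
        },
    },
]

ANY_PORT = ("*", "*")  # a rule with no ports list allows every port


def _selects(selector, labels):
    """matchLabels semantics only; an empty selector matches every pod."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def _policy_types(spec):
    """API default: Ingress always, Egress only when egress rules exist."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def allowed_ports(policies, pod_labels, direction):
    """Return None when no policy isolates the pod in this direction (all
    traffic allowed), otherwise the set of (protocol, port) tuples that the
    union of selecting policies allows. direction is "Ingress" or "Egress"."""
    isolated, allowed = False, set()
    for pol in policies:
        spec = pol["spec"]
        if direction not in _policy_types(spec):
            continue
        if not _selects(spec.get("podSelector", {}), pod_labels):
            continue
        isolated = True  # selected: only listed traffic is allowed now
        for rule in spec.get(direction.lower()) or []:
            ports = rule.get("ports")
            if not ports:
                allowed.add(ANY_PORT)
            for p in ports or []:
                allowed.add((p.get("protocol", "TCP"), p["port"]))
    return allowed if isolated else None


def dns_reachable(policies, pod_labels):
    """True if the pod can still resolve names once the policies apply."""
    allowed = allowed_ports(policies, pod_labels, "Egress")
    return allowed is None or ANY_PORT in allowed or ("UDP", 53) in allowed


if __name__ == "__main__":
    for labels in ({"app": "cert-manager"}, {"app": "webhook"}):
        print(labels,
              "ingress:", allowed_ports(SAMPLE_POLICIES, labels, "Ingress"),
              "dns:", dns_reachable(SAMPLE_POLICIES, labels))
```

The model is deliberately limited to `matchLabels` and port lists; `from`/`to` peer selectors and `matchExpressions` are ignored, so it answers "which ports are open at all", which is the question that matters when deciding whether enabling the policies could break an operand during an upgrade.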

Known issues

  • The upstream cert-manager v1.18 release updated the ACME HTTP-01 challenge ingress path type from ImplementationSpecific to Exact. The OpenShift Route API does not have an equivalent for the Exact path type, which prevents the ingress-to-route controller from supporting it. As a result, ingress resources created for HTTP-01 challenges cannot route traffic to the solver pod, causing the challenge to fail with a 503 error. To mitigate this issue, the ACMEHTTP01IngressPathTypeExact feature gate is disabled by default in this release.
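An administrator can check whether a cluster is exposed to this known issue from two artefacts: the controller Deployment's arguments, which reveal whether the ACMEHTTP01IngressPathTypeExact gate has been switched on despite the default, and the solver Ingress objects cert-manager creates under `/.well-known/acme-challenge/`, which show whether any already carry `pathType: Exact`. The script below is an added example, not code from the Operator or from Red Hat: it parses the upstream-style `--feature-gates` argument and scans Ingress objects from `oc get ingress -A -o json`. The sample arguments and Ingress objects are constructed, and the namespace, names and solver port are assumptions.

```python
"""Check exposure to the HTTP-01 Exact path-type issue.

Inspects the controller container args (from `oc get deploy -n cert-manager
-o json`) for the ACMEHTTP01IngressPathTypeExact feature gate, and the
cluster's Ingress objects (from `oc get ingress -A -o json`) for solver
paths that use pathType Exact. The sample objects are constructed; the
argument format is the upstream cert-manager --feature-gates convention,
and the namespace, names and solver port are assumptions.
"""

GATE = "ACMEHTTP01IngressPathTypeExact"
ACME_PATH_PREFIX = "/.well-known/acme-challenge/"


def feature_gate_enabled(args, gate=GATE):
    """Parse --feature-gates=A=true,B=false (or the two-token form
    "--feature-gates" "A=true"); a gate that is not mentioned is off."""
    values = []
    for i, arg in enumerate(args):
        if arg.startswith("--feature-gates="):
            values.append(arg.split("=", 1)[1])
        elif arg == "--feature-gates" and i + 1 < len(args):
            values.append(args[i + 1])
    for value in values:
        for item in value.split(","):
            name, _, setting = item.partition("=")
            if name.strip() == gate:
                return setting.strip().lower() == "true"
    return False


def find_exact_solver_paths(ingresses):
    """Return (namespace, ingress, path) for every ACME solver path with
    pathType Exact, the form the ingress-to-route controller cannot map."""
    findings = []
    for ing in ingresses:
        meta = ing["metadata"]
        for rule in ing["spec"].get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                path = p.get("path", "")
                if path.startswith(ACME_PATH_PREFIX) and p.get("pathType") == "Exact":
                    findings.append((meta.get("namespace"), meta["name"], path))
    return findings


def _solver_ingress(name, path_type, token="EXAMPLE-TOKEN"):
    """Constructed solver Ingress in the shape cert-manager generates."""
    return {
        "metadata": {"name": name, "namespace": "apps"},
        "spec": {"rules": [{"host": "app.example.test", "http": {"paths": [
            {"path": ACME_PATH_PREFIX + token, "pathType": path_type,
             "backend": {"service": {"name": name, "port": {"number": 8089}}}},
        ]}}]},
    }


# Constructed samples: gate not mentioned (so disabled), one solver Ingress
# per path type, and an unrelated application Ingress that uses Exact on "/".
SAMPLE_ARGS = ["--v=2", "--cluster-resource-namespace=cert-manager"]
SAMPLE_INGRESSES = [
    _solver_ingress("cm-acme-http-solver-a", "ImplementationSpecific"),
    _solver_ingress("cm-acme-http-solver-b", "Exact"),
    {
        "metadata": {"name": "frontend", "namespace": "apps"},
        "spec": {"rules": [{"http": {"paths": [
            {"path": "/", "pathType": "Exact",
             "backend": {"service": {"name": "frontend", "port": {"number": 80}}}},
        ]}}]},
    },
]

if __name__ == "__main__":
    print("gate enabled:", feature_gate_enabled(SAMPLE_ARGS))
    for finding in find_exact_solver_paths(SAMPLE_INGRESSES):
        print("solver ingress with Exact path:", finding)
```

A non-empty result from `find_exact_solver_paths` on a real cluster indicates challenges that will fail with the 503 described above; the Ingress objects are short-lived, so the feature gate check is the more reliable signal to alert on.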