chore(deps): update helm release trust-manager to v0.20.2

[renovate]

This PR contains the following updates:

Package	Update	Change
trust-manager (source)	minor	0.19.0 -> 0.20.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

cert-manager/trust-manager (trust-manager)

v0.20.2

Compare Source

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release is a patch release, upgrading Go from 1.25.1 to 1.25.3, fixing a range of CVEs: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.

Furthermore, additional go dependencies were upgraded where possible.

What's Changed

• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​775
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.3 by @​octo-sts[bot] in #​773
• Bump trust package suffix, forcing a new go 1.25.3 build by @​inteon in #​776

Full Changelog: cert-manager/trust-manager@v0.20.1...v0.20.2

v0.20.1

Compare Source

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release is a patch release, downgrading Go from 1.25.2 to 1.25.1, to avoid the X.509 issues introduced by trying to fix a CVE. See golang/go#75828 (comment) for additional details.

What's Changed

• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​772

Full Changelog: cert-manager/trust-manager@v0.20.0...v0.20.1

v0.20.0

Compare Source

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

⚠️ Known issue ⚠️

Golang 1.25.2 has a backwards incompatible change (see golang/go#75828 (comment)). This will for example result in certificates with a DNS SAN ending in a dot causing trust-manager to error.

---

This release primarily contains dependency updates, but also includes a new feature that allows trust-manager to be configured to only operate on a list of named target namespaces. While this feature can allow trust-manager to operate without cluster-wide access to namespaces, the Bundle resource is cluster-scoped, and events from cluster-scoped resources are emitted to the default namespace.

⚠️ The code performing migration from client-side to server-side apply is removed in this release. This means that if upgrading from a really old version of trust-manager (< 0.7.0), you must upgrade to 0.19.0 first.

The work on migrating Bundle to ClusterBundle continues, but none of these changes are user-facing in this release.

What's Changed

Features

• You can now use trust-manager in the new "restricted" mode to scope trust-manager’s and target caches to a specific set of Kubernetes namespaces provided at startup. When this feature is not used, behavior remains unchanged (cluster-wide watch). By @​asmaoune in #​744
• Helm: you can now disable the creation of the RBAC resources. By @​asmaoune in #​753

Internal changes

• Add generated applyconfigurations for ClusterBundle API by @​erikgb in #​690
• Split integration tests for Bundle and ClusterBundle by @​erikgb in #​691
• Add new Bundle (migration) controller by @​erikgb in #​681
• Eliminate multiple sigs.k8s.io/structured-merge-diff deps by @​erikgb in #​712
• Refactor cache setup to controller package by @​erikgb in #​727
• Bootstrap shared Renovate preset by @​erikgb in #​751
• Move additional formats handling from source to target by @​erikgb in #​703
• Remove code for migrating CSA to SSA by @​erikgb in #​754
• Bump default CAs bundle version to trigger release by @​erikgb in #​768
• Make: missing quote breaking CI by @​maelvls in #​770
• Don't set the tag in values.yaml, since it is overwritten at chart build time by @​inteon in #​771

Updates by Dependabot/Renovate

• build(deps): Bump the all group with 5 updates by @​dependabot[bot] in #​687
• build(deps): Bump the all-go-deps group across 1 directory with 2 updates by @​dependabot[bot] in #​696
• fix(deps): update module github.com/stretchr/testify to v1.11.0 by @​github-actions[bot] in #​699
• fix(deps): update kubernetes go deps to v0.34.0 by @​erikgb in #​710
• fix(deps): update misc go deps by @​github-actions[bot] in #​707
• fix(deps): update misc go deps by @​github-actions[bot] in #​721
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.25.2 by @​github-actions[bot] in #​720
• build(deps): Bump actions/setup-go from 5 to 6 in the all-gh-actions group by @​dependabot[bot] in #​729
• chore(deps): update actions/github-script action to v8 by @​octo-sts[bot] in #​732
• chore(deps): pin dependencies by @​octo-sts[bot] in #​731
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.25.3 by @​octo-sts[bot] in #​736
• fix(deps): update kubernetes go patches to v0.34.1 by @​octo-sts[bot] in #​745
• chore(deps): pin quay.io/jetstack/trust-pkg-debian-bookworm docker tag to 4e46f31 by @​octo-sts[bot] in #​752
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.1 by @​erikgb in #​757
• chore(deps): update docker/login-action digest to 5e57cd1 by @​octo-sts[bot] in #​760
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.26.0 by @​octo-sts[bot] in #​763
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.2 by @​octo-sts[bot] in #​766
• fix(deps): update k8s.io/utils digest to bc988d5 by @​octo-sts[bot] in #​769

Updates by makefile-modules

• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​686
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​692
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​694
• [CI] Self-upgrade merging self-upgrade-main into main by @​inteon in #​695
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​697
• Manual self upgrade by @​erikgb in #​698
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​705
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​706
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​714
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​715
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​717
• [CI] Self-upgrade merging self-upgrade-main into main by @​erikgb in #​718
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​719
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​723
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​724
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​725
• [CI] Merge self-upgrade-main into main by @​github-actions[bot] in #​728
• [CI] Self-upgrade merging self-upgrade-main into main by @​erikgb in #​730
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​735
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​737
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​738
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​739
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​740
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​743
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​746
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​747
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​755
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​758
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​759
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​764
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​765
• [CI] Merge self-upgrade-main into main by @​octo-sts[bot] in #​767

New Contributors

• @​octo-sts[bot] made their first contribution in #​732
• @​asmaoune made their first contribution in #​744
• @​maelvls made their first contribution in #​770

Full Changelog: cert-manager/trust-manager@v0.19.0...v0.20.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.