chore(deps): bump github.com/cert-manager/cert-manager from 1.18.2 to 1.19.1

[dependabot]

Bumps github.com/cert-manager/cert-manager from 1.18.2 to 1.19.1.

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.19.1

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We reverted the CRD-based API defaults for Certificate.Spec.IssuerRef and CertificateRequest.Spec.IssuerRef after they were found to cause unexpected certificate renewals after upgrading to 1.19.0. We will try re-introducing these API defaults in cert-manager 1.20. We fixed a bug that caused certificates to be re-issued unexpectedly if the issuerRef kind or group was changed to one of the "runtime" default values. We upgraded Go to 1.25.3 to address the following security vulnerabilities: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.

📖 Read the full 1.19 release notes on the cert-manager.io website before upgrading.

Changes since v1.19.0:

Bug or Regression

• BUGFIX: in case kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed (#8175, @​cert-manager-bot)
• Bump Go to 1.25.3 to fix a backwards incompatible change to the validation of DNS names in X.509 SAN fields which prevented the use of DNS names with a trailing dot (#8177, @​wallrj-cyberark)
• Revert API defaults for issuer reference kind and group introduced in 0.19.0 (#8178, @​cert-manager-bot)

v1.19.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Known issues: The following known issues are fixed in v1.19.1:

• Unexpected certificate renewal after upgrading to 1.19.0

This release focuses on expanding platform compatibility, improving deployment flexibility, enhancing observability, and addressing key reliability issues.

📖 Read the full release notes at cert-manager.io: https://cert-manager.io/docs/releases/release-notes/release-notes-1.19

Changes since v1.18.0:

Feature

• Add IPv6 rules to the default network policy (#7726, @​jcpunk)
• Add global.nodeSelector to helm chart to allow for a single nodeSelector to be set across all services. (#7818, @​StingRayZA)
• Add a feature gate to default to Ingress pathType Exact in ACME HTTP01 Ingress challenge solvers. (#7795, @​sspreitzer)
• Add generated applyconfigurations allowing clients to make type-safe server-side apply requests for cert-manager resources. (#7866, @​erikgb)
• Added API defaults to issuer references group (cert-manager.io) and kind (Issuer). (#7414, @​erikgb)
• Added certmanager_certificate_challenge_status Prometheus metric. (#7736, @​hjoshi123)
• Added protocol field for rfc2136 DNS01 provider (#7881, @​hjoshi123)
• Added experimental field hostUsers flag to all pods. Not set by default. (#7973, @​hjoshi123)
• Support configurable resource requests and limits for ACME HTTP01 solver pods through ClusterIssuer and Issuer specifications, allowing granular resource management that overrides global --acme-http01-solver-resource-* settings. (#7972, @​lunarwhite)
• The CAInjectorMerging feature has been promoted to BETA and is now enabled by default (#8017, @​ThatsMrTalbot)
• The controller, webhook and ca-injector now log their version and git commit on startup for easier debugging and support. (#8072, @​prasad89)
• Updated certificate metrics to the collector approach. (#7856, @​hjoshi123)

Bug or Regression

• ACME: Increased challenge authorization timeout to 2 minutes to fix error waiting for authorization (#7796, @​hjoshi123)
• BUGFIX: permitted URI domains were incorrectly used to set the excluded URI domains in the CSR's name constraints (#7816, @​kinolaev)
• Enforced ACME HTTP-01 solver validation to properly reject configurations when multiple ingress options (class, ingressClassName, name) are specified simultaneously (#8021, @​lunarwhite)
• Increase maximum sizes of PEM certificates and chains which can be parsed in cert-manager, to handle leaf certificates with large numbers of DNS names or other identities (#7961, @​SgtCoDFish)

... (truncated)

Commits

• a22e21e Merge pull request #8180 from cert-manager-bot/cherry-pick-8168-to-release-1.19
• e1390a4 fix(deps): update module github.com/venafi/vcert/v5 to v5.12.2
• 36e4265 Merge pull request #8179 from cert-manager-bot/cherry-pick-8164-to-release-1.19
• 3416dd0 fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.3
• 4a63715 Merge pull request #8178 from cert-manager-bot/cherry-pick-8173-to-release-1.19
• a48b6fc REVERT: API defaults for issuer reference kind and group
• 4706a48 Merge pull request #8177 from wallrj-cyberark/release-1.19-upgrade-go
• bdfb708 [release-1.19] Disable generate-klone so we can manually update Go versions
• 43825b6 [release-1.19] bump Go to 1.25.3
• de44c90 Merge pull request #8175 from cert-manager-bot/cherry-pick-8160-to-release-1.19
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[mlavacca]

This is blocked by #2451, as the cert-manager bump requires k8s libs to be 1.34.x

[programmer04]

@dependabot recreate

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.