all:
  children:
    controllers:
      hosts:
        controller: null
    zuul_unreachable:
      hosts: {}
  hosts:
    controller:
      ansible_connection: ssh
      ansible_host: 199.204.45.155
      ansible_port: 22
      ansible_python_interpreter: auto
      ansible_user: zuul
      cilium_helm_values:
        operator:
          replicas: 1
      cilium_ipv4_cidr: 172.24.0.0/16
      kube_vip_address: 172.17.0.100
      kube_vip_interface: '{{ ansible_facts[''default_ipv4''].interface }}'
      kubernetes_hostname: '{{ ansible_facts[''default_ipv4''].address }}'
      kubernetes_version: 1.28.13
      molecule_scenario: secretgen-controller
      nodepool:
        az: nova
        cloud: public
        external_id: 3e929c6e-3b94-4994-a2cb-52c4805cfe21
        host_id: a14e37c14509a0e10156ccf8c706cd5613db7e363735e5577c330644
        interface_ip: 199.204.45.155
        label: ubuntu-noble
        node_properties: {}
        private_ipv4: 199.204.45.155
        private_ipv6: null
        provider: yul1
        public_ipv4: 199.204.45.155
        public_ipv6: 2604:e100:1:0:f816:3eff:feae:b47c
        region: ca-ymq-1
        slot: null
      zuul_node:
        az: nova
        cloud: public
        external_id: 3e929c6e-3b94-4994-a2cb-52c4805cfe21
        host_id: a14e37c14509a0e10156ccf8c706cd5613db7e363735e5577c330644
        interface_ip: 199.204.45.155
        label: ubuntu-noble
        node_properties: {}
        private_ipv4: 199.204.45.155
        private_ipv6: null
        provider: yul1
        public_ipv4: 199.204.45.155
        public_ipv6: 2604:e100:1:0:f816:3eff:feae:b47c
        region: ca-ymq-1
        slot: null
        uuid: null
  vars:
    cilium_helm_values:
      operator:
        replicas: 1
    kubernetes_version: 1.28.13
    molecule_scenario: secretgen-controller
    zuul:
      _inheritance_path:
      - '<Job base explicit: None implied: {MatchAny:{ImpliedBranchMatcher:main}}
        source: vexxhost/zuul-config/zuul.d/jobs.yaml@main#1>'
      - '<Job molecule explicit: None implied: {MatchAny:{ImpliedBranchMatcher:main}}
        source: vexxhost/zuul-jobs/zuul.d/ansible-jobs.yaml@main#1>'
      - '<Job atmosphere-common-molecule explicit: None implied: {MatchAny:{ImpliedBranchMatcher:main}}
        source: vexxhost/atmosphere.common/.zuul.yaml@main#4>'
      - '<Job atmosphere-common-molecule-secretgen-controller explicit: None implied:
        {MatchAny:{ImpliedBranchMatcher:main}} source: vexxhost/atmosphere.common/.zuul.yaml@main#29>'
      - '<Job atmosphere-common-molecule-secretgen-controller explicit: None implied:
        None source: vexxhost/atmosphere.common/.zuul.yaml@main#35>'
      ansible_version: '9'
      attempts: 1
      branch: main
      build: c4d3d1b5b0744a2a9a7e786f640d8460
      build_refs:
      - branch: main
        change: '105'
        change_message: "chore(deps): update helm release cert-manager to v1.20.1\n\nThis
          PR contains the following updates:\n\n| Package | Update | Change |\n|---|---|---|\n|
          [cert-manager](https://cert-manager.io) ([source](https://redirect.github.com/cert-manager/cert-manager))
          | minor | `1.18.2` \u2192 `1.20.1` |\n\n---\n\n### Release Notes\n\n<details>\n<summary>cert-manager/cert-manager
          (cert-manager)</summary>\n\n### [`v1.20.1`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.20.1)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.20.0...v1.20.1)\n\nv1.20.1
          fixes an issue for OpenShift users that has to do with the finalizer RBAC,
          bumps gRPC to address a reported non-affecting vulnerability, and fixes
          a duplicate `parentRef` bug when both issuer config and annotations are
          present (Gateway API).\n\n##### Bug or Regression\n\n- Fixed duplicate `parentRef`
          bug when both issuer config and annotations are present. ([#&#8203;8658](https://redirect.github.com/cert-manager/cert-manager/issues/8658),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Add missing
          issuer finalizer RBAC to the order controller to support owner references.
          This was preventing OpenShift users from being able to upgrade to v1.20.0.
          ([#&#8203;8655](https://redirect.github.com/cert-manager/cert-manager/issues/8655),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Bump google.golang.org/grpc
          to fix vulnerability reported by scanners. This isn't a vulnerability that
          affects cert-manager, but we are bumping it because it is reported by scanners.
          ([#&#8203;8657](https://redirect.github.com/cert-manager/cert-manager/issues/8657),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n\n### [`v1.20.0`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.20.0)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.4...v1.20.0)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nv1.20.0 adds alpha support for the new ListenerSet
          resource, adds support for Azure Private DNS; parentRefs are no longer required
          when using ACME with Gateway API, and OtherNames was promoted to Beta.\n\n####
          Changes by Kind\n\n##### Feature\n\n- Added a set of flags to permit setting
          NetworkPolicy across all deployed containers. Remove redundant global IP
          ranges from example policies. ([#&#8203;8370](https://redirect.github.com/cert-manager/cert-manager/issues/8370),
          [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- Added selectable
          fields to custom resource definitions for .spec.issuerRef.{group, kind,
          name} ([#&#8203;8256](https://redirect.github.com/cert-manager/cert-manager/issues/8256),
          [@&#8203;tareksha](https://redirect.github.com/tareksha))\n- Added support
          for specifying `imagePullSecrets` in the `startupapicheck-job` Helm template
          to enable pulling images from private registries. ([#&#8203;8186](https://redirect.github.com/cert-manager/cert-manager/issues/8186),
          [@&#8203;mathieu-clnk](https://redirect.github.com/mathieu-clnk))\n- Added
          'extraContainers' helm chart value, allowing the deployment of arbitrary
          sidecar containers within the cert-manager operator pod. This can be used
          to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification.
          ([#&#8203;8355](https://redirect.github.com/cert-manager/cert-manager/issues/8355),
          [@&#8203;dancmeyers](https://redirect.github.com/dancmeyers))\n- Added `parentRef`
          override annotations on the Certificate resource. ([#&#8203;8518](https://redirect.github.com/cert-manager/cert-manager/issues/8518),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added support
          for azure private zones for dns01 issuer. ([#&#8203;8494](https://redirect.github.com/cert-manager/cert-manager/issues/8494),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added support
          for configuring PEM decoding size limits, allowing operators to handle larger
          certificates and keys. ([#&#8203;7642](https://redirect.github.com/cert-manager/cert-manager/issues/7642),
          [@&#8203;robertlestak](https://redirect.github.com/robertlestak))\n- Added
          support for unhealthyPodEvictionPolicy in PodDisruptionBudget ([#&#8203;7728](https://redirect.github.com/cert-manager/cert-manager/issues/7728),
          [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- For Venafi provider,
          read `venafi.cert-manager.io/custom-fields` annotation on Issuer/ClusterIssuer
          and use it as base with override/append capabilities on Certificate level.
          ([#&#8203;8301](https://redirect.github.com/cert-manager/cert-manager/issues/8301),
          [@&#8203;k0da](https://redirect.github.com/k0da))\n- Improve error message
          when CA issuers are misconfigured to use a clashing secret name ([#&#8203;8374](https://redirect.github.com/cert-manager/cert-manager/issues/8374),
          [@&#8203;majiayu000](https://redirect.github.com/majiayu000))\n- Introduce
          a new Ingress annotation `acme.cert-manager.io/http01-ingress-ingressclassname`
          to override `http01.ingress.ingressClassName` field in HTTP-01 challenge
          solvers. ([#&#8203;8244](https://redirect.github.com/cert-manager/cert-manager/issues/8244),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Update
          `global.nodeSelector` to helm chart to perform a `merge` and allow for a
          single `nodeSelector` to be set across all services. ([#&#8203;8195](https://redirect.github.com/cert-manager/cert-manager/issues/8195),
          [@&#8203;StingRayZA](https://redirect.github.com/StingRayZA))\n- Vault issuers
          will now include the Vault server address as one of the default audiences
          on generated service account tokens. ([#&#8203;8228](https://redirect.github.com/cert-manager/cert-manager/issues/8228),
          [@&#8203;terinjokes](https://redirect.github.com/terinjokes))\n- Added experimental
          `XListenerSets` feature gate ([#&#8203;8394](https://redirect.github.com/cert-manager/cert-manager/issues/8394),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n##### Documentation\n\n-
          Add GWAPI documentation to NOTES.TXT in helm chart ([#&#8203;8353](https://redirect.github.com/cert-manager/cert-manager/issues/8353),
          [@&#8203;jaxels10](https://redirect.github.com/jaxels10))\n\n##### Bug or
          Regression\n\n- Adds logs for cases when acme server returns us a fatal
          error in the order controller ([#&#8203;8199](https://redirect.github.com/cert-manager/cert-manager/issues/8199),
          [@&#8203;Peac36](https://redirect.github.com/Peac36))\n- Fixed an issue
          where kind or group in the issuerRef of a Certificate was omitted, upgrading
          to 1.19.x incorrectly caused the certificate to be renewed ([#&#8203;8160](https://redirect.github.com/cert-manager/cert-manager/issues/8160),
          [@&#8203;inteon](https://redirect.github.com/inteon))\n- Changes to the
          Duration and RenewBefore annotations on ingress and gateway-api resources
          will now trigger certificate updates. ([#&#8203;8232](https://redirect.github.com/cert-manager/cert-manager/issues/8232),
          [@&#8203;eleanor-merry](https://redirect.github.com/eleanor-merry))\n- Fix
          an issue where ACME challenge TXT records are not cleaned up when there
          are many resource records in CloudDNS. ([#&#8203;8456](https://redirect.github.com/cert-manager/cert-manager/issues/8456),
          [@&#8203;tkna](https://redirect.github.com/tkna))\n- Fix unregulated retries
          with the DigitalOcean DNS-01 solver\n  Add full detailed DNS-01 errors to
          the events attached to the Challenge, for easier debugging ([#&#8203;8221](https://redirect.github.com/cert-manager/cert-manager/issues/8221),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Fixed an infinite re-issuance loop that could occur when an issuer returns
          a certificate with a public key that doesn't match the CSR. The issuing
          controller now validates the certificate before storing it and fails with
          backoff on mismatch. ([#&#8203;8403](https://redirect.github.com/cert-manager/cert-manager/issues/8403),
          [@&#8203;calm329](https://redirect.github.com/calm329))\n- Fixed an issue
          where HTTP-01 challenges failed when the Host header contains an IPv6 address.
          This means that users can now issue IP address certificates for IPv6 address
          subjects. ([#&#8203;8424](https://redirect.github.com/cert-manager/cert-manager/issues/8424),
          [@&#8203;SlashNephy](https://redirect.github.com/SlashNephy))\n- Fixed the
          HTTP-01 Gateway solver creating invalid HTTPRoutes by not setting spec.hostnames
          when the challenge DNSName is an IP address. ([#&#8203;8443](https://redirect.github.com/cert-manager/cert-manager/issues/8443),
          [@&#8203;alviss7](https://redirect.github.com/alviss7))\n- Revert API defaults
          for issuer reference kind and group introduced in 0.19.0 ([#&#8203;8173](https://redirect.github.com/cert-manager/cert-manager/issues/8173),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Security (MODERATE):
          Fix a potential panic in the cert-manager controller when a DNS response
          in an unexpected order was cached. If an attacker was able to modify DNS
          responses (or if they controlled the DNS server) it was possible to cause
          denial of service for the cert-manager controller. ([#&#8203;8469](https://redirect.github.com/cert-manager/cert-manager/issues/8469),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update
          Go to `v1.25.5` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8290](https://redirect.github.com/cert-manager/cert-manager/issues/8290),
          [@&#8203;octo-sts](https://redirect.github.com/octo-sts)\\[bot])\n- When
          Prometheus monitoring is enabled, the metrics label is now set to the intended
          value of `cert-manager`. Previously, it was set depending on various factors
          (namespace cert-manager is installed in and/or Helm release name). ([#&#8203;8162](https://redirect.github.com/cert-manager/cert-manager/issues/8162),
          [@&#8203;LiquidPL](https://redirect.github.com/LiquidPL))\n\n##### Other
          (Cleanup or Flake)\n\n- Promoted the OtherNames feature to Beta and enabled
          it by default ([#&#8203;8288](https://redirect.github.com/cert-manager/cert-manager/issues/8288),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Promoting `XListenerSets` feature gate to `ListenerSets` ([#&#8203;8501](https://redirect.github.com/cert-manager/cert-manager/issues/8501),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Rebranding
          of the Venafi Issuer to CyberArk ([#&#8203;8215](https://redirect.github.com/cert-manager/cert-manager/issues/8215),
          [@&#8203;iossifbenbassat123](https://redirect.github.com/iossifbenbassat123))\n-
          Switched to SSA for challenge finalizer updates ([#&#8203;8519](https://redirect.github.com/cert-manager/cert-manager/issues/8519),
          [@&#8203;inteon](https://redirect.github.com/inteon))\n- The default container
          user (UID) is now 65532 (previously 1000) and the default container group
          (GID) is now 65532 (previously 0) ([#&#8203;8408](https://redirect.github.com/cert-manager/cert-manager/issues/8408),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          The feature-gate DefaultPrivateKeyRotationPolicyAlways moved from Beta to
          GA and can no longer be disabled. ([#&#8203;8287](https://redirect.github.com/cert-manager/cert-manager/issues/8287),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Update cert-manager's ACME client, forked from golang/x/crypto ([#&#8203;8268](https://redirect.github.com/cert-manager/cert-manager/issues/8268),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Use the
          latest version of Kyverno (1.16.2) in the best-practice installation tests
          ([#&#8203;8389](https://redirect.github.com/cert-manager/cert-manager/issues/8389),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          We stopped testing with Coutour due to it not supporting the new XListenerSet
          resource, and moved to kgateway. ([#&#8203;8426](https://redirect.github.com/cert-manager/cert-manager/issues/8426),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n### [`v1.19.4`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.4)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.3...v1.19.4)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nv1.19.4 is a simple patch release to fix some reported
          vulnerabilities - notably CVE-2026-24051 and CVE-2025-68121. All users should
          upgrade.\n\n#### Changes by Kind\n\n##### Bug or Regression\n\n- Bump go
          to address CVE-2025-68121 ([#&#8203;8526](https://redirect.github.com/cert-manager/cert-manager/issues/8526),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Bump otel
          SDK to address GO-2026-4394 ([#&#8203;8531](https://redirect.github.com/cert-manager/cert-manager/issues/8531),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.19.3`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.3)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.2...v1.19.3)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nThis release contains three bug fixes, including
          a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users
          should upgrade to the latest release.\n\n#### Changes by Kind\n\n##### Bug
          or Regression\n\n- Fixed an infinite re-issuance loop that could occur when
          an issuer returns a certificate with a public key that doesn't match the
          CSR. The issuing controller now validates the certificate before storing
          it and fails with backoff on mismatch. ([#&#8203;8415](https://redirect.github.com/cert-manager/cert-manager/issues/8415),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Fixed an issue where HTTP-01 challenges failed when the Host header contained
          an IPv6 address. This means that users can now issue IP address certificates
          for IPv6 address subjects. ([#&#8203;8436](https://redirect.github.com/cert-manager/cert-manager/issues/8436),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Security (MODERATE): Fix a potential panic in the cert-manager controller
          when a DNS response in an unexpected order was cached. If an attacker was
          able to modify DNS responses (or if they controlled the DNS server) it was
          possible to cause denial of service for the cert-manager controller. ([#&#8203;8468](https://redirect.github.com/cert-manager/cert-manager/issues/8468),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n##### Other
          (Cleanup or Flake)\n\n- Bump go to 1.25.6 ([#&#8203;8459](https://redirect.github.com/cert-manager/cert-manager/issues/8459),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.19.2`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.2)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.1...v1.19.2)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe updated Go to fix some vulnerabilities in the
          standard library.\n\n> \U0001F4D6 Read the [full 1.19 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.19)
          on the cert-manager.io website before upgrading.\n\n##### Changes since
          `v1.19.1`\n\n##### Bug or Regression\n\n- Address false positive vulnerabilities
          `CVE-2025-47914` and `CVE-2025-58181` which were reported by Trivy. ([#&#8203;8283](https://redirect.github.com/cert-manager/cert-manager/issues/8283),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update
          Go to `v1.25.5` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8294](https://redirect.github.com/cert-manager/cert-manager/issues/8294),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Update `global.nodeSelector` to helm chart to perform a `merge` and allow
          for a single `nodeSelector` to be set across all services. ([#&#8203;8233](https://redirect.github.com/cert-manager/cert-manager/issues/8233),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n#####
          Other (Cleanup or Flake)\n\n- Update cert-manager's ACME client, forked
          from `golang/x/crypto` ([#&#8203;8270](https://redirect.github.com/cert-manager/cert-manager/issues/8270),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Updated
          Debian 12 distroless base images ([#&#8203;8326](https://redirect.github.com/cert-manager/cert-manager/issues/8326),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n###
          [`v1.19.1`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.1)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.0...v1.19.1)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe reverted the CRD-based API defaults for `Certificate.Spec.IssuerRef`
          and `CertificateRequest.Spec.IssuerRef` after they were found to cause unexpected
          certificate renewals after upgrading to 1.19.0. We will try re-introducing
          these API defaults in cert-manager `1.20`.\nWe fixed a bug that caused certificates
          to be re-issued unexpectedly if the `issuerRef` kind or group was changed
          to one of the \"runtime\" default values.\nWe upgraded Go to `1.25.3` to
          address the following security vulnerabilities: `CVE-2025-61724`, `CVE-2025-58187`,
          `CVE-2025-47912`, `CVE-2025-58183`, `CVE-2025-61723`, `CVE-2025-58186`,
          `CVE-2025-58185`, `CVE-2025-58188`, and `CVE-2025-61725`.\n\n> \U0001F4D6
          Read the [full 1.19 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.19)
          on the cert-manager.io website before upgrading.\n\nChanges since `v1.19.0`:\n\n#####
          Bug or Regression\n\n- BUGFIX: in case kind or group in the `issuerRef`
          of a Certificate was omitted, upgrading to `1.19.x` incorrectly caused the
          certificate to be renewed ([#&#8203;8175](https://redirect.github.com/cert-manager/cert-manager/issues/8175),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Bump Go to 1.25.3 to fix a backwards incompatible change to the validation
          of DNS names in X.509 SAN fields which prevented the use of DNS names with
          a trailing dot ([#&#8203;8177](https://redirect.github.com/cert-manager/cert-manager/issues/8177),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Revert API defaults for issuer reference kind and group introduced in 0.19.0
          ([#&#8203;8178](https://redirect.github.com/cert-manager/cert-manager/issues/8178),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n###
          [`v1.19.0`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.0)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.6...v1.19.0)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\n> \u26A0\uFE0F **Known issues**: The following known
          issues are fixed in [v1.19.1](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.1):\n>\n>
          - [Unexpected certificate renewal after upgrading to 1.19.0](https://redirect.github.com/cert-manager/cert-manager/issues/8158)\n\nThis
          release focuses on expanding platform compatibility, improving deployment
          flexibility, enhancing observability, and addressing key reliability issues.\n\n>
          \U0001F4D6  Read the full release notes at cert-manager.io: <https://cert-manager.io/docs/releases/release-notes/release-notes-1.19>\n\nChanges
          since `v1.18.0`:\n\n##### Feature\n\n- Add IPv6 rules to the default network
          policy ([#&#8203;7726](https://redirect.github.com/cert-manager/cert-manager/issues/7726),
          [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- Add `global.nodeSelector`
          to helm chart to allow for a single `nodeSelector` to be set across all
          services. ([#&#8203;7818](https://redirect.github.com/cert-manager/cert-manager/issues/7818),
          [@&#8203;StingRayZA](https://redirect.github.com/StingRayZA))\n- Add a feature
          gate to default to Ingress `pathType` `Exact` in ACME HTTP01 Ingress challenge
          solvers. ([#&#8203;7795](https://redirect.github.com/cert-manager/cert-manager/issues/7795),
          [@&#8203;sspreitzer](https://redirect.github.com/sspreitzer))\n- Add generated
          `applyconfigurations` allowing clients to make type-safe server-side apply
          requests for cert-manager resources. ([#&#8203;7866](https://redirect.github.com/cert-manager/cert-manager/issues/7866),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Added API defaults
          to issuer references group (cert-manager.io) and kind (Issuer). ([#&#8203;7414](https://redirect.github.com/cert-manager/cert-manager/issues/7414),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Added `certmanager_certificate_challenge_status`
          Prometheus metric. ([#&#8203;7736](https://redirect.github.com/cert-manager/cert-manager/issues/7736),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added `protocol`
          field for `rfc2136` DNS01 provider ([#&#8203;7881](https://redirect.github.com/cert-manager/cert-manager/issues/7881),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added experimental
          field `hostUsers` flag to all pods. Not set by default. ([#&#8203;7973](https://redirect.github.com/cert-manager/cert-manager/issues/7973),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Support configurable
          resource requests and limits for ACME HTTP01 solver pods through ClusterIssuer
          and Issuer specifications, allowing granular resource management that overrides
          global `--acme-http01-solver-resource-*` settings. ([#&#8203;7972](https://redirect.github.com/cert-manager/cert-manager/issues/7972),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- The `CAInjectorMerging`
          feature has been promoted to BETA and is now enabled by default ([#&#8203;8017](https://redirect.github.com/cert-manager/cert-manager/issues/8017),
          [@&#8203;ThatsMrTalbot](https://redirect.github.com/ThatsMrTalbot))\n- The
          controller, webhook and ca-injector now log their version and git commit
          on startup for easier debugging and support. ([#&#8203;8072](https://redirect.github.com/cert-manager/cert-manager/issues/8072),
          [@&#8203;prasad89](https://redirect.github.com/prasad89))\n- Updated `certificate`
          metrics to the collector approach. ([#&#8203;7856](https://redirect.github.com/cert-manager/cert-manager/issues/7856),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n##### Bug
          or Regression\n\n- ACME: Increased challenge authorization timeout to 2
          minutes to fix `error waiting for authorization` ([#&#8203;7796](https://redirect.github.com/cert-manager/cert-manager/issues/7796),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- BUGFIX: permitted
          URI domains were incorrectly used to set the excluded URI domains in the
          CSR's name constraints ([#&#8203;7816](https://redirect.github.com/cert-manager/cert-manager/issues/7816),
          [@&#8203;kinolaev](https://redirect.github.com/kinolaev))\n- Enforced ACME
          HTTP-01 solver validation to properly reject configurations when multiple
          ingress options (`class`, `ingressClassName`, `name`) are specified simultaneously
          ([#&#8203;8021](https://redirect.github.com/cert-manager/cert-manager/issues/8021),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Increase
          maximum sizes of PEM certificates and chains which can be parsed in cert-manager,
          to handle leaf certificates with large numbers of DNS names or other identities
          ([#&#8203;7961](https://redirect.github.com/cert-manager/cert-manager/issues/7961),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Reverted
          adding the `global.rbac.disableHTTPChallengesRole` Helm option. ([#&#8203;7836](https://redirect.github.com/cert-manager/cert-manager/issues/7836),
          [@&#8203;inteon](https://redirect.github.com/inteon))\n- This change removes
          the `path` label of core ACME client metrics and will require users to update
          their monitoring dashboards and alerting rules if using those metrics. ([#&#8203;8109](https://redirect.github.com/cert-manager/cert-manager/issues/8109),
          [@&#8203;mladen-rusev-cyberark](https://redirect.github.com/mladen-rusev-cyberark))\n-
          Use the latest version of `ingress-nginx` in E2E tests to ensure compatibility
          ([#&#8203;7792](https://redirect.github.com/cert-manager/cert-manager/issues/7792),
          [@&#8203;wallrj](https://redirect.github.com/wallrj))\n\n##### Other (Cleanup
          or Flake)\n\n- Helm: Fix naming template of `tokenrequest` RoleBinding resource
          to improve consistency ([#&#8203;7761](https://redirect.github.com/cert-manager/cert-manager/issues/7761),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Improve
          error messages when certificates, CRLs or private keys fail admission due
          to malformed or missing PEM data ([#&#8203;7928](https://redirect.github.com/cert-manager/cert-manager/issues/7928),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Major upgrade
          of Akamai SDK. NOTE: The new version has not been fully tested end-to-end
          due to the lack of cloud infrastructure. ([#&#8203;8003](https://redirect.github.com/cert-manager/cert-manager/issues/8003),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Update kind
          images to include the Kubernetes 1.33 node image ([#&#8203;7786](https://redirect.github.com/cert-manager/cert-manager/issues/7786),
          [@&#8203;wallrj](https://redirect.github.com/wallrj))\n- Use `maps.Copy`
          for cleaner map handling ([#&#8203;8092](https://redirect.github.com/cert-manager/cert-manager/issues/8092),
          [@&#8203;quantpoet](https://redirect.github.com/quantpoet))\n- Vault: Migrate
          Vault E2E add-on tests from deprecated `vault-client-go` to the new `vault/api`
          client. ([#&#8203;8059](https://redirect.github.com/cert-manager/cert-manager/issues/8059),
          [@&#8203;armagankaratosun](https://redirect.github.com/armagankaratosun))\n\n###
          [`v1.18.6`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.6)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.5...v1.18.6)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nv1.18.6 is a simple patch release to fix some reported
          vulnerabilities, most notably [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).\n\nNB:
          We didn't attempt to patch [CVE-2026-24051](https://nvd.nist.gov/vuln/detail/CVE-2026-24051)
          but that vulnerability affects macOS only, so cert-manager will be unaffected.\n\n#####
          Changes by Kind\n\n##### Bug or Regression\n\n- Bump Go to address CVE-2025-68121
          ([#&#8203;8525](https://redirect.github.com/cert-manager/cert-manager/issues/8525),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.18.5`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.5)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.4...v1.18.5)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nThis release contains three bug fixes, including
          a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users
          should upgrade to the latest release.\n\n##### Changes by Kind\n\n#####
          Bug or Regression\n\n- Fixed an infinite re-issuance loop that could occur
          when an issuer returns a certificate with a public key that doesn't match
          the CSR. The issuing controller now validates the certificate before storing
          it and fails with backoff on mismatch. ([#&#8203;8414](https://redirect.github.com/cert-manager/cert-manager/issues/8414),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Fixed an issue where HTTP-01 challenges failed when the Host header contains
          an IPv6 address. This means that users can now issue IP address certificates
          for IPv6 address subjects. ([#&#8203;8437](https://redirect.github.com/cert-manager/cert-manager/issues/8437),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Security (MODERATE): Fix a potential panic in the cert-manager controller
          when a DNS response in an unexpected order was cached. If an attacker was
          able to modify DNS responses (or if they controlled the DNS server) it was
          possible to cause denial of service for the cert-manager controller. ([#&#8203;8467](https://redirect.github.com/cert-manager/cert-manager/issues/8467),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n##### Other
          (Cleanup or Flake)\n\n- Bump go to 1.24.12 ([#&#8203;8460](https://redirect.github.com/cert-manager/cert-manager/issues/8460),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.18.4`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.4)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.3...v1.18.4)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe updated Go to fix some vulnerabilities in the
          standard library.\n\n> \U0001F4D6 Read the [full 1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18)
          on the cert-manager.io website before upgrading.\n\n##### Changes since
          `v1.18.3`\n\n##### Bug or Regression\n\n- Address false positive vulnerabilities
          `CVE-2025-47914` and `CVE-2025-58181` which were reported by Trivy. ([#&#8203;8282](https://redirect.github.com/cert-manager/cert-manager/issues/8282),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update
          Go to `v1.24.11` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8295](https://redirect.github.com/cert-manager/cert-manager/issues/8295),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n#####
          Other (Cleanup or Flake)\n\n- Update cert-manager's ACME client, forked
          from `golang/x/crypto` ([#&#8203;8271](https://redirect.github.com/cert-manager/cert-manager/issues/8271),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Updated
          Debian 12 distroless base images ([#&#8203;8328](https://redirect.github.com/cert-manager/cert-manager/issues/8328),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n###
          [`v1.18.3`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.3)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.2...v1.18.3)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe fixed a bug which caused certificates to be re-issued
          unexpectedly, if the issuerRef kind or group was changed to one of the \"runtime\"
          default values. We increased the size limit when parsing PEM certificate
          chains to handle leaf certificates with large numbers of DNS named or other
          identities. We upgraded Go to 1.24.9 to fix various non-critical security
          vulnerabilities.\n\n> \U0001F4D6 Read the [full 1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18)
          on the cert-manager.io website before upgrading.\n\nChanges since `v1.18.2`:\n\n#####
          Bug or Regression\n\n- BUGFIX: in case kind or group in the issuerRef of
          a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate
          to be renewed ([#&#8203;8174](https://redirect.github.com/cert-manager/cert-manager/issues/8174),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Bump Go to 1.24.9. Fixes the following vulnerabilities: CVE-2025-61724,
          CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186,
          CVE-2025-58185, CVE-2025-58188, CVE-2025-61725 ([#&#8203;8176](https://redirect.github.com/cert-manager/cert-manager/issues/8176),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Increase maximum sizes of PEM certificates and chains which can be parsed
          in cert-manager, to handle leaf certificates with large numbers of DNS names
          or other identities ([#&#8203;7966](https://redirect.github.com/cert-manager/cert-manager/issues/7966),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n#####
          Other (Cleanup or Flake)\n\n- Improve error messages when certificates,
          CRLs or private keys fail admission due to malformed or missing PEM data
          ([#&#8203;7964](https://redirect.github.com/cert-manager/cert-manager/issues/7964),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Upgrades Go to v1.24.6 ([#&#8203;7974](https://redirect.github.com/cert-manager/cert-manager/issues/7974),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n</details>\n\n---\n\n###
          Configuration\n\n\U0001F4C5 **Schedule**: Branch creation - At any time
          (no schedule defined), Automerge - At any time (no schedule defined).\n\n\U0001F6A6
          **Automerge**: Disabled by config. Please merge this manually once you are
          satisfied.\n\n\u267B **Rebasing**: Whenever PR becomes conflicted, or you
          tick the rebase/retry checkbox.\n\n\U0001F515 **Ignore**: Close this PR
          and you won't be reminded about this update again.\n\n---\n\n - [ ] <!--
          rebase-check -->If you want to rebase/retry this PR, check this box\n\n---\n\nThis
          PR was generated by [Mend Renovate](https://mend.io/renovate/). View the
          [repository job log](https://developer.mend.io/github/vexxhost/atmosphere.common).\n<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzEuOSIsInVwZGF0ZWRJblZlciI6IjQzLjk0LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->\n"
        change_url: https://github.com/vexxhost/atmosphere.common/pull/105
        commit_id: 31202f9a494ecda41fc228f97b0affb269c8586d
        patchset: 31202f9a494ecda41fc228f97b0affb269c8586d
        project:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/atmosphere.common
          name: vexxhost/atmosphere.common
          short_name: atmosphere.common
          src_dir: src/github.com/vexxhost/atmosphere.common
        src_dir: src/github.com/vexxhost/atmosphere.common
        topic: null
      buildset: f94fa5b2be1c4842a4ca42d19de78f4a
      buildset_refs:
      - branch: main
        change: '105'
        change_message: "chore(deps): update helm release cert-manager to v1.20.1\n\nThis
          PR contains the following updates:\n\n| Package | Update | Change |\n|---|---|---|\n|
          [cert-manager](https://cert-manager.io) ([source](https://redirect.github.com/cert-manager/cert-manager))
          | minor | `1.18.2` \u2192 `1.20.1` |\n\n---\n\n### Release Notes\n\n<details>\n<summary>cert-manager/cert-manager
          (cert-manager)</summary>\n\n### [`v1.20.1`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.20.1)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.20.0...v1.20.1)\n\nv1.20.1
          fixes an issue for OpenShift users that has to do with the finalizer RBAC,
          bumps gRPC to address a reported non-affecting vulnerability, and fixes
          a duplicate `parentRef` bug when both issuer config and annotations are
          present (Gateway API).\n\n##### Bug or Regression\n\n- Fixed duplicate `parentRef`
          bug when both issuer config and annotations are present. ([#&#8203;8658](https://redirect.github.com/cert-manager/cert-manager/issues/8658),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Add missing
          issuer finalizer RBAC to the order controller to support owner references.
          This was preventing OpenShift users from being able to upgrade to v1.20.0.
          ([#&#8203;8655](https://redirect.github.com/cert-manager/cert-manager/issues/8655),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Bump google.golang.org/grpc
          to fix vulnerability reported by scanners. This isn't a vulnerability that
          affects cert-manager, but we are bumping it because it is reported by scanners.
          ([#&#8203;8657](https://redirect.github.com/cert-manager/cert-manager/issues/8657),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n\n### [`v1.20.0`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.20.0)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.4...v1.20.0)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nv1.20.0 adds alpha support for the new ListenerSet
          resource, adds support for Azure Private DNS; parentRefs are no longer required
          when using ACME with Gateway API, and OtherNames was promoted to Beta.\n\n####
          Changes by Kind\n\n##### Feature\n\n- Added a set of flags to permit setting
          NetworkPolicy across all deployed containers. Remove redundant global IP
          ranges from example policies. ([#&#8203;8370](https://redirect.github.com/cert-manager/cert-manager/issues/8370),
          [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- Added selectable
          fields to custom resource definitions for .spec.issuerRef.{group, kind,
          name} ([#&#8203;8256](https://redirect.github.com/cert-manager/cert-manager/issues/8256),
          [@&#8203;tareksha](https://redirect.github.com/tareksha))\n- Added support
          for specifying `imagePullSecrets` in the `startupapicheck-job` Helm template
          to enable pulling images from private registries. ([#&#8203;8186](https://redirect.github.com/cert-manager/cert-manager/issues/8186),
          [@&#8203;mathieu-clnk](https://redirect.github.com/mathieu-clnk))\n- Added
          'extraContainers' helm chart value, allowing the deployment of arbitrary
          sidecar containers within the cert-manager operator pod. This can be used
          to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification.
          ([#&#8203;8355](https://redirect.github.com/cert-manager/cert-manager/issues/8355),
          [@&#8203;dancmeyers](https://redirect.github.com/dancmeyers))\n- Added `parentRef`
          override annotations on the Certificate resource. ([#&#8203;8518](https://redirect.github.com/cert-manager/cert-manager/issues/8518),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added support
          for azure private zones for dns01 issuer. ([#&#8203;8494](https://redirect.github.com/cert-manager/cert-manager/issues/8494),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added support
          for configuring PEM decoding size limits, allowing operators to handle larger
          certificates and keys. ([#&#8203;7642](https://redirect.github.com/cert-manager/cert-manager/issues/7642),
          [@&#8203;robertlestak](https://redirect.github.com/robertlestak))\n- Added
          support for unhealthyPodEvictionPolicy in PodDisruptionBudget ([#&#8203;7728](https://redirect.github.com/cert-manager/cert-manager/issues/7728),
          [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- For Venafi provider,
          read `venafi.cert-manager.io/custom-fields` annotation on Issuer/ClusterIssuer
          and use it as base with override/append capabilities on Certificate level.
          ([#&#8203;8301](https://redirect.github.com/cert-manager/cert-manager/issues/8301),
          [@&#8203;k0da](https://redirect.github.com/k0da))\n- Improve error message
          when CA issuers are misconfigured to use a clashing secret name ([#&#8203;8374](https://redirect.github.com/cert-manager/cert-manager/issues/8374),
          [@&#8203;majiayu000](https://redirect.github.com/majiayu000))\n- Introduce
          a new Ingress annotation `acme.cert-manager.io/http01-ingress-ingressclassname`
          to override `http01.ingress.ingressClassName` field in HTTP-01 challenge
          solvers. ([#&#8203;8244](https://redirect.github.com/cert-manager/cert-manager/issues/8244),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Update
          `global.nodeSelector` to helm chart to perform a `merge` and allow for a
          single `nodeSelector` to be set across all services. ([#&#8203;8195](https://redirect.github.com/cert-manager/cert-manager/issues/8195),
          [@&#8203;StingRayZA](https://redirect.github.com/StingRayZA))\n- Vault issuers
          will now include the Vault server address as one of the default audiences
          on generated service account tokens. ([#&#8203;8228](https://redirect.github.com/cert-manager/cert-manager/issues/8228),
          [@&#8203;terinjokes](https://redirect.github.com/terinjokes))\n- Added experimental
          `XListenerSets` feature gate ([#&#8203;8394](https://redirect.github.com/cert-manager/cert-manager/issues/8394),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n##### Documentation\n\n-
          Add GWAPI documentation to NOTES.TXT in helm chart ([#&#8203;8353](https://redirect.github.com/cert-manager/cert-manager/issues/8353),
          [@&#8203;jaxels10](https://redirect.github.com/jaxels10))\n\n##### Bug or
          Regression\n\n- Adds logs for cases when acme server returns us a fatal
          error in the order controller ([#&#8203;8199](https://redirect.github.com/cert-manager/cert-manager/issues/8199),
          [@&#8203;Peac36](https://redirect.github.com/Peac36))\n- Fixed an issue
          where kind or group in the issuerRef of a Certificate was omitted, upgrading
          to 1.19.x incorrectly caused the certificate to be renewed ([#&#8203;8160](https://redirect.github.com/cert-manager/cert-manager/issues/8160),
          [@&#8203;inteon](https://redirect.github.com/inteon))\n- Changes to the
          Duration and RenewBefore annotations on ingress and gateway-api resources
          will now trigger certificate updates. ([#&#8203;8232](https://redirect.github.com/cert-manager/cert-manager/issues/8232),
          [@&#8203;eleanor-merry](https://redirect.github.com/eleanor-merry))\n- Fix
          an issue where ACME challenge TXT records are not cleaned up when there
          are many resource records in CloudDNS. ([#&#8203;8456](https://redirect.github.com/cert-manager/cert-manager/issues/8456),
          [@&#8203;tkna](https://redirect.github.com/tkna))\n- Fix unregulated retries
          with the DigitalOcean DNS-01 solver\n  Add full detailed DNS-01 errors to
          the events attached to the Challenge, for easier debugging ([#&#8203;8221](https://redirect.github.com/cert-manager/cert-manager/issues/8221),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Fixed an infinite re-issuance loop that could occur when an issuer returns
          a certificate with a public key that doesn't match the CSR. The issuing
          controller now validates the certificate before storing it and fails with
          backoff on mismatch. ([#&#8203;8403](https://redirect.github.com/cert-manager/cert-manager/issues/8403),
          [@&#8203;calm329](https://redirect.github.com/calm329))\n- Fixed an issue
          where HTTP-01 challenges failed when the Host header contains an IPv6 address.
          This means that users can now issue IP address certificates for IPv6 address
          subjects. ([#&#8203;8424](https://redirect.github.com/cert-manager/cert-manager/issues/8424),
          [@&#8203;SlashNephy](https://redirect.github.com/SlashNephy))\n- Fixed the
          HTTP-01 Gateway solver creating invalid HTTPRoutes by not setting spec.hostnames
          when the challenge DNSName is an IP address. ([#&#8203;8443](https://redirect.github.com/cert-manager/cert-manager/issues/8443),
          [@&#8203;alviss7](https://redirect.github.com/alviss7))\n- Revert API defaults
          for issuer reference kind and group introduced in 0.19.0 ([#&#8203;8173](https://redirect.github.com/cert-manager/cert-manager/issues/8173),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Security (MODERATE):
          Fix a potential panic in the cert-manager controller when a DNS response
          in an unexpected order was cached. If an attacker was able to modify DNS
          responses (or if they controlled the DNS server) it was possible to cause
          denial of service for the cert-manager controller. ([#&#8203;8469](https://redirect.github.com/cert-manager/cert-manager/issues/8469),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update
          Go to `v1.25.5` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8290](https://redirect.github.com/cert-manager/cert-manager/issues/8290),
          [@&#8203;octo-sts](https://redirect.github.com/octo-sts)\\[bot])\n- When
          Prometheus monitoring is enabled, the metrics label is now set to the intended
          value of `cert-manager`. Previously, it was set depending on various factors
          (namespace cert-manager is installed in and/or Helm release name). ([#&#8203;8162](https://redirect.github.com/cert-manager/cert-manager/issues/8162),
          [@&#8203;LiquidPL](https://redirect.github.com/LiquidPL))\n\n##### Other
          (Cleanup or Flake)\n\n- Promoted the OtherNames feature to Beta and enabled
          it by default ([#&#8203;8288](https://redirect.github.com/cert-manager/cert-manager/issues/8288),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Promoting `XListenerSets` feature gate to `ListenerSets` ([#&#8203;8501](https://redirect.github.com/cert-manager/cert-manager/issues/8501),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Rebranding
          of the Venafi Issuer to CyberArk ([#&#8203;8215](https://redirect.github.com/cert-manager/cert-manager/issues/8215),
          [@&#8203;iossifbenbassat123](https://redirect.github.com/iossifbenbassat123))\n-
          Switched to SSA for challenge finalizer updates ([#&#8203;8519](https://redirect.github.com/cert-manager/cert-manager/issues/8519),
          [@&#8203;inteon](https://redirect.github.com/inteon))\n- The default container
          user (UID) is now 65532 (previously 1000) and the default container group
          (GID) is now 65532 (previously 0) ([#&#8203;8408](https://redirect.github.com/cert-manager/cert-manager/issues/8408),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          The feature-gate DefaultPrivateKeyRotationPolicyAlways moved from Beta to
          GA and can no longer be disabled. ([#&#8203;8287](https://redirect.github.com/cert-manager/cert-manager/issues/8287),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Update cert-manager's ACME client, forked from golang/x/crypto ([#&#8203;8268](https://redirect.github.com/cert-manager/cert-manager/issues/8268),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Use the
          latest version of Kyverno (1.16.2) in the best-practice installation tests
          ([#&#8203;8389](https://redirect.github.com/cert-manager/cert-manager/issues/8389),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          We stopped testing with Coutour due to it not supporting the new XListenerSet
          resource, and moved to kgateway. ([#&#8203;8426](https://redirect.github.com/cert-manager/cert-manager/issues/8426),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n### [`v1.19.4`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.4)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.3...v1.19.4)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nv1.19.4 is a simple patch release to fix some reported
          vulnerabilities - notably CVE-2026-24051 and CVE-2025-68121. All users should
          upgrade.\n\n#### Changes by Kind\n\n##### Bug or Regression\n\n- Bump go
          to address CVE-2025-68121 ([#&#8203;8526](https://redirect.github.com/cert-manager/cert-manager/issues/8526),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Bump otel
          SDK to address GO-2026-4394 ([#&#8203;8531](https://redirect.github.com/cert-manager/cert-manager/issues/8531),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.19.3`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.3)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.2...v1.19.3)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nThis release contains three bug fixes, including
          a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users
          should upgrade to the latest release.\n\n#### Changes by Kind\n\n##### Bug
          or Regression\n\n- Fixed an infinite re-issuance loop that could occur when
          an issuer returns a certificate with a public key that doesn't match the
          CSR. The issuing controller now validates the certificate before storing
          it and fails with backoff on mismatch. ([#&#8203;8415](https://redirect.github.com/cert-manager/cert-manager/issues/8415),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Fixed an issue where HTTP-01 challenges failed when the Host header contained
          an IPv6 address. This means that users can now issue IP address certificates
          for IPv6 address subjects. ([#&#8203;8436](https://redirect.github.com/cert-manager/cert-manager/issues/8436),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Security (MODERATE): Fix a potential panic in the cert-manager controller
          when a DNS response in an unexpected order was cached. If an attacker was
          able to modify DNS responses (or if they controlled the DNS server) it was
          possible to cause denial of service for the cert-manager controller. ([#&#8203;8468](https://redirect.github.com/cert-manager/cert-manager/issues/8468),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n##### Other
          (Cleanup or Flake)\n\n- Bump go to 1.25.6 ([#&#8203;8459](https://redirect.github.com/cert-manager/cert-manager/issues/8459),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.19.2`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.2)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.1...v1.19.2)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe updated Go to fix some vulnerabilities in the
          standard library.\n\n> \U0001F4D6 Read the [full 1.19 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.19)
          on the cert-manager.io website before upgrading.\n\n##### Changes since
          `v1.19.1`\n\n##### Bug or Regression\n\n- Address false positive vulnerabilities
          `CVE-2025-47914` and `CVE-2025-58181` which were reported by Trivy. ([#&#8203;8283](https://redirect.github.com/cert-manager/cert-manager/issues/8283),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update
          Go to `v1.25.5` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8294](https://redirect.github.com/cert-manager/cert-manager/issues/8294),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Update `global.nodeSelector` to helm chart to perform a `merge` and allow
          for a single `nodeSelector` to be set across all services. ([#&#8203;8233](https://redirect.github.com/cert-manager/cert-manager/issues/8233),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n#####
          Other (Cleanup or Flake)\n\n- Update cert-manager's ACME client, forked
          from `golang/x/crypto` ([#&#8203;8270](https://redirect.github.com/cert-manager/cert-manager/issues/8270),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Updated
          Debian 12 distroless base images ([#&#8203;8326](https://redirect.github.com/cert-manager/cert-manager/issues/8326),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n###
          [`v1.19.1`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.1)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.0...v1.19.1)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe reverted the CRD-based API defaults for `Certificate.Spec.IssuerRef`
          and `CertificateRequest.Spec.IssuerRef` after they were found to cause unexpected
          certificate renewals after upgrading to 1.19.0. We will try re-introducing
          these API defaults in cert-manager `1.20`.\nWe fixed a bug that caused certificates
          to be re-issued unexpectedly if the `issuerRef` kind or group was changed
          to one of the \"runtime\" default values.\nWe upgraded Go to `1.25.3` to
          address the following security vulnerabilities: `CVE-2025-61724`, `CVE-2025-58187`,
          `CVE-2025-47912`, `CVE-2025-58183`, `CVE-2025-61723`, `CVE-2025-58186`,
          `CVE-2025-58185`, `CVE-2025-58188`, and `CVE-2025-61725`.\n\n> \U0001F4D6
          Read the [full 1.19 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.19)
          on the cert-manager.io website before upgrading.\n\nChanges since `v1.19.0`:\n\n#####
          Bug or Regression\n\n- BUGFIX: in case kind or group in the `issuerRef`
          of a Certificate was omitted, upgrading to `1.19.x` incorrectly caused the
          certificate to be renewed ([#&#8203;8175](https://redirect.github.com/cert-manager/cert-manager/issues/8175),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Bump Go to 1.25.3 to fix a backwards incompatible change to the validation
          of DNS names in X.509 SAN fields which prevented the use of DNS names with
          a trailing dot ([#&#8203;8177](https://redirect.github.com/cert-manager/cert-manager/issues/8177),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Revert API defaults for issuer reference kind and group introduced in 0.19.0
          ([#&#8203;8178](https://redirect.github.com/cert-manager/cert-manager/issues/8178),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n###
          [`v1.19.0`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.0)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.6...v1.19.0)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\n> \u26A0\uFE0F **Known issues**: The following known
          issues are fixed in [v1.19.1](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.1):\n>\n>
          - [Unexpected certificate renewal after upgrading to 1.19.0](https://redirect.github.com/cert-manager/cert-manager/issues/8158)\n\nThis
          release focuses on expanding platform compatibility, improving deployment
          flexibility, enhancing observability, and addressing key reliability issues.\n\n>
          \U0001F4D6  Read the full release notes at cert-manager.io: <https://cert-manager.io/docs/releases/release-notes/release-notes-1.19>\n\nChanges
          since `v1.18.0`:\n\n##### Feature\n\n- Add IPv6 rules to the default network
          policy ([#&#8203;7726](https://redirect.github.com/cert-manager/cert-manager/issues/7726),
          [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- Add `global.nodeSelector`
          to helm chart to allow for a single `nodeSelector` to be set across all
          services. ([#&#8203;7818](https://redirect.github.com/cert-manager/cert-manager/issues/7818),
          [@&#8203;StingRayZA](https://redirect.github.com/StingRayZA))\n- Add a feature
          gate to default to Ingress `pathType` `Exact` in ACME HTTP01 Ingress challenge
          solvers. ([#&#8203;7795](https://redirect.github.com/cert-manager/cert-manager/issues/7795),
          [@&#8203;sspreitzer](https://redirect.github.com/sspreitzer))\n- Add generated
          `applyconfigurations` allowing clients to make type-safe server-side apply
          requests for cert-manager resources. ([#&#8203;7866](https://redirect.github.com/cert-manager/cert-manager/issues/7866),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Added API defaults
          to issuer references group (cert-manager.io) and kind (Issuer). ([#&#8203;7414](https://redirect.github.com/cert-manager/cert-manager/issues/7414),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Added `certmanager_certificate_challenge_status`
          Prometheus metric. ([#&#8203;7736](https://redirect.github.com/cert-manager/cert-manager/issues/7736),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added `protocol`
          field for `rfc2136` DNS01 provider ([#&#8203;7881](https://redirect.github.com/cert-manager/cert-manager/issues/7881),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added experimental
          field `hostUsers` flag to all pods. Not set by default. ([#&#8203;7973](https://redirect.github.com/cert-manager/cert-manager/issues/7973),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Support configurable
          resource requests and limits for ACME HTTP01 solver pods through ClusterIssuer
          and Issuer specifications, allowing granular resource management that overrides
          global `--acme-http01-solver-resource-*` settings. ([#&#8203;7972](https://redirect.github.com/cert-manager/cert-manager/issues/7972),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- The `CAInjectorMerging`
          feature has been promoted to BETA and is now enabled by default ([#&#8203;8017](https://redirect.github.com/cert-manager/cert-manager/issues/8017),
          [@&#8203;ThatsMrTalbot](https://redirect.github.com/ThatsMrTalbot))\n- The
          controller, webhook and ca-injector now log their version and git commit
          on startup for easier debugging and support. ([#&#8203;8072](https://redirect.github.com/cert-manager/cert-manager/issues/8072),
          [@&#8203;prasad89](https://redirect.github.com/prasad89))\n- Updated `certificate`
          metrics to the collector approach. ([#&#8203;7856](https://redirect.github.com/cert-manager/cert-manager/issues/7856),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n##### Bug
          or Regression\n\n- ACME: Increased challenge authorization timeout to 2
          minutes to fix `error waiting for authorization` ([#&#8203;7796](https://redirect.github.com/cert-manager/cert-manager/issues/7796),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- BUGFIX: permitted
          URI domains were incorrectly used to set the excluded URI domains in the
          CSR's name constraints ([#&#8203;7816](https://redirect.github.com/cert-manager/cert-manager/issues/7816),
          [@&#8203;kinolaev](https://redirect.github.com/kinolaev))\n- Enforced ACME
          HTTP-01 solver validation to properly reject configurations when multiple
          ingress options (`class`, `ingressClassName`, `name`) are specified simultaneously
          ([#&#8203;8021](https://redirect.github.com/cert-manager/cert-manager/issues/8021),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Increase
          maximum sizes of PEM certificates and chains which can be parsed in cert-manager,
          to handle leaf certificates with large numbers of DNS names or other identities
          ([#&#8203;7961](https://redirect.github.com/cert-manager/cert-manager/issues/7961),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Reverted
          adding the `global.rbac.disableHTTPChallengesRole` Helm option. ([#&#8203;7836](https://redirect.github.com/cert-manager/cert-manager/issues/7836),
          [@&#8203;inteon](https://redirect.github.com/inteon))\n- This change removes
          the `path` label of core ACME client metrics and will require users to update
          their monitoring dashboards and alerting rules if using those metrics. ([#&#8203;8109](https://redirect.github.com/cert-manager/cert-manager/issues/8109),
          [@&#8203;mladen-rusev-cyberark](https://redirect.github.com/mladen-rusev-cyberark))\n-
          Use the latest version of `ingress-nginx` in E2E tests to ensure compatibility
          ([#&#8203;7792](https://redirect.github.com/cert-manager/cert-manager/issues/7792),
          [@&#8203;wallrj](https://redirect.github.com/wallrj))\n\n##### Other (Cleanup
          or Flake)\n\n- Helm: Fix naming template of `tokenrequest` RoleBinding resource
          to improve consistency ([#&#8203;7761](https://redirect.github.com/cert-manager/cert-manager/issues/7761),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Improve
          error messages when certificates, CRLs or private keys fail admission due
          to malformed or missing PEM data ([#&#8203;7928](https://redirect.github.com/cert-manager/cert-manager/issues/7928),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Major upgrade
          of Akamai SDK. NOTE: The new version has not been fully tested end-to-end
          due to the lack of cloud infrastructure. ([#&#8203;8003](https://redirect.github.com/cert-manager/cert-manager/issues/8003),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Update kind
          images to include the Kubernetes 1.33 node image ([#&#8203;7786](https://redirect.github.com/cert-manager/cert-manager/issues/7786),
          [@&#8203;wallrj](https://redirect.github.com/wallrj))\n- Use `maps.Copy`
          for cleaner map handling ([#&#8203;8092](https://redirect.github.com/cert-manager/cert-manager/issues/8092),
          [@&#8203;quantpoet](https://redirect.github.com/quantpoet))\n- Vault: Migrate
          Vault E2E add-on tests from deprecated `vault-client-go` to the new `vault/api`
          client. ([#&#8203;8059](https://redirect.github.com/cert-manager/cert-manager/issues/8059),
          [@&#8203;armagankaratosun](https://redirect.github.com/armagankaratosun))\n\n###
          [`v1.18.6`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.6)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.5...v1.18.6)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nv1.18.6 is a simple patch release to fix some reported
          vulnerabilities, most notably [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).\n\nNB:
          We didn't attempt to patch [CVE-2026-24051](https://nvd.nist.gov/vuln/detail/CVE-2026-24051)
          but that vulnerability affects macOS only, so cert-manager will be unaffected.\n\n#####
          Changes by Kind\n\n##### Bug or Regression\n\n- Bump Go to address CVE-2025-68121
          ([#&#8203;8525](https://redirect.github.com/cert-manager/cert-manager/issues/8525),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.18.5`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.5)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.4...v1.18.5)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nThis release contains three bug fixes, including
          a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users
          should upgrade to the latest release.\n\n##### Changes by Kind\n\n#####
          Bug or Regression\n\n- Fixed an infinite re-issuance loop that could occur
          when an issuer returns a certificate with a public key that doesn't match
          the CSR. The issuing controller now validates the certificate before storing
          it and fails with backoff on mismatch. ([#&#8203;8414](https://redirect.github.com/cert-manager/cert-manager/issues/8414),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Fixed an issue where HTTP-01 challenges failed when the Host header contains
          an IPv6 address. This means that users can now issue IP address certificates
          for IPv6 address subjects. ([#&#8203;8437](https://redirect.github.com/cert-manager/cert-manager/issues/8437),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Security (MODERATE): Fix a potential panic in the cert-manager controller
          when a DNS response in an unexpected order was cached. If an attacker was
          able to modify DNS responses (or if they controlled the DNS server) it was
          possible to cause denial of service for the cert-manager controller. ([#&#8203;8467](https://redirect.github.com/cert-manager/cert-manager/issues/8467),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n##### Other
          (Cleanup or Flake)\n\n- Bump go to 1.24.12 ([#&#8203;8460](https://redirect.github.com/cert-manager/cert-manager/issues/8460),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.18.4`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.4)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.3...v1.18.4)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe updated Go to fix some vulnerabilities in the
          standard library.\n\n> \U0001F4D6 Read the [full 1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18)
          on the cert-manager.io website before upgrading.\n\n##### Changes since
          `v1.18.3`\n\n##### Bug or Regression\n\n- Address false positive vulnerabilities
          `CVE-2025-47914` and `CVE-2025-58181` which were reported by Trivy. ([#&#8203;8282](https://redirect.github.com/cert-manager/cert-manager/issues/8282),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update
          Go to `v1.24.11` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8295](https://redirect.github.com/cert-manager/cert-manager/issues/8295),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n#####
          Other (Cleanup or Flake)\n\n- Update cert-manager's ACME client, forked
          from `golang/x/crypto` ([#&#8203;8271](https://redirect.github.com/cert-manager/cert-manager/issues/8271),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Updated
          Debian 12 distroless base images ([#&#8203;8328](https://redirect.github.com/cert-manager/cert-manager/issues/8328),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n###
          [`v1.18.3`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.3)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.2...v1.18.3)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe fixed a bug which caused certificates to be re-issued
          unexpectedly, if the issuerRef kind or group was changed to one of the \"runtime\"
          default values. We increased the size limit when parsing PEM certificate
          chains to handle leaf certificates with large numbers of DNS named or other
          identities. We upgraded Go to 1.24.9 to fix various non-critical security
          vulnerabilities.\n\n> \U0001F4D6 Read the [full 1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18)
          on the cert-manager.io website before upgrading.\n\nChanges since `v1.18.2`:\n\n#####
          Bug or Regression\n\n- BUGFIX: in case kind or group in the issuerRef of
          a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate
          to be renewed ([#&#8203;8174](https://redirect.github.com/cert-manager/cert-manager/issues/8174),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Bump Go to 1.24.9. Fixes the following vulnerabilities: CVE-2025-61724,
          CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186,
          CVE-2025-58185, CVE-2025-58188, CVE-2025-61725 ([#&#8203;8176](https://redirect.github.com/cert-manager/cert-manager/issues/8176),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Increase maximum sizes of PEM certificates and chains which can be parsed
          in cert-manager, to handle leaf certificates with large numbers of DNS names
          or other identities ([#&#8203;7966](https://redirect.github.com/cert-manager/cert-manager/issues/7966),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n#####
          Other (Cleanup or Flake)\n\n- Improve error messages when certificates,
          CRLs or private keys fail admission due to malformed or missing PEM data
          ([#&#8203;7964](https://redirect.github.com/cert-manager/cert-manager/issues/7964),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Upgrades Go to v1.24.6 ([#&#8203;7974](https://redirect.github.com/cert-manager/cert-manager/issues/7974),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n</details>\n\n---\n\n###
          Configuration\n\n\U0001F4C5 **Schedule**: Branch creation - At any time
          (no schedule defined), Automerge - At any time (no schedule defined).\n\n\U0001F6A6
          **Automerge**: Disabled by config. Please merge this manually once you are
          satisfied.\n\n\u267B **Rebasing**: Whenever PR becomes conflicted, or you
          tick the rebase/retry checkbox.\n\n\U0001F515 **Ignore**: Close this PR
          and you won't be reminded about this update again.\n\n---\n\n - [ ] <!--
          rebase-check -->If you want to rebase/retry this PR, check this box\n\n---\n\nThis
          PR was generated by [Mend Renovate](https://mend.io/renovate/). View the
          [repository job log](https://developer.mend.io/github/vexxhost/atmosphere.common).\n<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzEuOSIsInVwZGF0ZWRJblZlciI6IjQzLjk0LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->\n"
        change_url: https://github.com/vexxhost/atmosphere.common/pull/105
        commit_id: 31202f9a494ecda41fc228f97b0affb269c8586d
        patchset: 31202f9a494ecda41fc228f97b0affb269c8586d
        project:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/atmosphere.common
          name: vexxhost/atmosphere.common
          short_name: atmosphere.common
          src_dir: src/github.com/vexxhost/atmosphere.common
        src_dir: src/github.com/vexxhost/atmosphere.common
        topic: null
      change: '105'
      change_message: "chore(deps): update helm release cert-manager to v1.20.1\n\nThis
        PR contains the following updates:\n\n| Package | Update | Change |\n|---|---|---|\n|
        [cert-manager](https://cert-manager.io) ([source](https://redirect.github.com/cert-manager/cert-manager))
        | minor | `1.18.2` \u2192 `1.20.1` |\n\n---\n\n### Release Notes\n\n<details>\n<summary>cert-manager/cert-manager
        (cert-manager)</summary>\n\n### [`v1.20.1`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.20.1)\n\n[Compare
        Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.20.0...v1.20.1)\n\nv1.20.1
        fixes an issue for OpenShift users that has to do with the finalizer RBAC,
        bumps gRPC to address a reported non-affecting vulnerability, and fixes a
        duplicate `parentRef` bug when both issuer config and annotations are present
        (Gateway API).\n\n##### Bug or Regression\n\n- Fixed duplicate `parentRef`
        bug when both issuer config and annotations are present. ([#&#8203;8658](https://redirect.github.com/cert-manager/cert-manager/issues/8658),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Add missing
        issuer finalizer RBAC to the order controller to support owner references.
        This was preventing OpenShift users from being able to upgrade to v1.20.0.
        ([#&#8203;8655](https://redirect.github.com/cert-manager/cert-manager/issues/8655),
        [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Bump google.golang.org/grpc
        to fix vulnerability reported by scanners. This isn't a vulnerability that
        affects cert-manager, but we are bumping it because it is reported by scanners.
        ([#&#8203;8657](https://redirect.github.com/cert-manager/cert-manager/issues/8657),
        [@&#8203;erikgb](https://redirect.github.com/erikgb))\n\n### [`v1.20.0`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.20.0)\n\n[Compare
        Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.4...v1.20.0)\n\ncert-manager
        is the easiest way to automatically manage certificates in Kubernetes and
        OpenShift clusters.\n\nv1.20.0 adds alpha support for the new ListenerSet
        resource, adds support for Azure Private DNS; parentRefs are no longer required
        when using ACME with Gateway API, and OtherNames was promoted to Beta.\n\n####
        Changes by Kind\n\n##### Feature\n\n- Added a set of flags to permit setting
        NetworkPolicy across all deployed containers. Remove redundant global IP ranges
        from example policies. ([#&#8203;8370](https://redirect.github.com/cert-manager/cert-manager/issues/8370),
        [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- Added selectable
        fields to custom resource definitions for .spec.issuerRef.{group, kind, name}
        ([#&#8203;8256](https://redirect.github.com/cert-manager/cert-manager/issues/8256),
        [@&#8203;tareksha](https://redirect.github.com/tareksha))\n- Added support
        for specifying `imagePullSecrets` in the `startupapicheck-job` Helm template
        to enable pulling images from private registries. ([#&#8203;8186](https://redirect.github.com/cert-manager/cert-manager/issues/8186),
        [@&#8203;mathieu-clnk](https://redirect.github.com/mathieu-clnk))\n- Added
        'extraContainers' helm chart value, allowing the deployment of arbitrary sidecar
        containers within the cert-manager operator pod. This can be used to support,
        for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification. ([#&#8203;8355](https://redirect.github.com/cert-manager/cert-manager/issues/8355),
        [@&#8203;dancmeyers](https://redirect.github.com/dancmeyers))\n- Added `parentRef`
        override annotations on the Certificate resource. ([#&#8203;8518](https://redirect.github.com/cert-manager/cert-manager/issues/8518),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added support
        for azure private zones for dns01 issuer. ([#&#8203;8494](https://redirect.github.com/cert-manager/cert-manager/issues/8494),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added support
        for configuring PEM decoding size limits, allowing operators to handle larger
        certificates and keys. ([#&#8203;7642](https://redirect.github.com/cert-manager/cert-manager/issues/7642),
        [@&#8203;robertlestak](https://redirect.github.com/robertlestak))\n- Added
        support for unhealthyPodEvictionPolicy in PodDisruptionBudget ([#&#8203;7728](https://redirect.github.com/cert-manager/cert-manager/issues/7728),
        [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- For Venafi provider,
        read `venafi.cert-manager.io/custom-fields` annotation on Issuer/ClusterIssuer
        and use it as base with override/append capabilities on Certificate level.
        ([#&#8203;8301](https://redirect.github.com/cert-manager/cert-manager/issues/8301),
        [@&#8203;k0da](https://redirect.github.com/k0da))\n- Improve error message
        when CA issuers are misconfigured to use a clashing secret name ([#&#8203;8374](https://redirect.github.com/cert-manager/cert-manager/issues/8374),
        [@&#8203;majiayu000](https://redirect.github.com/majiayu000))\n- Introduce
        a new Ingress annotation `acme.cert-manager.io/http01-ingress-ingressclassname`
        to override `http01.ingress.ingressClassName` field in HTTP-01 challenge solvers.
        ([#&#8203;8244](https://redirect.github.com/cert-manager/cert-manager/issues/8244),
        [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Update `global.nodeSelector`
        to helm chart to perform a `merge` and allow for a single `nodeSelector` to
        be set across all services. ([#&#8203;8195](https://redirect.github.com/cert-manager/cert-manager/issues/8195),
        [@&#8203;StingRayZA](https://redirect.github.com/StingRayZA))\n- Vault issuers
        will now include the Vault server address as one of the default audiences
        on generated service account tokens. ([#&#8203;8228](https://redirect.github.com/cert-manager/cert-manager/issues/8228),
        [@&#8203;terinjokes](https://redirect.github.com/terinjokes))\n- Added experimental
        `XListenerSets` feature gate ([#&#8203;8394](https://redirect.github.com/cert-manager/cert-manager/issues/8394),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n##### Documentation\n\n-
        Add GWAPI documentation to NOTES.TXT in helm chart ([#&#8203;8353](https://redirect.github.com/cert-manager/cert-manager/issues/8353),
        [@&#8203;jaxels10](https://redirect.github.com/jaxels10))\n\n##### Bug or
        Regression\n\n- Adds logs for cases when acme server returns us a fatal error
        in the order controller ([#&#8203;8199](https://redirect.github.com/cert-manager/cert-manager/issues/8199),
        [@&#8203;Peac36](https://redirect.github.com/Peac36))\n- Fixed an issue where
        kind or group in the issuerRef of a Certificate was omitted, upgrading to
        1.19.x incorrectly caused the certificate to be renewed ([#&#8203;8160](https://redirect.github.com/cert-manager/cert-manager/issues/8160),
        [@&#8203;inteon](https://redirect.github.com/inteon))\n- Changes to the Duration
        and RenewBefore annotations on ingress and gateway-api resources will now
        trigger certificate updates. ([#&#8203;8232](https://redirect.github.com/cert-manager/cert-manager/issues/8232),
        [@&#8203;eleanor-merry](https://redirect.github.com/eleanor-merry))\n- Fix
        an issue where ACME challenge TXT records are not cleaned up when there are
        many resource records in CloudDNS. ([#&#8203;8456](https://redirect.github.com/cert-manager/cert-manager/issues/8456),
        [@&#8203;tkna](https://redirect.github.com/tkna))\n- Fix unregulated retries
        with the DigitalOcean DNS-01 solver\n  Add full detailed DNS-01 errors to
        the events attached to the Challenge, for easier debugging ([#&#8203;8221](https://redirect.github.com/cert-manager/cert-manager/issues/8221),
        [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
        Fixed an infinite re-issuance loop that could occur when an issuer returns
        a certificate with a public key that doesn't match the CSR. The issuing controller
        now validates the certificate before storing it and fails with backoff on
        mismatch. ([#&#8203;8403](https://redirect.github.com/cert-manager/cert-manager/issues/8403),
        [@&#8203;calm329](https://redirect.github.com/calm329))\n- Fixed an issue
        where HTTP-01 challenges failed when the Host header contains an IPv6 address.
        This means that users can now issue IP address certificates for IPv6 address
        subjects. ([#&#8203;8424](https://redirect.github.com/cert-manager/cert-manager/issues/8424),
        [@&#8203;SlashNephy](https://redirect.github.com/SlashNephy))\n- Fixed the
        HTTP-01 Gateway solver creating invalid HTTPRoutes by not setting spec.hostnames
        when the challenge DNSName is an IP address. ([#&#8203;8443](https://redirect.github.com/cert-manager/cert-manager/issues/8443),
        [@&#8203;alviss7](https://redirect.github.com/alviss7))\n- Revert API defaults
        for issuer reference kind and group introduced in 0.19.0 ([#&#8203;8173](https://redirect.github.com/cert-manager/cert-manager/issues/8173),
        [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Security (MODERATE):
        Fix a potential panic in the cert-manager controller when a DNS response in
        an unexpected order was cached. If an attacker was able to modify DNS responses
        (or if they controlled the DNS server) it was possible to cause denial of
        service for the cert-manager controller. ([#&#8203;8469](https://redirect.github.com/cert-manager/cert-manager/issues/8469),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update Go
        to `v1.25.5` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8290](https://redirect.github.com/cert-manager/cert-manager/issues/8290),
        [@&#8203;octo-sts](https://redirect.github.com/octo-sts)\\[bot])\n- When Prometheus
        monitoring is enabled, the metrics label is now set to the intended value
        of `cert-manager`. Previously, it was set depending on various factors (namespace
        cert-manager is installed in and/or Helm release name). ([#&#8203;8162](https://redirect.github.com/cert-manager/cert-manager/issues/8162),
        [@&#8203;LiquidPL](https://redirect.github.com/LiquidPL))\n\n##### Other (Cleanup
        or Flake)\n\n- Promoted the OtherNames feature to Beta and enabled it by default
        ([#&#8203;8288](https://redirect.github.com/cert-manager/cert-manager/issues/8288),
        [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
        Promoting `XListenerSets` feature gate to `ListenerSets` ([#&#8203;8501](https://redirect.github.com/cert-manager/cert-manager/issues/8501),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Rebranding
        of the Venafi Issuer to CyberArk ([#&#8203;8215](https://redirect.github.com/cert-manager/cert-manager/issues/8215),
        [@&#8203;iossifbenbassat123](https://redirect.github.com/iossifbenbassat123))\n-
        Switched to SSA for challenge finalizer updates ([#&#8203;8519](https://redirect.github.com/cert-manager/cert-manager/issues/8519),
        [@&#8203;inteon](https://redirect.github.com/inteon))\n- The default container
        user (UID) is now 65532 (previously 1000) and the default container group
        (GID) is now 65532 (previously 0) ([#&#8203;8408](https://redirect.github.com/cert-manager/cert-manager/issues/8408),
        [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
        The feature-gate DefaultPrivateKeyRotationPolicyAlways moved from Beta to
        GA and can no longer be disabled. ([#&#8203;8287](https://redirect.github.com/cert-manager/cert-manager/issues/8287),
        [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
        Update cert-manager's ACME client, forked from golang/x/crypto ([#&#8203;8268](https://redirect.github.com/cert-manager/cert-manager/issues/8268),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Use the latest
        version of Kyverno (1.16.2) in the best-practice installation tests ([#&#8203;8389](https://redirect.github.com/cert-manager/cert-manager/issues/8389),
        [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
        We stopped testing with Coutour due to it not supporting the new XListenerSet
        resource, and moved to kgateway. ([#&#8203;8426](https://redirect.github.com/cert-manager/cert-manager/issues/8426),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n### [`v1.19.4`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.4)\n\n[Compare
        Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.3...v1.19.4)\n\ncert-manager
        is the easiest way to automatically manage certificates in Kubernetes and
        OpenShift clusters.\n\nv1.19.4 is a simple patch release to fix some reported
        vulnerabilities - notably CVE-2026-24051 and CVE-2025-68121. All users should
        upgrade.\n\n#### Changes by Kind\n\n##### Bug or Regression\n\n- Bump go to
        address CVE-2025-68121 ([#&#8203;8526](https://redirect.github.com/cert-manager/cert-manager/issues/8526),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Bump otel
        SDK to address GO-2026-4394 ([#&#8203;8531](https://redirect.github.com/cert-manager/cert-manager/issues/8531),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.19.3`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.3)\n\n[Compare
        Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.2...v1.19.3)\n\ncert-manager
        is the easiest way to automatically manage certificates in Kubernetes and
        OpenShift clusters.\n\nThis release contains three bug fixes, including a
        fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users
        should upgrade to the latest release.\n\n#### Changes by Kind\n\n##### Bug
        or Regression\n\n- Fixed an infinite re-issuance loop that could occur when
        an issuer returns a certificate with a public key that doesn't match the CSR.
        The issuing controller now validates the certificate before storing it and
        fails with backoff on mismatch. ([#&#8203;8415](https://redirect.github.com/cert-manager/cert-manager/issues/8415),
        [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
        Fixed an issue where HTTP-01 challenges failed when the Host header contained
        an IPv6 address. This means that users can now issue IP address certificates
        for IPv6 address subjects. ([#&#8203;8436](https://redirect.github.com/cert-manager/cert-manager/issues/8436),
        [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
        Security (MODERATE): Fix a potential panic in the cert-manager controller
        when a DNS response in an unexpected order was cached. If an attacker was
        able to modify DNS responses (or if they controlled the DNS server) it was
        possible to cause denial of service for the cert-manager controller. ([#&#8203;8468](https://redirect.github.com/cert-manager/cert-manager/issues/8468),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n##### Other
        (Cleanup or Flake)\n\n- Bump go to 1.25.6 ([#&#8203;8459](https://redirect.github.com/cert-manager/cert-manager/issues/8459),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.19.2`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.2)\n\n[Compare
        Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.1...v1.19.2)\n\ncert-manager
        is the easiest way to automatically manage certificates in Kubernetes and
        OpenShift clusters.\n\nWe updated Go to fix some vulnerabilities in the standard
        library.\n\n> \U0001F4D6 Read the [full 1.19 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.19)
        on the cert-manager.io website before upgrading.\n\n##### Changes since `v1.19.1`\n\n#####
        Bug or Regression\n\n- Address false positive vulnerabilities `CVE-2025-47914`
        and `CVE-2025-58181` which were reported by Trivy. ([#&#8203;8283](https://redirect.github.com/cert-manager/cert-manager/issues/8283),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update Go
        to `v1.25.5` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8294](https://redirect.github.com/cert-manager/cert-manager/issues/8294),
        [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
        Update `global.nodeSelector` to helm chart to perform a `merge` and allow
        for a single `nodeSelector` to be set across all services. ([#&#8203;8233](https://redirect.github.com/cert-manager/cert-manager/issues/8233),
        [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n#####
        Other (Cleanup or Flake)\n\n- Update cert-manager's ACME client, forked from
        `golang/x/crypto` ([#&#8203;8270](https://redirect.github.com/cert-manager/cert-manager/issues/8270),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Updated Debian
        12 distroless base images ([#&#8203;8326](https://redirect.github.com/cert-manager/cert-manager/issues/8326),
        [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n###
        [`v1.19.1`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.1)\n\n[Compare
        Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.0...v1.19.1)\n\ncert-manager
        is the easiest way to automatically manage certificates in Kubernetes and
        OpenShift clusters.\n\nWe reverted the CRD-based API defaults for `Certificate.Spec.IssuerRef`
        and `CertificateRequest.Spec.IssuerRef` after they were found to cause unexpected
        certificate renewals after upgrading to 1.19.0. We will try re-introducing
        these API defaults in cert-manager `1.20`.\nWe fixed a bug that caused certificates
        to be re-issued unexpectedly if the `issuerRef` kind or group was changed
        to one of the \"runtime\" default values.\nWe upgraded Go to `1.25.3` to address
        the following security vulnerabilities: `CVE-2025-61724`, `CVE-2025-58187`,
        `CVE-2025-47912`, `CVE-2025-58183`, `CVE-2025-61723`, `CVE-2025-58186`, `CVE-2025-58185`,
        `CVE-2025-58188`, and `CVE-2025-61725`.\n\n> \U0001F4D6 Read the [full 1.19
        release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.19)
        on the cert-manager.io website before upgrading.\n\nChanges since `v1.19.0`:\n\n#####
        Bug or Regression\n\n- BUGFIX: in case kind or group in the `issuerRef` of
        a Certificate was omitted, upgrading to `1.19.x` incorrectly caused the certificate
        to be renewed ([#&#8203;8175](https://redirect.github.com/cert-manager/cert-manager/issues/8175),
        [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
        Bump Go to 1.25.3 to fix a backwards incompatible change to the validation
        of DNS names in X.509 SAN fields which prevented the use of DNS names with
        a trailing dot ([#&#8203;8177](https://redirect.github.com/cert-manager/cert-manager/issues/8177),
        [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
        Revert API defaults for issuer reference kind and group introduced in 0.19.0
        ([#&#8203;8178](https://redirect.github.com/cert-manager/cert-manager/issues/8178),
        [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n###
        [`v1.19.0`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.0)\n\n[Compare
        Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.6...v1.19.0)\n\ncert-manager
        is the easiest way to automatically manage certificates in Kubernetes and
        OpenShift clusters.\n\n> \u26A0\uFE0F **Known issues**: The following known
        issues are fixed in [v1.19.1](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.1):\n>\n>
        - [Unexpected certificate renewal after upgrading to 1.19.0](https://redirect.github.com/cert-manager/cert-manager/issues/8158)\n\nThis
        release focuses on expanding platform compatibility, improving deployment
        flexibility, enhancing observability, and addressing key reliability issues.\n\n>
        \U0001F4D6  Read the full release notes at cert-manager.io: <https://cert-manager.io/docs/releases/release-notes/release-notes-1.19>\n\nChanges
        since `v1.18.0`:\n\n##### Feature\n\n- Add IPv6 rules to the default network
        policy ([#&#8203;7726](https://redirect.github.com/cert-manager/cert-manager/issues/7726),
        [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- Add `global.nodeSelector`
        to helm chart to allow for a single `nodeSelector` to be set across all services.
        ([#&#8203;7818](https://redirect.github.com/cert-manager/cert-manager/issues/7818),
        [@&#8203;StingRayZA](https://redirect.github.com/StingRayZA))\n- Add a feature
        gate to default to Ingress `pathType` `Exact` in ACME HTTP01 Ingress challenge
        solvers. ([#&#8203;7795](https://redirect.github.com/cert-manager/cert-manager/issues/7795),
        [@&#8203;sspreitzer](https://redirect.github.com/sspreitzer))\n- Add generated
        `applyconfigurations` allowing clients to make type-safe server-side apply
        requests for cert-manager resources. ([#&#8203;7866](https://redirect.github.com/cert-manager/cert-manager/issues/7866),
        [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Added API defaults
        to issuer references group (cert-manager.io) and kind (Issuer). ([#&#8203;7414](https://redirect.github.com/cert-manager/cert-manager/issues/7414),
        [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Added `certmanager_certificate_challenge_status`
        Prometheus metric. ([#&#8203;7736](https://redirect.github.com/cert-manager/cert-manager/issues/7736),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added `protocol`
        field for `rfc2136` DNS01 provider ([#&#8203;7881](https://redirect.github.com/cert-manager/cert-manager/issues/7881),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added experimental
        field `hostUsers` flag to all pods. Not set by default. ([#&#8203;7973](https://redirect.github.com/cert-manager/cert-manager/issues/7973),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Support configurable
        resource requests and limits for ACME HTTP01 solver pods through ClusterIssuer
        and Issuer specifications, allowing granular resource management that overrides
        global `--acme-http01-solver-resource-*` settings. ([#&#8203;7972](https://redirect.github.com/cert-manager/cert-manager/issues/7972),
        [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- The `CAInjectorMerging`
        feature has been promoted to BETA and is now enabled by default ([#&#8203;8017](https://redirect.github.com/cert-manager/cert-manager/issues/8017),
        [@&#8203;ThatsMrTalbot](https://redirect.github.com/ThatsMrTalbot))\n- The
        controller, webhook and ca-injector now log their version and git commit on
        startup for easier debugging and support. ([#&#8203;8072](https://redirect.github.com/cert-manager/cert-manager/issues/8072),
        [@&#8203;prasad89](https://redirect.github.com/prasad89))\n- Updated `certificate`
        metrics to the collector approach. ([#&#8203;7856](https://redirect.github.com/cert-manager/cert-manager/issues/7856),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n##### Bug or
        Regression\n\n- ACME: Increased challenge authorization timeout to 2 minutes
        to fix `error waiting for authorization` ([#&#8203;7796](https://redirect.github.com/cert-manager/cert-manager/issues/7796),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- BUGFIX: permitted
        URI domains were incorrectly used to set the excluded URI domains in the CSR's
        name constraints ([#&#8203;7816](https://redirect.github.com/cert-manager/cert-manager/issues/7816),
        [@&#8203;kinolaev](https://redirect.github.com/kinolaev))\n- Enforced ACME
        HTTP-01 solver validation to properly reject configurations when multiple
        ingress options (`class`, `ingressClassName`, `name`) are specified simultaneously
        ([#&#8203;8021](https://redirect.github.com/cert-manager/cert-manager/issues/8021),
        [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Increase
        maximum sizes of PEM certificates and chains which can be parsed in cert-manager,
        to handle leaf certificates with large numbers of DNS names or other identities
        ([#&#8203;7961](https://redirect.github.com/cert-manager/cert-manager/issues/7961),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Reverted
        adding the `global.rbac.disableHTTPChallengesRole` Helm option. ([#&#8203;7836](https://redirect.github.com/cert-manager/cert-manager/issues/7836),
        [@&#8203;inteon](https://redirect.github.com/inteon))\n- This change removes
        the `path` label of core ACME client metrics and will require users to update
        their monitoring dashboards and alerting rules if using those metrics. ([#&#8203;8109](https://redirect.github.com/cert-manager/cert-manager/issues/8109),
        [@&#8203;mladen-rusev-cyberark](https://redirect.github.com/mladen-rusev-cyberark))\n-
        Use the latest version of `ingress-nginx` in E2E tests to ensure compatibility
        ([#&#8203;7792](https://redirect.github.com/cert-manager/cert-manager/issues/7792),
        [@&#8203;wallrj](https://redirect.github.com/wallrj))\n\n##### Other (Cleanup
        or Flake)\n\n- Helm: Fix naming template of `tokenrequest` RoleBinding resource
        to improve consistency ([#&#8203;7761](https://redirect.github.com/cert-manager/cert-manager/issues/7761),
        [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Improve error
        messages when certificates, CRLs or private keys fail admission due to malformed
        or missing PEM data ([#&#8203;7928](https://redirect.github.com/cert-manager/cert-manager/issues/7928),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Major upgrade
        of Akamai SDK. NOTE: The new version has not been fully tested end-to-end
        due to the lack of cloud infrastructure. ([#&#8203;8003](https://redirect.github.com/cert-manager/cert-manager/issues/8003),
        [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Update kind
        images to include the Kubernetes 1.33 node image ([#&#8203;7786](https://redirect.github.com/cert-manager/cert-manager/issues/7786),
        [@&#8203;wallrj](https://redirect.github.com/wallrj))\n- Use `maps.Copy` for
        cleaner map handling ([#&#8203;8092](https://redirect.github.com/cert-manager/cert-manager/issues/8092),
        [@&#8203;quantpoet](https://redirect.github.com/quantpoet))\n- Vault: Migrate
        Vault E2E add-on tests from deprecated `vault-client-go` to the new `vault/api`
        client. ([#&#8203;8059](https://redirect.github.com/cert-manager/cert-manager/issues/8059),
        [@&#8203;armagankaratosun](https://redirect.github.com/armagankaratosun))\n\n###
        [`v1.18.6`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.6)\n\n[Compare
        Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.5...v1.18.6)\n\ncert-manager
        is the easiest way to automatically manage certificates in Kubernetes and
        OpenShift clusters.\n\nv1.18.6 is a simple patch release to fix some reported
        vulnerabilities, most notably [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).\n\nNB:
        We didn't attempt to patch [CVE-2026-24051](https://nvd.nist.gov/vuln/detail/CVE-2026-24051)
        but that vulnerability affects macOS only, so cert-manager will be unaffected.\n\n#####
        Changes by Kind\n\n##### Bug or Regression\n\n- Bump Go to address CVE-2025-68121
        ([#&#8203;8525](https://redirect.github.com/cert-manager/cert-manager/issues/8525),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.18.5`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.5)\n\n[Compare
        Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.4...v1.18.5)\n\ncert-manager
        is the easiest way to automatically manage certificates in Kubernetes and
        OpenShift clusters.\n\nThis release contains three bug fixes, including a
        fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users
        should upgrade to the latest release.\n\n##### Changes by Kind\n\n##### Bug
        or Regression\n\n- Fixed an infinite re-issuance loop that could occur when
        an issuer returns a certificate with a public key that doesn't match the CSR.
        The issuing controller now validates the certificate before storing it and
        fails with backoff on mismatch. ([#&#8203;8414](https://redirect.github.com/cert-manager/cert-manager/issues/8414),
        [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
        Fixed an issue where HTTP-01 challenges failed when the Host header contains
        an IPv6 address. This means that users can now issue IP address certificates
        for IPv6 address subjects. ([#&#8203;8437](https://redirect.github.com/cert-manager/cert-manager/issues/8437),
        [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
        Security (MODERATE): Fix a potential panic in the cert-manager controller
        when a DNS response in an unexpected order was cached. If an attacker was
        able to modify DNS responses (or if they controlled the DNS server) it was
        possible to cause denial of service for the cert-manager controller. ([#&#8203;8467](https://redirect.github.com/cert-manager/cert-manager/issues/8467),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n##### Other
        (Cleanup or Flake)\n\n- Bump go to 1.24.12 ([#&#8203;8460](https://redirect.github.com/cert-manager/cert-manager/issues/8460),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.18.4`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.4)\n\n[Compare
        Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.3...v1.18.4)\n\ncert-manager
        is the easiest way to automatically manage certificates in Kubernetes and
        OpenShift clusters.\n\nWe updated Go to fix some vulnerabilities in the standard
        library.\n\n> \U0001F4D6 Read the [full 1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18)
        on the cert-manager.io website before upgrading.\n\n##### Changes since `v1.18.3`\n\n#####
        Bug or Regression\n\n- Address false positive vulnerabilities `CVE-2025-47914`
        and `CVE-2025-58181` which were reported by Trivy. ([#&#8203;8282](https://redirect.github.com/cert-manager/cert-manager/issues/8282),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update Go
        to `v1.24.11` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8295](https://redirect.github.com/cert-manager/cert-manager/issues/8295),
        [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n#####
        Other (Cleanup or Flake)\n\n- Update cert-manager's ACME client, forked from
        `golang/x/crypto` ([#&#8203;8271](https://redirect.github.com/cert-manager/cert-manager/issues/8271),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Updated Debian
        12 distroless base images ([#&#8203;8328](https://redirect.github.com/cert-manager/cert-manager/issues/8328),
        [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n###
        [`v1.18.3`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.3)\n\n[Compare
        Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.2...v1.18.3)\n\ncert-manager
        is the easiest way to automatically manage certificates in Kubernetes and
        OpenShift clusters.\n\nWe fixed a bug which caused certificates to be re-issued
        unexpectedly, if the issuerRef kind or group was changed to one of the \"runtime\"
        default values. We increased the size limit when parsing PEM certificate chains
        to handle leaf certificates with large numbers of DNS named or other identities.
        We upgraded Go to 1.24.9 to fix various non-critical security vulnerabilities.\n\n>
        \U0001F4D6 Read the [full 1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18)
        on the cert-manager.io website before upgrading.\n\nChanges since `v1.18.2`:\n\n#####
        Bug or Regression\n\n- BUGFIX: in case kind or group in the issuerRef of a
        Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate
        to be renewed ([#&#8203;8174](https://redirect.github.com/cert-manager/cert-manager/issues/8174),
        [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
        Bump Go to 1.24.9. Fixes the following vulnerabilities: CVE-2025-61724, CVE-2025-58187,
        CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185,
        CVE-2025-58188, CVE-2025-61725 ([#&#8203;8176](https://redirect.github.com/cert-manager/cert-manager/issues/8176),
        [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
        Increase maximum sizes of PEM certificates and chains which can be parsed
        in cert-manager, to handle leaf certificates with large numbers of DNS names
        or other identities ([#&#8203;7966](https://redirect.github.com/cert-manager/cert-manager/issues/7966),
        [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n#####
        Other (Cleanup or Flake)\n\n- Improve error messages when certificates, CRLs
        or private keys fail admission due to malformed or missing PEM data ([#&#8203;7964](https://redirect.github.com/cert-manager/cert-manager/issues/7964),
        [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
        Upgrades Go to v1.24.6 ([#&#8203;7974](https://redirect.github.com/cert-manager/cert-manager/issues/7974),
        [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n</details>\n\n---\n\n###
        Configuration\n\n\U0001F4C5 **Schedule**: Branch creation - At any time (no
        schedule defined), Automerge - At any time (no schedule defined).\n\n\U0001F6A6
        **Automerge**: Disabled by config. Please merge this manually once you are
        satisfied.\n\n\u267B **Rebasing**: Whenever PR becomes conflicted, or you
        tick the rebase/retry checkbox.\n\n\U0001F515 **Ignore**: Close this PR and
        you won't be reminded about this update again.\n\n---\n\n - [ ] <!-- rebase-check
        -->If you want to rebase/retry this PR, check this box\n\n---\n\nThis PR was
        generated by [Mend Renovate](https://mend.io/renovate/). View the [repository
        job log](https://developer.mend.io/github/vexxhost/atmosphere.common).\n<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzEuOSIsInVwZGF0ZWRJblZlciI6IjQzLjk0LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->\n"
      change_url: https://github.com/vexxhost/atmosphere.common/pull/105
      child_jobs: []
      commit_id: 31202f9a494ecda41fc228f97b0affb269c8586d
      event_id: 56146d70-2a22-11f1-804b-ead1e8c8dc22
      executor:
        hostname: 0a8996d2b663
        inventory_file: /var/lib/zuul/builds/c4d3d1b5b0744a2a9a7e786f640d8460/ansible/inventory.yaml
        log_root: /var/lib/zuul/builds/c4d3d1b5b0744a2a9a7e786f640d8460/work/logs
        result_data_file: /var/lib/zuul/builds/c4d3d1b5b0744a2a9a7e786f640d8460/work/results.json
        src_root: /var/lib/zuul/builds/c4d3d1b5b0744a2a9a7e786f640d8460/work/src
        work_root: /var/lib/zuul/builds/c4d3d1b5b0744a2a9a7e786f640d8460/work
      include_vars: []
      items:
      - branch: main
        change: '105'
        change_message: "chore(deps): update helm release cert-manager to v1.20.1\n\nThis
          PR contains the following updates:\n\n| Package | Update | Change |\n|---|---|---|\n|
          [cert-manager](https://cert-manager.io) ([source](https://redirect.github.com/cert-manager/cert-manager))
          | minor | `1.18.2` \u2192 `1.20.1` |\n\n---\n\n### Release Notes\n\n<details>\n<summary>cert-manager/cert-manager
          (cert-manager)</summary>\n\n### [`v1.20.1`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.20.1)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.20.0...v1.20.1)\n\nv1.20.1
          fixes an issue for OpenShift users that has to do with the finalizer RBAC,
          bumps gRPC to address a reported non-affecting vulnerability, and fixes
          a duplicate `parentRef` bug when both issuer config and annotations are
          present (Gateway API).\n\n##### Bug or Regression\n\n- Fixed duplicate `parentRef`
          bug when both issuer config and annotations are present. ([#&#8203;8658](https://redirect.github.com/cert-manager/cert-manager/issues/8658),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Add missing
          issuer finalizer RBAC to the order controller to support owner references.
          This was preventing OpenShift users from being able to upgrade to v1.20.0.
          ([#&#8203;8655](https://redirect.github.com/cert-manager/cert-manager/issues/8655),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Bump google.golang.org/grpc
          to fix vulnerability reported by scanners. This isn't a vulnerability that
          affects cert-manager, but we are bumping it because it is reported by scanners.
          ([#&#8203;8657](https://redirect.github.com/cert-manager/cert-manager/issues/8657),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n\n### [`v1.20.0`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.20.0)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.4...v1.20.0)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nv1.20.0 adds alpha support for the new ListenerSet
          resource, adds support for Azure Private DNS; parentRefs are no longer required
          when using ACME with Gateway API, and OtherNames was promoted to Beta.\n\n####
          Changes by Kind\n\n##### Feature\n\n- Added a set of flags to permit setting
          NetworkPolicy across all deployed containers. Remove redundant global IP
          ranges from example policies. ([#&#8203;8370](https://redirect.github.com/cert-manager/cert-manager/issues/8370),
          [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- Added selectable
          fields to custom resource definitions for .spec.issuerRef.{group, kind,
          name} ([#&#8203;8256](https://redirect.github.com/cert-manager/cert-manager/issues/8256),
          [@&#8203;tareksha](https://redirect.github.com/tareksha))\n- Added support
          for specifying `imagePullSecrets` in the `startupapicheck-job` Helm template
          to enable pulling images from private registries. ([#&#8203;8186](https://redirect.github.com/cert-manager/cert-manager/issues/8186),
          [@&#8203;mathieu-clnk](https://redirect.github.com/mathieu-clnk))\n- Added
          'extraContainers' helm chart value, allowing the deployment of arbitrary
          sidecar containers within the cert-manager operator pod. This can be used
          to support, for e.g., AWS IAM Roles Anywhere for Route53 DNS01 verification.
          ([#&#8203;8355](https://redirect.github.com/cert-manager/cert-manager/issues/8355),
          [@&#8203;dancmeyers](https://redirect.github.com/dancmeyers))\n- Added `parentRef`
          override annotations on the Certificate resource. ([#&#8203;8518](https://redirect.github.com/cert-manager/cert-manager/issues/8518),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added support
          for azure private zones for dns01 issuer. ([#&#8203;8494](https://redirect.github.com/cert-manager/cert-manager/issues/8494),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added support
          for configuring PEM decoding size limits, allowing operators to handle larger
          certificates and keys. ([#&#8203;7642](https://redirect.github.com/cert-manager/cert-manager/issues/7642),
          [@&#8203;robertlestak](https://redirect.github.com/robertlestak))\n- Added
          support for unhealthyPodEvictionPolicy in PodDisruptionBudget ([#&#8203;7728](https://redirect.github.com/cert-manager/cert-manager/issues/7728),
          [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- For Venafi provider,
          read `venafi.cert-manager.io/custom-fields` annotation on Issuer/ClusterIssuer
          and use it as base with override/append capabilities on Certificate level.
          ([#&#8203;8301](https://redirect.github.com/cert-manager/cert-manager/issues/8301),
          [@&#8203;k0da](https://redirect.github.com/k0da))\n- Improve error message
          when CA issuers are misconfigured to use a clashing secret name ([#&#8203;8374](https://redirect.github.com/cert-manager/cert-manager/issues/8374),
          [@&#8203;majiayu000](https://redirect.github.com/majiayu000))\n- Introduce
          a new Ingress annotation `acme.cert-manager.io/http01-ingress-ingressclassname`
          to override `http01.ingress.ingressClassName` field in HTTP-01 challenge
          solvers. ([#&#8203;8244](https://redirect.github.com/cert-manager/cert-manager/issues/8244),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Update
          `global.nodeSelector` to helm chart to perform a `merge` and allow for a
          single `nodeSelector` to be set across all services. ([#&#8203;8195](https://redirect.github.com/cert-manager/cert-manager/issues/8195),
          [@&#8203;StingRayZA](https://redirect.github.com/StingRayZA))\n- Vault issuers
          will now include the Vault server address as one of the default audiences
          on generated service account tokens. ([#&#8203;8228](https://redirect.github.com/cert-manager/cert-manager/issues/8228),
          [@&#8203;terinjokes](https://redirect.github.com/terinjokes))\n- Added experimental
          `XListenerSets` feature gate ([#&#8203;8394](https://redirect.github.com/cert-manager/cert-manager/issues/8394),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n##### Documentation\n\n-
          Add GWAPI documentation to NOTES.TXT in helm chart ([#&#8203;8353](https://redirect.github.com/cert-manager/cert-manager/issues/8353),
          [@&#8203;jaxels10](https://redirect.github.com/jaxels10))\n\n##### Bug or
          Regression\n\n- Adds logs for cases when acme server returns us a fatal
          error in the order controller ([#&#8203;8199](https://redirect.github.com/cert-manager/cert-manager/issues/8199),
          [@&#8203;Peac36](https://redirect.github.com/Peac36))\n- Fixed an issue
          where kind or group in the issuerRef of a Certificate was omitted, upgrading
          to 1.19.x incorrectly caused the certificate to be renewed ([#&#8203;8160](https://redirect.github.com/cert-manager/cert-manager/issues/8160),
          [@&#8203;inteon](https://redirect.github.com/inteon))\n- Changes to the
          Duration and RenewBefore annotations on ingress and gateway-api resources
          will now trigger certificate updates. ([#&#8203;8232](https://redirect.github.com/cert-manager/cert-manager/issues/8232),
          [@&#8203;eleanor-merry](https://redirect.github.com/eleanor-merry))\n- Fix
          an issue where ACME challenge TXT records are not cleaned up when there
          are many resource records in CloudDNS. ([#&#8203;8456](https://redirect.github.com/cert-manager/cert-manager/issues/8456),
          [@&#8203;tkna](https://redirect.github.com/tkna))\n- Fix unregulated retries
          with the DigitalOcean DNS-01 solver\n  Add full detailed DNS-01 errors to
          the events attached to the Challenge, for easier debugging ([#&#8203;8221](https://redirect.github.com/cert-manager/cert-manager/issues/8221),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Fixed an infinite re-issuance loop that could occur when an issuer returns
          a certificate with a public key that doesn't match the CSR. The issuing
          controller now validates the certificate before storing it and fails with
          backoff on mismatch. ([#&#8203;8403](https://redirect.github.com/cert-manager/cert-manager/issues/8403),
          [@&#8203;calm329](https://redirect.github.com/calm329))\n- Fixed an issue
          where HTTP-01 challenges failed when the Host header contains an IPv6 address.
          This means that users can now issue IP address certificates for IPv6 address
          subjects. ([#&#8203;8424](https://redirect.github.com/cert-manager/cert-manager/issues/8424),
          [@&#8203;SlashNephy](https://redirect.github.com/SlashNephy))\n- Fixed the
          HTTP-01 Gateway solver creating invalid HTTPRoutes by not setting spec.hostnames
          when the challenge DNSName is an IP address. ([#&#8203;8443](https://redirect.github.com/cert-manager/cert-manager/issues/8443),
          [@&#8203;alviss7](https://redirect.github.com/alviss7))\n- Revert API defaults
          for issuer reference kind and group introduced in 0.19.0 ([#&#8203;8173](https://redirect.github.com/cert-manager/cert-manager/issues/8173),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Security (MODERATE):
          Fix a potential panic in the cert-manager controller when a DNS response
          in an unexpected order was cached. If an attacker was able to modify DNS
          responses (or if they controlled the DNS server) it was possible to cause
          denial of service for the cert-manager controller. ([#&#8203;8469](https://redirect.github.com/cert-manager/cert-manager/issues/8469),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update
          Go to `v1.25.5` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8290](https://redirect.github.com/cert-manager/cert-manager/issues/8290),
          [@&#8203;octo-sts](https://redirect.github.com/octo-sts)\\[bot])\n- When
          Prometheus monitoring is enabled, the metrics label is now set to the intended
          value of `cert-manager`. Previously, it was set depending on various factors
          (namespace cert-manager is installed in and/or Helm release name). ([#&#8203;8162](https://redirect.github.com/cert-manager/cert-manager/issues/8162),
          [@&#8203;LiquidPL](https://redirect.github.com/LiquidPL))\n\n##### Other
          (Cleanup or Flake)\n\n- Promoted the OtherNames feature to Beta and enabled
          it by default ([#&#8203;8288](https://redirect.github.com/cert-manager/cert-manager/issues/8288),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Promoting `XListenerSets` feature gate to `ListenerSets` ([#&#8203;8501](https://redirect.github.com/cert-manager/cert-manager/issues/8501),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Rebranding
          of the Venafi Issuer to CyberArk ([#&#8203;8215](https://redirect.github.com/cert-manager/cert-manager/issues/8215),
          [@&#8203;iossifbenbassat123](https://redirect.github.com/iossifbenbassat123))\n-
          Switched to SSA for challenge finalizer updates ([#&#8203;8519](https://redirect.github.com/cert-manager/cert-manager/issues/8519),
          [@&#8203;inteon](https://redirect.github.com/inteon))\n- The default container
          user (UID) is now 65532 (previously 1000) and the default container group
          (GID) is now 65532 (previously 0) ([#&#8203;8408](https://redirect.github.com/cert-manager/cert-manager/issues/8408),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          The feature-gate DefaultPrivateKeyRotationPolicyAlways moved from Beta to
          GA and can no longer be disabled. ([#&#8203;8287](https://redirect.github.com/cert-manager/cert-manager/issues/8287),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Update cert-manager's ACME client, forked from golang/x/crypto ([#&#8203;8268](https://redirect.github.com/cert-manager/cert-manager/issues/8268),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Use the
          latest version of Kyverno (1.16.2) in the best-practice installation tests
          ([#&#8203;8389](https://redirect.github.com/cert-manager/cert-manager/issues/8389),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          We stopped testing with Coutour due to it not supporting the new XListenerSet
          resource, and moved to kgateway. ([#&#8203;8426](https://redirect.github.com/cert-manager/cert-manager/issues/8426),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n### [`v1.19.4`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.4)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.3...v1.19.4)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nv1.19.4 is a simple patch release to fix some reported
          vulnerabilities - notably CVE-2026-24051 and CVE-2025-68121. All users should
          upgrade.\n\n#### Changes by Kind\n\n##### Bug or Regression\n\n- Bump go
          to address CVE-2025-68121 ([#&#8203;8526](https://redirect.github.com/cert-manager/cert-manager/issues/8526),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Bump otel
          SDK to address GO-2026-4394 ([#&#8203;8531](https://redirect.github.com/cert-manager/cert-manager/issues/8531),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.19.3`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.3)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.2...v1.19.3)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nThis release contains three bug fixes, including
          a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users
          should upgrade to the latest release.\n\n#### Changes by Kind\n\n##### Bug
          or Regression\n\n- Fixed an infinite re-issuance loop that could occur when
          an issuer returns a certificate with a public key that doesn't match the
          CSR. The issuing controller now validates the certificate before storing
          it and fails with backoff on mismatch. ([#&#8203;8415](https://redirect.github.com/cert-manager/cert-manager/issues/8415),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Fixed an issue where HTTP-01 challenges failed when the Host header contained
          an IPv6 address. This means that users can now issue IP address certificates
          for IPv6 address subjects. ([#&#8203;8436](https://redirect.github.com/cert-manager/cert-manager/issues/8436),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Security (MODERATE): Fix a potential panic in the cert-manager controller
          when a DNS response in an unexpected order was cached. If an attacker was
          able to modify DNS responses (or if they controlled the DNS server) it was
          possible to cause denial of service for the cert-manager controller. ([#&#8203;8468](https://redirect.github.com/cert-manager/cert-manager/issues/8468),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n##### Other
          (Cleanup or Flake)\n\n- Bump go to 1.25.6 ([#&#8203;8459](https://redirect.github.com/cert-manager/cert-manager/issues/8459),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.19.2`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.2)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.1...v1.19.2)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe updated Go to fix some vulnerabilities in the
          standard library.\n\n> \U0001F4D6 Read the [full 1.19 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.19)
          on the cert-manager.io website before upgrading.\n\n##### Changes since
          `v1.19.1`\n\n##### Bug or Regression\n\n- Address false positive vulnerabilities
          `CVE-2025-47914` and `CVE-2025-58181` which were reported by Trivy. ([#&#8203;8283](https://redirect.github.com/cert-manager/cert-manager/issues/8283),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update
          Go to `v1.25.5` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8294](https://redirect.github.com/cert-manager/cert-manager/issues/8294),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Update `global.nodeSelector` to helm chart to perform a `merge` and allow
          for a single `nodeSelector` to be set across all services. ([#&#8203;8233](https://redirect.github.com/cert-manager/cert-manager/issues/8233),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n#####
          Other (Cleanup or Flake)\n\n- Update cert-manager's ACME client, forked
          from `golang/x/crypto` ([#&#8203;8270](https://redirect.github.com/cert-manager/cert-manager/issues/8270),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Updated
          Debian 12 distroless base images ([#&#8203;8326](https://redirect.github.com/cert-manager/cert-manager/issues/8326),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n###
          [`v1.19.1`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.1)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.0...v1.19.1)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe reverted the CRD-based API defaults for `Certificate.Spec.IssuerRef`
          and `CertificateRequest.Spec.IssuerRef` after they were found to cause unexpected
          certificate renewals after upgrading to 1.19.0. We will try re-introducing
          these API defaults in cert-manager `1.20`.\nWe fixed a bug that caused certificates
          to be re-issued unexpectedly if the `issuerRef` kind or group was changed
          to one of the \"runtime\" default values.\nWe upgraded Go to `1.25.3` to
          address the following security vulnerabilities: `CVE-2025-61724`, `CVE-2025-58187`,
          `CVE-2025-47912`, `CVE-2025-58183`, `CVE-2025-61723`, `CVE-2025-58186`,
          `CVE-2025-58185`, `CVE-2025-58188`, and `CVE-2025-61725`.\n\n> \U0001F4D6
          Read the [full 1.19 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.19)
          on the cert-manager.io website before upgrading.\n\nChanges since `v1.19.0`:\n\n#####
          Bug or Regression\n\n- BUGFIX: in case kind or group in the `issuerRef`
          of a Certificate was omitted, upgrading to `1.19.x` incorrectly caused the
          certificate to be renewed ([#&#8203;8175](https://redirect.github.com/cert-manager/cert-manager/issues/8175),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Bump Go to 1.25.3 to fix a backwards incompatible change to the validation
          of DNS names in X.509 SAN fields which prevented the use of DNS names with
          a trailing dot ([#&#8203;8177](https://redirect.github.com/cert-manager/cert-manager/issues/8177),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Revert API defaults for issuer reference kind and group introduced in 0.19.0
          ([#&#8203;8178](https://redirect.github.com/cert-manager/cert-manager/issues/8178),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n###
          [`v1.19.0`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.0)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.6...v1.19.0)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\n> \u26A0\uFE0F **Known issues**: The following known
          issues are fixed in [v1.19.1](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.1):\n>\n>
          - [Unexpected certificate renewal after upgrading to 1.19.0](https://redirect.github.com/cert-manager/cert-manager/issues/8158)\n\nThis
          release focuses on expanding platform compatibility, improving deployment
          flexibility, enhancing observability, and addressing key reliability issues.\n\n>
          \U0001F4D6  Read the full release notes at cert-manager.io: <https://cert-manager.io/docs/releases/release-notes/release-notes-1.19>\n\nChanges
          since `v1.18.0`:\n\n##### Feature\n\n- Add IPv6 rules to the default network
          policy ([#&#8203;7726](https://redirect.github.com/cert-manager/cert-manager/issues/7726),
          [@&#8203;jcpunk](https://redirect.github.com/jcpunk))\n- Add `global.nodeSelector`
          to helm chart to allow for a single `nodeSelector` to be set across all
          services. ([#&#8203;7818](https://redirect.github.com/cert-manager/cert-manager/issues/7818),
          [@&#8203;StingRayZA](https://redirect.github.com/StingRayZA))\n- Add a feature
          gate to default to Ingress `pathType` `Exact` in ACME HTTP01 Ingress challenge
          solvers. ([#&#8203;7795](https://redirect.github.com/cert-manager/cert-manager/issues/7795),
          [@&#8203;sspreitzer](https://redirect.github.com/sspreitzer))\n- Add generated
          `applyconfigurations` allowing clients to make type-safe server-side apply
          requests for cert-manager resources. ([#&#8203;7866](https://redirect.github.com/cert-manager/cert-manager/issues/7866),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Added API defaults
          to issuer references group (cert-manager.io) and kind (Issuer). ([#&#8203;7414](https://redirect.github.com/cert-manager/cert-manager/issues/7414),
          [@&#8203;erikgb](https://redirect.github.com/erikgb))\n- Added `certmanager_certificate_challenge_status`
          Prometheus metric. ([#&#8203;7736](https://redirect.github.com/cert-manager/cert-manager/issues/7736),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added `protocol`
          field for `rfc2136` DNS01 provider ([#&#8203;7881](https://redirect.github.com/cert-manager/cert-manager/issues/7881),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Added experimental
          field `hostUsers` flag to all pods. Not set by default. ([#&#8203;7973](https://redirect.github.com/cert-manager/cert-manager/issues/7973),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Support configurable
          resource requests and limits for ACME HTTP01 solver pods through ClusterIssuer
          and Issuer specifications, allowing granular resource management that overrides
          global `--acme-http01-solver-resource-*` settings. ([#&#8203;7972](https://redirect.github.com/cert-manager/cert-manager/issues/7972),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- The `CAInjectorMerging`
          feature has been promoted to BETA and is now enabled by default ([#&#8203;8017](https://redirect.github.com/cert-manager/cert-manager/issues/8017),
          [@&#8203;ThatsMrTalbot](https://redirect.github.com/ThatsMrTalbot))\n- The
          controller, webhook and ca-injector now log their version and git commit
          on startup for easier debugging and support. ([#&#8203;8072](https://redirect.github.com/cert-manager/cert-manager/issues/8072),
          [@&#8203;prasad89](https://redirect.github.com/prasad89))\n- Updated `certificate`
          metrics to the collector approach. ([#&#8203;7856](https://redirect.github.com/cert-manager/cert-manager/issues/7856),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n\n##### Bug
          or Regression\n\n- ACME: Increased challenge authorization timeout to 2
          minutes to fix `error waiting for authorization` ([#&#8203;7796](https://redirect.github.com/cert-manager/cert-manager/issues/7796),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- BUGFIX: permitted
          URI domains were incorrectly used to set the excluded URI domains in the
          CSR's name constraints ([#&#8203;7816](https://redirect.github.com/cert-manager/cert-manager/issues/7816),
          [@&#8203;kinolaev](https://redirect.github.com/kinolaev))\n- Enforced ACME
          HTTP-01 solver validation to properly reject configurations when multiple
          ingress options (`class`, `ingressClassName`, `name`) are specified simultaneously
          ([#&#8203;8021](https://redirect.github.com/cert-manager/cert-manager/issues/8021),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Increase
          maximum sizes of PEM certificates and chains which can be parsed in cert-manager,
          to handle leaf certificates with large numbers of DNS names or other identities
          ([#&#8203;7961](https://redirect.github.com/cert-manager/cert-manager/issues/7961),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Reverted
          adding the `global.rbac.disableHTTPChallengesRole` Helm option. ([#&#8203;7836](https://redirect.github.com/cert-manager/cert-manager/issues/7836),
          [@&#8203;inteon](https://redirect.github.com/inteon))\n- This change removes
          the `path` label of core ACME client metrics and will require users to update
          their monitoring dashboards and alerting rules if using those metrics. ([#&#8203;8109](https://redirect.github.com/cert-manager/cert-manager/issues/8109),
          [@&#8203;mladen-rusev-cyberark](https://redirect.github.com/mladen-rusev-cyberark))\n-
          Use the latest version of `ingress-nginx` in E2E tests to ensure compatibility
          ([#&#8203;7792](https://redirect.github.com/cert-manager/cert-manager/issues/7792),
          [@&#8203;wallrj](https://redirect.github.com/wallrj))\n\n##### Other (Cleanup
          or Flake)\n\n- Helm: Fix naming template of `tokenrequest` RoleBinding resource
          to improve consistency ([#&#8203;7761](https://redirect.github.com/cert-manager/cert-manager/issues/7761),
          [@&#8203;lunarwhite](https://redirect.github.com/lunarwhite))\n- Improve
          error messages when certificates, CRLs or private keys fail admission due
          to malformed or missing PEM data ([#&#8203;7928](https://redirect.github.com/cert-manager/cert-manager/issues/7928),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Major upgrade
          of Akamai SDK. NOTE: The new version has not been fully tested end-to-end
          due to the lack of cloud infrastructure. ([#&#8203;8003](https://redirect.github.com/cert-manager/cert-manager/issues/8003),
          [@&#8203;hjoshi123](https://redirect.github.com/hjoshi123))\n- Update kind
          images to include the Kubernetes 1.33 node image ([#&#8203;7786](https://redirect.github.com/cert-manager/cert-manager/issues/7786),
          [@&#8203;wallrj](https://redirect.github.com/wallrj))\n- Use `maps.Copy`
          for cleaner map handling ([#&#8203;8092](https://redirect.github.com/cert-manager/cert-manager/issues/8092),
          [@&#8203;quantpoet](https://redirect.github.com/quantpoet))\n- Vault: Migrate
          Vault E2E add-on tests from deprecated `vault-client-go` to the new `vault/api`
          client. ([#&#8203;8059](https://redirect.github.com/cert-manager/cert-manager/issues/8059),
          [@&#8203;armagankaratosun](https://redirect.github.com/armagankaratosun))\n\n###
          [`v1.18.6`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.6)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.5...v1.18.6)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nv1.18.6 is a simple patch release to fix some reported
          vulnerabilities, most notably [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).\n\nNB:
          We didn't attempt to patch [CVE-2026-24051](https://nvd.nist.gov/vuln/detail/CVE-2026-24051)
          but that vulnerability affects macOS only, so cert-manager will be unaffected.\n\n#####
          Changes by Kind\n\n##### Bug or Regression\n\n- Bump Go to address CVE-2025-68121
          ([#&#8203;8525](https://redirect.github.com/cert-manager/cert-manager/issues/8525),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.18.5`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.5)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.4...v1.18.5)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nThis release contains three bug fixes, including
          a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users
          should upgrade to the latest release.\n\n##### Changes by Kind\n\n#####
          Bug or Regression\n\n- Fixed an infinite re-issuance loop that could occur
          when an issuer returns a certificate with a public key that doesn't match
          the CSR. The issuing controller now validates the certificate before storing
          it and fails with backoff on mismatch. ([#&#8203;8414](https://redirect.github.com/cert-manager/cert-manager/issues/8414),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Fixed an issue where HTTP-01 challenges failed when the Host header contains
          an IPv6 address. This means that users can now issue IP address certificates
          for IPv6 address subjects. ([#&#8203;8437](https://redirect.github.com/cert-manager/cert-manager/issues/8437),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Security (MODERATE): Fix a potential panic in the cert-manager controller
          when a DNS response in an unexpected order was cached. If an attacker was
          able to modify DNS responses (or if they controlled the DNS server) it was
          possible to cause denial of service for the cert-manager controller. ([#&#8203;8467](https://redirect.github.com/cert-manager/cert-manager/issues/8467),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n##### Other
          (Cleanup or Flake)\n\n- Bump go to 1.24.12 ([#&#8203;8460](https://redirect.github.com/cert-manager/cert-manager/issues/8460),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n### [`v1.18.4`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.4)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.3...v1.18.4)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe updated Go to fix some vulnerabilities in the
          standard library.\n\n> \U0001F4D6 Read the [full 1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18)
          on the cert-manager.io website before upgrading.\n\n##### Changes since
          `v1.18.3`\n\n##### Bug or Regression\n\n- Address false positive vulnerabilities
          `CVE-2025-47914` and `CVE-2025-58181` which were reported by Trivy. ([#&#8203;8282](https://redirect.github.com/cert-manager/cert-manager/issues/8282),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Update
          Go to `v1.24.11` to fix `CVE-2025-61727` and `CVE-2025-61729` ([#&#8203;8295](https://redirect.github.com/cert-manager/cert-manager/issues/8295),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n#####
          Other (Cleanup or Flake)\n\n- Update cert-manager's ACME client, forked
          from `golang/x/crypto` ([#&#8203;8271](https://redirect.github.com/cert-manager/cert-manager/issues/8271),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n- Updated
          Debian 12 distroless base images ([#&#8203;8328](https://redirect.github.com/cert-manager/cert-manager/issues/8328),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n\n###
          [`v1.18.3`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.18.3)\n\n[Compare
          Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.18.2...v1.18.3)\n\ncert-manager
          is the easiest way to automatically manage certificates in Kubernetes and
          OpenShift clusters.\n\nWe fixed a bug which caused certificates to be re-issued
          unexpectedly, if the issuerRef kind or group was changed to one of the \"runtime\"
          default values. We increased the size limit when parsing PEM certificate
          chains to handle leaf certificates with large numbers of DNS named or other
          identities. We upgraded Go to 1.24.9 to fix various non-critical security
          vulnerabilities.\n\n> \U0001F4D6 Read the [full 1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18)
          on the cert-manager.io website before upgrading.\n\nChanges since `v1.18.2`:\n\n#####
          Bug or Regression\n\n- BUGFIX: in case kind or group in the issuerRef of
          a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate
          to be renewed ([#&#8203;8174](https://redirect.github.com/cert-manager/cert-manager/issues/8174),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Bump Go to 1.24.9. Fixes the following vulnerabilities: CVE-2025-61724,
          CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186,
          CVE-2025-58185, CVE-2025-58188, CVE-2025-61725 ([#&#8203;8176](https://redirect.github.com/cert-manager/cert-manager/issues/8176),
          [@&#8203;wallrj-cyberark](https://redirect.github.com/wallrj-cyberark))\n-
          Increase maximum sizes of PEM certificates and chains which can be parsed
          in cert-manager, to handle leaf certificates with large numbers of DNS names
          or other identities ([#&#8203;7966](https://redirect.github.com/cert-manager/cert-manager/issues/7966),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n\n#####
          Other (Cleanup or Flake)\n\n- Improve error messages when certificates,
          CRLs or private keys fail admission due to malformed or missing PEM data
          ([#&#8203;7964](https://redirect.github.com/cert-manager/cert-manager/issues/7964),
          [@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))\n-
          Upgrades Go to v1.24.6 ([#&#8203;7974](https://redirect.github.com/cert-manager/cert-manager/issues/7974),
          [@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))\n\n</details>\n\n---\n\n###
          Configuration\n\n\U0001F4C5 **Schedule**: Branch creation - At any time
          (no schedule defined), Automerge - At any time (no schedule defined).\n\n\U0001F6A6
          **Automerge**: Disabled by config. Please merge this manually once you are
          satisfied.\n\n\u267B **Rebasing**: Whenever PR becomes conflicted, or you
          tick the rebase/retry checkbox.\n\n\U0001F515 **Ignore**: Close this PR
          and you won't be reminded about this update again.\n\n---\n\n - [ ] <!--
          rebase-check -->If you want to rebase/retry this PR, check this box\n\n---\n\nThis
          PR was generated by [Mend Renovate](https://mend.io/renovate/). View the
          [repository job log](https://developer.mend.io/github/vexxhost/atmosphere.common).\n<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzEuOSIsInVwZGF0ZWRJblZlciI6IjQzLjk0LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->\n"
        change_url: https://github.com/vexxhost/atmosphere.common/pull/105
        commit_id: 31202f9a494ecda41fc228f97b0affb269c8586d
        patchset: 31202f9a494ecda41fc228f97b0affb269c8586d
        project:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/atmosphere.common
          name: vexxhost/atmosphere.common
          short_name: atmosphere.common
          src_dir: src/github.com/vexxhost/atmosphere.common
        topic: null
      job: atmosphere-common-molecule-secretgen-controller
      jobtags: []
      max_attempts: 3
      message: Y2hvcmUoZGVwcyk6IHVwZGF0ZSBoZWxtIHJlbGVhc2UgY2VydC1tYW5hZ2VyIHRvIHYxLjIwLjEKClRoaXMgUFIgY29udGFpbnMgdGhlIGZvbGxvd2luZyB1cGRhdGVzOgoKfCBQYWNrYWdlIHwgVXBkYXRlIHwgQ2hhbmdlIHwKfC0tLXwtLS18LS0tfAp8IFtjZXJ0LW1hbmFnZXJdKGh0dHBzOi8vY2VydC1tYW5hZ2VyLmlvKSAoW3NvdXJjZV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIpKSB8IG1pbm9yIHwgYDEuMTguMmAg4oaSIGAxLjIwLjFgIHwKCi0tLQoKIyMjIFJlbGVhc2UgTm90ZXMKCjxkZXRhaWxzPgo8c3VtbWFyeT5jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyIChjZXJ0LW1hbmFnZXIpPC9zdW1tYXJ5PgoKIyMjIFtgdjEuMjAuMWBdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL3JlbGVhc2VzL3RhZy92MS4yMC4xKQoKW0NvbXBhcmUgU291cmNlXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9jb21wYXJlL3YxLjIwLjAuLi52MS4yMC4xKQoKdjEuMjAuMSBmaXhlcyBhbiBpc3N1ZSBmb3IgT3BlblNoaWZ0IHVzZXJzIHRoYXQgaGFzIHRvIGRvIHdpdGggdGhlIGZpbmFsaXplciBSQkFDLCBidW1wcyBnUlBDIHRvIGFkZHJlc3MgYSByZXBvcnRlZCBub24tYWZmZWN0aW5nIHZ1bG5lcmFiaWxpdHksIGFuZCBmaXhlcyBhIGR1cGxpY2F0ZSBgcGFyZW50UmVmYCBidWcgd2hlbiBib3RoIGlzc3VlciBjb25maWcgYW5kIGFubm90YXRpb25zIGFyZSBwcmVzZW50IChHYXRld2F5IEFQSSkuCgojIyMjIyBCdWcgb3IgUmVncmVzc2lvbgoKLSBGaXhlZCBkdXBsaWNhdGUgYHBhcmVudFJlZmAgYnVnIHdoZW4gYm90aCBpc3N1ZXIgY29uZmlnIGFuZCBhbm5vdGF0aW9ucyBhcmUgcHJlc2VudC4gKFsjJiM4MjAzOzg2NThdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84NjU4KSwgW0AmIzgyMDM7aGpvc2hpMTIzXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vaGpvc2hpMTIzKSkKLSBBZGQgbWlzc2luZyBpc3N1ZXIgZmluYWxpemVyIFJCQUMgdG8gdGhlIG9yZGVyIGNvbnRyb2xsZXIgdG8gc3VwcG9ydCBvd25lciByZWZlcmVuY2VzLiBUaGlzIHdhcyBwcmV2ZW50aW5nIE9wZW5TaGlmdCB1c2VycyBmcm9tIGJlaW5nIGFibGUgdG8gdXBncmFkZSB0byB2MS4yMC4wLiAoWyMmIzgyMDM7ODY1NV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzg2NTUpLCBbQCYjODIwMztlcmlrZ2JdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9lcmlrZ2IpKQotIEJ1bXAgZ29vZ2xlLmdvbGFuZy5vcmcvZ3JwYyB0byBmaXggdnVsbmVyYWJpbGl0eSByZXBvcnRlZCBieSBzY2FubmVycy4gVGhpcyBpc24ndCBhIHZ1bG5lcmFiaWxpdHkgdGhhdCBhZmZlY3RzIGNlcnQtbWFuYWdlciwgYnV0IHdlIGFyZSBidW1waW5nIGl0IGJlY2F1c2UgaXQgaXMgcmVwb3J0ZWQgYnkgc2Nhbm5lcnMuIChbIyYjODIwMzs4NjU3XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODY1NyksIFtAJiM4MjAzO2VyaWtnYl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2VyaWtnYikpCgojIyMgW2B2MS4yMC4wYF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvcmVsZWFzZXMvdGFnL3YxLjIwLjApCgpbQ29tcGFyZSBTb3VyY2VdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2NvbXBhcmUvdjEuMTkuNC4uLnYxLjIwLjApCgpjZXJ0LW1hbmFnZXIgaXMgdGhlIGVhc2llc3Qgd2F5IHRvIGF1dG9tYXRpY2FsbHkgbWFuYWdlIGNlcnRpZmljYXRlcyBpbiBLdWJlcm5ldGVzIGFuZCBPcGVuU2hpZnQgY2x1c3RlcnMuCgp2MS4yMC4wIGFkZHMgYWxwaGEgc3VwcG9ydCBmb3IgdGhlIG5ldyBMaXN0ZW5lclNldCByZXNvdXJjZSwgYWRkcyBzdXBwb3J0IGZvciBBenVyZSBQcml2YXRlIEROUzsgcGFyZW50UmVmcyBhcmUgbm8gbG9uZ2VyIHJlcXVpcmVkIHdoZW4gdXNpbmcgQUNNRSB3aXRoIEdhdGV3YXkgQVBJLCBhbmQgT3RoZXJOYW1lcyB3YXMgcHJvbW90ZWQgdG8gQmV0YS4KCiMjIyMgQ2hhbmdlcyBieSBLaW5kCgojIyMjIyBGZWF0dXJlCgotIEFkZGVkIGEgc2V0IG9mIGZsYWdzIHRvIHBlcm1pdCBzZXR0aW5nIE5ldHdvcmtQb2xpY3kgYWNyb3NzIGFsbCBkZXBsb3llZCBjb250YWluZXJzLiBSZW1vdmUgcmVkdW5kYW50IGdsb2JhbCBJUCByYW5nZXMgZnJvbSBleGFtcGxlIHBvbGljaWVzLiAoWyMmIzgyMDM7ODM3MF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgzNzApLCBbQCYjODIwMztqY3B1bmtdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9qY3B1bmspKQotIEFkZGVkIHNlbGVjdGFibGUgZmllbGRzIHRvIGN1c3RvbSByZXNvdXJjZSBkZWZpbml0aW9ucyBmb3IgLnNwZWMuaXNzdWVyUmVmLntncm91cCwga2luZCwgbmFtZX0gKFsjJiM4MjAzOzgyNTZdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MjU2KSwgW0AmIzgyMDM7dGFyZWtzaGFdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS90YXJla3NoYSkpCi0gQWRkZWQgc3VwcG9ydCBmb3Igc3BlY2lmeWluZyBgaW1hZ2VQdWxsU2VjcmV0c2AgaW4gdGhlIGBzdGFydHVwYXBpY2hlY2stam9iYCBIZWxtIHRlbXBsYXRlIHRvIGVuYWJsZSBwdWxsaW5nIGltYWdlcyBmcm9tIHByaXZhdGUgcmVnaXN0cmllcy4gKFsjJiM4MjAzOzgxODZdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MTg2KSwgW0AmIzgyMDM7bWF0aGlldS1jbG5rXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vbWF0aGlldS1jbG5rKSkKLSBBZGRlZCAnZXh0cmFDb250YWluZXJzJyBoZWxtIGNoYXJ0IHZhbHVlLCBhbGxvd2luZyB0aGUgZGVwbG95bWVudCBvZiBhcmJpdHJhcnkgc2lkZWNhciBjb250YWluZXJzIHdpdGhpbiB0aGUgY2VydC1tYW5hZ2VyIG9wZXJhdG9yIHBvZC4gVGhpcyBjYW4gYmUgdXNlZCB0byBzdXBwb3J0LCBmb3IgZS5nLiwgQVdTIElBTSBSb2xlcyBBbnl3aGVyZSBmb3IgUm91dGU1MyBETlMwMSB2ZXJpZmljYXRpb24uIChbIyYjODIwMzs4MzU1XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODM1NSksIFtAJiM4MjAzO2RhbmNtZXllcnNdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9kYW5jbWV5ZXJzKSkKLSBBZGRlZCBgcGFyZW50UmVmYCBvdmVycmlkZSBhbm5vdGF0aW9ucyBvbiB0aGUgQ2VydGlmaWNhdGUgcmVzb3VyY2UuIChbIyYjODIwMzs4NTE4XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODUxOCksIFtAJiM4MjAzO2hqb3NoaTEyM10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2hqb3NoaTEyMykpCi0gQWRkZWQgc3VwcG9ydCBmb3IgYXp1cmUgcHJpdmF0ZSB6b25lcyBmb3IgZG5zMDEgaXNzdWVyLiAoWyMmIzgyMDM7ODQ5NF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzg0OTQpLCBbQCYjODIwMztoam9zaGkxMjNdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9oam9zaGkxMjMpKQotIEFkZGVkIHN1cHBvcnQgZm9yIGNvbmZpZ3VyaW5nIFBFTSBkZWNvZGluZyBzaXplIGxpbWl0cywgYWxsb3dpbmcgb3BlcmF0b3JzIHRvIGhhbmRsZSBsYXJnZXIgY2VydGlmaWNhdGVzIGFuZCBrZXlzLiAoWyMmIzgyMDM7NzY0Ml0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc2NDIpLCBbQCYjODIwMztyb2JlcnRsZXN0YWtdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9yb2JlcnRsZXN0YWspKQotIEFkZGVkIHN1cHBvcnQgZm9yIHVuaGVhbHRoeVBvZEV2aWN0aW9uUG9saWN5IGluIFBvZERpc3J1cHRpb25CdWRnZXQgKFsjJiM4MjAzOzc3MjhdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy83NzI4KSwgW0AmIzgyMDM7amNwdW5rXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vamNwdW5rKSkKLSBGb3IgVmVuYWZpIHByb3ZpZGVyLCByZWFkIGB2ZW5hZmkuY2VydC1tYW5hZ2VyLmlvL2N1c3RvbS1maWVsZHNgIGFubm90YXRpb24gb24gSXNzdWVyL0NsdXN0ZXJJc3N1ZXIgYW5kIHVzZSBpdCBhcyBiYXNlIHdpdGggb3ZlcnJpZGUvYXBwZW5kIGNhcGFiaWxpdGllcyBvbiBDZXJ0aWZpY2F0ZSBsZXZlbC4gKFsjJiM4MjAzOzgzMDFdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MzAxKSwgW0AmIzgyMDM7azBkYV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2swZGEpKQotIEltcHJvdmUgZXJyb3IgbWVzc2FnZSB3aGVuIENBIGlzc3VlcnMgYXJlIG1pc2NvbmZpZ3VyZWQgdG8gdXNlIGEgY2xhc2hpbmcgc2VjcmV0IG5hbWUgKFsjJiM4MjAzOzgzNzRdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84Mzc0KSwgW0AmIzgyMDM7bWFqaWF5dTAwMF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL21hamlheXUwMDApKQotIEludHJvZHVjZSBhIG5ldyBJbmdyZXNzIGFubm90YXRpb24gYGFjbWUuY2VydC1tYW5hZ2VyLmlvL2h0dHAwMS1pbmdyZXNzLWluZ3Jlc3NjbGFzc25hbWVgIHRvIG92ZXJyaWRlIGBodHRwMDEuaW5ncmVzcy5pbmdyZXNzQ2xhc3NOYW1lYCBmaWVsZCBpbiBIVFRQLTAxIGNoYWxsZW5nZSBzb2x2ZXJzLiAoWyMmIzgyMDM7ODI0NF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgyNDQpLCBbQCYjODIwMztsdW5hcndoaXRlXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vbHVuYXJ3aGl0ZSkpCi0gVXBkYXRlIGBnbG9iYWwubm9kZVNlbGVjdG9yYCB0byBoZWxtIGNoYXJ0IHRvIHBlcmZvcm0gYSBgbWVyZ2VgIGFuZCBhbGxvdyBmb3IgYSBzaW5nbGUgYG5vZGVTZWxlY3RvcmAgdG8gYmUgc2V0IGFjcm9zcyBhbGwgc2VydmljZXMuIChbIyYjODIwMzs4MTk1XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODE5NSksIFtAJiM4MjAzO1N0aW5nUmF5WkFdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9TdGluZ1JheVpBKSkKLSBWYXVsdCBpc3N1ZXJzIHdpbGwgbm93IGluY2x1ZGUgdGhlIFZhdWx0IHNlcnZlciBhZGRyZXNzIGFzIG9uZSBvZiB0aGUgZGVmYXVsdCBhdWRpZW5jZXMgb24gZ2VuZXJhdGVkIHNlcnZpY2UgYWNjb3VudCB0b2tlbnMuIChbIyYjODIwMzs4MjI4XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODIyOCksIFtAJiM4MjAzO3Rlcmluam9rZXNdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS90ZXJpbmpva2VzKSkKLSBBZGRlZCBleHBlcmltZW50YWwgYFhMaXN0ZW5lclNldHNgIGZlYXR1cmUgZ2F0ZSAoWyMmIzgyMDM7ODM5NF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgzOTQpLCBbQCYjODIwMztoam9zaGkxMjNdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9oam9zaGkxMjMpKQoKIyMjIyMgRG9jdW1lbnRhdGlvbgoKLSBBZGQgR1dBUEkgZG9jdW1lbnRhdGlvbiB0byBOT1RFUy5UWFQgaW4gaGVsbSBjaGFydCAoWyMmIzgyMDM7ODM1M10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgzNTMpLCBbQCYjODIwMztqYXhlbHMxMF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2pheGVsczEwKSkKCiMjIyMjIEJ1ZyBvciBSZWdyZXNzaW9uCgotIEFkZHMgbG9ncyBmb3IgY2FzZXMgd2hlbiBhY21lIHNlcnZlciByZXR1cm5zIHVzIGEgZmF0YWwgZXJyb3IgaW4gdGhlIG9yZGVyIGNvbnRyb2xsZXIgKFsjJiM4MjAzOzgxOTldKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MTk5KSwgW0AmIzgyMDM7UGVhYzM2XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vUGVhYzM2KSkKLSBGaXhlZCBhbiBpc3N1ZSB3aGVyZSBraW5kIG9yIGdyb3VwIGluIHRoZSBpc3N1ZXJSZWYgb2YgYSBDZXJ0aWZpY2F0ZSB3YXMgb21pdHRlZCwgdXBncmFkaW5nIHRvIDEuMTkueCBpbmNvcnJlY3RseSBjYXVzZWQgdGhlIGNlcnRpZmljYXRlIHRvIGJlIHJlbmV3ZWQgKFsjJiM4MjAzOzgxNjBdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MTYwKSwgW0AmIzgyMDM7aW50ZW9uXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vaW50ZW9uKSkKLSBDaGFuZ2VzIHRvIHRoZSBEdXJhdGlvbiBhbmQgUmVuZXdCZWZvcmUgYW5ub3RhdGlvbnMgb24gaW5ncmVzcyBhbmQgZ2F0ZXdheS1hcGkgcmVzb3VyY2VzIHdpbGwgbm93IHRyaWdnZXIgY2VydGlmaWNhdGUgdXBkYXRlcy4gKFsjJiM4MjAzOzgyMzJdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MjMyKSwgW0AmIzgyMDM7ZWxlYW5vci1tZXJyeV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2VsZWFub3ItbWVycnkpKQotIEZpeCBhbiBpc3N1ZSB3aGVyZSBBQ01FIGNoYWxsZW5nZSBUWFQgcmVjb3JkcyBhcmUgbm90IGNsZWFuZWQgdXAgd2hlbiB0aGVyZSBhcmUgbWFueSByZXNvdXJjZSByZWNvcmRzIGluIENsb3VkRE5TLiAoWyMmIzgyMDM7ODQ1Nl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzg0NTYpLCBbQCYjODIwMzt0a25hXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vdGtuYSkpCi0gRml4IHVucmVndWxhdGVkIHJldHJpZXMgd2l0aCB0aGUgRGlnaXRhbE9jZWFuIEROUy0wMSBzb2x2ZXIKICBBZGQgZnVsbCBkZXRhaWxlZCBETlMtMDEgZXJyb3JzIHRvIHRoZSBldmVudHMgYXR0YWNoZWQgdG8gdGhlIENoYWxsZW5nZSwgZm9yIGVhc2llciBkZWJ1Z2dpbmcgKFsjJiM4MjAzOzgyMjFdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MjIxKSwgW0AmIzgyMDM7d2FsbHJqLWN5YmVyYXJrXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vd2FsbHJqLWN5YmVyYXJrKSkKLSBGaXhlZCBhbiBpbmZpbml0ZSByZS1pc3N1YW5jZSBsb29wIHRoYXQgY291bGQgb2NjdXIgd2hlbiBhbiBpc3N1ZXIgcmV0dXJucyBhIGNlcnRpZmljYXRlIHdpdGggYSBwdWJsaWMga2V5IHRoYXQgZG9lc24ndCBtYXRjaCB0aGUgQ1NSLiBUaGUgaXNzdWluZyBjb250cm9sbGVyIG5vdyB2YWxpZGF0ZXMgdGhlIGNlcnRpZmljYXRlIGJlZm9yZSBzdG9yaW5nIGl0IGFuZCBmYWlscyB3aXRoIGJhY2tvZmYgb24gbWlzbWF0Y2guIChbIyYjODIwMzs4NDAzXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODQwMyksIFtAJiM4MjAzO2NhbG0zMjldKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jYWxtMzI5KSkKLSBGaXhlZCBhbiBpc3N1ZSB3aGVyZSBIVFRQLTAxIGNoYWxsZW5nZXMgZmFpbGVkIHdoZW4gdGhlIEhvc3QgaGVhZGVyIGNvbnRhaW5zIGFuIElQdjYgYWRkcmVzcy4gVGhpcyBtZWFucyB0aGF0IHVzZXJzIGNhbiBub3cgaXNzdWUgSVAgYWRkcmVzcyBjZXJ0aWZpY2F0ZXMgZm9yIElQdjYgYWRkcmVzcyBzdWJqZWN0cy4gKFsjJiM4MjAzOzg0MjRdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84NDI0KSwgW0AmIzgyMDM7U2xhc2hOZXBoeV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL1NsYXNoTmVwaHkpKQotIEZpeGVkIHRoZSBIVFRQLTAxIEdhdGV3YXkgc29sdmVyIGNyZWF0aW5nIGludmFsaWQgSFRUUFJvdXRlcyBieSBub3Qgc2V0dGluZyBzcGVjLmhvc3RuYW1lcyB3aGVuIHRoZSBjaGFsbGVuZ2UgRE5TTmFtZSBpcyBhbiBJUCBhZGRyZXNzLiAoWyMmIzgyMDM7ODQ0M10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzg0NDMpLCBbQCYjODIwMzthbHZpc3M3XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vYWx2aXNzNykpCi0gUmV2ZXJ0IEFQSSBkZWZhdWx0cyBmb3IgaXNzdWVyIHJlZmVyZW5jZSBraW5kIGFuZCBncm91cCBpbnRyb2R1Y2VkIGluIDAuMTkuMCAoWyMmIzgyMDM7ODE3M10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgxNzMpLCBbQCYjODIwMztlcmlrZ2JdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9lcmlrZ2IpKQotIFNlY3VyaXR5IChNT0RFUkFURSk6IEZpeCBhIHBvdGVudGlhbCBwYW5pYyBpbiB0aGUgY2VydC1tYW5hZ2VyIGNvbnRyb2xsZXIgd2hlbiBhIEROUyByZXNwb25zZSBpbiBhbiB1bmV4cGVjdGVkIG9yZGVyIHdhcyBjYWNoZWQuIElmIGFuIGF0dGFja2VyIHdhcyBhYmxlIHRvIG1vZGlmeSBETlMgcmVzcG9uc2VzIChvciBpZiB0aGV5IGNvbnRyb2xsZWQgdGhlIEROUyBzZXJ2ZXIpIGl0IHdhcyBwb3NzaWJsZSB0byBjYXVzZSBkZW5pYWwgb2Ygc2VydmljZSBmb3IgdGhlIGNlcnQtbWFuYWdlciBjb250cm9sbGVyLiAoWyMmIzgyMDM7ODQ2OV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzg0NjkpLCBbQCYjODIwMztTZ3RDb0RGaXNoXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vU2d0Q29ERmlzaCkpCi0gVXBkYXRlIEdvIHRvIGB2MS4yNS41YCB0byBmaXggYENWRS0yMDI1LTYxNzI3YCBhbmQgYENWRS0yMDI1LTYxNzI5YCAoWyMmIzgyMDM7ODI5MF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgyOTApLCBbQCYjODIwMztvY3RvLXN0c10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL29jdG8tc3RzKVxbYm90XSkKLSBXaGVuIFByb21ldGhldXMgbW9uaXRvcmluZyBpcyBlbmFibGVkLCB0aGUgbWV0cmljcyBsYWJlbCBpcyBub3cgc2V0IHRvIHRoZSBpbnRlbmRlZCB2YWx1ZSBvZiBgY2VydC1tYW5hZ2VyYC4gUHJldmlvdXNseSwgaXQgd2FzIHNldCBkZXBlbmRpbmcgb24gdmFyaW91cyBmYWN0b3JzIChuYW1lc3BhY2UgY2VydC1tYW5hZ2VyIGlzIGluc3RhbGxlZCBpbiBhbmQvb3IgSGVsbSByZWxlYXNlIG5hbWUpLiAoWyMmIzgyMDM7ODE2Ml0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgxNjIpLCBbQCYjODIwMztMaXF1aWRQTF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL0xpcXVpZFBMKSkKCiMjIyMjIE90aGVyIChDbGVhbnVwIG9yIEZsYWtlKQoKLSBQcm9tb3RlZCB0aGUgT3RoZXJOYW1lcyBmZWF0dXJlIHRvIEJldGEgYW5kIGVuYWJsZWQgaXQgYnkgZGVmYXVsdCAoWyMmIzgyMDM7ODI4OF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgyODgpLCBbQCYjODIwMzt3YWxscmotY3liZXJhcmtdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS93YWxscmotY3liZXJhcmspKQotIFByb21vdGluZyBgWExpc3RlbmVyU2V0c2AgZmVhdHVyZSBnYXRlIHRvIGBMaXN0ZW5lclNldHNgIChbIyYjODIwMzs4NTAxXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODUwMSksIFtAJiM4MjAzO2hqb3NoaTEyM10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2hqb3NoaTEyMykpCi0gUmVicmFuZGluZyBvZiB0aGUgVmVuYWZpIElzc3VlciB0byBDeWJlckFyayAoWyMmIzgyMDM7ODIxNV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgyMTUpLCBbQCYjODIwMztpb3NzaWZiZW5iYXNzYXQxMjNdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9pb3NzaWZiZW5iYXNzYXQxMjMpKQotIFN3aXRjaGVkIHRvIFNTQSBmb3IgY2hhbGxlbmdlIGZpbmFsaXplciB1cGRhdGVzIChbIyYjODIwMzs4NTE5XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODUxOSksIFtAJiM4MjAzO2ludGVvbl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2ludGVvbikpCi0gVGhlIGRlZmF1bHQgY29udGFpbmVyIHVzZXIgKFVJRCkgaXMgbm93IDY1NTMyIChwcmV2aW91c2x5IDEwMDApIGFuZCB0aGUgZGVmYXVsdCBjb250YWluZXIgZ3JvdXAgKEdJRCkgaXMgbm93IDY1NTMyIChwcmV2aW91c2x5IDApIChbIyYjODIwMzs4NDA4XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODQwOCksIFtAJiM4MjAzO3dhbGxyai1jeWJlcmFya10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL3dhbGxyai1jeWJlcmFyaykpCi0gVGhlIGZlYXR1cmUtZ2F0ZSBEZWZhdWx0UHJpdmF0ZUtleVJvdGF0aW9uUG9saWN5QWx3YXlzIG1vdmVkIGZyb20gQmV0YSB0byBHQSBhbmQgY2FuIG5vIGxvbmdlciBiZSBkaXNhYmxlZC4gKFsjJiM4MjAzOzgyODddKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84Mjg3KSwgW0AmIzgyMDM7d2FsbHJqLWN5YmVyYXJrXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vd2FsbHJqLWN5YmVyYXJrKSkKLSBVcGRhdGUgY2VydC1tYW5hZ2VyJ3MgQUNNRSBjbGllbnQsIGZvcmtlZCBmcm9tIGdvbGFuZy94L2NyeXB0byAoWyMmIzgyMDM7ODI2OF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgyNjgpLCBbQCYjODIwMztTZ3RDb0RGaXNoXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vU2d0Q29ERmlzaCkpCi0gVXNlIHRoZSBsYXRlc3QgdmVyc2lvbiBvZiBLeXZlcm5vICgxLjE2LjIpIGluIHRoZSBiZXN0LXByYWN0aWNlIGluc3RhbGxhdGlvbiB0ZXN0cyAoWyMmIzgyMDM7ODM4OV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgzODkpLCBbQCYjODIwMzt3YWxscmotY3liZXJhcmtdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS93YWxscmotY3liZXJhcmspKQotIFdlIHN0b3BwZWQgdGVzdGluZyB3aXRoIENvdXRvdXIgZHVlIHRvIGl0IG5vdCBzdXBwb3J0aW5nIHRoZSBuZXcgWExpc3RlbmVyU2V0IHJlc291cmNlLCBhbmQgbW92ZWQgdG8ga2dhdGV3YXkuIChbIyYjODIwMzs4NDI2XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODQyNiksIFtAJiM4MjAzO2hqb3NoaTEyM10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2hqb3NoaTEyMykpCgojIyMgW2B2MS4xOS40YF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvcmVsZWFzZXMvdGFnL3YxLjE5LjQpCgpbQ29tcGFyZSBTb3VyY2VdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2NvbXBhcmUvdjEuMTkuMy4uLnYxLjE5LjQpCgpjZXJ0LW1hbmFnZXIgaXMgdGhlIGVhc2llc3Qgd2F5IHRvIGF1dG9tYXRpY2FsbHkgbWFuYWdlIGNlcnRpZmljYXRlcyBpbiBLdWJlcm5ldGVzIGFuZCBPcGVuU2hpZnQgY2x1c3RlcnMuCgp2MS4xOS40IGlzIGEgc2ltcGxlIHBhdGNoIHJlbGVhc2UgdG8gZml4IHNvbWUgcmVwb3J0ZWQgdnVsbmVyYWJpbGl0aWVzIC0gbm90YWJseSBDVkUtMjAyNi0yNDA1MSBhbmQgQ1ZFLTIwMjUtNjgxMjEuIEFsbCB1c2VycyBzaG91bGQgdXBncmFkZS4KCiMjIyMgQ2hhbmdlcyBieSBLaW5kCgojIyMjIyBCdWcgb3IgUmVncmVzc2lvbgoKLSBCdW1wIGdvIHRvIGFkZHJlc3MgQ1ZFLTIwMjUtNjgxMjEgKFsjJiM4MjAzOzg1MjZdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84NTI2KSwgW0AmIzgyMDM7U2d0Q29ERmlzaF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL1NndENvREZpc2gpKQotIEJ1bXAgb3RlbCBTREsgdG8gYWRkcmVzcyBHTy0yMDI2LTQzOTQgKFsjJiM4MjAzOzg1MzFdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84NTMxKSwgW0AmIzgyMDM7U2d0Q29ERmlzaF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL1NndENvREZpc2gpKQoKIyMjIFtgdjEuMTkuM2BdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL3JlbGVhc2VzL3RhZy92MS4xOS4zKQoKW0NvbXBhcmUgU291cmNlXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9jb21wYXJlL3YxLjE5LjIuLi52MS4xOS4zKQoKY2VydC1tYW5hZ2VyIGlzIHRoZSBlYXNpZXN0IHdheSB0byBhdXRvbWF0aWNhbGx5IG1hbmFnZSBjZXJ0aWZpY2F0ZXMgaW4gS3ViZXJuZXRlcyBhbmQgT3BlblNoaWZ0IGNsdXN0ZXJzLgoKVGhpcyByZWxlYXNlIGNvbnRhaW5zIHRocmVlIGJ1ZyBmaXhlcywgaW5jbHVkaW5nIGEgZml4IGZvciB0aGUgTU9ERVJBVEUgc2V2ZXJpdHkgRG9TIGlzc3VlIGluIEdIU0EtZ3gzeC12cTRwLW1oaHYuIEFsbCB1c2VycyBzaG91bGQgdXBncmFkZSB0byB0aGUgbGF0ZXN0IHJlbGVhc2UuCgojIyMjIENoYW5nZXMgYnkgS2luZAoKIyMjIyMgQnVnIG9yIFJlZ3Jlc3Npb24KCi0gRml4ZWQgYW4gaW5maW5pdGUgcmUtaXNzdWFuY2UgbG9vcCB0aGF0IGNvdWxkIG9jY3VyIHdoZW4gYW4gaXNzdWVyIHJldHVybnMgYSBjZXJ0aWZpY2F0ZSB3aXRoIGEgcHVibGljIGtleSB0aGF0IGRvZXNuJ3QgbWF0Y2ggdGhlIENTUi4gVGhlIGlzc3VpbmcgY29udHJvbGxlciBub3cgdmFsaWRhdGVzIHRoZSBjZXJ0aWZpY2F0ZSBiZWZvcmUgc3RvcmluZyBpdCBhbmQgZmFpbHMgd2l0aCBiYWNrb2ZmIG9uIG1pc21hdGNoLiAoWyMmIzgyMDM7ODQxNV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzg0MTUpLCBbQCYjODIwMztjZXJ0LW1hbmFnZXItYm90XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyLWJvdCkpCi0gRml4ZWQgYW4gaXNzdWUgd2hlcmUgSFRUUC0wMSBjaGFsbGVuZ2VzIGZhaWxlZCB3aGVuIHRoZSBIb3N0IGhlYWRlciBjb250YWluZWQgYW4gSVB2NiBhZGRyZXNzLiBUaGlzIG1lYW5zIHRoYXQgdXNlcnMgY2FuIG5vdyBpc3N1ZSBJUCBhZGRyZXNzIGNlcnRpZmljYXRlcyBmb3IgSVB2NiBhZGRyZXNzIHN1YmplY3RzLiAoWyMmIzgyMDM7ODQzNl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzg0MzYpLCBbQCYjODIwMztjZXJ0LW1hbmFnZXItYm90XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyLWJvdCkpCi0gU2VjdXJpdHkgKE1PREVSQVRFKTogRml4IGEgcG90ZW50aWFsIHBhbmljIGluIHRoZSBjZXJ0LW1hbmFnZXIgY29udHJvbGxlciB3aGVuIGEgRE5TIHJlc3BvbnNlIGluIGFuIHVuZXhwZWN0ZWQgb3JkZXIgd2FzIGNhY2hlZC4gSWYgYW4gYXR0YWNrZXIgd2FzIGFibGUgdG8gbW9kaWZ5IEROUyByZXNwb25zZXMgKG9yIGlmIHRoZXkgY29udHJvbGxlZCB0aGUgRE5TIHNlcnZlcikgaXQgd2FzIHBvc3NpYmxlIHRvIGNhdXNlIGRlbmlhbCBvZiBzZXJ2aWNlIGZvciB0aGUgY2VydC1tYW5hZ2VyIGNvbnRyb2xsZXIuIChbIyYjODIwMzs4NDY4XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODQ2OCksIFtAJiM4MjAzO1NndENvREZpc2hdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9TZ3RDb0RGaXNoKSkKCiMjIyMjIE90aGVyIChDbGVhbnVwIG9yIEZsYWtlKQoKLSBCdW1wIGdvIHRvIDEuMjUuNiAoWyMmIzgyMDM7ODQ1OV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzg0NTkpLCBbQCYjODIwMztTZ3RDb0RGaXNoXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vU2d0Q29ERmlzaCkpCgojIyMgW2B2MS4xOS4yYF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvcmVsZWFzZXMvdGFnL3YxLjE5LjIpCgpbQ29tcGFyZSBTb3VyY2VdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2NvbXBhcmUvdjEuMTkuMS4uLnYxLjE5LjIpCgpjZXJ0LW1hbmFnZXIgaXMgdGhlIGVhc2llc3Qgd2F5IHRvIGF1dG9tYXRpY2FsbHkgbWFuYWdlIGNlcnRpZmljYXRlcyBpbiBLdWJlcm5ldGVzIGFuZCBPcGVuU2hpZnQgY2x1c3RlcnMuCgpXZSB1cGRhdGVkIEdvIHRvIGZpeCBzb21lIHZ1bG5lcmFiaWxpdGllcyBpbiB0aGUgc3RhbmRhcmQgbGlicmFyeS4KCj4g8J+TliBSZWFkIHRoZSBbZnVsbCAxLjE5IHJlbGVhc2Ugbm90ZXNdKGh0dHBzOi8vY2VydC1tYW5hZ2VyLmlvL2RvY3MvcmVsZWFzZXMvcmVsZWFzZS1ub3Rlcy9yZWxlYXNlLW5vdGVzLTEuMTkpIG9uIHRoZSBjZXJ0LW1hbmFnZXIuaW8gd2Vic2l0ZSBiZWZvcmUgdXBncmFkaW5nLgoKIyMjIyMgQ2hhbmdlcyBzaW5jZSBgdjEuMTkuMWAKCiMjIyMjIEJ1ZyBvciBSZWdyZXNzaW9uCgotIEFkZHJlc3MgZmFsc2UgcG9zaXRpdmUgdnVsbmVyYWJpbGl0aWVzIGBDVkUtMjAyNS00NzkxNGAgYW5kIGBDVkUtMjAyNS01ODE4MWAgd2hpY2ggd2VyZSByZXBvcnRlZCBieSBUcml2eS4gKFsjJiM4MjAzOzgyODNdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MjgzKSwgW0AmIzgyMDM7U2d0Q29ERmlzaF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL1NndENvREZpc2gpKQotIFVwZGF0ZSBHbyB0byBgdjEuMjUuNWAgdG8gZml4IGBDVkUtMjAyNS02MTcyN2AgYW5kIGBDVkUtMjAyNS02MTcyOWAgKFsjJiM4MjAzOzgyOTRdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84Mjk0KSwgW0AmIzgyMDM7d2FsbHJqLWN5YmVyYXJrXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vd2FsbHJqLWN5YmVyYXJrKSkKLSBVcGRhdGUgYGdsb2JhbC5ub2RlU2VsZWN0b3JgIHRvIGhlbG0gY2hhcnQgdG8gcGVyZm9ybSBhIGBtZXJnZWAgYW5kIGFsbG93IGZvciBhIHNpbmdsZSBgbm9kZVNlbGVjdG9yYCB0byBiZSBzZXQgYWNyb3NzIGFsbCBzZXJ2aWNlcy4gKFsjJiM4MjAzOzgyMzNdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MjMzKSwgW0AmIzgyMDM7Y2VydC1tYW5hZ2VyLWJvdF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci1ib3QpKQoKIyMjIyMgT3RoZXIgKENsZWFudXAgb3IgRmxha2UpCgotIFVwZGF0ZSBjZXJ0LW1hbmFnZXIncyBBQ01FIGNsaWVudCwgZm9ya2VkIGZyb20gYGdvbGFuZy94L2NyeXB0b2AgKFsjJiM4MjAzOzgyNzBdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MjcwKSwgW0AmIzgyMDM7U2d0Q29ERmlzaF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL1NndENvREZpc2gpKQotIFVwZGF0ZWQgRGViaWFuIDEyIGRpc3Ryb2xlc3MgYmFzZSBpbWFnZXMgKFsjJiM4MjAzOzgzMjZdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MzI2KSwgW0AmIzgyMDM7d2FsbHJqLWN5YmVyYXJrXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vd2FsbHJqLWN5YmVyYXJrKSkKCiMjIyBbYHYxLjE5LjFgXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9yZWxlYXNlcy90YWcvdjEuMTkuMSkKCltDb21wYXJlIFNvdXJjZV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvY29tcGFyZS92MS4xOS4wLi4udjEuMTkuMSkKCmNlcnQtbWFuYWdlciBpcyB0aGUgZWFzaWVzdCB3YXkgdG8gYXV0b21hdGljYWxseSBtYW5hZ2UgY2VydGlmaWNhdGVzIGluIEt1YmVybmV0ZXMgYW5kIE9wZW5TaGlmdCBjbHVzdGVycy4KCldlIHJldmVydGVkIHRoZSBDUkQtYmFzZWQgQVBJIGRlZmF1bHRzIGZvciBgQ2VydGlmaWNhdGUuU3BlYy5Jc3N1ZXJSZWZgIGFuZCBgQ2VydGlmaWNhdGVSZXF1ZXN0LlNwZWMuSXNzdWVyUmVmYCBhZnRlciB0aGV5IHdlcmUgZm91bmQgdG8gY2F1c2UgdW5leHBlY3RlZCBjZXJ0aWZpY2F0ZSByZW5ld2FscyBhZnRlciB1cGdyYWRpbmcgdG8gMS4xOS4wLiBXZSB3aWxsIHRyeSByZS1pbnRyb2R1Y2luZyB0aGVzZSBBUEkgZGVmYXVsdHMgaW4gY2VydC1tYW5hZ2VyIGAxLjIwYC4KV2UgZml4ZWQgYSBidWcgdGhhdCBjYXVzZWQgY2VydGlmaWNhdGVzIHRvIGJlIHJlLWlzc3VlZCB1bmV4cGVjdGVkbHkgaWYgdGhlIGBpc3N1ZXJSZWZgIGtpbmQgb3IgZ3JvdXAgd2FzIGNoYW5nZWQgdG8gb25lIG9mIHRoZSAicnVudGltZSIgZGVmYXVsdCB2YWx1ZXMuCldlIHVwZ3JhZGVkIEdvIHRvIGAxLjI1LjNgIHRvIGFkZHJlc3MgdGhlIGZvbGxvd2luZyBzZWN1cml0eSB2dWxuZXJhYmlsaXRpZXM6IGBDVkUtMjAyNS02MTcyNGAsIGBDVkUtMjAyNS01ODE4N2AsIGBDVkUtMjAyNS00NzkxMmAsIGBDVkUtMjAyNS01ODE4M2AsIGBDVkUtMjAyNS02MTcyM2AsIGBDVkUtMjAyNS01ODE4NmAsIGBDVkUtMjAyNS01ODE4NWAsIGBDVkUtMjAyNS01ODE4OGAsIGFuZCBgQ1ZFLTIwMjUtNjE3MjVgLgoKPiDwn5OWIFJlYWQgdGhlIFtmdWxsIDEuMTkgcmVsZWFzZSBub3Rlc10oaHR0cHM6Ly9jZXJ0LW1hbmFnZXIuaW8vZG9jcy9yZWxlYXNlcy9yZWxlYXNlLW5vdGVzL3JlbGVhc2Utbm90ZXMtMS4xOSkgb24gdGhlIGNlcnQtbWFuYWdlci5pbyB3ZWJzaXRlIGJlZm9yZSB1cGdyYWRpbmcuCgpDaGFuZ2VzIHNpbmNlIGB2MS4xOS4wYDoKCiMjIyMjIEJ1ZyBvciBSZWdyZXNzaW9uCgotIEJVR0ZJWDogaW4gY2FzZSBraW5kIG9yIGdyb3VwIGluIHRoZSBgaXNzdWVyUmVmYCBvZiBhIENlcnRpZmljYXRlIHdhcyBvbWl0dGVkLCB1cGdyYWRpbmcgdG8gYDEuMTkueGAgaW5jb3JyZWN0bHkgY2F1c2VkIHRoZSBjZXJ0aWZpY2F0ZSB0byBiZSByZW5ld2VkIChbIyYjODIwMzs4MTc1XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODE3NSksIFtAJiM4MjAzO2NlcnQtbWFuYWdlci1ib3RdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXItYm90KSkKLSBCdW1wIEdvIHRvIDEuMjUuMyB0byBmaXggYSBiYWNrd2FyZHMgaW5jb21wYXRpYmxlIGNoYW5nZSB0byB0aGUgdmFsaWRhdGlvbiBvZiBETlMgbmFtZXMgaW4gWC41MDkgU0FOIGZpZWxkcyB3aGljaCBwcmV2ZW50ZWQgdGhlIHVzZSBvZiBETlMgbmFtZXMgd2l0aCBhIHRyYWlsaW5nIGRvdCAoWyMmIzgyMDM7ODE3N10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgxNzcpLCBbQCYjODIwMzt3YWxscmotY3liZXJhcmtdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS93YWxscmotY3liZXJhcmspKQotIFJldmVydCBBUEkgZGVmYXVsdHMgZm9yIGlzc3VlciByZWZlcmVuY2Uga2luZCBhbmQgZ3JvdXAgaW50cm9kdWNlZCBpbiAwLjE5LjAgKFsjJiM4MjAzOzgxNzhdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MTc4KSwgW0AmIzgyMDM7Y2VydC1tYW5hZ2VyLWJvdF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci1ib3QpKQoKIyMjIFtgdjEuMTkuMGBdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL3JlbGVhc2VzL3RhZy92MS4xOS4wKQoKW0NvbXBhcmUgU291cmNlXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9jb21wYXJlL3YxLjE4LjYuLi52MS4xOS4wKQoKY2VydC1tYW5hZ2VyIGlzIHRoZSBlYXNpZXN0IHdheSB0byBhdXRvbWF0aWNhbGx5IG1hbmFnZSBjZXJ0aWZpY2F0ZXMgaW4gS3ViZXJuZXRlcyBhbmQgT3BlblNoaWZ0IGNsdXN0ZXJzLgoKPiDimqDvuI8gKipLbm93biBpc3N1ZXMqKjogVGhlIGZvbGxvd2luZyBrbm93biBpc3N1ZXMgYXJlIGZpeGVkIGluIFt2MS4xOS4xXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9yZWxlYXNlcy90YWcvdjEuMTkuMSk6Cj4KPiAtIFtVbmV4cGVjdGVkIGNlcnRpZmljYXRlIHJlbmV3YWwgYWZ0ZXIgdXBncmFkaW5nIHRvIDEuMTkuMF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgxNTgpCgpUaGlzIHJlbGVhc2UgZm9jdXNlcyBvbiBleHBhbmRpbmcgcGxhdGZvcm0gY29tcGF0aWJpbGl0eSwgaW1wcm92aW5nIGRlcGxveW1lbnQgZmxleGliaWxpdHksIGVuaGFuY2luZyBvYnNlcnZhYmlsaXR5LCBhbmQgYWRkcmVzc2luZyBrZXkgcmVsaWFiaWxpdHkgaXNzdWVzLgoKPiDwn5OWICBSZWFkIHRoZSBmdWxsIHJlbGVhc2Ugbm90ZXMgYXQgY2VydC1tYW5hZ2VyLmlvOiA8aHR0cHM6Ly9jZXJ0LW1hbmFnZXIuaW8vZG9jcy9yZWxlYXNlcy9yZWxlYXNlLW5vdGVzL3JlbGVhc2Utbm90ZXMtMS4xOT4KCkNoYW5nZXMgc2luY2UgYHYxLjE4LjBgOgoKIyMjIyMgRmVhdHVyZQoKLSBBZGQgSVB2NiBydWxlcyB0byB0aGUgZGVmYXVsdCBuZXR3b3JrIHBvbGljeSAoWyMmIzgyMDM7NzcyNl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc3MjYpLCBbQCYjODIwMztqY3B1bmtdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9qY3B1bmspKQotIEFkZCBgZ2xvYmFsLm5vZGVTZWxlY3RvcmAgdG8gaGVsbSBjaGFydCB0byBhbGxvdyBmb3IgYSBzaW5nbGUgYG5vZGVTZWxlY3RvcmAgdG8gYmUgc2V0IGFjcm9zcyBhbGwgc2VydmljZXMuIChbIyYjODIwMzs3ODE4XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvNzgxOCksIFtAJiM4MjAzO1N0aW5nUmF5WkFdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9TdGluZ1JheVpBKSkKLSBBZGQgYSBmZWF0dXJlIGdhdGUgdG8gZGVmYXVsdCB0byBJbmdyZXNzIGBwYXRoVHlwZWAgYEV4YWN0YCBpbiBBQ01FIEhUVFAwMSBJbmdyZXNzIGNoYWxsZW5nZSBzb2x2ZXJzLiAoWyMmIzgyMDM7Nzc5NV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc3OTUpLCBbQCYjODIwMztzc3ByZWl0emVyXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vc3NwcmVpdHplcikpCi0gQWRkIGdlbmVyYXRlZCBgYXBwbHljb25maWd1cmF0aW9uc2AgYWxsb3dpbmcgY2xpZW50cyB0byBtYWtlIHR5cGUtc2FmZSBzZXJ2ZXItc2lkZSBhcHBseSByZXF1ZXN0cyBmb3IgY2VydC1tYW5hZ2VyIHJlc291cmNlcy4gKFsjJiM4MjAzOzc4NjZdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy83ODY2KSwgW0AmIzgyMDM7ZXJpa2diXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vZXJpa2diKSkKLSBBZGRlZCBBUEkgZGVmYXVsdHMgdG8gaXNzdWVyIHJlZmVyZW5jZXMgZ3JvdXAgKGNlcnQtbWFuYWdlci5pbykgYW5kIGtpbmQgKElzc3VlcikuIChbIyYjODIwMzs3NDE0XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvNzQxNCksIFtAJiM4MjAzO2VyaWtnYl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2VyaWtnYikpCi0gQWRkZWQgYGNlcnRtYW5hZ2VyX2NlcnRpZmljYXRlX2NoYWxsZW5nZV9zdGF0dXNgIFByb21ldGhldXMgbWV0cmljLiAoWyMmIzgyMDM7NzczNl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc3MzYpLCBbQCYjODIwMztoam9zaGkxMjNdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9oam9zaGkxMjMpKQotIEFkZGVkIGBwcm90b2NvbGAgZmllbGQgZm9yIGByZmMyMTM2YCBETlMwMSBwcm92aWRlciAoWyMmIzgyMDM7Nzg4MV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc4ODEpLCBbQCYjODIwMztoam9zaGkxMjNdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9oam9zaGkxMjMpKQotIEFkZGVkIGV4cGVyaW1lbnRhbCBmaWVsZCBgaG9zdFVzZXJzYCBmbGFnIHRvIGFsbCBwb2RzLiBOb3Qgc2V0IGJ5IGRlZmF1bHQuIChbIyYjODIwMzs3OTczXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvNzk3MyksIFtAJiM4MjAzO2hqb3NoaTEyM10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2hqb3NoaTEyMykpCi0gU3VwcG9ydCBjb25maWd1cmFibGUgcmVzb3VyY2UgcmVxdWVzdHMgYW5kIGxpbWl0cyBmb3IgQUNNRSBIVFRQMDEgc29sdmVyIHBvZHMgdGhyb3VnaCBDbHVzdGVySXNzdWVyIGFuZCBJc3N1ZXIgc3BlY2lmaWNhdGlvbnMsIGFsbG93aW5nIGdyYW51bGFyIHJlc291cmNlIG1hbmFnZW1lbnQgdGhhdCBvdmVycmlkZXMgZ2xvYmFsIGAtLWFjbWUtaHR0cDAxLXNvbHZlci1yZXNvdXJjZS0qYCBzZXR0aW5ncy4gKFsjJiM4MjAzOzc5NzJdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy83OTcyKSwgW0AmIzgyMDM7bHVuYXJ3aGl0ZV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2x1bmFyd2hpdGUpKQotIFRoZSBgQ0FJbmplY3Rvck1lcmdpbmdgIGZlYXR1cmUgaGFzIGJlZW4gcHJvbW90ZWQgdG8gQkVUQSBhbmQgaXMgbm93IGVuYWJsZWQgYnkgZGVmYXVsdCAoWyMmIzgyMDM7ODAxN10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgwMTcpLCBbQCYjODIwMztUaGF0c01yVGFsYm90XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vVGhhdHNNclRhbGJvdCkpCi0gVGhlIGNvbnRyb2xsZXIsIHdlYmhvb2sgYW5kIGNhLWluamVjdG9yIG5vdyBsb2cgdGhlaXIgdmVyc2lvbiBhbmQgZ2l0IGNvbW1pdCBvbiBzdGFydHVwIGZvciBlYXNpZXIgZGVidWdnaW5nIGFuZCBzdXBwb3J0LiAoWyMmIzgyMDM7ODA3Ml0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgwNzIpLCBbQCYjODIwMztwcmFzYWQ4OV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL3ByYXNhZDg5KSkKLSBVcGRhdGVkIGBjZXJ0aWZpY2F0ZWAgbWV0cmljcyB0byB0aGUgY29sbGVjdG9yIGFwcHJvYWNoLiAoWyMmIzgyMDM7Nzg1Nl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc4NTYpLCBbQCYjODIwMztoam9zaGkxMjNdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9oam9zaGkxMjMpKQoKIyMjIyMgQnVnIG9yIFJlZ3Jlc3Npb24KCi0gQUNNRTogSW5jcmVhc2VkIGNoYWxsZW5nZSBhdXRob3JpemF0aW9uIHRpbWVvdXQgdG8gMiBtaW51dGVzIHRvIGZpeCBgZXJyb3Igd2FpdGluZyBmb3IgYXV0aG9yaXphdGlvbmAgKFsjJiM4MjAzOzc3OTZdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy83Nzk2KSwgW0AmIzgyMDM7aGpvc2hpMTIzXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vaGpvc2hpMTIzKSkKLSBCVUdGSVg6IHBlcm1pdHRlZCBVUkkgZG9tYWlucyB3ZXJlIGluY29ycmVjdGx5IHVzZWQgdG8gc2V0IHRoZSBleGNsdWRlZCBVUkkgZG9tYWlucyBpbiB0aGUgQ1NSJ3MgbmFtZSBjb25zdHJhaW50cyAoWyMmIzgyMDM7NzgxNl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc4MTYpLCBbQCYjODIwMztraW5vbGFldl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2tpbm9sYWV2KSkKLSBFbmZvcmNlZCBBQ01FIEhUVFAtMDEgc29sdmVyIHZhbGlkYXRpb24gdG8gcHJvcGVybHkgcmVqZWN0IGNvbmZpZ3VyYXRpb25zIHdoZW4gbXVsdGlwbGUgaW5ncmVzcyBvcHRpb25zIChgY2xhc3NgLCBgaW5ncmVzc0NsYXNzTmFtZWAsIGBuYW1lYCkgYXJlIHNwZWNpZmllZCBzaW11bHRhbmVvdXNseSAoWyMmIzgyMDM7ODAyMV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgwMjEpLCBbQCYjODIwMztsdW5hcndoaXRlXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vbHVuYXJ3aGl0ZSkpCi0gSW5jcmVhc2UgbWF4aW11bSBzaXplcyBvZiBQRU0gY2VydGlmaWNhdGVzIGFuZCBjaGFpbnMgd2hpY2ggY2FuIGJlIHBhcnNlZCBpbiBjZXJ0LW1hbmFnZXIsIHRvIGhhbmRsZSBsZWFmIGNlcnRpZmljYXRlcyB3aXRoIGxhcmdlIG51bWJlcnMgb2YgRE5TIG5hbWVzIG9yIG90aGVyIGlkZW50aXRpZXMgKFsjJiM4MjAzOzc5NjFdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy83OTYxKSwgW0AmIzgyMDM7U2d0Q29ERmlzaF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL1NndENvREZpc2gpKQotIFJldmVydGVkIGFkZGluZyB0aGUgYGdsb2JhbC5yYmFjLmRpc2FibGVIVFRQQ2hhbGxlbmdlc1JvbGVgIEhlbG0gb3B0aW9uLiAoWyMmIzgyMDM7NzgzNl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc4MzYpLCBbQCYjODIwMztpbnRlb25dKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9pbnRlb24pKQotIFRoaXMgY2hhbmdlIHJlbW92ZXMgdGhlIGBwYXRoYCBsYWJlbCBvZiBjb3JlIEFDTUUgY2xpZW50IG1ldHJpY3MgYW5kIHdpbGwgcmVxdWlyZSB1c2VycyB0byB1cGRhdGUgdGhlaXIgbW9uaXRvcmluZyBkYXNoYm9hcmRzIGFuZCBhbGVydGluZyBydWxlcyBpZiB1c2luZyB0aG9zZSBtZXRyaWNzLiAoWyMmIzgyMDM7ODEwOV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgxMDkpLCBbQCYjODIwMzttbGFkZW4tcnVzZXYtY3liZXJhcmtdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9tbGFkZW4tcnVzZXYtY3liZXJhcmspKQotIFVzZSB0aGUgbGF0ZXN0IHZlcnNpb24gb2YgYGluZ3Jlc3MtbmdpbnhgIGluIEUyRSB0ZXN0cyB0byBlbnN1cmUgY29tcGF0aWJpbGl0eSAoWyMmIzgyMDM7Nzc5Ml0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc3OTIpLCBbQCYjODIwMzt3YWxscmpdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS93YWxscmopKQoKIyMjIyMgT3RoZXIgKENsZWFudXAgb3IgRmxha2UpCgotIEhlbG06IEZpeCBuYW1pbmcgdGVtcGxhdGUgb2YgYHRva2VucmVxdWVzdGAgUm9sZUJpbmRpbmcgcmVzb3VyY2UgdG8gaW1wcm92ZSBjb25zaXN0ZW5jeSAoWyMmIzgyMDM7Nzc2MV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc3NjEpLCBbQCYjODIwMztsdW5hcndoaXRlXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vbHVuYXJ3aGl0ZSkpCi0gSW1wcm92ZSBlcnJvciBtZXNzYWdlcyB3aGVuIGNlcnRpZmljYXRlcywgQ1JMcyBvciBwcml2YXRlIGtleXMgZmFpbCBhZG1pc3Npb24gZHVlIHRvIG1hbGZvcm1lZCBvciBtaXNzaW5nIFBFTSBkYXRhIChbIyYjODIwMzs3OTI4XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvNzkyOCksIFtAJiM4MjAzO1NndENvREZpc2hdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9TZ3RDb0RGaXNoKSkKLSBNYWpvciB1cGdyYWRlIG9mIEFrYW1haSBTREsuIE5PVEU6IFRoZSBuZXcgdmVyc2lvbiBoYXMgbm90IGJlZW4gZnVsbHkgdGVzdGVkIGVuZC10by1lbmQgZHVlIHRvIHRoZSBsYWNrIG9mIGNsb3VkIGluZnJhc3RydWN0dXJlLiAoWyMmIzgyMDM7ODAwM10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgwMDMpLCBbQCYjODIwMztoam9zaGkxMjNdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9oam9zaGkxMjMpKQotIFVwZGF0ZSBraW5kIGltYWdlcyB0byBpbmNsdWRlIHRoZSBLdWJlcm5ldGVzIDEuMzMgbm9kZSBpbWFnZSAoWyMmIzgyMDM7Nzc4Nl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc3ODYpLCBbQCYjODIwMzt3YWxscmpdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS93YWxscmopKQotIFVzZSBgbWFwcy5Db3B5YCBmb3IgY2xlYW5lciBtYXAgaGFuZGxpbmcgKFsjJiM4MjAzOzgwOTJdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MDkyKSwgW0AmIzgyMDM7cXVhbnRwb2V0XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vcXVhbnRwb2V0KSkKLSBWYXVsdDogTWlncmF0ZSBWYXVsdCBFMkUgYWRkLW9uIHRlc3RzIGZyb20gZGVwcmVjYXRlZCBgdmF1bHQtY2xpZW50LWdvYCB0byB0aGUgbmV3IGB2YXVsdC9hcGlgIGNsaWVudC4gKFsjJiM4MjAzOzgwNTldKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MDU5KSwgW0AmIzgyMDM7YXJtYWdhbmthcmF0b3N1bl0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2FybWFnYW5rYXJhdG9zdW4pKQoKIyMjIFtgdjEuMTguNmBdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL3JlbGVhc2VzL3RhZy92MS4xOC42KQoKW0NvbXBhcmUgU291cmNlXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9jb21wYXJlL3YxLjE4LjUuLi52MS4xOC42KQoKY2VydC1tYW5hZ2VyIGlzIHRoZSBlYXNpZXN0IHdheSB0byBhdXRvbWF0aWNhbGx5IG1hbmFnZSBjZXJ0aWZpY2F0ZXMgaW4gS3ViZXJuZXRlcyBhbmQgT3BlblNoaWZ0IGNsdXN0ZXJzLgoKdjEuMTguNiBpcyBhIHNpbXBsZSBwYXRjaCByZWxlYXNlIHRvIGZpeCBzb21lIHJlcG9ydGVkIHZ1bG5lcmFiaWxpdGllcywgbW9zdCBub3RhYmx5IFtDVkUtMjAyNS02ODEyMV0oaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLTIwMjUtNjgxMjEpLgoKTkI6IFdlIGRpZG4ndCBhdHRlbXB0IHRvIHBhdGNoIFtDVkUtMjAyNi0yNDA1MV0oaHR0cHM6Ly9udmQubmlzdC5nb3YvdnVsbi9kZXRhaWwvQ1ZFLTIwMjYtMjQwNTEpIGJ1dCB0aGF0IHZ1bG5lcmFiaWxpdHkgYWZmZWN0cyBtYWNPUyBvbmx5LCBzbyBjZXJ0LW1hbmFnZXIgd2lsbCBiZSB1bmFmZmVjdGVkLgoKIyMjIyMgQ2hhbmdlcyBieSBLaW5kCgojIyMjIyBCdWcgb3IgUmVncmVzc2lvbgoKLSBCdW1wIEdvIHRvIGFkZHJlc3MgQ1ZFLTIwMjUtNjgxMjEgKFsjJiM4MjAzOzg1MjVdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84NTI1KSwgW0AmIzgyMDM7U2d0Q29ERmlzaF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL1NndENvREZpc2gpKQoKIyMjIFtgdjEuMTguNWBdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL3JlbGVhc2VzL3RhZy92MS4xOC41KQoKW0NvbXBhcmUgU291cmNlXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9jb21wYXJlL3YxLjE4LjQuLi52MS4xOC41KQoKY2VydC1tYW5hZ2VyIGlzIHRoZSBlYXNpZXN0IHdheSB0byBhdXRvbWF0aWNhbGx5IG1hbmFnZSBjZXJ0aWZpY2F0ZXMgaW4gS3ViZXJuZXRlcyBhbmQgT3BlblNoaWZ0IGNsdXN0ZXJzLgoKVGhpcyByZWxlYXNlIGNvbnRhaW5zIHRocmVlIGJ1ZyBmaXhlcywgaW5jbHVkaW5nIGEgZml4IGZvciB0aGUgTU9ERVJBVEUgc2V2ZXJpdHkgRG9TIGlzc3VlIGluIEdIU0EtZ3gzeC12cTRwLW1oaHYuIEFsbCB1c2VycyBzaG91bGQgdXBncmFkZSB0byB0aGUgbGF0ZXN0IHJlbGVhc2UuCgojIyMjIyBDaGFuZ2VzIGJ5IEtpbmQKCiMjIyMjIEJ1ZyBvciBSZWdyZXNzaW9uCgotIEZpeGVkIGFuIGluZmluaXRlIHJlLWlzc3VhbmNlIGxvb3AgdGhhdCBjb3VsZCBvY2N1ciB3aGVuIGFuIGlzc3VlciByZXR1cm5zIGEgY2VydGlmaWNhdGUgd2l0aCBhIHB1YmxpYyBrZXkgdGhhdCBkb2Vzbid0IG1hdGNoIHRoZSBDU1IuIFRoZSBpc3N1aW5nIGNvbnRyb2xsZXIgbm93IHZhbGlkYXRlcyB0aGUgY2VydGlmaWNhdGUgYmVmb3JlIHN0b3JpbmcgaXQgYW5kIGZhaWxzIHdpdGggYmFja29mZiBvbiBtaXNtYXRjaC4gKFsjJiM4MjAzOzg0MTRdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84NDE0KSwgW0AmIzgyMDM7Y2VydC1tYW5hZ2VyLWJvdF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci1ib3QpKQotIEZpeGVkIGFuIGlzc3VlIHdoZXJlIEhUVFAtMDEgY2hhbGxlbmdlcyBmYWlsZWQgd2hlbiB0aGUgSG9zdCBoZWFkZXIgY29udGFpbnMgYW4gSVB2NiBhZGRyZXNzLiBUaGlzIG1lYW5zIHRoYXQgdXNlcnMgY2FuIG5vdyBpc3N1ZSBJUCBhZGRyZXNzIGNlcnRpZmljYXRlcyBmb3IgSVB2NiBhZGRyZXNzIHN1YmplY3RzLiAoWyMmIzgyMDM7ODQzN10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzg0MzcpLCBbQCYjODIwMztjZXJ0LW1hbmFnZXItYm90XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyLWJvdCkpCi0gU2VjdXJpdHkgKE1PREVSQVRFKTogRml4IGEgcG90ZW50aWFsIHBhbmljIGluIHRoZSBjZXJ0LW1hbmFnZXIgY29udHJvbGxlciB3aGVuIGEgRE5TIHJlc3BvbnNlIGluIGFuIHVuZXhwZWN0ZWQgb3JkZXIgd2FzIGNhY2hlZC4gSWYgYW4gYXR0YWNrZXIgd2FzIGFibGUgdG8gbW9kaWZ5IEROUyByZXNwb25zZXMgKG9yIGlmIHRoZXkgY29udHJvbGxlZCB0aGUgRE5TIHNlcnZlcikgaXQgd2FzIHBvc3NpYmxlIHRvIGNhdXNlIGRlbmlhbCBvZiBzZXJ2aWNlIGZvciB0aGUgY2VydC1tYW5hZ2VyIGNvbnRyb2xsZXIuIChbIyYjODIwMzs4NDY3XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODQ2NyksIFtAJiM4MjAzO1NndENvREZpc2hdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9TZ3RDb0RGaXNoKSkKCiMjIyMjIE90aGVyIChDbGVhbnVwIG9yIEZsYWtlKQoKLSBCdW1wIGdvIHRvIDEuMjQuMTIgKFsjJiM4MjAzOzg0NjBdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84NDYwKSwgW0AmIzgyMDM7U2d0Q29ERmlzaF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL1NndENvREZpc2gpKQoKIyMjIFtgdjEuMTguNGBdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL3JlbGVhc2VzL3RhZy92MS4xOC40KQoKW0NvbXBhcmUgU291cmNlXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9jb21wYXJlL3YxLjE4LjMuLi52MS4xOC40KQoKY2VydC1tYW5hZ2VyIGlzIHRoZSBlYXNpZXN0IHdheSB0byBhdXRvbWF0aWNhbGx5IG1hbmFnZSBjZXJ0aWZpY2F0ZXMgaW4gS3ViZXJuZXRlcyBhbmQgT3BlblNoaWZ0IGNsdXN0ZXJzLgoKV2UgdXBkYXRlZCBHbyB0byBmaXggc29tZSB2dWxuZXJhYmlsaXRpZXMgaW4gdGhlIHN0YW5kYXJkIGxpYnJhcnkuCgo+IPCfk5YgUmVhZCB0aGUgW2Z1bGwgMS4xOCByZWxlYXNlIG5vdGVzXShodHRwczovL2NlcnQtbWFuYWdlci5pby9kb2NzL3JlbGVhc2VzL3JlbGVhc2Utbm90ZXMvcmVsZWFzZS1ub3Rlcy0xLjE4KSBvbiB0aGUgY2VydC1tYW5hZ2VyLmlvIHdlYnNpdGUgYmVmb3JlIHVwZ3JhZGluZy4KCiMjIyMjIENoYW5nZXMgc2luY2UgYHYxLjE4LjNgCgojIyMjIyBCdWcgb3IgUmVncmVzc2lvbgoKLSBBZGRyZXNzIGZhbHNlIHBvc2l0aXZlIHZ1bG5lcmFiaWxpdGllcyBgQ1ZFLTIwMjUtNDc5MTRgIGFuZCBgQ1ZFLTIwMjUtNTgxODFgIHdoaWNoIHdlcmUgcmVwb3J0ZWQgYnkgVHJpdnkuIChbIyYjODIwMzs4MjgyXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODI4MiksIFtAJiM4MjAzO1NndENvREZpc2hdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9TZ3RDb0RGaXNoKSkKLSBVcGRhdGUgR28gdG8gYHYxLjI0LjExYCB0byBmaXggYENWRS0yMDI1LTYxNzI3YCBhbmQgYENWRS0yMDI1LTYxNzI5YCAoWyMmIzgyMDM7ODI5NV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgyOTUpLCBbQCYjODIwMzt3YWxscmotY3liZXJhcmtdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS93YWxscmotY3liZXJhcmspKQoKIyMjIyMgT3RoZXIgKENsZWFudXAgb3IgRmxha2UpCgotIFVwZGF0ZSBjZXJ0LW1hbmFnZXIncyBBQ01FIGNsaWVudCwgZm9ya2VkIGZyb20gYGdvbGFuZy94L2NyeXB0b2AgKFsjJiM4MjAzOzgyNzFdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MjcxKSwgW0AmIzgyMDM7U2d0Q29ERmlzaF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL1NndENvREZpc2gpKQotIFVwZGF0ZWQgRGViaWFuIDEyIGRpc3Ryb2xlc3MgYmFzZSBpbWFnZXMgKFsjJiM4MjAzOzgzMjhdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy84MzI4KSwgW0AmIzgyMDM7d2FsbHJqLWN5YmVyYXJrXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vd2FsbHJqLWN5YmVyYXJrKSkKCiMjIyBbYHYxLjE4LjNgXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9yZWxlYXNlcy90YWcvdjEuMTguMykKCltDb21wYXJlIFNvdXJjZV0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvY29tcGFyZS92MS4xOC4yLi4udjEuMTguMykKCmNlcnQtbWFuYWdlciBpcyB0aGUgZWFzaWVzdCB3YXkgdG8gYXV0b21hdGljYWxseSBtYW5hZ2UgY2VydGlmaWNhdGVzIGluIEt1YmVybmV0ZXMgYW5kIE9wZW5TaGlmdCBjbHVzdGVycy4KCldlIGZpeGVkIGEgYnVnIHdoaWNoIGNhdXNlZCBjZXJ0aWZpY2F0ZXMgdG8gYmUgcmUtaXNzdWVkIHVuZXhwZWN0ZWRseSwgaWYgdGhlIGlzc3VlclJlZiBraW5kIG9yIGdyb3VwIHdhcyBjaGFuZ2VkIHRvIG9uZSBvZiB0aGUgInJ1bnRpbWUiIGRlZmF1bHQgdmFsdWVzLiBXZSBpbmNyZWFzZWQgdGhlIHNpemUgbGltaXQgd2hlbiBwYXJzaW5nIFBFTSBjZXJ0aWZpY2F0ZSBjaGFpbnMgdG8gaGFuZGxlIGxlYWYgY2VydGlmaWNhdGVzIHdpdGggbGFyZ2UgbnVtYmVycyBvZiBETlMgbmFtZWQgb3Igb3RoZXIgaWRlbnRpdGllcy4gV2UgdXBncmFkZWQgR28gdG8gMS4yNC45IHRvIGZpeCB2YXJpb3VzIG5vbi1jcml0aWNhbCBzZWN1cml0eSB2dWxuZXJhYmlsaXRpZXMuCgo+IPCfk5YgUmVhZCB0aGUgW2Z1bGwgMS4xOCByZWxlYXNlIG5vdGVzXShodHRwczovL2NlcnQtbWFuYWdlci5pby9kb2NzL3JlbGVhc2VzL3JlbGVhc2Utbm90ZXMvcmVsZWFzZS1ub3Rlcy0xLjE4KSBvbiB0aGUgY2VydC1tYW5hZ2VyLmlvIHdlYnNpdGUgYmVmb3JlIHVwZ3JhZGluZy4KCkNoYW5nZXMgc2luY2UgYHYxLjE4LjJgOgoKIyMjIyMgQnVnIG9yIFJlZ3Jlc3Npb24KCi0gQlVHRklYOiBpbiBjYXNlIGtpbmQgb3IgZ3JvdXAgaW4gdGhlIGlzc3VlclJlZiBvZiBhIENlcnRpZmljYXRlIHdhcyBvbWl0dGVkLCB1cGdyYWRpbmcgdG8gMS4xOS54IGluY29ycmVjdGx5IGNhdXNlZCB0aGUgY2VydGlmaWNhdGUgdG8gYmUgcmVuZXdlZCAoWyMmIzgyMDM7ODE3NF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzgxNzQpLCBbQCYjODIwMztjZXJ0LW1hbmFnZXItYm90XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyLWJvdCkpCi0gQnVtcCBHbyB0byAxLjI0LjkuIEZpeGVzIHRoZSBmb2xsb3dpbmcgdnVsbmVyYWJpbGl0aWVzOiBDVkUtMjAyNS02MTcyNCwgQ1ZFLTIwMjUtNTgxODcsIENWRS0yMDI1LTQ3OTEyLCBDVkUtMjAyNS01ODE4MywgQ1ZFLTIwMjUtNjE3MjMsIENWRS0yMDI1LTU4MTg2LCBDVkUtMjAyNS01ODE4NSwgQ1ZFLTIwMjUtNTgxODgsIENWRS0yMDI1LTYxNzI1IChbIyYjODIwMzs4MTc2XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyL2NlcnQtbWFuYWdlci9pc3N1ZXMvODE3NiksIFtAJiM4MjAzO3dhbGxyai1jeWJlcmFya10oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL3dhbGxyai1jeWJlcmFyaykpCi0gSW5jcmVhc2UgbWF4aW11bSBzaXplcyBvZiBQRU0gY2VydGlmaWNhdGVzIGFuZCBjaGFpbnMgd2hpY2ggY2FuIGJlIHBhcnNlZCBpbiBjZXJ0LW1hbmFnZXIsIHRvIGhhbmRsZSBsZWFmIGNlcnRpZmljYXRlcyB3aXRoIGxhcmdlIG51bWJlcnMgb2YgRE5TIG5hbWVzIG9yIG90aGVyIGlkZW50aXRpZXMgKFsjJiM4MjAzOzc5NjZdKGh0dHBzOi8vcmVkaXJlY3QuZ2l0aHViLmNvbS9jZXJ0LW1hbmFnZXIvY2VydC1tYW5hZ2VyL2lzc3Vlcy83OTY2KSwgW0AmIzgyMDM7Y2VydC1tYW5hZ2VyLWJvdF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci1ib3QpKQoKIyMjIyMgT3RoZXIgKENsZWFudXAgb3IgRmxha2UpCgotIEltcHJvdmUgZXJyb3IgbWVzc2FnZXMgd2hlbiBjZXJ0aWZpY2F0ZXMsIENSTHMgb3IgcHJpdmF0ZSBrZXlzIGZhaWwgYWRtaXNzaW9uIGR1ZSB0byBtYWxmb3JtZWQgb3IgbWlzc2luZyBQRU0gZGF0YSAoWyMmIzgyMDM7Nzk2NF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc5NjQpLCBbQCYjODIwMztjZXJ0LW1hbmFnZXItYm90XShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vY2VydC1tYW5hZ2VyLWJvdCkpCi0gVXBncmFkZXMgR28gdG8gdjEuMjQuNiAoWyMmIzgyMDM7Nzk3NF0oaHR0cHM6Ly9yZWRpcmVjdC5naXRodWIuY29tL2NlcnQtbWFuYWdlci9jZXJ0LW1hbmFnZXIvaXNzdWVzLzc5NzQpLCBbQCYjODIwMztTZ3RDb0RGaXNoXShodHRwczovL3JlZGlyZWN0LmdpdGh1Yi5jb20vU2d0Q29ERmlzaCkpCgo8L2RldGFpbHM+CgotLS0KCiMjIyBDb25maWd1cmF0aW9uCgrwn5OFICoqU2NoZWR1bGUqKjogQnJhbmNoIGNyZWF0aW9uIC0gQXQgYW55IHRpbWUgKG5vIHNjaGVkdWxlIGRlZmluZWQpLCBBdXRvbWVyZ2UgLSBBdCBhbnkgdGltZSAobm8gc2NoZWR1bGUgZGVmaW5lZCkuCgrwn5qmICoqQXV0b21lcmdlKio6IERpc2FibGVkIGJ5IGNvbmZpZy4gUGxlYXNlIG1lcmdlIHRoaXMgbWFudWFsbHkgb25jZSB5b3UgYXJlIHNhdGlzZmllZC4KCuKZuyAqKlJlYmFzaW5nKio6IFdoZW5ldmVyIFBSIGJlY29tZXMgY29uZmxpY3RlZCwgb3IgeW91IHRpY2sgdGhlIHJlYmFzZS9yZXRyeSBjaGVja2JveC4KCvCflJUgKipJZ25vcmUqKjogQ2xvc2UgdGhpcyBQUiBhbmQgeW91IHdvbid0IGJlIHJlbWluZGVkIGFib3V0IHRoaXMgdXBkYXRlIGFnYWluLgoKLS0tCgogLSBbIF0gPCEtLSByZWJhc2UtY2hlY2sgLS0+SWYgeW91IHdhbnQgdG8gcmViYXNlL3JldHJ5IHRoaXMgUFIsIGNoZWNrIHRoaXMgYm94CgotLS0KClRoaXMgUFIgd2FzIGdlbmVyYXRlZCBieSBbTWVuZCBSZW5vdmF0ZV0oaHR0cHM6Ly9tZW5kLmlvL3Jlbm92YXRlLykuIFZpZXcgdGhlIFtyZXBvc2l0b3J5IGpvYiBsb2ddKGh0dHBzOi8vZGV2ZWxvcGVyLm1lbmQuaW8vZ2l0aHViL3ZleHhob3N0L2F0bW9zcGhlcmUuY29tbW9uKS4KPCEtLXJlbm92YXRlLWRlYnVnOmV5SmpjbVZoZEdWa1NXNVdaWElpT2lJME1TNHhNekV1T1NJc0luVndaR0YwWldSSmJsWmxjaUk2SWpRekxqazBMakVpTENKMFlYSm5aWFJDY21GdVkyZ2lPaUp0WVdsdUlpd2liR0ZpWld4eklqcGJYWDA9LS0+Cg==
      patchset: 31202f9a494ecda41fc228f97b0affb269c8586d
      pipeline: check
      playbook_context:
        playbook_projects:
          trusted/project_0/github.com/vexxhost/zuul-config:
            canonical_name: github.com/vexxhost/zuul-config
            checkout: main
            commit: 9052b5a7781b3346e4cffd452a54448cbff54d8b
          trusted/project_1/opendev.org/zuul/zuul-jobs:
            canonical_name: opendev.org/zuul/zuul-jobs
            checkout: master
            commit: c75fe6ef19c05b98349573c971950c51bbf24758
          trusted/project_2/github.com/vexxhost/zuul-jobs:
            canonical_name: github.com/vexxhost/zuul-jobs
            checkout: main
            commit: a6e68243e02ef030ce5e75f8b67630880c475f33
          untrusted/project_0/github.com/vexxhost/zuul-jobs:
            canonical_name: github.com/vexxhost/zuul-jobs
            checkout: main
            commit: a6e68243e02ef030ce5e75f8b67630880c475f33
          untrusted/project_1/github.com/vexxhost/zuul-config:
            canonical_name: github.com/vexxhost/zuul-config
            checkout: main
            commit: 9052b5a7781b3346e4cffd452a54448cbff54d8b
          untrusted/project_2/opendev.org/zuul/zuul-jobs:
            canonical_name: opendev.org/zuul/zuul-jobs
            checkout: master
            commit: c75fe6ef19c05b98349573c971950c51bbf24758
        playbooks:
        - path: untrusted/project_0/github.com/vexxhost/zuul-jobs/playbooks/molecule/run.yaml
          roles:
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/playbook_0/role_1/zuul-jobs
            link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs
            role_path: ansible/playbook_0/role_1/zuul-jobs/roles
          - checkout: main
            checkout_description: playbook branch
            link_name: ansible/playbook_0/role_2/zuul-jobs
            link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs
            role_path: ansible/playbook_0/role_2/zuul-jobs/roles
        post_playbooks:
        - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post.yaml
          roles:
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/post_playbook_0/role_1/zuul-jobs
            link_target: trusted/project_1/opendev.org/zuul/zuul-jobs
            role_path: ansible/post_playbook_0/role_1/zuul-jobs/roles
          - checkout: main
            checkout_description: zuul branch
            link_name: ansible/post_playbook_0/role_2/zuul-jobs
            link_target: trusted/project_2/github.com/vexxhost/zuul-jobs
            role_path: ansible/post_playbook_0/role_2/zuul-jobs/roles
        - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post-logs.yaml
          roles:
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/post_playbook_1/role_1/zuul-jobs
            link_target: trusted/project_1/opendev.org/zuul/zuul-jobs
            role_path: ansible/post_playbook_1/role_1/zuul-jobs/roles
          - checkout: main
            checkout_description: zuul branch
            link_name: ansible/post_playbook_1/role_2/zuul-jobs
            link_target: trusted/project_2/github.com/vexxhost/zuul-jobs
            role_path: ansible/post_playbook_1/role_2/zuul-jobs/roles
        pre_playbooks:
        - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/pre.yaml
          roles:
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/pre_playbook_0/role_1/zuul-jobs
            link_target: trusted/project_1/opendev.org/zuul/zuul-jobs
            role_path: ansible/pre_playbook_0/role_1/zuul-jobs/roles
          - checkout: main
            checkout_description: zuul branch
            link_name: ansible/pre_playbook_0/role_2/zuul-jobs
            link_target: trusted/project_2/github.com/vexxhost/zuul-jobs
            role_path: ansible/pre_playbook_0/role_2/zuul-jobs/roles
        - path: untrusted/project_0/github.com/vexxhost/zuul-jobs/playbooks/molecule/pre.yaml
          roles:
          - checkout: master
            checkout_description: project default branch
            link_name: ansible/pre_playbook_1/role_1/zuul-jobs
            link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs
            role_path: ansible/pre_playbook_1/role_1/zuul-jobs/roles
          - checkout: main
            checkout_description: playbook branch
            link_name: ansible/pre_playbook_1/role_2/zuul-jobs
            link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs
            role_path: ansible/pre_playbook_1/role_2/zuul-jobs/roles
      post_review: false
      post_timeout: null
      pre_timeout: null
      project:
        canonical_hostname: github.com
        canonical_name: github.com/vexxhost/atmosphere.common
        name: vexxhost/atmosphere.common
        short_name: atmosphere.common
        src_dir: src/github.com/vexxhost/atmosphere.common
      projects:
        github.com/vexxhost/atmosphere.common:
          canonical_hostname: github.com
          canonical_name: github.com/vexxhost/atmosphere.common
          checkout: main
          checkout_description: zuul branch
          commit: 1fb5aa207f21cd5ec2cd2c3a96aad4bb6a368bfc
          name: vexxhost/atmosphere.common
          required: false
          short_name: atmosphere.common
          src_dir: src/github.com/vexxhost/atmosphere.common
      ref: refs/pull/105/head
      resources: {}
      tenant: oss
      timeout: 1800
      topic: null
      voting: true
