
Challenge creation fails on OpenShift after #7286 — missing issuers/finalizers RBAC #8636

@rassie

Description


Describe the bug:

PR #7286 (commit 0a5bab898) added an Issuer/ClusterIssuer ownerReference with blockOwnerDeletion: true to Challenge resources created by the orders controller.

On clusters with OwnerReferencesPermissionEnforcement (default on OpenShift/OKD), this requires update permission on issuers/finalizers and clusterissuers/finalizers. The Helm chart RBAC does not include these, so Challenge creation fails:

cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>

Same class of issue as #2305, fixed in #2325 for certificaterequests/finalizers.

Expected behaviour:

Challenge creation should succeed on clusters with OwnerReferencesPermissionEnforcement enabled.

Steps to reproduce the bug:

  1. Install cert-manager v1.20.0 via Helm on OpenShift/OKD
  2. Create a Certificate using a ClusterIssuer
  3. Orders controller fails to create Challenges

Anything else we need to know?:

Fix: add to the controller-orders ClusterRole in deploy/charts/cert-manager/templates/rbac.yaml:

- apiGroups: ["cert-manager.io"]
  resources: ["issuers/finalizers", "clusterissuers/finalizers"]
  verbs: ["update"]

Environment details:

  • Kubernetes version: v1.34.5 (OKD)
  • Cloud-provider/provisioner: OKD (bare metal)
  • cert-manager version: v1.20.0
  • Install method: Helm

/kind bug
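The admission check behind the error above, as an added example that is not part of the issue and not cert-manager or Kubernetes code: the Go program below models what OwnerReferencesPermissionEnforcement does on create (every ownerReference with blockOwnerDeletion set requires `update` on `<owner resource>/finalizers` in the owner's API group) and the RBAC rule matching it relies on, then evaluates a constructed Challenge ownerReference against a rule set without and with the proposed `issuers/finalizers` / `clusterissuers/finalizers` rule. The `ChartRulesBefore` set is an assumed sketch of the relevant subset of the controller-orders ClusterRole, not a copy of rbac.yaml, and `kindToResource` is a stand-in for the API server's RESTMapper. It also shows the RBAC detail that makes the fix necessary: a rule granting `update` on `clusterissuers` does not cover the `clusterissuers/finalizers` subresource, which must be named explicitly (or matched via `*/finalizers`).

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule mirrors the apiGroups/resources/verbs triple of a Kubernetes RBAC rule.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// OwnerReference carries the metadata.ownerReferences fields the admission plugin inspects.
type OwnerReference struct {
	APIVersion         string
	Kind               string
	Name               string
	BlockOwnerDeletion bool
}

// kindToResource stands in for the API server's RESTMapper (an assumption for this example;
// the real plugin resolves Kind -> resource dynamically from discovery).
var kindToResource = map[string]string{
	"Issuer":        "issuers",
	"ClusterIssuer": "clusterissuers",
}

// match applies RBAC matching for one field: exact value, "*", or (for resources) "*/<subresource>".
// A rule naming "issuers" does NOT cover "issuers/finalizers"; the subresource must be listed.
func match(rule []string, want string) bool {
	for _, r := range rule {
		if r == "*" || r == want {
			return true
		}
		if strings.HasPrefix(r, "*/") && strings.HasSuffix(want, r[1:]) {
			return true
		}
	}
	return false
}

// Allows reports whether any rule grants verb on resource ("<resource>" or "<resource>/<sub>") in group.
func Allows(rules []PolicyRule, group, resource, verb string) bool {
	for _, r := range rules {
		if match(r.APIGroups, group) && match(r.Resources, resource) && match(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// groupOf extracts the API group from an apiVersion such as "cert-manager.io/v1" ("" for the core group).
func groupOf(apiVersion string) string {
	if i := strings.Index(apiVersion, "/"); i >= 0 {
		return apiVersion[:i]
	}
	return ""
}

// AdmitOwnerReferences reproduces the decision OwnerReferencesPermissionEnforcement makes on create:
// each ownerReference with blockOwnerDeletion=true requires "update" on "<owner resource>/finalizers"
// in the owner's API group; otherwise the request is forbidden.
func AdmitOwnerReferences(refs []OwnerReference, rules []PolicyRule) error {
	for _, ref := range refs {
		if !ref.BlockOwnerDeletion {
			continue
		}
		res, ok := kindToResource[ref.Kind]
		if !ok {
			return fmt.Errorf("no resource mapping for kind %q", ref.Kind)
		}
		sub := res + "/finalizers"
		if !Allows(rules, groupOf(ref.APIVersion), sub, "update") {
			return fmt.Errorf("cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on (needs update on %s %s)", groupOf(ref.APIVersion), sub)
		}
	}
	return nil
}

// ChallengeOwnerRefs is a constructed ownerReference of the shape the issue describes the orders
// controller adding to a Challenge: a ClusterIssuer owner with blockOwnerDeletion set.
func ChallengeOwnerRefs() []OwnerReference {
	return []OwnerReference{{
		APIVersion:         "cert-manager.io/v1",
		Kind:               "ClusterIssuer",
		Name:               "letsencrypt", // constructed name
		BlockOwnerDeletion: true,
	}}
}

// ChartRulesBefore is an assumed sketch of the controller-orders ClusterRole subset that matters here
// (read access to issuers, no finalizers subresource); it is not copied from the Helm chart.
var ChartRulesBefore = []PolicyRule{
	{APIGroups: []string{"acme.cert-manager.io"}, Resources: []string{"orders", "orders/status"}, Verbs: []string{"update", "patch"}},
	{APIGroups: []string{"acme.cert-manager.io"}, Resources: []string{"challenges"}, Verbs: []string{"create", "delete", "get", "list", "watch"}},
	{APIGroups: []string{"cert-manager.io"}, Resources: []string{"clusterissuers", "issuers"}, Verbs: []string{"get", "list", "watch"}},
}

// ChartRulesFixed is ChartRulesBefore plus the rule proposed in the issue.
var ChartRulesFixed = append(append([]PolicyRule{}, ChartRulesBefore...), PolicyRule{
	APIGroups: []string{"cert-manager.io"},
	Resources: []string{"issuers/finalizers", "clusterissuers/finalizers"},
	Verbs:     []string{"update"},
})

func main() {
	fmt.Println("before:", AdmitOwnerReferences(ChallengeOwnerRefs(), ChartRulesBefore))
	fmt.Println("fixed: ", AdmitOwnerReferences(ChallengeOwnerRefs(), ChartRulesFixed))
}
```

On a live cluster the equivalent check is `kubectl auth can-i update clusterissuers/finalizers --as=system:serviceaccount:<namespace>:<controller service account>`; the model above is only meant to make clear why a rule on the parent resource is not enough.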
