Expand Up @@ -12,6 +12,47 @@ These release notes track the development of {cert-manager-operator}.

For more information, see xref:../../security/cert_manager_operator/index.adoc#cert-manager-operator-about[About the {cert-manager-operator}].


[id="cert-manager-operator-release-notes-1-18-0_{context}"]
== {cert-manager-operator} 1.18.0

Issued: 2025-11-

The following advisories are available for the {cert-manager-operator} 1.18.0:

* link:https://access.redhat.com/errata/RH[RH]

Version `1.18.0` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.18.3`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.18#v1183[cert-manager project release notes for v1.18.3].

[id="cert-manager-operator-1-18-0-features-enhancements_{context}"]
=== New features and enhancements

*Istio-CSR integration with {cert-manager-operator} (Generally Available)*

With this release, the integration of the {cert-manager-operator} with Istio-CSR, which was previously provided as a Technology Preview feature, is fully supported. This feature offers enhanced support for securing workloads and control plane components within Red Hat OpenShift Service Mesh or Istio environments. By utilizing the {cert-manager-operator} managed Istio-CSR agent, Istio can obtain, sign, deliver, and renew certificates required for mutual TLS (mTLS).
For more information, see xref:../../security/cert_manager_operator/cert-manager-operator-integrating-istio.adoc#cert-manager-operator-istio-csr-installing_cert-manager-operator-integrating-istio[Integrating the cert-manager Operator with Istio-CSR].

*Replica count configuration for {cert-manager-operator} operands*

With this release, you can override the default replica counts for the {cert-manager-operator} `controller`, `webhook`, and `cainjector` operands. To configure these values, specify the new `overrideReplicas` fields in the CertManager custom resource. With this enhancement, you can configure high availability (HA) and scale operands based on your specific operational requirements. For more information, see ---.

*Root filesystem is read-only for {cert-manager-operator} containers*

With this release, to improve security, the {cert-manager-operator} and all its operands have the `readOnlyRootFilesystem` security context set to `true` by default. This enhancement hardens the containers and prevents a potential attacker from modifying the contents of the container's root file system.

*Network policy hardening is now available for cert-manager Operator components*

With this release, the {cert-manager-operator} includes predefined `NetworkPolicy` resources to enhance security by controlling Ingress and Egress traffic for its components. These policies cover essential internal traffic, such as Ingress to metrics and webhook servers, and Egress to the OpenShift API and DNS servers.

By default, this feature is disabled to prevent connectivity issues during upgrades. You must explicitly enable it in the `CertManager` custom resource. For more information, see ---.


[id="cert-manager-operator-1-18-0-known-issues_{context}"]
=== Known issues

* The upstream cert-manager `v1.18` release updated the ACME HTTP-01 challenge Ingress path type from `ImplementationSpecific` to `Exact`. The OpenShift Route API does not have an equivalent for the `Exact` path type, which prevents the ingress-to-route controller from supporting it. As a result, Ingress resources created for HTTP-01 challenges cannot route traffic to the solver pod, causing the challenge to fail with a 503 error.
To mitigate this issue, the `ACMEHTTP01IngressPathTypeExact` feature gate is disabled by default in this release.

[id="cert-manager-operator-release-notes-1-17-0_{context}"]
== {cert-manager-operator} 1.17.0
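
Review bot: The added 1.18.0 section still contains unresolved placeholders: `Issued: 2025-11-` has no day, the advisory entry is `link:https://access.redhat.com/errata/RH[RH]` with no advisory ID, and both the replica count entry and the network policy entry end with `For more information, see ---.` Fill in each value or xref before merge, or drop the sentence. Smaller points in the same hunk: the replica count entry writes CertManager custom resource without backticks while the network policy entry uses `CertManager`; the network policy heading spells out "cert-manager Operator" where the other headings use the `{cert-manager-operator}` attribute; and the read-only root entry uses "filesystem" in its heading but "file system" in its body. In the known issue, consider stating explicitly that the 503 failure occurs only when the `ACMEHTTP01IngressPathTypeExact` feature gate is turned on, since the text says the gate is disabled by default in this release.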
