Update Helm release cert-manager to v1.13.5

[vshn-renovate]

This PR contains the following updates:

Package	Update	Change
cert-manager (source)	patch	v1.13.2 -> v1.13.5

---

Release Notes

cert-manager/cert-manager (cert-manager)

v1.13.5

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Known Issues

• ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations

ℹ️ Documentation

Release notes
Upgrade notes
Installation instructions

🔧 Breaking changes

See Breaking changes in v1.13.0 release notes

📜 Changes since v1.13.4

Bug or Regression

• Allow cert-manager.io/allow-direct-injection in annotations (#​6810, @​jetstack-bot)
• BUGFIX: JKS and PKCS12 stores now contain the full set of CAs specified by an issuer (#​6814, @​inteon)
• BUGFIX: fix race condition due to registering and using global runtime.Scheme variables (#​6832, @​inteon)

Other (Cleanup or Flake)

• Bump base images to the latest version. (#​6841, @​inteon)
• Upgrade go to 1.21.8: fixes CVE-2024-24783 (#​6824, @​inteon)
• Upgrade google.golang.org/protobuf: fixing GO-2024-2611 (#​6828, @​inteon)

v1.13.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Known Issues

• ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations

ℹ️ Documentation

Release notes
Upgrade notes
Installation instructions

🔧 Breaking changes

See Breaking changes in v1.13.0 release notes

📜 Changes since v1.13.3

Bug or Regression

• BUGFIX: LiteralSubjects with a #= value can result in memory issues due to faulty BER parser (github.com/go-asn1-ber/asn1-ber). (#​6772, @​jetstack-bot)

Other (Cleanup or Flake)

• Bump go to 1.20.14 (#​6736, @​jetstack-bot)
• Cert-manager is now built with Go 1.20.12 (#​6544, @​wallrj)
• Cert-manager is now built with Go 1.20.13 (#​6630, @​SgtCoDFish)
• Fix CVE 2023 48795 by upgrading to golang.org/x/crypto@v0.17.0 (#​6675, @​wallrj)
• Fix GHSA-7ww5-4wqc-m92c by upgrading to github.com/containerd/containerd@v1.7.12 (#​6684, @​wallrj)

v1.13.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Read about the breaking changes in cert-manager 1.13 before you upgrade from a < v1.13 version!

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

• GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

• CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Changes

Bug or Regression

• The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. (#​6507, @​inteon)
• The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. (#​6507, @​inteon)
• The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. (#​6507, @​inteon)
• Mitigate potential "Slowloris" attacks by setting ReadHeaderTimeout in all http.Server instances. (#​6538, @​wallrj)
• Upgrade Go modules: otel, docker, and jose to fix CVE alerts. See GHSA-8pgv-569h-w5rw, GHSA-jq35-85cj-fj4p, and GHSA-2c7c-3mj9-8fqh. (#​6514, @​inteon)

Dependencies

Added

Nothing has changed.

Changed

• cloud.google.com/go/firestore: v1.11.0 → v1.12.0
• cloud.google.com/go: v0.110.6 → v0.110.7
• github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
• github.com/go-jose/go-jose/v3: v3.0.0 → v3.0.1
• github.com/go-logr/logr: v1.2.4 → v1.3.0
• github.com/golang/glog: v1.1.0 → v1.1.2
• github.com/google/go-cmp: v0.5.9 → v0.6.0
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel: v1.19.0 → v1.20.0
• go.uber.org/goleak: v1.2.1 → v1.3.0
• golang.org/x/sys: v0.13.0 → v0.14.0
• google.golang.org/genproto/googleapis/api: f966b18 → b8732ec
• google.golang.org/genproto: f966b18 → b8732ec
• google.golang.org/grpc: v1.58.3 → v1.59.0

Removed

Nothing has changed.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.