Update dependency cert-manager/cert-manager to v1.13.3 #52
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.12.2
->v1.13.3
Release Notes
cert-manager/cert-manager (cert-manager/cert-manager)
v1.13.3
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:
GO-2023-2334
: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:
CVE-2023-47108
: DoS vulnerability inotelgrpc
due to unbound cardinality metrics.An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.
Changes
Bug or Regression
>= 3MiB
. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. (#6507, @inteon)ReadHeaderTimeout
in allhttp.Server
instances. (#6538, @wallrj)otel
,docker
, andjose
to fix CVE alerts. See GHSA-8pgv-569h-w5rw, GHSA-jq35-85cj-fj4p, and GHSA-2c7c-3mj9-8fqh. (#6514, @inteon)Dependencies
Added
Nothing has changed.
Changed
cloud.google.com/go/firestore
:v1.11.0 → v1.12.0
cloud.google.com/go
:v0.110.6 → v0.110.7
github.com/felixge/httpsnoop
:v1.0.3 → v1.0.4
github.com/go-jose/go-jose/v3
:v3.0.0 → v3.0.1
github.com/go-logr/logr
:v1.2.4 → v1.3.0
github.com/golang/glog
:v1.1.0 → v1.1.2
github.com/google/go-cmp
:v0.5.9 → v0.6.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
:v0.45.0 → v0.46.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
:v0.44.0 → v0.46.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/metric
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/sdk
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/trace
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel
:v1.19.0 → v1.20.0
go.uber.org/goleak
:v1.2.1 → v1.3.0
golang.org/x/sys
:v0.13.0 → v0.14.0
google.golang.org/genproto/googleapis/api
:f966b18 → b8732ec
google.golang.org/genproto
:f966b18 → b8732ec
google.golang.org/grpc
:v1.58.3 → v1.59.0
Removed
Nothing has changed.
v1.13.2
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.13.2 fixes some CVE alerts and contains fixes for:
Changes since v1.13.1
Bug or Regression
WebSDK CertRequest Module Requested Certificate
orThis certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.
. (#6402, @maelvls)Other (Cleanup or Flake)
v1.13.1
Compare Source
v1.13.1 contains a bugfix for a name collision bug in the StableCertificateRequestName feature that was enabled by default in v1.13.0.
Changes since v1.13.0
Bug or Regression
Other (Cleanup or Flake)
github.com/emicklei/go-restful/v3
tov3.11.0
becausev3.10.2
is labeled as "DO NOT USE". (#6368, @inteon)v1.13.0
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This is the 1.13 release of cert-manager!
cert-manager 1.13 brings support for DNS over HTTPS, support for loading options from a versioned
config file for the cert-manager controller, and more. This release also includes the promotion of
the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta.
Known issues
The
StableCertificateRequestName
that was promoted to Beta contains a "name collision" bug: https://github.com/cert-manager/cert-manager/issues/6342This will be fixed in v1.13.1.
Breaking Changes (You MUST read this before you upgrade!)
.featureGates
value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Usewebhook.featureGates
field instead to define features to be enabled on webhook. (#6093, @irbekrm)--feature-gates
flag, this will now break (unless the webhook actually has a feature by that name). (#6093, @irbekrm)Community
Welcome to these new cert-manager members (more info - https://github.com/cert-manager/cert-manager/pull/6260):
@jsoref
@FlorianLiebhart
@hawksight
@erikgb
Thanks again to all open-source contributors with commits in this release, including:
@AcidLeroy
@FlorianLiebhart
@lucacome
@cypres
@erikgb
@ubergesundheit
@jkroepke
@jsoref
@gdvalle
@rouke-broersma
@schrodit
@zhangzhiqiangcs
@arukiidou
@hawksight
@Richardds
@kahirokunn
Thanks also to the following cert-manager maintainers for their contributions during this release:
@SgtCoDFish
@maelvls
@irbekrm
@inteon
Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings!
Special thanks to @AcidLeroy for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see https://github.com/cert-manager/cert-manager/pull/5337)
Also, thanks a lot to @FlorianLiebhart for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see https://github.com/cert-manager/cert-manager/pull/5003)
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.
Changes since v1.12.0
Feature
cluster-reader
aggregated cluster role (#6241, @erikgb)enableServiceLinks
configurable for all Deployments andstartupapicheck
Job in Helm chart. (#6292, @ubergesundheit)Design
The DNS check method to be used is controlled through the command line flag:
--dns01-recursive-nameservers-only=true
in combination with--dns01-recursive-nameservers=https://<DoH-endpoint>
(e.g.https://8.8.8.8/dns-query
). It keeps using DNS lookup as a default method. (#5003, @FlorianLiebhart)Bug or Regression
cmctl check api --wait 0
exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code (#6109, @inteon).featureGates
value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Usewebhook.featureGates
field instead to define features to be enabled on webhook.--feature-gates
flag, this will now break (unless the webhook actually has a feature by that name). (#6093, @irbekrm)net.IP.String()
function would have printed that address. (#6293, @SgtCoDFish)enableServiceLinks
option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. (#6143, @schrodit)Other (Cleanup or Flake)
cert-manager.io/common-name
,cert-manager.io/alt-names
, ... annotations on Secrets are kept at their correct value. (#6176, @inteon)v0.27.2
. (#6077, @lucacome)v0.27.4
. (#6227, @lucacome)v1.12.7
Compare Source
This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:
GO-2023-2382
: Denial of service via chunk extensions innet/http
If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:
CVE-2023-47108
: DoS vulnerability inotelgrpc
due to unbound cardinality metrics.An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks,
and these are included in this patch release.
Changes
Feature
1.20.12
(#6543, @wallrj).Bug or Regression
>= 3MiB
. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory (#6506, @inteon).ReadHeaderTimeout
in allhttp.Server
instances (#6539, @wallrj).otel
anddocker
to fix:CVE-2023-47108
andGHSA-jq35-85cj-fj4p
(#6513, @inteon).Dependencies
Added
cloud.google.com/go/dataproc/v2
:v2.0.1
Changed
cloud.google.com/go/aiplatform
:v1.45.0 → v1.48.0
cloud.google.com/go/analytics
:v0.21.2 → v0.21.3
cloud.google.com/go/baremetalsolution
:v0.5.0 → v1.1.1
cloud.google.com/go/batch
:v0.7.0 → v1.3.1
cloud.google.com/go/beyondcorp
:v0.6.1 → v1.0.0
cloud.google.com/go/bigquery
:v1.52.0 → v1.53.0
cloud.google.com/go/cloudbuild
:v1.10.1 → v1.13.0
cloud.google.com/go/cloudtasks
:v1.11.1 → v1.12.1
cloud.google.com/go/compute
:v1.21.0 → v1.23.0
cloud.google.com/go/contactcenterinsights
:v1.9.1 → v1.10.0
cloud.google.com/go/container
:v1.22.1 → v1.24.0
cloud.google.com/go/datacatalog
:v1.14.1 → v1.16.0
cloud.google.com/go/dataplex
:v1.8.1 → v1.9.0
cloud.google.com/go/datastore
:v1.12.1 → v1.13.0
cloud.google.com/go/datastream
:v1.9.1 → v1.10.0
cloud.google.com/go/deploy
:v1.11.0 → v1.13.0
cloud.google.com/go/dialogflow
:v1.38.0 → v1.40.0
cloud.google.com/go/documentai
:v1.20.0 → v1.22.0
cloud.google.com/go/eventarc
:v1.12.1 → v1.13.0
cloud.google.com/go/firestore
:v1.11.0 → v1.12.0
cloud.google.com/go/gkebackup
:v0.4.0 → v1.3.0
cloud.google.com/go/gkemulticloud
:v0.6.1 → v1.0.0
cloud.google.com/go/kms
:v1.12.1 → v1.15.0
cloud.google.com/go/maps
:v0.7.0 → v1.4.0
cloud.google.com/go/metastore
:v1.11.1 → v1.12.0
cloud.google.com/go/policytroubleshooter
:v1.7.1 → v1.8.0
cloud.google.com/go/pubsub
:v1.32.0 → v1.33.0
cloud.google.com/go/run
:v0.9.0 → v1.2.0
cloud.google.com/go/servicedirectory
:v1.10.1 → v1.11.0
cloud.google.com/go/speech
:v1.17.1 → v1.19.0
cloud.google.com/go/translate
:v1.8.1 → v1.8.2
cloud.google.com/go/video
:v1.17.1 → v1.19.0
cloud.google.com/go/vmwareengine
:v0.4.1 → v1.0.0
cloud.google.com/go
:v0.110.4 → v0.110.7
github.com/felixge/httpsnoop
:v1.0.3 → v1.0.4
github.com/go-logr/logr
:v1.2.4 → v1.3.0
github.com/golang/glog
:v1.1.0 → v1.1.2
github.com/google/go-cmp
:v0.5.9 → v0.6.0
github.com/google/uuid
:v1.3.0 → v1.3.1
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
:v0.45.0 → v0.46.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
:v0.44.0 → v0.46.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/metric
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/sdk
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/trace
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel
:v1.19.0 → v1.20.0
go.uber.org/goleak
:v1.2.1 → v1.3.0
golang.org/x/oauth2
:v0.10.0 → v0.11.0
golang.org/x/sys
:v0.13.0 → v0.14.0
google.golang.org/genproto/googleapis/api
:782d3b1 → b8732ec
google.golang.org/genproto/googleapis/rpc
:782d3b1 → b8732ec
google.golang.org/genproto
:782d3b1 → b8732ec
google.golang.org/grpc
:v1.58.3 → v1.59.0
Removed
cloud.google.com/go/dataproc
:v1.12.0
v1.12.6
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.6 fixes some CVE alerts and a Venafi issuer bug.
Changes since v1.12.5
Bug or Regression
WebSDK CertRequest Module Requested Certificate
orThis certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.
. (#6401, @maelvls)Other (Cleanup or Flake)
Known bugs
If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate a MANY CertificateRequests, possibly causing high CPU usage and/ or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406).
This problem was resolved in v1.13.2, but the fix cannot be backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to v1.13.2.
v1.12.5
Compare Source
v1.12.5 contains a backport for a name collision bug that was found in v1.13.0
Changes since v1.12.4
Bug or Regression
Other (Cleanup or Flake)
v1.12.4
Compare Source
v1.12.4 contains an important security fix that addresses CVE-2023-29409.
Changes since v1.12.3
e compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's
net.IP.Str ing()
function would have printed that address. (#6297, @SgtCoDFish)crypto/tls
library. (#6318, @maelvls)v1.12.3
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.3 contains a bug fix for the cainjector which addresses a memory leak!
Changes by Kind
Bugfixes
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.