chore(deps): update chart cert-manager v1.15.3 → v1.16.1 by renovate (#27723)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cert-manager](https://cert-manager.io)
([source](https://redirect.github.com/cert-manager/cert-manager)) |
minor | `v1.15.3` -> `v1.16.1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>cert-manager/cert-manager (cert-manager)</summary>

###
[`v1.16.1`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.16.1)

[Compare
Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.16.0...v1.16.1)

cert-manager is the easiest way to automatically manage certificates in
Kubernetes and OpenShift clusters.

The cert-manager 1.16 release includes: new Helm chart features, more
Prometheus metrics, memory optimizations, and various improvements and
bug fixes for the ACME issuer and Venafi Issuer.

📖 Read the [complete 1.16 release
notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.16)
before upgrading.

#### 📜Changes since `v1.16.0`

##### Bug or Regression

- BUGFIX: Helm schema validation: the new schema validation was too
strict for the "global" section. Since the global section is shared
across all charts and sub-charts, we must also allow unknown fields.
([#&#8203;7348](https://redirect.github.com/cert-manager/cert-manager/pull/7348),
[`@inteon`](https://redirect.github.com/inteon))
- BUGFIX: Helm will now accept percentages for the
`podDisruptionBudget.minAvailable` and
`podDisruptionBudget.maxAvailable` values.
([#&#8203;7345](https://redirect.github.com/cert-manager/cert-manager/pull/7345),
[`@inteon`](https://redirect.github.com/inteon))
- Helm: allow `enabled` to be set as a value to toggle cert-manager as a
dependency.
([#&#8203;7356](https://redirect.github.com/cert-manager/cert-manager/pull/7356),
[`@inteon`](https://redirect.github.com/inteon))
- BUGFIX: A change in `v1.16.0` caused cert-manager's ACME ClusterIssuer
to look in the wrong namespace for resources required for the issuance
(e.g. credential Secrets). This is now fixed in `v1.16.1`.
([#&#8203;7342](https://redirect.github.com/cert-manager/cert-manager/pull/7342),
[`@inteon`](https://redirect.github.com/inteon))

###
[`v1.16.0`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.16.0)

[Compare
Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.15.3...v1.16.0)

cert-manager is the easiest way to automatically manage certificates in
Kubernetes and OpenShift clusters.

The cert-manager 1.16 release includes: new Helm chart features, more
Prometheus metrics, memory optimizations, and various improvements and
bug fixes for the ACME issuer and Venafi Issuer.

📖 Read the [complete 1.16 release
notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.16)
at cert-manager.io.

#### ⚠️ Known issues

1. [Helm Chart: JSON schema prevents the chart being used as a sub-chart
on Rancher
RKE](https://redirect.github.com/cert-manager/cert-manager/issues/7329).
2. [ACME DNS01 **ClusterIssuer** fail while loading credentials from
Secret
resources](https://redirect.github.com/cert-manager/cert-manager/issues/7331).

####  Breaking changes

1. Helm schema validation may reject your existing Helm values files if
they contain typos or unrecognized fields.
2. Venafi Issuer may fail to renew certificates if the requested
duration conflicts with the CA’s minimum or maximum policy settings in
Venafi.
3. Venafi Issuer may fail to renew Certificates if the issuer has been
configured for TPP with username-password authentication.

📖 Read the [complete 1.16 release
notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.16)
at cert-manager.io.

#### 📜 Changes since v1.15.0

📖 Read the [complete 1.16 release
notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.16)
at cert-manager.io.

##### Feature

- Add `SecretRef` support for Venafi TPP issuer CA Bundle
([#&#8203;7036](https://redirect.github.com/cert-manager/cert-manager/pull/7036),
[`@sankalp-at-gh`](https://redirect.github.com/sankalp-at-gh))
- Add `renewBeforePercentage` alternative to `renewBefore`
([#&#8203;6987](https://redirect.github.com/cert-manager/cert-manager/pull/6987),
[`@cbroglie`](https://redirect.github.com/cbroglie))
- Add a metrics server to the cainjector
([#&#8203;7194](https://redirect.github.com/cert-manager/cert-manager/pull/7194),
[`@wallrj`](https://redirect.github.com/wallrj))
- Add a metrics server to the webhook
([#&#8203;7182](https://redirect.github.com/cert-manager/cert-manager/pull/7182),
[`@wallrj`](https://redirect.github.com/wallrj))
- Add client certificate auth method for Vault issuer
([#&#8203;4330](https://redirect.github.com/cert-manager/cert-manager/pull/4330),
[`@joshmue`](https://redirect.github.com/joshmue))
- Add process and go runtime metrics for controller
([#&#8203;6966](https://redirect.github.com/cert-manager/cert-manager/pull/6966),
[`@mindw`](https://redirect.github.com/mindw))
- Added `app.kubernetes.io/managed-by: cert-manager` label to the
cert-manager-webhook-ca Secret
([#&#8203;7154](https://redirect.github.com/cert-manager/cert-manager/pull/7154),
[`@jrcichra`](https://redirect.github.com/jrcichra))
- Allow the user to specify a Pod template when using GatewayAPI HTTP01
solver, this mirrors the behavior when using the Ingress HTTP01 solver.
([#&#8203;7211](https://redirect.github.com/cert-manager/cert-manager/pull/7211),
[`@ThatsMrTalbot`](https://redirect.github.com/ThatsMrTalbot))
- Create token request RBAC for the cert-manager ServiceAccount by
default
([#&#8203;7213](https://redirect.github.com/cert-manager/cert-manager/pull/7213),
[`@Jasper-Ben`](https://redirect.github.com/Jasper-Ben))
- Feature: Append cert-manager user-agent string to all AWS API
requests, including IMDS and STS requests.
([#&#8203;7295](https://redirect.github.com/cert-manager/cert-manager/pull/7295),
[`@wallrj`](https://redirect.github.com/wallrj))
- Feature: Log AWS SDK warnings and API requests at cert-manager debug
level to help debug AWS Route53 problems in the field.
([#&#8203;7292](https://redirect.github.com/cert-manager/cert-manager/pull/7292),
[`@wallrj`](https://redirect.github.com/wallrj))
- Feature: The Route53 DNS solver of the ACME Issuer will now use
regional STS endpoints computed from the region that is supplied in the
Issuer spec or in the `AWS_REGION` environment variable.
Feature: The Route53 DNS solver of the ACME Issuer now uses the
"ambient" region (`AWS_REGION` or `AWS_DEFAULT_REGION`) if
`issuer.spec.acme.solvers.dns01.route53.region` is empty; regardless of
the flags `--issuer-ambient-credentials` and
`--cluster-issuer-ambient-credentials`.
([#&#8203;7299](https://redirect.github.com/cert-manager/cert-manager/pull/7299),
[`@wallrj`](https://redirect.github.com/wallrj))
- Helm: adds JSON schema validation for the Helm values.
([#&#8203;7069](https://redirect.github.com/cert-manager/cert-manager/pull/7069),
[`@inteon`](https://redirect.github.com/inteon))
- If the `--controllers` flag only specifies disabled controllers, the
default controllers are now enabled implicitly.
Added `disableAutoApproval` and `approveSignerNames` Helm chart options.
([#&#8203;7049](https://redirect.github.com/cert-manager/cert-manager/pull/7049),
[`@inteon`](https://redirect.github.com/inteon))
- Make it easier to configure cert-manager using Helm by defaulting
`config.apiVersion` and `config.kind` within the Helm chart.
([#&#8203;7126](https://redirect.github.com/cert-manager/cert-manager/pull/7126),
[`@ThatsMrTalbot`](https://redirect.github.com/ThatsMrTalbot))
- Now passes down specified duration to Venafi client instead of using
the CA default only.
([#&#8203;7104](https://redirect.github.com/cert-manager/cert-manager/pull/7104),
[`@Guitarkalle`](https://redirect.github.com/Guitarkalle))
- Reduce the memory usage of `cainjector`, by only caching the metadata
of Secret resources.
Reduce the load on the K8S API server when `cainjector` starts up, by
only listing the metadata of Secret resources.
([#&#8203;7161](https://redirect.github.com/cert-manager/cert-manager/pull/7161),
[`@wallrj`](https://redirect.github.com/wallrj))
- The Route53 DNS01 solver of the ACME Issuer can now detect the AWS
region from the `AWS_REGION` and `AWS_DEFAULT_REGION` environment
variables, which is set by the IAM for Service Accounts (IRSA) webhook
and by the Pod Identity webhook.
The `issuer.spec.acme.solvers.dns01.route53.region` field is now
optional.
The API documentation of the `region` field has been updated to explain
when and how the region value is used.
([#&#8203;7287](https://redirect.github.com/cert-manager/cert-manager/pull/7287),
[`@wallrj`](https://redirect.github.com/wallrj))
- Venafi TPP issuer can now be used with a username & password
combination with OAuth. Fixes
[#&#8203;4653](https://redirect.github.com/cert-manager/cert-manager/issues/4653).
Breaking: cert-manager will no longer use the API Key authentication
method which was deprecated in 20.2 and since removed in 24.1 of TPP.
([#&#8203;7084](https://redirect.github.com/cert-manager/cert-manager/pull/7084),
[`@hawksight`](https://redirect.github.com/hawksight))
- You can now configure the pod security context of HTTP-01 solver pods.
([#&#8203;5373](https://redirect.github.com/cert-manager/cert-manager/pull/5373),
[`@aidy`](https://redirect.github.com/aidy))
- Helm: New value `webhook.extraEnv`, allows you to set custom
environment variables in the webhook Pod.
Helm: New value `cainjector.extraEnv`, allows you to set custom
environment variables in the cainjector Pod.
Helm: New value `startupapicheck.extraEnv`, allows you to set custom
environment variables in the startupapicheck Pod.
([#&#8203;7319](https://redirect.github.com/cert-manager/cert-manager/pull/7319),
[`@wallrj`](https://redirect.github.com/wallrj))

##### Bug or Regression

- Adds support (behind a flag) to use a domain qualified finalizer. If
the feature is enabled (which is not by default), it should prevent
Kubernetes from reporting: `metadata.finalizers:
"finalizer.acme.cert-manager.io": prefer a domain-qualified finalizer
name to avoid accidental conflicts with other finalizer writers`
([#&#8203;7273](https://redirect.github.com/cert-manager/cert-manager/pull/7273),
[`@jsoref`](https://redirect.github.com/jsoref))
- BUGFIX Route53: explicitly set the `aws-global` STS region which is
now required by the `github.com/aws/aws-sdk-go-v2` library.
([#&#8203;7108](https://redirect.github.com/cert-manager/cert-manager/pull/7108),
[`@inteon`](https://redirect.github.com/inteon))
- BUGFIX: fix issue that caused Vault issuer to not retry signing when
an error was encountered.
([#&#8203;7105](https://redirect.github.com/cert-manager/cert-manager/pull/7105),
[`@inteon`](https://redirect.github.com/inteon))
- BUGFIX: the dynamic certificate source used by the webhook TLS server
failed to detect a root CA approaching expiration, due to a calculation
error. This will cause the webhook TLS server to fail renewing its CA
certificate. Please upgrade before the expiration of this CA certificate
is reached.
([#&#8203;7230](https://redirect.github.com/cert-manager/cert-manager/pull/7230),
[`@inteon`](https://redirect.github.com/inteon))
- Bugfix: Prevent aggressive Route53 retries caused by IRSA
authentication failures by removing the Amazon Request ID from errors
wrapped by the default credential cache.
([#&#8203;7291](https://redirect.github.com/cert-manager/cert-manager/pull/7291),
[`@wallrj`](https://redirect.github.com/wallrj))
- Bugfix: Prevent aggressive Route53 retries caused by STS
authentication failures by removing the Amazon Request ID from STS
errors.
([#&#8203;7259](https://redirect.github.com/cert-manager/cert-manager/pull/7259),
[`@wallrj`](https://redirect.github.com/wallrj))
- Bump `grpc-go` to fix `GHSA-xr7q-jx4m-x55m`
([#&#8203;7164](https://redirect.github.com/cert-manager/cert-manager/pull/7164),
[`@SgtCoDFish`](https://redirect.github.com/SgtCoDFish))
- Bump the `go-retryablehttp` dependency to fix `CVE-2024-6104`
([#&#8203;7125](https://redirect.github.com/cert-manager/cert-manager/pull/7125),
[`@SgtCoDFish`](https://redirect.github.com/SgtCoDFish))
- Fix Azure DNS causing panics whenever authentication error happens
([#&#8203;7177](https://redirect.github.com/cert-manager/cert-manager/pull/7177),
[`@eplightning`](https://redirect.github.com/eplightning))
- Fix incorrect indentation of `endpointAdditionalProperties` in the
`PodMonitor` template of the Helm chart
([#&#8203;7190](https://redirect.github.com/cert-manager/cert-manager/pull/7190),
[`@wallrj`](https://redirect.github.com/wallrj))
- Fixes ACME HTTP01 challenge behavior when using Gateway API to prevent
unbounded creation of HTTPRoute resources
([#&#8203;7178](https://redirect.github.com/cert-manager/cert-manager/pull/7178),
[`@miguelvr`](https://redirect.github.com/miguelvr))
- Handle errors arising from challenges missing from the ACME server
([#&#8203;7202](https://redirect.github.com/cert-manager/cert-manager/pull/7202),
[`@bdols`](https://redirect.github.com/bdols))
- Helm BUGFIX: the cainjector ConfigMap was not mounted in the
cainjector deployment.
([#&#8203;7052](https://redirect.github.com/cert-manager/cert-manager/pull/7052),
[`@inteon`](https://redirect.github.com/inteon))
- Improve the startupapicheck: validate that the validating and mutating
webhooks are doing their job.
([#&#8203;7057](https://redirect.github.com/cert-manager/cert-manager/pull/7057),
[`@inteon`](https://redirect.github.com/inteon))
- The `KeyUsages` X.509 extension is no longer added when there are no
key usages set (in accordance to RFC 5280 Section 4.2.1.3)
([#&#8203;7250](https://redirect.github.com/cert-manager/cert-manager/pull/7250),
[`@inteon`](https://redirect.github.com/inteon))
- Update `github.com/Azure/azure-sdk-for-go/sdk/azidentity` to address
`CVE-2024-35255`
([#&#8203;7087](https://redirect.github.com/cert-manager/cert-manager/pull/7087),
[`@dependabot[bot]`](https://redirect.github.com/apps/dependabot))

##### Other (Cleanup or Flake)

-   Old API versions were removed from the codebase.
    Removed:
    (acme.)cert-manager.io/v1alpha2
    (acme.)cert-manager.io/v1alpha3
(acme.)cert-manager.io/v1beta1
([#&#8203;7278](https://redirect.github.com/cert-manager/cert-manager/pull/7278),
[`@inteon`](https://redirect.github.com/inteon))
- Upgrading to client-go `v0.31.0` removes a lot of noisy `reflector.go:
unable to sync list result: internal error: cannot cast object
DeletedFinalStateUnknown` errors from logs.
([#&#8203;7237](https://redirect.github.com/cert-manager/cert-manager/pull/7237),
[`@inteon`](https://redirect.github.com/inteon))
- Bump Go to `v1.23.2`
([#&#8203;7324](https://redirect.github.com/cert-manager/cert-manager/pull/7324),
[`@cert-manager-bot`](https://redirect.github.com/cert-manager-bot))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xMjQuMCIsInVwZGF0ZWRJblZlciI6IjM4LjEyNC4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbInJlbm92YXRlL2hlbG0iLCJ0eXBlL21pbm9yIl19-->

---------

Signed-off-by: alfi0812 <43101280+alfi0812@users.noreply.github.com>
Co-authored-by: alfi0812 <43101280+alfi0812@users.noreply.github.com>
This commit is contained in:
TrueCharts Bot
2024-10-15 22:02:19 +02:00
committed by GitHub
parent 5b895ebebc
commit d7a7e3a6f0

View File

@@ -16,7 +16,7 @@ dependencies:
tags: []
import-values: []
- name: cert-manager
version: v1.15.3
version: v1.16.1
repository: https://charts.jetstack.io
condition: ""
alias: certmanager
@@ -42,4 +42,4 @@ sources:
- https://github.com/truecharts/charts/tree/master/charts/system/cert-manager
- https://github.com/truecharts/containers/tree/master/apps/scratch
type: application
version: 6.2.0
version: 6.2.1