Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deps: Update Build Tools #644

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

deps: Update Build Tools #644

wants to merge 1 commit into from
+3 −3

Conversation

renovate-bot
Copy link
Contributor

@renovate-bot renovate-bot commented Dec 2, 2024
edited
Loading

This PR contains the following updates:

Package Update Change Age Adoption Passing Confidence
cert-manager/cert-manager minor v1.15.0 -> v1.16.2 age adoption passing confidence
github.com/elastic/crd-ref-docs minor v0.0.12 -> v0.1.0 age adoption passing confidence
hashicorp/terraform minor v1.8.5 -> v1.10.3 age adoption passing confidence

Release Notes

cert-manager/cert-manager (cert-manager/cert-manager)

v1.16.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release of cert-manager 1.16 makes several changes to how PEM input is validated, adding maximum sizes appropriate to the type of PEM data which is being parsed.

This is to prevent an unacceptable slow-down in parsing specially crafted PEM data. The issue was found by Google's OSS-Fuzz project.

The issue is low severity; to exploit the PEM issue would require privileged access which would likely allow Denial-of-Service through other methods.

Note also that since most PEM data parsed by cert-manager comes from ConfigMap or Secret resources which have a max size limit of approximately 1MB, it's difficult to force cert-manager to parse large amounts of PEM data.

Further information is available in GHSA-r4pg-vg54-wxx4

In addition, the version of Go used to build cert-manager 1.16 was updated along with the base images.

Changes by Kind

Bug or Regression
  • Set a maximum size for PEM inputs which cert-manager will accept to remove possibility of taking a long time to process an input (#​7401, @​SgtCoDFish)
Other (Cleanup or Flake)

v1.16.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

The cert-manager 1.16 release includes: new Helm chart features, more Prometheus metrics, memory optimizations, and various improvements and bug fixes for the ACME issuer and Venafi Issuer.

📖 Read the complete 1.16 release notes before upgrading.

📜Changes since v1.16.0

Bug or Regression
  • BUGFIX: Helm schema validation: the new schema validation was too strict for the "global" section. Since the global section is shared across all charts and sub-charts, we must also allow unknown fields. (#​7348, @inteon)
  • BUGFIX: Helm will now accept percentages for the podDisruptionBudget.minAvailable and podDisruptionBudget.maxAvailable values. (#​7345, @inteon)
  • Helm: allow enabled to be set as a value to toggle cert-manager as a dependency. (#​7356, @inteon)
  • BUGFIX: A change in v1.16.0 caused cert-manager's ACME ClusterIssuer to look in the wrong namespace for resources required for the issuance (e.g. credential Secrets). This is now fixed in v1.16.1. (#​7342, @inteon)

v1.16.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

The cert-manager 1.16 release includes: new Helm chart features, more Prometheus metrics, memory optimizations, and various improvements and bug fixes for the ACME issuer and Venafi Issuer.

📖 Read the complete 1.16 release notes at cert-manager.io.

⚠️ Known issues

  1. Helm Chart: JSON schema prevents the chart being used as a sub-chart on Rancher RKE.
  2. ACME DNS01 ClusterIssuer fail while loading credentials from Secret resources.

❗ Breaking changes

  1. Helm schema validation may reject your existing Helm values files if they contain typos or unrecognized fields.
  2. Venafi Issuer may fail to renew certificates if the requested duration conflicts with the CA’s minimum or maximum policy settings in Venafi.
  3. Venafi Issuer may fail to renew Certificates if the issuer has been configured for TPP with username-password authentication.

📖 Read the complete 1.16 release notes at cert-manager.io.

📜 Changes since v1.15.0

📖 Read the complete 1.16 release notes at cert-manager.io.

Feature
  • Add SecretRef support for Venafi TPP issuer CA Bundle (#​7036, @sankalp-at-gh)
  • Add renewBeforePercentage alternative to renewBefore (#​6987, @cbroglie)
  • Add a metrics server to the cainjector (#​7194, @wallrj)
  • Add a metrics server to the webhook (#​7182, @wallrj)
  • Add client certificate auth method for Vault issuer (#​4330, @joshmue)
  • Add process and go runtime metrics for controller (#​6966, @mindw)
  • Added app.kubernetes.io/managed-by: cert-manager label to the cert-manager-webhook-ca Secret (#​7154, @jrcichra)
  • Allow the user to specify a Pod template when using GatewayAPI HTTP01 solver, this mirrors the behavior when using the Ingress HTTP01 solver. (#​7211, @ThatsMrTalbot)
  • Create token request RBAC for the cert-manager ServiceAccount by default (#​7213, @Jasper-Ben)
  • Feature: Append cert-manager user-agent string to all AWS API requests, including IMDS and STS requests. (#​7295, @wallrj)
  • Feature: Log AWS SDK warnings and API requests at cert-manager debug level to help debug AWS Route53 problems in the field. (#​7292, @wallrj)
  • Feature: The Route53 DNS solver of the ACME Issuer will now use regional STS endpoints computed from the region that is supplied in the Issuer spec or in the AWS_REGION environment variable.
    Feature: The Route53 DNS solver of the ACME Issuer now uses the "ambient" region (AWS_REGION or AWS_DEFAULT_REGION) if issuer.spec.acme.solvers.dns01.route53.region is empty; regardless of the flags --issuer-ambient-credentials and --cluster-issuer-ambient-credentials. (#​7299, @wallrj)
  • Helm: adds JSON schema validation for the Helm values. (#​7069, @inteon)
  • If the --controllers flag only specifies disabled controllers, the default controllers are now enabled implicitly.
    Added disableAutoApproval and approveSignerNames Helm chart options. (#​7049, @inteon)
  • Make it easier to configure cert-manager using Helm by defaulting config.apiVersion and config.kind within the Helm chart. (#​7126, @ThatsMrTalbot)
  • Now passes down specified duration to Venafi client instead of using the CA default only. (#​7104, @Guitarkalle)
  • Reduce the memory usage of cainjector, by only caching the metadata of Secret resources.
    Reduce the load on the K8S API server when cainjector starts up, by only listing the metadata of Secret resources. (#​7161, @wallrj)
  • The Route53 DNS01 solver of the ACME Issuer can now detect the AWS region from the AWS_REGION and AWS_DEFAULT_REGION environment variables, which is set by the IAM for Service Accounts (IRSA) webhook and by the Pod Identity webhook.
    The issuer.spec.acme.solvers.dns01.route53.region field is now optional.
    The API documentation of the region field has been updated to explain when and how the region value is used. (#​7287, @wallrj)
  • Venafi TPP issuer can now be used with a username & password combination with OAuth. Fixes #​4653.
    Breaking: cert-manager will no longer use the API Key authentication method which was deprecated in 20.2 and since removed in 24.1 of TPP. (#​7084, @hawksight)
  • You can now configure the pod security context of HTTP-01 solver pods. (#​5373, @aidy)
  • Helm: New value webhook.extraEnv, allows you to set custom environment variables in the webhook Pod.
    Helm: New value cainjector.extraEnv, allows you to set custom environment variables in the cainjector Pod.
    Helm: New value startupapicheck.extraEnv, allows you to set custom environment variables in the startupapicheck Pod. (#​7319, @wallrj)
Bug or Regression
  • Adds support (behind a flag) to use a domain qualified finalizer. If the feature is enabled (which is not by default), it should prevent Kubernetes from reporting: metadata.finalizers: "finalizer.acme.cert-manager.io": prefer a domain-qualified finalizer name to avoid accidental conflicts with other finalizer writers (#​7273, @jsoref)
  • BUGFIX Route53: explicitly set the aws-global STS region which is now required by the github.com/aws/aws-sdk-go-v2 library. (#​7108, @inteon)
  • BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#​7105, @inteon)
  • BUGFIX: the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. This will cause the webhook TLS server to fail renewing its CA certificate. Please upgrade before the expiration of this CA certificate is reached. (#​7230, @inteon)
  • Bugfix: Prevent aggressive Route53 retries caused by IRSA authentication failures by removing the Amazon Request ID from errors wrapped by the default credential cache. (#​7291, @wallrj)
  • Bugfix: Prevent aggressive Route53 retries caused by STS authentication failures by removing the Amazon Request ID from STS errors. (#​7259, @wallrj)
  • Bump grpc-go to fix GHSA-xr7q-jx4m-x55m (#​7164, @SgtCoDFish)
  • Bump the go-retryablehttp dependency to fix CVE-2024-6104 (#​7125, @SgtCoDFish)
  • Fix Azure DNS causing panics whenever authentication error happens (#​7177, @eplightning)
  • Fix incorrect indentation of endpointAdditionalProperties in the PodMonitor template of the Helm chart (#​7190, @wallrj)
  • Fixes ACME HTTP01 challenge behavior when using Gateway API to prevent unbounded creation of HTTPRoute resources (#​7178, @miguelvr)
  • Handle errors arising from challenges missing from the ACME server (#​7202, @bdols)
  • Helm BUGFIX: the cainjector ConfigMap was not mounted in the cainjector deployment. (#​7052, @inteon)
  • Improve the startupapicheck: validate that the validating and mutating webhooks are doing their job. (#​7057, @inteon)
  • The KeyUsages X.509 extension is no longer added when there are no key usages set (in accordance to RFC 5280 Section 4.2.1.3) (#​7250, @inteon)
  • Update github.com/Azure/azure-sdk-for-go/sdk/azidentity to address CVE-2024-35255 (#​7087, @dependabot[bot])
Other (Cleanup or Flake)
  • Old API versions were removed from the codebase.
    Removed:
    (acme.)cert-manager.io/v1alpha2
    (acme.)cert-manager.io/v1alpha3
    (acme.)cert-manager.io/v1beta1 (#​7278, @inteon)
  • Upgrading to client-go v0.31.0 removes a lot of noisy reflector.go: unable to sync list result: internal error: cannot cast object DeletedFinalStateUnknown errors from logs. (#​7237, @inteon)
  • Bump Go to v1.23.2 (#​7324, @cert-manager-bot)

v1.15.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release of cert-manager 1.15 makes several changes to how PEM input is validated, adding maximum sizes appropriate to the type of PEM data which is being parsed.

This is to prevent an unacceptable slow-down in parsing specially crafted PEM data. The issue was found by Google's OSS-Fuzz project.

The issue is low severity; to exploit the PEM issue would require privileged access which would likely allow Denial-of-Service through other methods.

Note also that since most PEM data parsed by cert-manager comes from ConfigMap or Secret resources which have a max size limit of approximately 1MB, it's difficult to force cert-manager to parse large amounts of PEM data.

Further information is available in GHSA-r4pg-vg54-wxx4

In addition, the version of Go used to build cert-manager 1.15 was updated along with the base images, and a Route53 bug fix was backported.

Changes by Kind

Bug or Regression
  • Bugfix: Prevent aggressive Route53 retries caused by STS authentication failures by removing the Amazon Request ID from STS errors. (#​7261, @​cert-manager-bot)
  • Set a maximum size for PEM inputs which cert-manager will accept to remove possibility of taking a long time to process an input (#​7402, @​SgtCoDFish)
Other (Cleanup or Flake)

v1.15.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.

📜 Changes since v1.15.2

Bug or Regression
  • BUGFIX: the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. This will cause the webhook TLS server to fail renewing its CA certificate. Please upgrade before the expiration of this CA certificate is reached. (#​7232, @​cert-manager-bot)

v1.15.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.

📜 Changes since v1.15.1

Bug or Regression

v1.15.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.

📜 Changes since v1.15.0

Bug or Regression
  • BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#​7111, @​inteon)
Other (Cleanup or Flake)
elastic/crd-ref-docs (github.com/elastic/crd-ref-docs)

v0.1.0

Changelog

hashicorp/terraform (hashicorp/terraform)

v1.10.3

Compare Source

1.10.3 (December 18, 2024)

BUG FIXES:

  • Terraform could panic when encountering an error during plan encoding (#​36212)

v1.10.2

Compare Source

1.10.2 (December 11, 2024)

BUG FIXES:

  • cli: variables in an auto-loaded tfvars file which were overridden during plan incorrectly show as changed during apply [GH-36180]

v1.10.1

Compare Source

1.10.1 (December 4, 2024)

BUG FIXES:

  • cli: Complex variables values set via environment variables were parsed incorrectly during apply (#​36121)
  • config: templatefile would panic if given and entirely unknown map of variables (#​36118)
  • config: templatefile would panic if the variables map contains marked values (#​36127)
  • config: Remove constraint that an expanded resource block must only be used in conjunction with imports using for_each (#​36119)
  • backend/s3: Lock files could not be written to buckets with object locking enabled (#​36120)

v1.10.0

Compare Source

1.10.0 (November 27, 2024)

NEW FEATURES:

  • Ephemeral resources: Ephemeral resources are read anew during each phase of Terraform evaluation, and cannot be persisted to state storage. Ephemeral resources always produce ephemeral values.
  • Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
    • ephemeralasnull function: a function takes a value of any type and returns a similar value of the same type with any ephemeral values replaced with non-ephemeral null values and all non-ephemeral values preserved.

BUG FIXES:

  • The secret_suffix in the kubernetes backend now includes validation to prevent errors when the secret_suffix ends with a number (#​35666).
  • The error message for an invalid default value for an input variable now indicates when the problem is with a nested value in a complex data type. (#​35465)
  • Sensitive marks could be incorrectly transferred to nested resource values, causing erroneous changes during a plan (#​35501)
  • Allow unknown error_message values to pass the core validate step, so variable validation can be completed later during plan
    (#​35537)
  • Unencoded slashes within GitHub module source refs were being truncated and incorrectly used as subdirectories in the request path (#​35552)
  • Terraform refresh-only plans with output only changes are now applyable. (#​35812)
  • Postconditions referencing self with many instances could encounter an error during evaluation (#​35895)
  • The plantimestamp() function would return an invalid date during validation (#​35902)
  • Updates to resources which were forced to use create_before_destroy could lose that flag in the state temporarily and cause cycles if immediately removed from the configuration (#​35966)
  • backend/cloud: Prefer KV tags, even when tags are defined as set (#​35937)
  • Simplify config generation (plan -generate-config-out) for string attributes that contain primitive types (e.g. numbers or booleans) (#​35984)
  • config: issensitive could incorrectly assert that an unknown value was not sensitive during plan, but later became sensitive during apply, causing failures where changes did not match the planned result (#​36012)
  • config: The evaluation of conditional expressions and for expression in HCL could lose marks with certain combinations of unknown values (#​36017)

ENHANCEMENTS:

  • The element function now accepts negative indices (#​35501)
  • Import block validation has been improved to provide more useful errors and catch more invalid cases during terraform validate (#​35543)
  • Performance enhancements for resource evaluation, especially when large numbers of resource instances are involved (#​35558)
  • The plan, apply, and refresh commands now produce a deprecated warning when using the -state flag. Instead use the path attribute within the local backend to modify the state file. (#​35660)
  • backend/cos: Add new auth for Tencent Cloud backend (#​35888)

UPGRADE NOTES:

  • backend/s3: Removes deprecated attributes for assuming IAM role. Must use the assume_role block (#​35721)
  • backend/s3: The s3 backend now supports S3 native state locking. When used with DynamoDB-based locking, locks will be acquired from both sources. In a future minor release of Terraform the DynamoDB locking mechanism and associated arguments will be deprecated. (#​35661)
  • moved: Moved blocks now respect reserved keywords when parsing resource addresses. Configurations that reference resources with type names that match top level blocks and keywords from moved blocks will need to prepend the resource. identifier to these references. (#​35850)
  • config: In order to ensure consistency in results from HCL conditional expressions, marks must be combined from all values within the expression to avoid losing mark information. This typically improves accuracy when validating configuration, but users may see sensitive results where they were lost previously.

Previous Releases

For information on prior major and minor releases, refer to their changelogs:

v1.9.8

Compare Source

1.9.8 (October 16, 2024)

BUG FIXES:

  • init: Highlight missing subdirectories of registry modules in error message (#​35848)
  • init: Prevent crash when loading provider_meta blocks with invalid names (#​35842)
  • config generation: Escape all invalid syntax in generate map keys with quotes (#​35837)
  • plan: also validate provider requirements from state (#​35864)

v1.9.7

Compare Source

1.9.7 (October 2, 2024)

BUG FIXES:

  • config generation: escape map keys with whitespaces (#​35754)

v1.9.6

Compare Source

1.9.6 (September 18, 2024)

BUG FIXES:

  • plan renderer: Render complete changes within unknown nested blocks. (#​35644)
  • plan renderer: Fix crash when attempting to render unknown nested blocks that contain attributes forcing resource replacement. (#​35644)
  • plan renderer: Fix crash when rendering a plan that contains null attributes being update to unknown values. (#​35709)

v1.9.5

Compare Source

1.9.5 (August 20, 2024)

ENHANCEMENTS:

  • cloud: The cloud block can now interact with workspaces that have HCP resource IDs. (#​35495)

BUG FIXES:

  • core: removed blocks with provisioners were not executed when the resource was in a nested module. (#​35611)

v1.9.4

Compare Source

1.9.4 (August 7, 2024)

BUG FIXES:

  • core: Unneeded variable validations were being executed during a destroy plan, which could cause plans starting with incomplete state to fail. (#​35511)
  • init: Don't crash when discovering invalid syntax in duplicate required_providers blocks. (#​35533)

v1.9.3

Compare Source

1.9.3 (July 24, 2024)

ENHANCEMENTS:

  • Terraform now returns a more specific error message in the awkward situation where an input variable validation rule is known to have failed (condition returned false) but the error message is derived from an unknown value. (#​35400)

BUG FIXES:

  • core: Terraform no longer performs an unnecessary refresh when removing an instance targeted by a removed block. (#​35458)
  • config generation: Fix validation error when using nested computed or deprecated attributes. (#​35484)
  • Updated to newer github.com/hashicorp/go-retryablehttp version, addressing CVE-2024-6104, and bringing in updates for several indirect dependencies. (#​35473)
  • Moved to building with Go 1.22.5, which addresses CVE-2024-24791 and several other non-security bugs. (#​35494)

v1.9.2

Compare Source

1.9.2 (July 10, 2024)

BUG FIXES:

  • core: Fix panic when self-referencing direct instances from count and for_each meta attributes. (#​35432)

v1.9.1

Compare Source

v1.9.0

Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested a review from a team as a code owner December 2, 2024 22:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@hessjcg hessjcg

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@renovate-bot @hessjcg