chore(deps): update all non-major dependencies #459
+646
−524
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.14.5-debian-12-r7
->0.14.9-debian-12-r0
0.14.5-debian-12-r7
->0.14.9-debian-12-r0
14.12.0-debian-12-r15
->14.15.0-debian-12-r5
16.3.0-debian-12-r17
->16.6.0-debian-12-r2
v1.15.1
->v1.16.2
8.0.0
->8.7.1
v2.3.0
->v2.4.0
v2.3.0
->v2.4.0
v1.11.0
->v1.12.0
2.10.2
->2.13.5
0.7.1
->0.9.0
6.3.5
->6.4.2
7.2.6
->7.3.0
1.27.0-alpine
->1.27.3-alpine
7.4.14
->7.4.19
7.2
->7.4
Release Notes
cert-manager/cert-manager (cert-manager)
v1.16.2
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This patch release of cert-manager 1.16 makes several changes to how PEM input is validated, adding maximum sizes appropriate to the type of PEM data which is being parsed.
This is to prevent an unacceptable slow-down in parsing specially crafted PEM data. The issue was found by Google's OSS-Fuzz project.
The issue is low severity; to exploit the PEM issue would require privileged access which would likely allow Denial-of-Service through other methods.
Note also that since most PEM data parsed by cert-manager comes from
ConfigMap
orSecret
resources which have a max size limit of approximately 1MB, it's difficult to force cert-manager to parse large amounts of PEM data.Further information is available in GHSA-r4pg-vg54-wxx4
In addition, the version of Go used to build cert-manager 1.16 was updated along with the base images.
Changes by Kind
Bug or Regression
Other (Cleanup or Flake)
v1.16.1
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
The cert-manager 1.16 release includes: new Helm chart features, more Prometheus metrics, memory optimizations, and various improvements and bug fixes for the ACME issuer and Venafi Issuer.
📖 Read the complete 1.16 release notes before upgrading.
📜Changes since
v1.16.0
Bug or Regression
@inteon
)podDisruptionBudget.minAvailable
andpodDisruptionBudget.maxAvailable
values. (#7345,@inteon
)enabled
to be set as a value to toggle cert-manager as a dependency. (#7356,@inteon
)v1.16.0
caused cert-manager's ACME ClusterIssuer to look in the wrong namespace for resources required for the issuance (e.g. credential Secrets). This is now fixed inv1.16.1
. (#7342,@inteon
)v1.16.0
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
The cert-manager 1.16 release includes: new Helm chart features, more Prometheus metrics, memory optimizations, and various improvements and bug fixes for the ACME issuer and Venafi Issuer.
📖 Read the complete 1.16 release notes at cert-manager.io.
❗ Breaking changes
📖 Read the complete 1.16 release notes at cert-manager.io.
📜 Changes since v1.15.0
📖 Read the complete 1.16 release notes at cert-manager.io.
Feature
SecretRef
support for Venafi TPP issuer CA Bundle (#7036,@sankalp-at-gh
)renewBeforePercentage
alternative torenewBefore
(#6987,@cbroglie
)@wallrj
)@wallrj
)@joshmue
)@mindw
)app.kubernetes.io/managed-by: cert-manager
label to the cert-manager-webhook-ca Secret (#7154,@jrcichra
)@ThatsMrTalbot
)@Jasper-Ben
)@wallrj
)@wallrj
)AWS_REGION
environment variable.Feature: The Route53 DNS solver of the ACME Issuer now uses the "ambient" region (
AWS_REGION
orAWS_DEFAULT_REGION
) ifissuer.spec.acme.solvers.dns01.route53.region
is empty; regardless of the flags--issuer-ambient-credentials
and--cluster-issuer-ambient-credentials
. (#7299,@wallrj
)@inteon
)--controllers
flag only specifies disabled controllers, the default controllers are now enabled implicitly.Added
disableAutoApproval
andapproveSignerNames
Helm chart options. (#7049,@inteon
)config.apiVersion
andconfig.kind
within the Helm chart. (#7126,@ThatsMrTalbot
)@Guitarkalle
)cainjector
, by only caching the metadata of Secret resources.Reduce the load on the K8S API server when
cainjector
starts up, by only listing the metadata of Secret resources. (#7161,@wallrj
)AWS_REGION
andAWS_DEFAULT_REGION
environment variables, which is set by the IAM for Service Accounts (IRSA) webhook and by the Pod Identity webhook.The
issuer.spec.acme.solvers.dns01.route53.region
field is now optional.The API documentation of the
region
field has been updated to explain when and how the region value is used. (#7287,@wallrj
)Breaking: cert-manager will no longer use the API Key authentication method which was deprecated in 20.2 and since removed in 24.1 of TPP. (#7084,
@hawksight
)@aidy
)webhook.extraEnv
, allows you to set custom environment variables in the webhook Pod.Helm: New value
cainjector.extraEnv
, allows you to set custom environment variables in the cainjector Pod.Helm: New value
startupapicheck.extraEnv
, allows you to set custom environment variables in the startupapicheck Pod. (#7319,@wallrj
)Bug or Regression
metadata.finalizers: "finalizer.acme.cert-manager.io": prefer a domain-qualified finalizer name to avoid accidental conflicts with other finalizer writers
(#7273,@jsoref
)aws-global
STS region which is now required by thegithub.com/aws/aws-sdk-go-v2
library. (#7108,@inteon
)@inteon
)@inteon
)@wallrj
)@wallrj
)grpc-go
to fixGHSA-xr7q-jx4m-x55m
(#7164,@SgtCoDFish
)go-retryablehttp
dependency to fixCVE-2024-6104
(#7125,@SgtCoDFish
)@eplightning
)endpointAdditionalProperties
in thePodMonitor
template of the Helm chart (#7190,@wallrj
)@miguelvr
)@bdols
)@inteon
)@inteon
)KeyUsages
X.509 extension is no longer added when there are no key usages set (in accordance to RFC 5280 Section 4.2.1.3) (#7250,@inteon
)github.com/Azure/azure-sdk-for-go/sdk/azidentity
to addressCVE-2024-35255
(#7087,@dependabot[bot]
)Other (Cleanup or Flake)
Removed:
(acme.)cert-manager.io/v1alpha2
(acme.)cert-manager.io/v1alpha3
(acme.)cert-manager.io/v1beta1 (#7278,
@inteon
)v0.31.0
removes a lot of noisyreflector.go: unable to sync list result: internal error: cannot cast object DeletedFinalStateUnknown
errors from logs. (#7237,@inteon
)v1.23.2
(#7324,@cert-manager-bot
)v1.15.4
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This patch release of cert-manager 1.15 makes several changes to how PEM input is validated, adding maximum sizes appropriate to the type of PEM data which is being parsed.
This is to prevent an unacceptable slow-down in parsing specially crafted PEM data. The issue was found by Google's OSS-Fuzz project.
The issue is low severity; to exploit the PEM issue would require privileged access which would likely allow Denial-of-Service through other methods.
Note also that since most PEM data parsed by cert-manager comes from
ConfigMap
orSecret
resources which have a max size limit of approximately 1MB, it's difficult to force cert-manager to parse large amounts of PEM data.Further information is available in GHSA-r4pg-vg54-wxx4
In addition, the version of Go used to build cert-manager 1.15 was updated along with the base images, and a Route53 bug fix was backported.
Changes by Kind
Bug or Regression
Other (Cleanup or Flake)
v1.15.3
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.
📜 Changes since
v1.15.2
Bug or Regression
v1.15.2
Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
🔗 See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.
📜 Changes since
v1.15.1
Bug or Regression
route53
: explicitly set theaws-global
STS region which is now required by thegithub.com/aws/aws-sdk-go-v2
library. (#7189,@cert-manager-bot
)grpc-go
to fixGHSA-xr7q-jx4m-x55m
(#7167,@SgtCoDFish
)@cert-manager-bot
)endpointAdditionalProperties
in thePodMonitor
template of the Helm chart (#7191,@inteon
)HTTPRoute
resources (#7186,@cert-manager-bot
)golang
from1.22.3
to1.22.5
(#7165,@github-actions
)bitnami/charts (external-dns)
v8.7.1
v8.7.0
v8.6.1
v8.6.0
v8.5.1
v8.5.0
v8.4.0
v8.3.12
v8.3.11
v8.3.10
v8.3.9
v8.3.8
v8.3.7
v8.3.6
v8.3.5
v8.3.4
v8.3.3
v8.3.2
v8.3.1
v8.3.0
v8.2.3
v8.2.2
v8.2.1
v8.2.0
v8.1.0
v8.0.2
v8.0.1
fluxcd/flux2 (fluxcd/flux2)
v2.4.0
Compare Source
Highlights
Flux v2.4.0 is a feature release. Users are encouraged to upgrade for the best experience.
For a comprehensive overview of new features and API changes included in this release, please refer to the Announcing Flux 2.4 GA blog post.
This release marks the General Availability (GA) of Flux Bucket API. The
Bucket
v1 API comes with new features including: proxy support, mTLS and custom STS configuration for AWS S3 and MinIO LDAP authentication.The
GitRepository
v1 API gains support for OIDC authentication. Starting with this version, you can authenticate against Azure DevOps repositories using AKS Workload Identity.The
OCIRepository
v1beta2 API gains support for proxy configuration thus allowing dedicated HTTP/S Proxy authentication on multi-tenant Kubernetes clusters.The
HelmRelease
v2 API gains support for disabling JSON schema validation of the Helm release values during installation and upgrade. And allows adopting existing Kubernetes resources during Helm release installation.The Flux controllers are now built with Go 1.23 and their dependencies have been updated to Kubernetes 1.31, Helm 3.16, SOPS 3.9 Cosign 2.4 and Notation 1.2.
❤️ Big thanks to all the Flux contributors that helped us with this release!
Kubernetes compatibility
This release is compatible with the following Kubernetes versions:
v1.29
>= 1.29.0
v1.30
>= 1.30.0
v1.31
>= 1.31.0
OpenShift compatibility
Flux can be installed on Red Hat OpenShift cluster directly from OperatorHub using Flux Operator.
The operator allows the configuration of Flux multi-tenancy lockdown, network policies, persistent storage, sharding, vertical scaling and the synchronization of the cluster state from Git repositories, OCI artifacts and S3-compatible storage.
API changes
Bucket v1
The Bucket kind was promoted from v1beta2 to v1 (GA).
The v1 API is backwards compatible with v1beta2.
New fields:
.spec.proxySecretRef
allows configuring HTTP/S Proxy authentication for the S3-compatible storage service..spec.certSecretRef
allows custom TLS client certificate and CA for secure communication with the S3-compatible storage service..spec.sts
allows custom STS configuration for AWS S3 and MinIO LDAP authentication.GitRepository v1
The GitRepository kind gains new optional fields with no breaking changes.
New fields:
.spec.provider
allows specifying an OIDC provider used for authentication purposes. Currently, only theazure
provider is supported.OCIRepository v1beta2
The OCIRepository kind gains new optional fields with no breaking changes.
New fields:
.spec.proxySecretRef
allows configuring HTTP/S Proxy authentication for the container registry service.HelmRelease v2
The HelmRelease kind gains new optional fields with no breaking changes.
New fields:
.spec.install.disableSchemaValidation
allows disabling the JSON schema validation of the Helm release values during installation..spec.upgrade.disableSchemaValidation
allows disabling the JSON schema validation of the Helm release values during upgrade.Upgrade procedure
Upgrade Flux from
v2.3.0
tov2.4.0
either by rerunning bootstrap or by using the Flux GitHub Action.To upgrade the APIs, make sure the new CRDs and controllers are deployed, and then change the manifests in Git:
apiVersion: source.toolkit.fluxcd.io/v1
in the YAML files that containBucket
definitions.Bumping the APIs version in manifests can be done gradually.
It is advised to not delay this procedure as the deprecated versions will be removed after 6 months.
Components changelog
New Documentation
CLI Changelog
flux create secret
flux create secret proxy
command--proxy-secret-ref
toflux create source
commandsbucket
commands to GA--provider
flag toflux create source git
part-of
label to controllers basemealie-recipes/mealie (ghcr.io/mealie-recipes/mealie)
v1.12.0
: - Image import via OpenAICompare Source
Highlights
What's Changed
New Contributors
Full Changelog: mealie-recipes/mealie@v1.11.0...v1.12.0
paperless-ngx/paperless-ngx (ghcr.io/paperless-ngx/paperless-ngx)
v2.13.5
: Paperless-ngx v2.13.5Compare Source
paperless-ngx 2.13.5
Bug Fixes
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.