chore(deps): update helm chart cert-manager to v1.6.3 [ci-skip]

[renovate]

This PR contains the following updates:

Package	Update	Change
cert-manager	patch	v1.6.0 -> v1.6.3

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

---

Release Notes

cert-manager/cert-manager

v1.6.3

Compare Source

v1.6.3 Release Notes

1.6.3 is a minor release rebuilding cert-manager 1.6 using the latest version of Go. This eliminates a few security vulnerabilities which have accumulated in Go since the last release.

We don't believe any of those vulnerabilities were practically exploitable or relevant to cert-manager, but we decided to rebuild to keep up to date anyway.

Changelog since cert-manager 1.6.2

Bug or Regression

• Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#​4975, @​vhosakot)
• Fixes an expired hardcoded certificate which broke unit tests (#​4977, @​SgtCoDFish @​jakexks)

v1.6.2

Compare Source

In 1.6.2, we have reverted a change present in 1.6.0 and 1.6.1 that caused a regression in the ACME Issuer. In 1.6.0 and 1.6.1, the Ingress created by cert-manager while solving an HTTP-01 challenge contained the kubernetes.io/ingress.class annotation:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio # The `class` present on the Issuer.

After 1.5, the Ingress does not contain the annotation anymore. Instead, cert-manager uses the ingressClassName field:

apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
  ingressClassName: istio # 🔥 Breaking change!

This broke many users that either don't use an Ingress controller that supports the field (such as ingress-gce and Azure AGIC), as well as people who did not need to create an IngressClass previously (such as with Istio and Traefik).

The regression is present in cert-manager 1.5.4, 1.6.0, and 1.6.1. It is only present on Kubernetes 1.19+ and only appears when using an Issuer or ClusterIssuer with an ACME HTTP-01 solver configured.

In 1.6.2, we have restored the original behavior which is to use the annotation. This patch is also available in 1.5.5 and in 1.7.0.

Most people won't have any trouble upgrading from 1.6.0 or 1.6.1 to 1.6.2. If you are using Gloo, Contour, Skipper, or kube-ingress-aws-controller, you shouldn't have any issues. If you use the default "class" (e.g., istio for Istio) for Traefik, Istio, Ambassador, or ingress-nginx, then these should also continue to work without issue.

If you are using Traefik, Istio, Ambassador, or ingress-nginx and you are using a non-default value for the class (e.g., istio-internal), or if you experience any issues with your HTTP-01 challenges please read the notes on Ingress v1 compatibility.

Changelog since v1.6.1

Bug or Regression

• The HTTP-01 ACME solver now uses the kubernetes.io/ingress.class annotation instead of the spec.ingressClassName in created Ingress resources. (#​4785, @​jetstack-bot)

Other (Cleanup or Flake)

• cert-manager now does one call to the ACME API instead of two when an Order fails. This fix is part of the effort towards mitigating the high load that cert-manager deployments have on the Let's Encrypt API (#​4619, @​irbekrm)
• Bump base images to latest versions (#​4707, @​SgtCoDFish)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

v1.6.1

Compare Source

Changelog since v1.6.0

Changes by Kind

Bug or Regression

• Fixes an issue in cmctl that prevented displaying the Order resource with cert-manager 1.6 when running cmctl status certificate. (#​4572, @​maelvls)
• Update to latest version of keystore-go to address a backwards incompatible change introduced in v1.6.0 (#​4564, @​SgtCoDFish)

Dependencies

Added

Nothing has changed.

Changed

• github.com/pavel-v-chernykh/keystore-go/v4: v4.1.0 → v4.2.0

Removed

Nothing has changed.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.