Update all non-major dependencies #210

Merged
merged 1 commit into from
Aug 23, 2022
renovate[bot]
Contributor

@renovate renovate bot commented Jul 13, 2022

Mend Renovate

This PR contains the following updates:

Package | Type | Update | Change
cert-manager/cert-manager | | minor | v1.8.2 -> v1.9.1
github.com/aws/aws-sdk-go-v2 | require | patch | v1.16.7 -> v1.16.11
github.com/aws/aws-sdk-go-v2/config | require | minor | v1.15.13 -> v1.17.1
github.com/aws/aws-sdk-go-v2/credentials | require | patch | v1.12.8 -> v1.12.14
github.com/aws/aws-sdk-go-v2/service/acmpca | require | patch | v1.17.10 -> v1.17.15
github.com/aws/aws-sdk-go-v2/service/iam | require | patch | v1.18.9 -> v1.18.13
github.com/aws/aws-sdk-go-v2/service/ram | require | patch | v1.16.11 -> v1.16.15
github.com/aws/aws-sdk-go-v2/service/sts | require | patch | v1.16.9 -> v1.16.13
github.com/cert-manager/cert-manager | require | minor | v1.8.2 -> v1.9.1
go (source) | golang | minor | 1.17 -> 1.19
golang | | minor | 1.18.3 -> 1.19.0
golang | stage | minor | 1.18 -> 1.19
k8s.io/api | require | patch | v0.24.2 -> v0.24.4
k8s.io/apimachinery | require | patch | v0.24.2 -> v0.24.4
k8s.io/utils | require | digest | f6158b4 -> e9cbc92

Release Notes

cert-manager/cert-manager

v1.9.1

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.9.1 is a bugfix release which removes an incorrect check in the Route53 DNS solver. This accidental change prevented the use of credentials derived from instance metadata or AWS pod metadata.

Thanks to @​danquack and @​ArchiFleKs for raising this issue, and @​danquack and @​JoshVanL for fixing it!

Changes since v1.9.0

Bug

  • DNS Route53: Remove incorrect validation which rejects solvers that don't define either an accessKeyID or secretAccessKeyID. (#5341, @JoshVanL @danquack)

v1.9.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

The new version adds alpha support for using cert-manager Certificates in scenarios where the ordering of the Relative Distinguished Names (RDN) sequence that constitutes an X.509 certificate's subject needs to be preserved; improves the ability to configure the Certificate created via ingress-shim using annotations on the Ingress resource; introduces various changes/improvements in contributor flow; and finishes the new make-based contributor workflow.

Major Themes

Literal Certificate Subjects

cert-manager's Certificate allows users to configure the subject fields of the X.509 certificate via spec.subject and spec.commonName fields. The X.509 spec states that the subject is an (ordered) sequence of Relative Distinguished Names (RDN).

cert-manager does not strictly abide by this spec when encoding the subject fields from the Certificate spec. For example, the order of the RDN sequence may not be preserved. This is because cert-manager uses Go's libraries for X.509 certificates, and the Go libraries don't preserve ordering.

For the vast majority of users this does not matter, but there are specific cases that require defining the exact ordered RDN sequence. For example, if the certificate is used for LDAP authentication and the RDN sequence represents a location in the LDAP directory tree. See cert-manager#3203.

For these use cases, a new alpha LiteralSubject field has been added to the Certificate spec where users can pass a literal RDN sequence:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test
spec:
  secretName: test
  literalSubject: "C=US,O=myOrg,CN=someName"

To use this field, the alpha feature gate LiteralCertificateSubject needs to be enabled on both the cert-manager controller and webhook. Bear in mind that spec.literalSubject is mutually exclusive with spec.commonName and spec.subject.

This feature is aimed at the specific scenario where an exact RDN sequence needs to be defined. We do not intend to deprecate the existing spec.subject and spec.commonName fields and we recommend that folks keep using those fields in all other cases; they're simpler, have better validation and are more obvious to read and change.

ingress-shim Certificate Configuration

cert-manager 1.9 adds the ability to configure an ingress-shim Certificate's spec.revisionHistoryLimit and spec.privateKey via annotations on the Ingress resource.

This should allow folks to configure ingress-shim Certificates according to best practices (i.e. by setting Certificate's spec.privateKey.rotationPolicy to Always).

In the future we would like to design a better mechanism to configure these Certificates. We advise caution when using Ingress annotations as there is no validation of the annotations at Ingress creation time.

Contribution Workflow

Over the past couple of months there have been a number of discussions in regards to contributor experience and project health, partially triggered by the awesome community discussions in cert-manager's KubeCon booth and also by the work done to move cert-manager to CNCF's incubating stage.

For example, we've clarified our feature policy and discussed the process of building cert-manager's roadmap. If you're interested in these topics, we're happy to chat about them!

make Workflow

cert-manager 1.8 introduced a new make based workflow alongside the existing Bazel workflow. The work to improve the make workflow was continued in 1.9 and our contributor documentation has been redefined to use make commands. This should make building and testing cert-manager easier with faster build and test times, easier debugging and less complexity.

As part of this, Bazel has now been fully deprecated for building and testing cert-manager.

As usual, we welcome any feedback in regards to further improving contributor experience.

Thank You!

Thank you to the following community members who had a merged PR for this version - your contributions are at the heart of everything we do!

Thanks also to the following maintainers who worked on cert-manager 1.9:

Changes since v1.8.0

Feature
  • Added support for pulling both AWS access key IDs and secret keys from Kubernetes secrets (#​5194, @​Compy)
  • Adds make clean-all for starting a fresh development environment and make which-go for getting go version information when developing cert-manager (#​5118, @​SgtCoDFish)
  • Adds make upload-release target for publishing cert-manager releases to GCS, simplifying the cert-manager release process and making it easier to change (#5205, @SgtCoDFish)
  • Adds a new alpha Prometheus summary vector metric certmanager_http_venafi_client_request_duration_seconds which allows tracking the latency of Venafi API calls. The metric is labelled by the type of API call. Example PromQL query: certmanager_http_venafi_client_request_duration_seconds{api_call="request_certificate"} will show the average latency of calls to the Venafi certificate request endpoint (#​5053, @​irbekrm)
  • Adds more verbose logging info for certificate renewal in the DynamicSource webhook to include DNSNames (#​5142, @​AcidLeroy)
  • Adds new LICENSES format and ability to verify and update licenses through make (#​5243, @​SgtCoDFish)
  • Adds private key Ingress annotations to set private key properties for Certificate (#​5239, @​oGi4i)
  • Adds the cert-manager.io/revision-history-limit annotation for Ingress resources, to limit the number of CertificateRequests which are kept for a Certificate (#​5221, @​oGi4i)
  • Adds the literalSubject field for Certificate resources. This is an alpha feature, enabled by passing the flag --feature-gates=LiteralCertificateSubject=true to the cert-manager controller and webhook. literalSubject allows fine-grained control of the subject a certificate should have when issued and is intended for power-users with specific use cases in mind (#​5002, @​spockz)
  • Change default build dir from bin to _bin, which plays better with certain tools which might treat bin as just another source directory (#​5130, @​SgtCoDFish)
  • Helm: Adds a new namespace parameter which allows users to override the namespace in which resources will be created. This also allows users to set the namespace of the chart when using cert-manager as a sub chart. (#​5141, @​andrewgkew)
  • Helm: Allow for users to not auto-mount service account tokens see also k/k#​57601 (#​5016, @​sveba)
  • Use multiple retries when provisioning tools using curl, to reduce flakes in tests and development environments (#​5272, @​SgtCoDFish)
Bug or Regression
  • CertificateRequests controllers must wait for the core secrets informer to be synced (#​5224, @​rodrigorfk)
  • Ensure that make release-artifacts only builds unsigned artifacts as intended (#​5181, @​SgtCoDFish)
  • Ensure the startupapicheck is only scheduled on Linux nodes in the helm chart (#​5136, @​craigminihan)
  • Fixed a bug where the Venafi Issuer would not verify its access token (TPP) or API key (Cloud) before becoming ready. Venafi Issuers now remotely verify the access token or API key (#​5212, @​jahrlin)
  • Fixed release artifact archives generated by Make so that a leading ./ is stripped from paths. This ensures that behaviour is the same as v1.7 and earlier (#​5050, @​jahrlin)
  • Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#​5226, @​SgtCoDFish)
  • Increases Venafi Issuer timeout for retrieving a certificate to 60 seconds, up from 10. This gives TPP instances longer to complete their workflows and make the certificate available before cert-manager times out and re-queues the request. (#5247, @hawksight)
  • Remove pkg/util/coverage which broke compatibility with go 1.18; thanks @​davidsbond for finding the issue! (#​5032, @​SgtCoDFish)
  • cmctl and kubectl cert-manager now report their actual versions instead of "canary", fixing issue #​5020 (#​5286, @​jetstack-bot)
Other (Cleanup or Flake)

aws/aws-sdk-go-v2

v1.16.11

v1.16.10

v1.16.9

v1.16.8

golang/go

v1.19.0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

kubernetes/api

v0.24.4

v0.24.3

kubernetes/apimachinery

v0.24.4

v0.24.3


Configuration

📅 Schedule: Branch creation - "after 9am on Wednesday,before 12pm on Wednesday" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

This PR has been generated by Mend Renovate. View repository job log here.
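
The RDN-ordering behaviour described in the cert-manager v1.9.0 release notes quoted above, as an added Go example (not part of this PR and not cert-manager's code): a CSR built from pkix.Name fields gets Go's fixed attribute order, while a pre-encoded RawSubject keeps the order as written. `literalToDER` is a hypothetical, simplified parser, the subject string is a constructed sample, and encoding attributes in the order they are written is this example's assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"strings"
)

var oids = map[string]asn1.ObjectIdentifier{"C": {2, 5, 4, 6}, "O": {2, 5, 4, 10}, "CN": {2, 5, 4, 3}} // X.520 attribute types

// literalToDER is a hypothetical, simplified parser (no escaping, one attribute per RDN); order is kept as written.
func literalToDER(s string) ([]byte, error) {
	var seq pkix.RDNSequence
	for _, part := range strings.Split(s, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(part), "=")
		oid, known := oids[strings.ToUpper(k)]
		if !ok || !known || v == "" {
			return nil, fmt.Errorf("unsupported RDN %q", part)
		}
		seq = append(seq, pkix.RelativeDistinguishedNameSET{{Type: oid, Value: v}})
	}
	return asn1.Marshal(seq)
}

// csrOrder creates a CSR from tmpl, re-parses it, and returns the subject attribute OIDs in encoded order.
func csrOrder(tmpl *x509.CertificateRequest) (order []string, err error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed throwaway key, demo only
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	for _, atv := range csr.Subject.Names {
		order = append(order, atv.Type.String())
	}
	return order, nil
}

func main() {
	raw, _ := literalToDER("CN=someName,O=myOrg,C=US") // constructed sample subject
	fmt.Println(csrOrder(&x509.CertificateRequest{Subject: pkix.Name{CommonName: "someName", Organization: []string{"myOrg"}, Country: []string{"US"}}}))
	fmt.Println(csrOrder(&x509.CertificateRequest{RawSubject: raw}))
}
```

The first line printed lists the OIDs as C, O, CN regardless of how the fields were supplied; the second lists CN, O, C, matching the literal string.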

@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 643ac93 to 7a2572b Compare July 13, 2022 17:34
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 2fa222e to dea839d Compare July 20, 2022 20:19
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from b2d1343 to 7e5cc63 Compare July 26, 2022 16:52
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from d38c9b4 to 1f66165 Compare August 1, 2022 20:03
@jetstack-bot jetstack-bot added size/L and removed size/M labels Aug 1, 2022
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from efa1024 to b47758d Compare August 8, 2022 19:01
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 6 times, most recently from 5876c9c to 826aaef Compare August 14, 2022 18:55
Signed-off-by: Renovate Bot <bot@renovateapp.com>
@jetstack-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: aveega, renovate[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot merged commit 7398663 into main Aug 23, 2022
@renovate renovate bot deleted the renovate/all-minor-patch branch August 23, 2022 19:40
5 participants