⬆️ Update chart cert-manager to v1.13.3

[feisar-bot]

This PR contains the following updates:

Package	Update	Change
cert-manager	patch	v1.13.2 -> v1.13.3

---

Release Notes

cert-manager/cert-manager (cert-manager)

v1.13.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Read about the breaking changes in cert-manager 1.13 before you upgrade from a < v1.13 version!

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

• GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

• CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Changes

Bug or Regression

• The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. (#​6507, @​inteon)
• The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. (#​6507, @​inteon)
• The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. (#​6507, @​inteon)
• Mitigate potential "Slowloris" attacks by setting ReadHeaderTimeout in all http.Server instances. (#​6538, @​wallrj)
• Upgrade Go modules: otel, docker, and jose to fix CVE alerts. See GHSA-8pgv-569h-w5rw, GHSA-jq35-85cj-fj4p, and GHSA-2c7c-3mj9-8fqh. (#​6514, @​inteon)

Dependencies

Added

Nothing has changed.

Changed

• cloud.google.com/go/firestore: v1.11.0 → v1.12.0
• cloud.google.com/go: v0.110.6 → v0.110.7
• github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
• github.com/go-jose/go-jose/v3: v3.0.0 → v3.0.1
• github.com/go-logr/logr: v1.2.4 → v1.3.0
• github.com/golang/glog: v1.1.0 → v1.1.2
• github.com/google/go-cmp: v0.5.9 → v0.6.0
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel: v1.19.0 → v1.20.0
• go.uber.org/goleak: v1.2.1 → v1.3.0
• golang.org/x/sys: v0.13.0 → v0.14.0
• google.golang.org/genproto/googleapis/api: f966b18 → b8732ec
• google.golang.org/genproto: f966b18 → b8732ec
• google.golang.org/grpc: v1.58.3 → v1.59.0

Removed

Nothing has changed.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[feisar-bot]

--- kubernetes/apps/cert-manager/cert-manager/app Kustomization: flux-system/cluster-apps-cert-manager HelmRelease: cert-manager/cert-manager

+++ kubernetes/apps/cert-manager/cert-manager/app Kustomization: flux-system/cluster-apps-cert-manager HelmRelease: cert-manager/cert-manager

@@ -12,13 +12,13 @@

     spec:
       chart: cert-manager
       sourceRef:
         kind: HelmRepository
         name: jetstack
         namespace: flux-system
-      version: v1.13.2
+      version: v1.13.3
   install:
     crds: CreateReplace
     createNamespace: true
     remediation:
       retries: 3
   interval: 30m

[feisar-bot]

--- kubernetes HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-cainjector

+++ kubernetes HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-cainjector

@@ -31,13 +31,13 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-cainjector
-        image: quay.io/jetstack/cert-manager-cainjector:v1.13.2
+        image: quay.io/jetstack/cert-manager-cainjector:v1.13.3
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --leader-election-namespace=kube-system
         env:
         - name: POD_NAMESPACE
--- kubernetes HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager

+++ kubernetes HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager

@@ -31,19 +31,19 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-controller
-        image: quay.io/jetstack/cert-manager-controller:v1.13.2
+        image: quay.io/jetstack/cert-manager-controller:v1.13.3
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --cluster-resource-namespace=$(POD_NAMESPACE)
         - --leader-election-namespace=kube-system
-        - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.13.2
+        - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.13.3
         - --dns01-recursive-nameservers=ns15.ovh.net:53,dns15.ovh.net:53
         - --dns01-recursive-nameservers-only
         - --max-concurrent-challenges=60
         ports:
         - containerPort: 9402
           name: http-metrics
--- kubernetes HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-webhook

+++ kubernetes HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-webhook

@@ -31,13 +31,13 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-webhook
-        image: quay.io/jetstack/cert-manager-webhook:v1.13.2
+        image: quay.io/jetstack/cert-manager-webhook:v1.13.3
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --secure-port=10250
         - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
         - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
--- kubernetes HelmRelease: cert-manager/cert-manager Job: cert-manager/cert-manager-startupapicheck

+++ kubernetes HelmRelease: cert-manager/cert-manager Job: cert-manager/cert-manager-startupapicheck

@@ -31,13 +31,13 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-startupapicheck
-        image: quay.io/jetstack/cert-manager-ctl:v1.13.2
+        image: quay.io/jetstack/cert-manager-ctl:v1.13.3
         imagePullPolicy: IfNotPresent
         args:
         - check
         - api
         - --wait=1m
         securityContext: