Update dependency cert-manager to v1.17.0

[renovate]

This PR contains the following updates:

Package	Update	Change
cert-manager	minor	1.16.2 -> 1.17.0

---

Release Notes

cert-manager/cert-manager (cert-manager)

v1.17.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.17.0 is a minor feature release including several improvements. Full release notes will be provided later.

Please help the project by testing this release!

Changes

Feature

• Potentially BREAKING: The CA and SelfSigned issuers now use SHA512 when signing with RSA keys 4096 bits and above, and SHA384 when signing with RSA keys 3072 bits and above. If you were previously using a larger RSA key as a CA, be sure to check that your systems support the new hash algorithms. (#​7368, @​SgtCoDFish)
• Add CAInjectorMerging feature gate to the ca-injector, enabling this will change the behaviour of the ca-injector to merge in new CA certificates instead of outright replacing the existing one. (#​7469, @​ThatsMrTalbot)
• Added image pull secrets to deployments when service accounts aren't created (#​7411, @​TheHenrick)
• Added the ability to customize client ID when using username/password authentication for Venafi client (#​7484, @​ilyesAj)
• Helm: New value webhook.extraEnv, allows you to set custom environment variables in the webhook Pod.
  Helm: New value cainjector.extraEnv, allows you to set custom environment variables in the cainjector Pod.
  Helm: New value startupapicheck.extraEnv, allows you to set custom environment variables in the startupapicheck Pod. (#​7317, @​wallrj)
• Increase the amount of PEM data pki.DecodeX509CertificateSetBytes is able to parse, to enable reading larger TLS trust bundles (#​7464, @​SgtCoDFish)
• New configuration option tenantID for the AzureDNS provider when using managed identities with service principals. This enhancement allows users to specify the tenant ID when using managed identities, offering better flexibility in multi-tenant environments. (#​7376, @​jochenrichter)
• Promote the UseDomainQualifiedFinalizer feature to Beta. (#​7488, @​jsoref)

Documentation

• Add example for IPv6 in --dns01-recursive-nameservers (#​7367, @​SgtCoDFish)
• Updated the chart documentation to show enableGatewayAPI in the config example. (#​7354, @​puerco)

Bug or Regression

• BUGFIX: A change in v1.16.0 caused cert-manager's ACME ClusterIssuer to look in the wrong namespace for resources required for the issuance (eg. credential Secrets). This is now fixed in v1.16.1+ and v1.17.0+ (#​7339, @​inteon)
• BUGFIX: Helm will now accept percentages for the podDisruptionBudget.minAvailable and podDisruptionBudget.maxAvailable values. (#​7343, @​inteon)
• Fix ACME HTTP-01 solver for IPv6 endpoints (#​7391, @​Peac36)
• Fix the behavior of renewBeforePercentage to comply with its spec (#​7421, @​adam-sroka)
• Helm: allow enabled to be set as a value to toggle cert-manager as a dependency. (#​7350, @​inteon)
• SECURITY (low risk): Limit maxiumum allowed PEM size to prevent potential DoS in cert-manager controller from attacker-controlled PEM. See GHSA-r4pg-vg54-wxx4 (#​7400, @​SgtCoDFish)
• The Certificate object will no longer create CertificateRequest or Secret objects while being deleted (#​7361, @​ThatsMrTalbot)
• The issuer will now more quickly retry when its linked Secret is updated to fix an issue that caused a high back-off timeout. (#​7455, @​inteon)
• Upgrades Venafi vCert library fixing a bug which caused the RSA 3072 bit key size for TPP certificate enrollment to not work. (#​7498, @​inteon)

Other (Cleanup or Flake)

• ⚠️ Potentially BREAKING: Log messages that were not structured have now been replaced with structured logs. If you were matching on specific log strings, this could break your setup. (#​7461, @​inteon)
• DEPRECATION: The ValidateCAA feature gate is now deprecated, with removal scheduled for cert-manager 1.18. In 1.17, enabling this feature gate will print a warning. (#​7491, @​jsoref)
• Remove Neither --kubeconfig nor --master was specified warning message when the controller and the webhook services boot (#​7457, @​Peac36)

v1.16.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.16.3 is a patch release mainly focused around bumping dependencies to address reported CVEs: CVE-2024-45337 and CVE-2024-45338.

We don't believe that cert-manager is actually vulnerable; this release is instead intended to satisfy vulnerability scanners.

It also includes a bug fix to the new renewBeforePercentage field. If you were using renewBeforePercentage, see PR #​7421 for more information.

Changes

Bug

• Bump golang.org/x/net and golang.org/x/crypto to address CVE-2024-45337 and CVE-2024-45338 (#​7485, @​erikgb)
• Fix the behaviour of renewBeforePercentage to comply with its spec (#​7441, @​cert-manager-bot)

Other

• Bump go to 1.23.4 (#​7489, @​erikgb)
• Bump base images to latest available (#​7508, @​SgtCoDFish)

---

Configuration

📅 Schedule: Branch creation - "after 7am on saturday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.