chore(deps): update all dependencies#210
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
Contributor
Author
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
ba4266f to
59ed765
Compare
f97dc64 to
fbc450c
Compare
8a5a702 to
02d7293
Compare
Contributor
Author
|
0a3fd99 to
8f4dde5
Compare
36727bc to
e8b6012
Compare
6c65913 to
e303f34
Compare
b35305a to
8ebe850
Compare
6ea6d46 to
fd85540
Compare
fd85540 to
cd118d8
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.20.2→1.21.0963fa6c→f7f8f72v2.29.0→v2.32.0v1.41.0→v1.42.1v0.152.0→v0.156.0v1.59.0→v1.62.0v1.59.0→v1.62.0v1.59.0→v1.62.0v1.59.0→v1.62.0v0.153.0→v0.156.0v0.153.0→v0.156.0v0.153.0→v0.156.01.26.3-alpine3.22→1.26.4-alpine3.22v0.36.1→v0.36.2v0.36.1→v0.36.2v0.36.1→v0.36.20.113.1→0.119.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
cert-manager/cert-manager (cert-manager/cert-manager)
v1.21.0Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.21 brings ACME Renewal Information (ARI) support, AWS IAM authentication for the Vault issuer, several security hardening changes, and continued improvements to Gateway API integration and cainjector. There are three breaking changes related to Helm chart RBAC and metrics values — review them carefully before upgrading.
Known Issues
filteredEventHandlertype assertion failures ("OnAdd missing Object","OnUpdate missing ObjectOld","OnDelete missing Object") for every non-cert-manager-labelled Secret event, multiplied by 7 certificate sub-controllers. This is cosmetic only — the affected controllers only need events from cert-manager-labelled Secrets (which arrive via the typed informer); the metadata informer events were always filtered out by predicates in previous versions. Issuer and ClusterIssuer controllers are not affected. See #8994 for details.Major Themes
Default
tokenrequestRBAC removed from Helm chartThe Helm chart no longer creates a default
RoleandRoleBindinggranting the cert-manager controller permission to create tokens for its own ServiceAccount (serviceaccounts/token: create). No documented workflow requires this RBAC — the Route53 docs section that motivated it was removed in 2024.If you use
serviceAccountRef.namepointing at the controller ServiceAccount, you must now either create your ownRole/RoleBindinggrantingserviceaccounts/token: create, or migrate to a dedicated ServiceAccount (recommended — see the Vault or Route53 documentation).Restrict Challenge and Order RBAC in
cert-manager-editClusterRoleThe
cert-manager-editaggregate ClusterRole no longer grantscreateforchallenges.acme.cert-manager.ioorcreate,patch,updatefororders.acme.cert-manager.io(GHSA-8rvj-mm4h-c258). These resources are internal to cert-manager's ACME workflow. Challengepatchandupdateare retained because users may need them to remove stuck finalizers.This change was already shipped in v1.20.3 and v1.19.6, so if you are running one of those versions this will not be a breaking change. If you have tooling that creates Challenge or Order resources directly, you will need to grant those permissions explicitly.
Metrics port name and path Helm values removed
The Helm values
prometheus.servicemonitor.targetPort,prometheus.servicemonitor.path, andprometheus.podmonitor.pathhave been removed. The controller Service metrics port has been renamed fromtcp-prometheus-servicemonitortohttp-metrics. Because the Helm values schema usesadditionalProperties: false, users who still have any of the removed keys in their values overrides will see a schema validation error on upgrade — remove them before upgrading. (#8952)ACME and Certificate Management
ACMEUseARIfeature gate. When enabled, cert-manager queries the ACME server'srenewalInfoendpoint for the recommended renewal window, allowing servers like Let's Encrypt to proactively prompt renewal during mass revocations or CA key rollovers. (#8798)waitInsteadOfSelfChecksolver option: skip cert-manager's own self-check and instead wait a configured duration before asking the ACME server to validate. An escape hatch for split-horizon DNS and NAT hairpin environments. See configuration details. (#8858)renewalPoliciesfield on the Certificate API provides more expressive control over renewal scheduling, complementingrenewBeforeandrenewBeforePercentage. (#8258)--certificate-request-maximum-backoff-durationflag (default: 32 hours) caps the exponential backoff for failed CertificateRequests, useful for environments with scheduled CA maintenance windows. (#8893)Gateway API and cainjector
acme.cert-manager.io/http01-parentreffallback: "true"annotation causes cert-manager to use the parent Gateway for solver HTTPRoutes instead of the ListenerSet, enabling TLS-only ListenerSets to use a shared HTTP listener for ACME challenges. (#8749)cert-manager.io/ignore-tls-listenersannotation: exclude specific Gateway TLS listeners from certificate management. (#8727)enableGatewayAPIconfiguration restructure:enableGatewayAPIandenableGatewayAPIListenerSetare deprecated in favor ofgatewayAPI.enabled/gatewayAPI.enableListenerSet. The old fields continue to work. (#8732)CAInjectorMergingpromoted to GA: unconditionally enabled; will be removed in a future release. (#8583)ServerSideApplyfeature gate is deprecated. (#8692)--ignore-namespacesflag: skip specified namespaces when watching Secrets for injection. (#8614)Deployment and Observability
AuthFailedIssuer condition reason distinguishes bad credentials from transient errors. PANW NGTS is now supported as a Venafi backend. (#8808, #8779)runtimeClassNamesupport: configurable for cert-manager components and ACME HTTP01 solver pods. (#8791, #8976)startupapicheck.ttlSecondsAfterFinished: opt-in automatic cleanup of the startupapicheck Job. (#8523)--acme-http01-solver-extra-labels: propagateglobal.commonLabelsto dynamically-created ACME HTTP01 solver resources. (#8761)Notable Bug Fixes
renewBeforePercentage: Certificates with durations longer than approximately 3 years were incorrectly rejected or assigned incorrect renewal times. (#8947)..path segments, preventingpath.Joinfrom silently resolving relative segments. (#8930)Community
As always, we'd like to thank all of the community members who helped in this release cycle, including all below who merged a PR and anyone that helped by commenting on issues, testing, or getting involved in cert-manager meetings. We're lucky to have you involved.
A special thanks to:
for their contributions, comments and support!
Also, thanks to the cert-manager maintainer team for their help in this release:
And finally, thanks to the cert-manager steering committee for their feedback in this release cycle:
Changes since v1.20.0
Feature
AuthFailedIssuer condition reason to distinguish bad credentials from transient infrastructure errors. (#8808, @FelixPhipps)certificateRequestMaximumBackoffDurationcontroller configuration option to cap retry backoff time for failed CertificateRequests. Configurable via config file,--certificate-request-maximum-backoff-durationCLI flag, or Helm valueconfig.certificateRequestMaximumBackoffDuration. Defaults to 32 hours for backward compatibility. (#8893, @lunarwhite)waitInsteadOfSelfCheckfield to ACME HTTP01 and DNS01 solvers so cert-manager can skip its own self-check and ask the ACME server to validate after a configured wait. (#8858, @wallrj)runtimeClassNamesupport for cert-manager components and ACME HTTP01 solver pods. (#8791, @jsoref)runtimeClassNamesupport for ACME HTTP01 solver pods via theacmesolver.runtimeClassNameHelm value. (#8976, @erikgb)--acme-http01-solver-extra-labels, allowing Helm'sglobal.commonLabelsto propagate to all dynamically-created ACME HTTP01 solver resources (Pods, Services, Ingresses, or Gateway API HTTPRoutes). (#8761, @lunarwhite)startupapicheck.ttlSecondsAfterFinishedHelm value to enable automatic cleanup of the startupapicheck Job via the Kubernetes TTL-after-finished controller. (#8523, @dap0am)cert-manager.io/ignore-tls-listenersannotation for ignoring gwapi listeners. (#8727, @hjoshi123)--ignore-namespaceswas added to the cainjector binary. It can be used to filter out namespaces from being watched for secrets to use for injectables. (#8614, @figaw)cert-manager.io/alt-names,cert-manager.io/ip-sansto Certificates generated from ingress like objects in cert-shim controllers. (#8927, @jabbrwcky)acme.cert-manager.io/http01-parentreffallback: "true"causes cert-manager to use the parent Gateway as the solver HTTPRoute parentRef instead of the ListenerSet. This enables TLS-only ListenerSets to rely on a shared Gateway HTTP listener for ACME challenges. (#8749, @apkatsikas)Bug or Regression
RoleandRoleBindinggranting the cert-manager controller ServiceAccount permission to create tokens for itself (serviceaccounts/token: create). This RBAC was added in v1.16 (#7213) but no documented workflow requires it, and the motivating Route53 docs section was removed in Oct 2024. If you rely onserviceAccountRef.namepointing at the controller ServiceAccount (an undocumented pattern), you must now create your ownRoleandRoleBindinggrantingserviceaccounts/token: createon that ServiceAccount, or migrate to one of the documented patterns (IRSA ambient, or a dedicated ServiceAccount with its own RBAC). (#8931, @wallrj-cyberark)renewBeforePercentagecalculations that caused Certificates with durations longer than approximately 3 years to be incorrectly rejected by validation or assigned incorrect renewal times. (#8947, @ThatsMrTalbot)parentRefbug when both issuer config and annotations are present. (#8619, @hjoshi123)e2e-setup-samplewebhookinstallation to use the samplewebhook image repository and tag from the saved image tarball manifest. (#8821, @wallrj)webhook.configandwebhook.volumesare defined. (#8664, @jnohlgard)createand Ordercreate/patch/updatefrom the cert-manager-edit aggregate ClusterRole to prevent direct manipulation of these internal resources (GHSA-8rvj-mm4h-c258). (#8958, @wallrj-cyberark)..path segments inspec.vault.pathand auth mount path fields, preventingpath.Joinfrom silently resolving relative segments before constructing the Vault API request. (#8930, @wallrj-cyberark)Other (Cleanup or Flake)
prometheus.servicemonitor.targetPort,prometheus.servicemonitor.path, andprometheus.podmonitor.path. The metrics path is always/metricsand the target port is alwayshttp-metrics. Rename the controller service metrics port fromtcp-prometheus-servicemonitortohttp-metricsfor consistency with other workloads. Users must remove these keys from their value overrides before upgrading. (#8952, @erikgb)enableGatewayAPIandenableGatewayAPIListenerSetfields onControllerConfigurationare deprecated and moved into thegatewayAPIsub-struct asgatewayAPI.enabledandgatewayAPI.enableListenerSet. The old fields continue to work. (#8732, @ThatsMrTalbot)v1.20.3Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This patch release fixes a security issue (
GHSA-8rvj-mm4h-c258, HIGH) where the defaultcert-manager-editaggregate ClusterRole granted namespace users permission to create ACMEChallengeandOrderresources directly. A user who could create aChallengereferencing aClusterIssuercould supply attacker-controlled solver configuration while cert-manager loaded credentials from theClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones,dnsNames,matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.This release also removes the issuer owner reference from Challenges which was blocking Challenge garbage collection, and updates Go to fix reported CVEs.
All users should upgrade.
Changes by Kind
Bug or Regression
createand Ordercreate,patch,updateverbs from thecert-manager-editaggregate ClusterRole (GHSA-8rvj-mm4h-c258). (#8940, @wallrj-cyberark)Other (Cleanup or Flake)
v1.26.4to fix CVE-2026-27145, CVE-2026-42504, and CVE-2026-42507 (#8926, @wallrj-cyberark)onsi/ginkgo (github.com/onsi/ginkgo/v2)
v2.32.0Compare Source
2.32.0
-fdgenerate RSpec-style documentation output. Thank @woodie !--sleep-on-failure pauses a failed spec before teardown. Thanks @qinqon !
v2.31.0Compare Source
2.31.0
Add a bunch of Claude Skills via the marketplace:
v2.30.0Compare Source
2.30.0
Features
Ginkgo now allows
extentions/global.Resetto support running multiple suites from within a single process. This may take some massaging on your part (see 1672) but can dramatically speed up codebases with O(hundreds) of test suites.Thanks @lawrencejones !
Fixes
4f62d7a]onsi/gomega (github.com/onsi/gomega)
v1.42.1Compare Source
1.42.1
Bump Dependencies
v1.42.0Compare Source
1.42.0
Add a set of Claude skill as a marketplace plugin
open-telemetry/opentelemetry-operator (github.com/open-telemetry/opentelemetry-operator)
v0.156.0Compare Source
0.156.0
🧰 Bug fixes 🧰
collector: Honorspec.observability.metrics.disablePrometheusAnnotations: trueon update by removing the operator-stamped prometheus.io annotations from the pod template, not just stopping new ones from being added. (#5043)Previously the pod-template mutate path preserved any annotation that
existed on the current resource but was absent from the desired render,
so toggling disablePrometheusAnnotations from false to true on an
existing OpenTelemetryCollector left the prometheus.io/scrape, port,
and path annotations stuck on the rolled pods. The operator now stamps
an ownership marker (operator.opentelemetry.io/prometheus-annotations-added)
whenever it adds one of the default prometheus.io/* annotations, and
the mutate path strips those annotations only when the marker is
present on the existing pod template. This preserves prometheus.io/*
annotations the user set out of band on the same collector.
Components
v0.155.0Compare Source
0.155.0
🧰 Bug fixes 🧰
operator: Fix NetworkPolicy and operand network policy defaulting when webhooks run in a separate deployment. (#5288)collector: Collectors with persistent storage no longer fail with "permission denied" on OpenShift when running under a permissive SCC such as anyuid. (#5224)On OpenShift, the restricted SCC injects fsGroup from the namespace range, but
permissive SCCs (e.g. anyuid) do not. The controller now defaults
podSecurityContext.fsGroup from the namespace's supplemental-groups or UID range
annotation when no explicit fsGroup is configured. An explicitly set fsGroup is
never overwritten.
Components
v0.154.0Compare Source
0.154.0
🛑 Breaking changes 🛑
collector: Promote the operator.collector.usedefaulttelemetryshape feature gate to beta. The operator-injected Prometheus telemetry reader now uses collector defaults by default — metric names from operator-managed collectors no longer carry type suffixes, units, or scope_info. (#5075)Users wanting the pre-v0.154.0 metric name shape can disable the gate via --feature-gates=-operator.collector.usedefaulttelemetryshape, or pin without_type_suffix/without_units/without_scope_info to false explicitly under spec.config.service.telemetry. The gate will be promoted to stable and removed in a future release.
💡 Enhancements 💡
collector: Add status.observedGeneration and status.conditions support for OpenTelemetryCollector resources. (#4312)operator: Add pod-webhook subcommand for running a standalone pod mutation webhook (#5010)The operator binary now supports a
pod-webhooksubcommand that runs only the pod mutationwebhook (auto-instrumentation and sidecar injection) without the controllers. This enables
deploying the webhook separately.
opampbridge: Add TLS configuration support to the OpAMP Bridge, including options to disable TLS or skip certificate verification. (#4921)opamp: Allow standalone OpAMP bridge agents to configure per-agent non-identifying attributes. (#5245)opamp-bridge: Make standalone OpAMP Bridge manifests and runtime permissions friendlier for OpenShift and namespaced RBAC. (#5277)operator: Add standalone pod webhook deployment for High Availability on OpenShift (#5010)On OpenShift with OLM, the pod mutation webhook (auto-instrumentation and sidecar injection)
is now deployed as a standalone Deployment with 2 replicas by default, enabling HA.
OpenShift with OLM:
OPENSHIFT_WEBHOOK_REPLICASenv var in the Subscription (0 or 1)Kubernetes (community bundle):
opamp-bridge: OpAMP Bridge standalone mode (#4913)Standalone mode for OpAMP Bridge allows users to manage collector configuration from a remote
OpAMP server without the need to deploy full Otel Operator.
operator: Move all webhooks to the dedicated webhook deployment. (#5010)This change moves remaining webhooks (defaulting, validating for: Collector, TargetAllocator, Instrumentation, OpAMPBridge) to the dedicated webhook deployment.
Previously, only the pod mutation webhook was served by the webhook deployment, while the other webhooks were served by the controller-manager.
The dedicated webhook deployment is opt-in and enabled by default only on OpenShift with OLM.
🧰 Bug fixes 🧰
target allocator: Fix silent target loss when group labels are present in static_configs by sorting labels globally in processTargetGroups. (#4967)ScratchBuilder.Labels() serializes labels in insertion order. When group labels sort
alphabetically after target labels (e.g. vendor > address), Labels.Get() early
termination returns empty, causing hash collisions that silently drop targets.
auto-instrumentation: Use MergeFrom patch for Instrumentation blocked-versions status to avoid overwriting unrelated status fields. (#5243)target allocator: Accept a prometheus receiver that only declarestarget_allocator:without aconfig:block. (#2998)When the prometheus receiver is configured with only a
target_allocator:block and noconfig:,reconciliation previously failed with
no prometheusConfig available as part of the configuration.The target allocator supplies scrape configuration externally in this mode (e.g. via discovered
PrometheusCR objects), so the operator now skips the scrape_configs cleanup when no
config:block is present. The webhook validator likewise permits this shape.
Components
v0.153.0Compare Source
0.153.0
🛑 Breaking changes 🛑
api: Move apis package to a separate sub-module (#4362)Yamlstandalone functions ininternal/otelconfigis moved to a methods on*Config(packageapis/v1beta1)CheckTargetAllocatorPrometheusCRPolicyRulesfromapis/v1beta1/targetallocator_rbac.gotointernal/webhook/targetallocator_rbac.go+ rename it tocheckTargetAllocatorPrometheusCRPolicyRules.OpenTelemetryCollectoris not implementing theConvertibleinterface fromsigs.k8s.io/controller-runtime/pkg/conversion, but implements 2 helper function the achieve the same functionality:apispackage to a dedicated sub-module.target allocator: Theoperator.targetallocator.mtlsfeature gate has been removed. mTLS is now configured per-CR viaspec.mtls.enabledon the TargetAllocator or Collector resource. (#5136)Set
spec.mtls.useCertManager: falseto provide your own TLS secrets instead of having cert-manager provision them.💡 Enhancements 💡
collector: Add optionalspec.commandto OpenTelemetryCollector to override the collector container entrypoint (#3188)spec.commandis a[]stringmatchingPod.spec.containers[].command.target allocator: Add allowInsecureAuthSecrets option to serve auth secret values over plain HTTP without mTLS (#3746)Adds a new allowInsecureAuthSecrets field to both the TargetAllocator CRD and the
embedded TargetAllocator in the OpenTelemetryCollector CRD. When enabled, auth secret
values (e.g. basicAuth passwords) are served over plain HTTP instead of being masked.
This is useful when transport security is handled by a service mesh or equivalent.
🧰 Bug fixes 🧰
must-gather: Fix must-gather output to produce omc-compatible directory layout and correct YAML serialization (#4965)Previously collected files used a per-collector directory with kind-prefixed filenames (e.g.
namespaces/<ns>/<collector-name>/deployment-<name>.yaml),which omc cannot parse. Output now follows the standard omc layout (
namespaces/<ns>/<api-group>/<resource-plural>/<name>.yaml).Also fixes missing apiVersion/kind fields in serialized YAML, incorrect default output directory, and adds collection of CRDs and OpAMPBridge resources.
opamp: Skip OpenTelemetryCollector instances with a non-nil DeletionTimestamp when building EffectiveConfig (#5170)ListInstances returns objects with DeletionTimestamp set until finalizers complete.
Reporting them as effective races with the bridge's own Delete calls in applyRemoteConfig.
collector: Fix Service reconciliation to propagate trafficDistribution, internalTrafficPolicy, ipFamilies, and ipFamilyPolicy changes (#5141)Components
open-telemetry/opentelemetry-collector (go.opentelemetry.io/collector/component)
v1.62.0💡 Enhancements 💡
cmd/mdatagen: Add support for defining stability levels for resource attributes (#15312)cmd/mdatagen: Add semantic convention reference to resource attributes (#15313)processor/memory_limiter: Adding health events for the memorylimiter (#14700)Publish health event from memorylimiter using componentstatus.ReportStatus
🧰 Bug fixes 🧰
cmd/mdatagen: Removes the extra line in the documentation.md between extended description and table (#15458)exporter/otlp_http: Treat errors parsing successful (2xx) HTTP response bodies as permanent errors to prevent retrying already-accepted data. (#15386)When a server returns a 2xx status but the response body exceeds the 64kB read limit,
the body is truncated and proto unmarshaling fails. Previously this was treated as a
retryable error, causing duplicate data to be exported. Now it is marked as a permanent
error so the retry logic will not re-send data that was already accepted by the server.
pkg/config/configretry: Always validate BackOffConfig fields regardless of the Enabled flag. (#15437)pkg/service: Ensure receivers always start after all other components (#15495)There was previously a race condition where multiple receivers using a shared internal implementation,
such as the OTLP receiver, could start sending telemetry into a pipeline before all its components had fully started.
processor/memory_limiter: Fix degenerate colleConfiguration
📅 Schedule: (in timezone Etc/UTC)
* 0-3 * * *)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.