Skip to content

[pull] master from cert-manager:master#1066

Open
pull[bot] wants to merge 3862 commits into
next-stack:masterfrom
cert-manager:master
Open

[pull] master from cert-manager:master#1066
pull[bot] wants to merge 3862 commits into
next-stack:masterfrom
cert-manager:master

Conversation

@pull

@pull pull Bot commented Oct 28, 2022

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull Bot added the ⤵️ pull label Oct 28, 2022
cert-manager-bot and others added 29 commits May 19, 2026 00:58
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
Signed-off-by: immanuwell <pchpr.00@list.ru>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
…dControllers

Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
feat: add SCM issuer stanza for OAuth 2.0 client credentials (NGTS/Palo Alto)
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
…b-actions

chore(deps): update github/codeql-action action to v4.36.0 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…org-x-net-vulnerability

chore(deps): update module golang.org/x/net to v0.55.0 [security] (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…org-x-crypto-vulnerability

fix(deps): update module golang.org/x/crypto to v0.52.0 [security] (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
fix: Guard ClusterIssuer metrics collector with controller enable check
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Felix Phipps <78652401+FelixPhipps@users.noreply.github.com>
Signed-off-by: Hemant Joshi <mail@hjoshi.me>
cleanup(acme): updating acme to latest master
renovate Bot and others added 30 commits July 10, 2026 12:00
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…cemanager/privatedns/armprivatedns to v2

Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…e-openapi-digest

fix(deps): update k8s.io/kube-openapi digest to cdb1db5 (master)
Change the return type of EnqueueCertificatesForResourceUsingPredicates
from func(U) to func(metav1.Object), adding an internal type assertion
that silently skips objects that do not match the concrete type U.

This is the minimal fix for the log spam described in #8994, caused by
the metadata informer delivering *v1.PartialObjectMetadata to a handler
typed as func(*corev1.Secret). The return type change makes the handler
accept both concrete types from the filtered Secret informer.

Fixes: #8994

Signed-off-by: Richard Wall <richard.wall@venafi.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
The commented config example in the cert-manager helm chart values used
`gatewayAPI: enable: true`, but the ControllerConfiguration field is
`enabled` (GatewayAPIConfig.Enabled), so following the example fails.
Correct the key and regenerate values.schema.json and README.template.md.

Fixes #9007.

Signed-off-by: Mateen Anjum <mateenali66@gmail.com>
…d-values

fix(helm): correct gatewayAPI.enabled key in values config example
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…ls-digest

fix(deps): update k8s.io/utils digest to cf1189d (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…-azure-azure-sdk-for-go-sdk-resourcemanager-privatedns-armprivatedns-2.x

fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns to v2 (master)
…odules

chore(deps): update makefile modules to 2f12511 (master)
…-go-patches

fix(deps): update module sigs.k8s.io/structured-merge-diff/v6 to v6.4.2 (master)
fix: de-duplicate dnsNames when multiple Gateway/ListenerSet listeners share a Secret
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…x-deps

fix(deps): update module golang.org/x/crypto to v0.54.0 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
fix(deps): update module google.golang.org/api to v0.287.1 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…odules

chore(deps): update makefile modules to b7c9d73 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…odules

chore(deps): update makefile modules to 703bbcc (master)
The Vault AWS IAM auth path (requestTokenWithAWSAuth) fell back to the
controller's ambient AWS credential chain whenever awsAuth.ServiceAccountRef
was nil, without consulting IssuerOptions.CanUseAmbientCredentials(issuer) -
the gate every other ambient-credential code path honours and which defaults
to false for namespaced Issuers.

Because the tenant also controls spec.vault.server, a namespaced Issuer could
point a Vault Issuer at a server it controls and receive a SigV4-signed
GetCallerIdentity assertion of the controller's IAM identity, disclosing the
controller's AWS account/role and enabling replay against a trusting Vault
AWS-IAM backend to escalate to controller privilege.

Thread the ambient-credentials decision from the issuer and CSR controllers
(where the issuer type and IssuerOptions are known) through New/ClientBuilder
into the Vault client, and refuse the ambient fallback when the issuer is not
permitted to use ambient credentials. The explicit IRSA path
(serviceAccountRef set) and ClusterIssuer behaviour are unchanged.

```release-note
The `vault` issuer no longer authenticates to Vault using the cert-manager
controller's ambient AWS credentials for AWS IAM auth on a namespaced `Issuer`,
unless ambient credentials are explicitly enabled via
`--issuer-ambient-credentials`. This aligns the Vault AWS auth path with every
other ambient-credential code path. `ClusterIssuer` and explicit
`serviceAccountRef` (IRSA) configurations are unaffected.
```

Signed-off-by: Felix Phipps <fphipps@paloaltonetworks.com>
fix(vault): gate AWS IAM auth ambient credentials for namespaced Issuers
…1-object

Fix #8994 (approach A): widen return type to metav1.Object
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.