Signed-off-by: tanujd11 <[email protected]>

Signed-off-by: tanujd11 <[email protected]>

Signed-off-by: tanujd11 <[email protected]>

Signed-off-by: tanujd11 <[email protected]>

Mitigate potential Slowloris attacks by setting ReadHeaderTimeout in all http.Server instances

Refactor GenerateCSR and deprecate the helper functions

Signed-off-by: Richard Wall <[email protected]>

Signed-off-by: Tim Ramlot <[email protected]>

BUGFIX: LiteralCertificateSubject webhook logic

Signed-off-by: Tim Ramlot <[email protected]>

Rename internal API fields to match the field names in the public API

Signed-off-by: Tim Ramlot <[email protected]>

Update AWS SDK for Go to 1.48.7

Signed-off-by: Tim Ramlot <[email protected]>

Signed-off-by: Joe North <[email protected]>

BUGFIX: run pprof server on non-leaderelected replicas

Replace deprecated pkcs12 function call with pkcs12.LegacyRC2

Signed-off-by: Tim Ramlot <[email protected]>

Bump the go-jose dependency

Signed-off-by: Tim Ramlot <[email protected]>

BUGFIX: Limit webhook admission input

Fix controller feature gates config in helm

Signed-off-by: Avi Sharma <[email protected]>

Do not process Gateway listeners that do not support TLS

Add Core Infrastructure Initiative Best Practices badge

Signed-off-by: Tim Ramlot <[email protected]>

I filled out the form on the CII site and they gave us a badge!

This is part of the work toward...

Enable verbose logging in startupapicheck by default

So that if it fails, users can know exactly what caused the failure.

Signed-off-by: Richard Wal...

Add x509 v3 CA Issuers Extension

Signed-off-by: Jeremy Campbell <[email protected]>

feat(helm) Add support for PodMonitor

Increase the default webhook timeout to its maximum value of 30 seconds

Signed-off-by: Tim Ramlot <[email protected]>

Bump docker to fix cve alert

Signed-off-by: Tim Ramlot <[email protected]>

Users sometimes report that the connection between the K8S API server and the
cert-manager webho...

Fix CVE alert

Signed-off-by: Tim Ramlot <[email protected]>

fix error message when setting up vault issuer

Use explicit debian version for base images

Regenerate hardcoded certs

Fixes #6478

Signed-off-by: Ashley Davis <[email protected]>

fixes #6476

Signed-off-by: Ashley Davis <[email protected]>

Stop using global runtime.Scheme variables

Signed-off-by: Tim Ramlot <[email protected]>

cainjector: Use controller-runtime manager to manage goroutine instead of errorgroup.

Signed-off-by: Tim Ramlot <[email protected]>

Ensure ACME solver Pod complies with Pod Security Standards

Signed-off-by: Richard Wall <[email protected]>

Signed-off-by: Richard Wall <[email protected]>

By using ClusterPolicy with exlusion rules for the namespaces of non-compliant E2E test tools.

...

Remove redundant / misleading runAsNonRoot examples from values.yaml

`runAsNonRoot` is already set to true in the *Pod*SecurityContext,
so there isn't really any rea...

feat(helm): allow configuration of cainjector feature gates

Enable readOnlyRootFilesystem by default

Signed-off-by: Richard Wall <[email protected]>

Signed-off-by: Erik Godding Boye <[email protected]>

Signed-off-by: ShlomiTubul <[email protected]>

Use latest version of the best-practice Helm values

Signed-off-by: Richard Wall <[email protected]>

Signed-off-by: Richard Wall <[email protected]>

Signed-off-by: Richard Wall <[email protected]>

Bump gRPC library version to fix CVE alert

Signed-off-by: Tim Ramlot <[email protected]>

Fix kindest image digests

And explain why

Signed-off-by: Richard Wall <[email protected]>

Signed-off-by: Richard Wall <[email protected]>

https://github.com/kubernetes-sigs/kind/releases/tag/v0.20.0

Signed-off-by: Richard Wall <richa...

Fix image checksum validation and upgrade ingress NGINX to demonstrate the problem

Co-authored-by: Tim Ramlot <[email protected]>
Signed-off-by: Vinny Sabat...

Because it was also broken and was being supplied with digests of
single-architecture images rat...

Signed-off-by: Richard Wall <[email protected]>

Use sample-external-issuer v0.4.0

Signed-off-by: Richard Wall <[email protected]>

Signed-off-by: Richard Wall <[email protected]>

Signed-off-by: Richard Wall <[email protected]>

fix(helm): templating of required value in controller and webhook configmaps

Signed-off-by: ABWassim <[email protected]>

When initializing a Vault issuer:

* Create different error messages depending on if Vault is se...

* Ensure Vault URL can be parsed
* Separate generic http errors from vault specific errors when ...

Bump golang.org/x/net v0.15.0 => v0.17.0

part of addressing CVE-2023-44487 / CVE-2023-39325
(which, again, we're not super concerned abou...

Fix the 'make update-licenses' command on macos

Signed-off-by: Tim Ramlot <[email protected]>

Rename `webhookConfig` to `controllerConfig`

Signed-off-by: Max Brauer <[email protected]>

Fix DuplicateSecretName issue

Signed-off-by: Tim Ramlot <[email protected]>

Signed-off-by: Tim Ramlot <[email protected]>

Fix typo in values.yml

Affinty -> Affinity

Signed-off-by: Zois Pagoulatos <[email protected]>

Signed-off-by: Tim Ramlot <[email protected]>

Bump go to latest to address CVE-2023-39325

Signed-off-by: Ashley Davis <[email protected]>

Signed-off-by: Ashley Davis <[email protected]>

Signed-off-by: Tim Ramlot <[email protected]>

Signed-off-by: Tim Ramlot <[email protected]>

Signed-off-by: Tim Ramlot <[email protected]>

Otherwise, these will raise warnings in the next steps (e.g. about empty
TLS blocks, which are n...