Merge pull request #1365 from wallrj/release-cert-manager-v1.12.7

Release notes and updates for cert manager v1.12.7

.spelling

@@ -633,6 +633,7 @@ v1.13.3
 v1.13.
 v1.12.5
 v1.12.6
+v1.12.7
 liveness
 apiservices
 arm64

content/docs/releases/release-notes/release-notes-1.12.md

@@ -3,6 +3,100 @@ title: Release 1.12
 description: 'cert-manager release notes: cert-manager 1.12'
 ---
 
+## v1.12.7
+
+This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:
+- [`GO-2023-2382`](https://pkg.go.dev/vuln/GO-2023-2382): Denial of service via chunk extensions in `net/http`
+
+If you use
+[ArtifactHub Security report](https://artifacthub.io/packages/helm/cert-manager/cert-manager/1.12.6?modal=security-report) or
+[trivy](https://trivy.dev/),
+this patch will also silence the following warning
+about a vulnerability in code which is imported but **not used** by the cert-manager-controller:
+- [`CVE-2023-47108`](https://access.redhat.com/security/cve/CVE-2023-47108): DoS vulnerability in `otelgrpc` due to unbound cardinality metrics.
+
+An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks,
+and these are included in this patch release.
+
+### Changes
+
+#### Feature
+
+- cert-manager is now built with Go `1.20.12` ([#6543](https://github.com/cert-manager/cert-manager/pull/6543), [@wallrj](https://github.com/wallrj)).
+
+#### Bug or Regression
+
+- The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size `>= 3MiB`. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory ([#6506](https://github.com/cert-manager/cert-manager/pull/6506), [@inteon](https://github.com/inteon)).
+- The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body ([#6506](https://github.com/cert-manager/cert-manager/pull/6506), [@inteon](https://github.com/inteon)).
+- The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request ([#6506](https://github.com/cert-manager/cert-manager/pull/6506), [@inteon](https://github.com/inteon)).
+- Mitigate potential Slowloris attacks by setting `ReadHeaderTimeout` in all `http.Server` instances ([#6539](https://github.com/cert-manager/cert-manager/pull/6539), [@wallrj](https://github.com/wallrj)).
+- Upgrade `otel` and `docker` to fix: `CVE-2023-47108` and `GHSA-jq35-85cj-fj4p` ([#6513](https://github.com/cert-manager/cert-manager/pull/6513), [@inteon](https://github.com/inteon)).
+
+#### Dependencies
+
+##### Added
+- `cloud.google.com/go/dataproc/v2`: `v2.0.1`
+
+##### Changed
+- `cloud.google.com/go/aiplatform`: `v1.45.0 → v1.48.0`
+- `cloud.google.com/go/analytics`: `v0.21.2 → v0.21.3`
+- `cloud.google.com/go/baremetalsolution`: `v0.5.0 → v1.1.1`
+- `cloud.google.com/go/batch`: `v0.7.0 → v1.3.1`
+- `cloud.google.com/go/beyondcorp`: `v0.6.1 → v1.0.0`
+- `cloud.google.com/go/bigquery`: `v1.52.0 → v1.53.0`
+- `cloud.google.com/go/cloudbuild`: `v1.10.1 → v1.13.0`
+- `cloud.google.com/go/cloudtasks`: `v1.11.1 → v1.12.1`
+- `cloud.google.com/go/compute`: `v1.21.0 → v1.23.0`
+- `cloud.google.com/go/contactcenterinsights`: `v1.9.1 → v1.10.0`
+- `cloud.google.com/go/container`: `v1.22.1 → v1.24.0`
+- `cloud.google.com/go/datacatalog`: `v1.14.1 → v1.16.0`
+- `cloud.google.com/go/dataplex`: `v1.8.1 → v1.9.0`
+- `cloud.google.com/go/datastore`: `v1.12.1 → v1.13.0`
+- `cloud.google.com/go/datastream`: `v1.9.1 → v1.10.0`
+- `cloud.google.com/go/deploy`: `v1.11.0 → v1.13.0`
+- `cloud.google.com/go/dialogflow`: `v1.38.0 → v1.40.0`
+- `cloud.google.com/go/documentai`: `v1.20.0 → v1.22.0`
+- `cloud.google.com/go/eventarc`: `v1.12.1 → v1.13.0`
+- `cloud.google.com/go/firestore`: `v1.11.0 → v1.12.0`
+- `cloud.google.com/go/gkebackup`: `v0.4.0 → v1.3.0`
+- `cloud.google.com/go/gkemulticloud`: `v0.6.1 → v1.0.0`
+- `cloud.google.com/go/kms`: `v1.12.1 → v1.15.0`
+- `cloud.google.com/go/maps`: `v0.7.0 → v1.4.0`
+- `cloud.google.com/go/metastore`: `v1.11.1 → v1.12.0`
+- `cloud.google.com/go/policytroubleshooter`: `v1.7.1 → v1.8.0`
+- `cloud.google.com/go/pubsub`: `v1.32.0 → v1.33.0`
+- `cloud.google.com/go/run`: `v0.9.0 → v1.2.0`
+- `cloud.google.com/go/servicedirectory`: `v1.10.1 → v1.11.0`
+- `cloud.google.com/go/speech`: `v1.17.1 → v1.19.0`
+- `cloud.google.com/go/translate`: `v1.8.1 → v1.8.2`
+- `cloud.google.com/go/video`: `v1.17.1 → v1.19.0`
+- `cloud.google.com/go/vmwareengine`: `v0.4.1 → v1.0.0`
+- `cloud.google.com/go`: `v0.110.4 → v0.110.7`
+- `github.com/felixge/httpsnoop`: [`v1.0.3 → v1.0.4`](https://github.com/felixge/httpsnoop/compare/v1.0.3...v1.0.4)
+- `github.com/go-logr/logr`: [`v1.2.4 → v1.3.0`](https://github.com/go-logr/logr/compare/v1.2.4...v1.3.0)
+- `github.com/golang/glog`: [`v1.1.0 → v1.1.2`](https://github.com/golang/glog/compare/v1.1.0...v1.1.2)
+- `github.com/google/go-cmp`: [`v0.5.9 → v0.6.0`](https://github.com/google/go-cmp/compare/v0.5.9...v0.6.0)
+- `github.com/google/uuid`: [`v1.3.0 → v1.3.1`](https://github.com/google/uuid/compare/v1.3.0...v1.3.1)
+- `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc`: `v0.45.0 → v0.46.0`
+- `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp`: `v0.44.0 → v0.46.0`
+- `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`: `v1.19.0 → v1.20.0`
+- `go.opentelemetry.io/otel/exporters/otlp/otlptrace`: `v1.19.0 → v1.20.0`
+- `go.opentelemetry.io/otel/metric`: `v1.19.0 → v1.20.0`
+- `go.opentelemetry.io/otel/sdk`: `v1.19.0 → v1.20.0`
+- `go.opentelemetry.io/otel/trace`: `v1.19.0 → v1.20.0`
+- `go.opentelemetry.io/otel`: `v1.19.0 → v1.20.0`
+- `go.uber.org/goleak`: `v1.2.1 → v1.3.0`
+- `golang.org/x/oauth2`: `v0.10.0 → v0.11.0`
+- `golang.org/x/sys`: `v0.13.0 → v0.14.0`
+- `google.golang.org/genproto/googleapis/api`: `782d3b1 → b8732ec`
+- `google.golang.org/genproto/googleapis/rpc`: `782d3b1 → b8732ec`
+- `google.golang.org/genproto`: `782d3b1 → b8732ec`
+- `google.golang.org/grpc`: `v1.58.3 → v1.59.0`
+
+##### Removed
+- `cloud.google.com/go/dataproc`: `v1.12.0`
+
+
 ## v1.12.6
 
 v1.12.6 fixes some CVE alerts and a Venafi issuer bug

content/v1.12-docs/installation/README.md

@@ -12,7 +12,7 @@ Learn about the various ways you can install cert-manager and how to choose betw
 The default static configuration can be installed as follows:
 
 ```bash
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.6/cert-manager.yaml
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.7/cert-manager.yaml
 ```
 
 📖 Read more about [installing cert-manager using kubectl apply and static manifests](./kubectl.md).

content/v1.12-docs/installation/code-signing.md

@@ -22,7 +22,7 @@ The simplest way to verify signatures is to download the public key and then pas
 
 ```console
 curl -sSOL https://cert-manager.io/public-keys/cert-manager-pubkey-2021-09-20.pem
-IMAGE_TAG=v1.12.6  # change as needed
+IMAGE_TAG=v1.12.7  # change as needed
 cosign verify --signature-digest-algorithm sha512 --key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-acmesolver:$IMAGE_TAG
 cosign verify --signature-digest-algorithm sha512 --key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-cainjector:$IMAGE_TAG
 cosign verify --signature-digest-algorithm sha512 --key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-ctl:$IMAGE_TAG

content/v1.12-docs/installation/helm.md

@@ -44,7 +44,7 @@ or using the `installCRDs` option when installing the Helm chart.
 
 
 ```bash
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.6/cert-manager.crds.yaml
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.7/cert-manager.crds.yaml
 ```
 
 ##### Option 2: install CRDs as part of the Helm release
@@ -65,7 +65,7 @@ helm install \
   cert-manager jetstack/cert-manager \
   --namespace cert-manager \
   --create-namespace \
-  --version v1.12.6 \
+  --version v1.12.7 \
   # --set installCRDs=true
 ```
 
@@ -78,7 +78,7 @@ helm install \
   cert-manager jetstack/cert-manager \
   --namespace cert-manager \
   --create-namespace \
-  --version v1.12.6 \
+  --version v1.12.7 \
   # --set installCRDs=true
   --set prometheus.enabled=false \  # Example: disabling prometheus using a Helm parameter
   --set webhook.timeoutSeconds=4   # Example: changing the webhook timeout using a Helm parameter
@@ -109,7 +109,7 @@ version: 0.1.0
 appVersion: "0.1.0"
 dependencies:
   - name: cert-manager
-    version: v1.12.6
+    version: v1.12.7
     repository: https://charts.jetstack.io
     alias: cert-manager
     condition: cert-manager.enabled
@@ -140,7 +140,7 @@ helm template \
   cert-manager jetstack/cert-manager \
   --namespace cert-manager \
   --create-namespace \
-  --version v1.12.6 \
+  --version v1.12.7 \
   # --set prometheus.enabled=false \   # Example: disabling prometheus using a Helm parameter
   # --set installCRDs=true \           # Uncomment to also template CRDs
   > cert-manager.custom.yaml

content/v1.12-docs/installation/kubectl.md

@@ -19,7 +19,7 @@ are included in a single YAML manifest file:
 Install all cert-manager components:
 
 ```bash
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.6/cert-manager.yaml
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.7/cert-manager.yaml
 ```
 
 By default, cert-manager will be installed into the `cert-manager`

content/v1.12-docs/installation/operator-lifecycle-manager.md

@@ -217,7 +217,7 @@ The following JSON patch will append `-v=6` to command line arguments of the cer
 (the first container of the first Deployment).
 
 ```bash
-kubectl patch csv cert-manager.v1.12.6 \
+kubectl patch csv cert-manager.v1.12.7 \
   --type json \
   -p '[{"op": "add", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/0/args/-", "value": "-v=6" }]'
 ```