Skip to content

[pull] master from cert-manager:master#1066

Open
pull[bot] wants to merge 3860 commits into
next-stack:masterfrom
cert-manager:master
Open

[pull] master from cert-manager:master#1066
pull[bot] wants to merge 3860 commits into
next-stack:masterfrom
cert-manager:master

Conversation

@pull

@pull pull Bot commented Oct 28, 2022

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

@pull pull Bot added the ⤵️ pull label Oct 28, 2022
cert-manager-prow Bot and others added 29 commits May 18, 2026 08:07
io.ReadAll(resp.Body) in the DoH client reads the full response
without a size limit. A malicious or compromised DoH server can send
an arbitrarily large response, causing the cert-manager controller
to run out of memory.

Wrap with io.LimitReader using a 128KB cap, which is well above the
DNS over TCP maximum of 65535 bytes (RFC 1035). This matches the
existing pattern used in cloudflare.go and http.go for bounding
external response reads.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
Signed-off-by: immanuwell <pchpr.00@list.ru>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
…dControllers

Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
feat: add SCM issuer stanza for OAuth 2.0 client credentials (NGTS/Palo Alto)
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
…b-actions

chore(deps): update github/codeql-action action to v4.36.0 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…org-x-net-vulnerability

chore(deps): update module golang.org/x/net to v0.55.0 [security] (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…org-x-crypto-vulnerability

fix(deps): update module golang.org/x/crypto to v0.52.0 [security] (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
fix: Guard ClusterIssuer metrics collector with controller enable check
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Felix Phipps <78652401+FelixPhipps@users.noreply.github.com>
cert-manager-prow Bot and others added 30 commits July 10, 2026 11:18
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…cemanager/privatedns/armprivatedns to v2

Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…e-openapi-digest

fix(deps): update k8s.io/kube-openapi digest to cdb1db5 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
The commented config example in the cert-manager helm chart values used
`gatewayAPI: enable: true`, but the ControllerConfiguration field is
`enabled` (GatewayAPIConfig.Enabled), so following the example fails.
Correct the key and regenerate values.schema.json and README.template.md.

Fixes #9007.

Signed-off-by: Mateen Anjum <mateenali66@gmail.com>
…d-values

fix(helm): correct gatewayAPI.enabled key in values config example
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…ls-digest

fix(deps): update k8s.io/utils digest to cf1189d (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…-azure-azure-sdk-for-go-sdk-resourcemanager-privatedns-armprivatedns-2.x

fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns to v2 (master)
…odules

chore(deps): update makefile modules to 2f12511 (master)
…-go-patches

fix(deps): update module sigs.k8s.io/structured-merge-diff/v6 to v6.4.2 (master)
fix: de-duplicate dnsNames when multiple Gateway/ListenerSet listeners share a Secret
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…x-deps

fix(deps): update module golang.org/x/crypto to v0.54.0 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
fix(deps): update module google.golang.org/api to v0.287.1 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…odules

chore(deps): update makefile modules to b7c9d73 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…odules

chore(deps): update makefile modules to 703bbcc (master)
The Vault AWS IAM auth path (requestTokenWithAWSAuth) fell back to the
controller's ambient AWS credential chain whenever awsAuth.ServiceAccountRef
was nil, without consulting IssuerOptions.CanUseAmbientCredentials(issuer) -
the gate every other ambient-credential code path honours and which defaults
to false for namespaced Issuers.

Because the tenant also controls spec.vault.server, a namespaced Issuer could
point a Vault Issuer at a server it controls and receive a SigV4-signed
GetCallerIdentity assertion of the controller's IAM identity, disclosing the
controller's AWS account/role and enabling replay against a trusting Vault
AWS-IAM backend to escalate to controller privilege.

Thread the ambient-credentials decision from the issuer and CSR controllers
(where the issuer type and IssuerOptions are known) through New/ClientBuilder
into the Vault client, and refuse the ambient fallback when the issuer is not
permitted to use ambient credentials. The explicit IRSA path
(serviceAccountRef set) and ClusterIssuer behaviour are unchanged.

```release-note
The `vault` issuer no longer authenticates to Vault using the cert-manager
controller's ambient AWS credentials for AWS IAM auth on a namespaced `Issuer`,
unless ambient credentials are explicitly enabled via
`--issuer-ambient-credentials`. This aligns the Vault AWS auth path with every
other ambient-credential code path. `ClusterIssuer` and explicit
`serviceAccountRef` (IRSA) configurations are unaffected.
```

Signed-off-by: Felix Phipps <fphipps@paloaltonetworks.com>
fix(vault): gate AWS IAM auth ambient credentials for namespaced Issuers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.