[pull] master from cert-manager:master#1066
Open
pull[bot] wants to merge 3860 commits into
Open
Conversation
chore(deps): update base images (master)
io.ReadAll(resp.Body) in the DoH client reads the full response without a size limit. A malicious or compromised DoH server can send an arbitrarily large response, causing the cert-manager controller to run out of memory. Wrap with io.LimitReader using a 128KB cap, which is well above the DNS over TCP maximum of 65535 bytes (RFC 1035). This matches the existing pattern used in cloudflare.go and http.go for bounding external response reads. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
Signed-off-by: immanuwell <pchpr.00@list.ru>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
…dControllers Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
feat: add SCM issuer stanza for OAuth 2.0 client credentials (NGTS/Palo Alto)
Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>
[CI] Merge self-upgrade-master into master
…b-actions chore(deps): update github/codeql-action action to v4.36.0 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…org-x-net-vulnerability chore(deps): update module golang.org/x/net to v0.55.0 [security] (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…org-x-crypto-vulnerability fix(deps): update module golang.org/x/crypto to v0.52.0 [security] (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
fix(deps): update cloud go deps (master)
fix: Guard ClusterIssuer metrics collector with controller enable check
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Felix Phipps <78652401+FelixPhipps@users.noreply.github.com>
Bump Renovate base branches
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…cemanager/privatedns/armprivatedns to v2 Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…e-openapi-digest fix(deps): update k8s.io/kube-openapi digest to cdb1db5 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
The commented config example in the cert-manager helm chart values used `gatewayAPI: enable: true`, but the ControllerConfiguration field is `enabled` (GatewayAPIConfig.Enabled), so following the example fails. Correct the key and regenerate values.schema.json and README.template.md. Fixes #9007. Signed-off-by: Mateen Anjum <mateenali66@gmail.com>
…d-values fix(helm): correct gatewayAPI.enabled key in values config example
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…ls-digest fix(deps): update k8s.io/utils digest to cf1189d (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…-azure-azure-sdk-for-go-sdk-resourcemanager-privatedns-armprivatedns-2.x fix(deps): update module github.com/azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns to v2 (master)
…odules chore(deps): update makefile modules to 2f12511 (master)
fix(deps): update cloud go deps (master)
…-go-patches fix(deps): update module sigs.k8s.io/structured-merge-diff/v6 to v6.4.2 (master)
fix: de-duplicate dnsNames when multiple Gateway/ListenerSet listeners share a Secret
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…x-deps fix(deps): update module golang.org/x/crypto to v0.54.0 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
fix(deps): update module google.golang.org/api to v0.287.1 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
fix(deps): update cloud go deps (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…odules chore(deps): update makefile modules to b7c9d73 (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
chore(deps): update base images (master)
Signed-off-by: Renovate Bot <renovate-bot@users.noreply.github.com>
…odules chore(deps): update makefile modules to 703bbcc (master)
The Vault AWS IAM auth path (requestTokenWithAWSAuth) fell back to the controller's ambient AWS credential chain whenever awsAuth.ServiceAccountRef was nil, without consulting IssuerOptions.CanUseAmbientCredentials(issuer) - the gate every other ambient-credential code path honours and which defaults to false for namespaced Issuers. Because the tenant also controls spec.vault.server, a namespaced Issuer could point a Vault Issuer at a server it controls and receive a SigV4-signed GetCallerIdentity assertion of the controller's IAM identity, disclosing the controller's AWS account/role and enabling replay against a trusting Vault AWS-IAM backend to escalate to controller privilege. Thread the ambient-credentials decision from the issuer and CSR controllers (where the issuer type and IssuerOptions are known) through New/ClientBuilder into the Vault client, and refuse the ambient fallback when the issuer is not permitted to use ambient credentials. The explicit IRSA path (serviceAccountRef set) and ClusterIssuer behaviour are unchanged. ```release-note The `vault` issuer no longer authenticates to Vault using the cert-manager controller's ambient AWS credentials for AWS IAM auth on a namespaced `Issuer`, unless ambient credentials are explicitly enabled via `--issuer-ambient-credentials`. This aligns the Vault AWS auth path with every other ambient-credential code path. `ClusterIssuer` and explicit `serviceAccountRef` (IRSA) configurations are unaffected. ``` Signed-off-by: Felix Phipps <fphipps@paloaltonetworks.com>
fix(vault): gate AWS IAM auth ambient credentials for namespaced Issuers
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )