the replaced version had several CVEs as reported by Trivy:
CVE-2021-44716 - golang.org/x/net:
golang: net/http: limit growth of header canonicalization cache
CVE-2021-31525 - golang.org/x/net:
golang: net/http: panic in ReadRequest and ReadResponse when reading a
very large header
CVE-2022-29526 - golang.org/x/sys:
golang: syscall: faccessat checks wrong group
this commit fixes those reported CVEs
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
As the later version has a breaking change (bumps github.com/emicklei/go-restful -> github.com/emicklei/go-restful/v3)
Signed-off-by: irbekrm <irbekrm@gmail.com>
To allow us to both upgrade the upstream library and keep supporting HMACMD5 as RFC2136 TSIG algorithm although it was deprecated in the upstream library
Signed-off-by: irbekrm <irbekrm@gmail.com>
This is so as to avoid dropping support for HMacMD5 value for issuer.spec.acme.solvers.dns01.rfc2136.tsigAlgorithm
Signed-off-by: irbekrm <irbekrm@gmail.com>
Following the release of cert-manager v1.6.0, it was observed that an
update to the keystore-go library was backwards-incompatible; it
introduced a 6-character minimum length on passwords which wasn't
previously in force.
This led to https://github.com/pavel-v-chernykh/keystore-go/issues/30
which in turn led to https://github.com/pavel-v-chernykh/keystore-go/pull/31
This commit bumps to use the new version, which by default doesn't have
a min password length
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Note that the gateway-shim is only half the work for supporting the
Gateway API in cert-manager. The other half is the HTTP01 solver
support, which is still being worked on.
The Gateway API in cert-manager is released as an experimental feature
and needs to be enabled manually with the following flag:
--controllers=*,gateway-shim
All the annotations supported by ingress-shim are also supported by
gateway-shim, with some exceptions:
"acme.cert-manager.io/http01-ingress-class"
This annotation is not supported on the Gateway resource. Although the
Gateway resource also has a "gatewayClass" field, we will need to add
another field instead of "ingress-class" to avoid confusion with the
ingress-shim.
"acme.cert-manager.io/http01-edit-in-place"
This annotation is not supported because it is specific to some ingress
controllers like ingress-gce.
"kubernetes.io/tls-acme"
This annotation is not supported because it is a behavior inherited from
kube-lego and we chose not to keep this behavior with the Gateway API.
Unlike the ingress-shim, you can reuse the same Secret name in multiple
TLS configurations on the same Gateway resource.
The ingress-shim now shows the exact location of the duplicate
secretName when the user gives the same secretName in two separate TLS
blocks.
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Jake Sanders <i@am.so-aweso.me>
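
The gateway-shim rules in the commit message above can be turned into a pre-deployment check. This is an added example, not cert-manager code and not part of the original commit: the function name `lintShim`, the finding wording and the field paths are assumptions made for illustration, and the sample annotations and Secret names are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Annotations the commit message lists as not supported by gateway-shim.
var unsupportedOnGateway = map[string]bool{
	"acme.cert-manager.io/http01-ingress-class": true,
	"acme.cert-manager.io/http01-edit-in-place": true,
	"kubernetes.io/tls-acme":                    true,
}

// lintShim is a hypothetical pre-deployment check (not cert-manager's code).
// kind is "Gateway" or "Ingress"; secretNames holds the secretName of each
// TLS block in manifest order. The field paths in findings are illustrative.
func lintShim(kind string, annotations map[string]string, secretNames []string) []string {
	var findings []string
	if kind == "Gateway" {
		for key := range annotations {
			if unsupportedOnGateway[key] {
				findings = append(findings, fmt.Sprintf(
					"metadata.annotations[%q]: not supported by gateway-shim", key))
			}
		}
		sort.Strings(findings) // map iteration order is random; keep output stable
		return findings        // reusing a Secret name is allowed on a Gateway
	}
	// Ingress: report where the duplicate sits and which block it repeats.
	firstSeen := map[string]int{}
	for i, name := range secretNames {
		if j, dup := firstSeen[name]; dup {
			findings = append(findings, fmt.Sprintf(
				"spec.tls[%d].secretName: %q duplicates spec.tls[%d].secretName", i, name, j))
			continue
		}
		firstSeen[name] = i
	}
	return findings
}

func main() {
	// Constructed sample input.
	ann := map[string]string{"cert-manager.io/issuer": "letsencrypt", "kubernetes.io/tls-acme": "true"}
	secrets := []string{"web-tls", "api-tls", "web-tls"}
	for _, kind := range []string{"Gateway", "Ingress"} {
		fmt.Println(kind, lintShim(kind, ann, secrets))
	}
}
```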