volschin / home-ops

Repository for my home infrastructure and Kubernetes cluster which adheres to Infrastructure as Code (IaC) and GitOps practices where possible
https://k8s.olschi.de/
MIT License

feat(helm): update chart cert-manager ( v1.15.3 → v1.16.0 ) #912

Closed renovate[bot] closed 3 weeks ago

renovate[bot] commented 3 weeks ago

This PR contains the following updates:

Package Update Change OpenSSF
cert-manager (source) minor v1.15.3 -> v1.16.0 OpenSSF Scorecard

Release Notes

cert-manager/cert-manager (cert-manager)

### [`v1.16.0`](https://redirect.github.com/cert-manager/cert-manager/compare/v1.15.3...v1.16.0)

[Compare Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.15.3...v1.16.0)

Configuration

📅 Schedule: Branch creation - "after 8am every weekday,before 7pm every weekday" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

github-actions[bot] commented 3 weeks ago
--- kubernetes/apps/cert-manager/cert-manager/app Kustomization: flux-system/cert-manager HelmRelease: cert-manager/cert-manager

+++ kubernetes/apps/cert-manager/cert-manager/app Kustomization: flux-system/cert-manager HelmRelease: cert-manager/cert-manager

@@ -13,13 +13,13 @@

     spec:
       chart: cert-manager
       sourceRef:
         kind: HelmRepository
         name: jetstack
         namespace: flux-system
-      version: v1.15.3
+      version: v1.16.0
   install:
     remediation:
       retries: 3
   interval: 30m
   upgrade:
     cleanupOnFail: true
github-actions[bot] commented 3 weeks ago
--- HelmRelease: cert-manager/cert-manager ClusterRoleBinding: cert-manager/cert-manager-webhook:subjectaccessreviews

+++ HelmRelease: cert-manager/cert-manager ClusterRoleBinding: cert-manager/cert-manager-webhook:subjectaccessreviews

@@ -11,11 +11,10 @@

     app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cert-manager-webhook:subjectaccessreviews
 subjects:
-- apiGroup: ''
-  kind: ServiceAccount
+- kind: ServiceAccount
   name: cert-manager-webhook
   namespace: cert-manager

--- HelmRelease: cert-manager/cert-manager RoleBinding: kube-system/cert-manager:leaderelection

+++ HelmRelease: cert-manager/cert-manager RoleBinding: kube-system/cert-manager:leaderelection

@@ -12,11 +12,10 @@

     app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: cert-manager:leaderelection
 subjects:
-- apiGroup: ''
-  kind: ServiceAccount
+- kind: ServiceAccount
   name: cert-manager
   namespace: cert-manager

--- HelmRelease: cert-manager/cert-manager RoleBinding: cert-manager/cert-manager-webhook:dynamic-serving

+++ HelmRelease: cert-manager/cert-manager RoleBinding: cert-manager/cert-manager-webhook:dynamic-serving

@@ -12,11 +12,10 @@

     app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: cert-manager-webhook:dynamic-serving
 subjects:
-- apiGroup: ''
-  kind: ServiceAccount
+- kind: ServiceAccount
   name: cert-manager-webhook
   namespace: cert-manager

--- HelmRelease: cert-manager/cert-manager Service: cert-manager/cert-manager-webhook

+++ HelmRelease: cert-manager/cert-manager Service: cert-manager/cert-manager-webhook

@@ -14,11 +14,15 @@

   type: ClusterIP
   ports:
   - name: https
     port: 443
     protocol: TCP
     targetPort: https
+  - name: metrics
+    port: 9402
+    protocol: TCP
+    targetPort: http-metrics
   selector:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: webhook
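Review bot: The added `metrics` port (9402 → `http-metrics`) makes the webhook's metrics endpoint reachable through the ClusterIP Service from any workload in the cluster, and nothing in this diff restricts that. The ServiceMonitor hunk further down scrapes `/metrics` with no `scheme` or TLS settings in its visible lines, so the endpoint is presumably plain, unauthenticated HTTP. Consider a NetworkPolicy in the `cert-manager` namespace that admits ingress on TCP 9402 only from the Prometheus pods. The same applies to the new `cert-manager-cainjector` Service added at the end of this diff. Whether such a policy already exists is not visible here.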

--- HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-cainjector

+++ HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-cainjector

@@ -31,17 +31,21 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-cainjector
-        image: quay.io/jetstack/cert-manager-cainjector:v1.15.3
+        image: quay.io/jetstack/cert-manager-cainjector:v1.16.0
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --leader-election-namespace=kube-system
+        ports:
+        - containerPort: 9402
+          name: http-metrics
+          protocol: TCP
         env:
         - name: POD_NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
         securityContext:
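Review bot: The image on the new side is still referenced by a mutable tag only (`quay.io/jetstack/cert-manager-cainjector:v1.16.0`), and with `imagePullPolicy: IfNotPresent` a node keeps whatever content it first pulled under that tag. Pinning by digest, e.g. `image: quay.io/jetstack/cert-manager-cainjector:v1.16.0@sha256:<digest-from-release>`, ties the deployment to the content that was actually reviewed. The chart appears to offer a per-component `image.digest` value for this, which should be confirmed against the chart's values. The same applies to the controller, acmesolver, webhook and startupapicheck images in the following hunks. The container spec continues past the end of this hunk.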
--- HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager

+++ HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager

@@ -31,19 +31,19 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-controller
-        image: quay.io/jetstack/cert-manager-controller:v1.15.3
+        image: quay.io/jetstack/cert-manager-controller:v1.16.0
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --cluster-resource-namespace=$(POD_NAMESPACE)
         - --leader-election-namespace=kube-system
-        - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.15.3
+        - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.16.0
         - --enable-gateway-api
         - --max-concurrent-challenges=60
         - --dns01-recursive-nameservers-only=true
         - --dns01-recursive-nameservers=https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
         ports:
         - containerPort: 9402
--- HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-webhook

+++ HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager-webhook

@@ -31,13 +31,13 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-webhook
-        image: quay.io/jetstack/cert-manager-webhook:v1.15.3
+        image: quay.io/jetstack/cert-manager-webhook:v1.16.0
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --secure-port=10250
         - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
         - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
@@ -48,12 +48,15 @@

         - name: https
           protocol: TCP
           containerPort: 10250
         - name: healthcheck
           protocol: TCP
           containerPort: 6080
+        - containerPort: 9402
+          name: http-metrics
+          protocol: TCP
         livenessProbe:
           httpGet:
             path: /livez
             port: 6080
             scheme: HTTP
           initialDelaySeconds: 60
--- HelmRelease: cert-manager/cert-manager ServiceMonitor: cert-manager/cert-manager

+++ HelmRelease: cert-manager/cert-manager ServiceMonitor: cert-manager/cert-manager

@@ -11,16 +11,29 @@

     app.kubernetes.io/component: controller
     app.kubernetes.io/managed-by: Helm
     prometheus: default
 spec:
   jobLabel: cert-manager
   selector:
-    matchLabels:
-      app.kubernetes.io/name: cert-manager
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: controller
+    matchExpressions:
+    - key: app.kubernetes.io/name
+      operator: In
+      values:
+      - cainjector
+      - cert-manager
+      - webhook
+    - key: app.kubernetes.io/instance
+      operator: In
+      values:
+      - cert-manager
+    - key: app.kubernetes.io/component
+      operator: In
+      values:
+      - cainjector
+      - controller
+      - webhook
   endpoints:
   - targetPort: 9402
     path: /metrics
     interval: 60s
     scrapeTimeout: 30s
     honorLabels: false
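Review bot: With the selector widened to three Services, `jobLabel: cert-manager` deserves a check, because Prometheus Operator falls back to the Service name as the `job` value when the Service has no label of that name. The new `cert-manager-cainjector` Service at the end of this diff carries no `cert-manager` label, so its series would presumably arrive as `job="cert-manager-cainjector"`. Alert rules and dashboards that filter on one fixed job value, certificate-expiry alerts in particular, should be checked against the new series. The `endpoints` list continues outside the hunk.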
--- HelmRelease: cert-manager/cert-manager Role: cert-manager/cert-manager-startupapicheck:create-cert

+++ HelmRelease: cert-manager/cert-manager Role: cert-manager/cert-manager-startupapicheck:create-cert

@@ -15,10 +15,10 @@

     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
     helm.sh/hook-weight: '-5'
 rules:
 - apiGroups:
   - cert-manager.io
   resources:
-  - certificates
+  - certificaterequests
   verbs:
   - create

--- HelmRelease: cert-manager/cert-manager Job: cert-manager/cert-manager-startupapicheck

+++ HelmRelease: cert-manager/cert-manager Job: cert-manager/cert-manager-startupapicheck

@@ -31,22 +31,27 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-startupapicheck
-        image: quay.io/jetstack/cert-manager-startupapicheck:v1.15.3
+        image: quay.io/jetstack/cert-manager-startupapicheck:v1.16.0
         imagePullPolicy: IfNotPresent
         args:
         - check
         - api
         - --wait=1m
         - -v
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
           readOnlyRootFilesystem: true
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
       nodeSelector:
         kubernetes.io/os: linux

--- HelmRelease: cert-manager/cert-manager Role: cert-manager/cert-manager-tokenrequest

+++ HelmRelease: cert-manager/cert-manager Role: cert-manager/cert-manager-tokenrequest

@@ -0,0 +1,22 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-tokenrequest
+  namespace: cert-manager
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts/token
+  resourceNames:
+  - cert-manager
+  verbs:
+  - create
+
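Review bot: This new Role allows `create` on `serviceaccounts/token`, i.e. minting tokens for the `cert-manager` ServiceAccount through the TokenRequest API, and the RoleBinding in the next hunk grants it to that same ServiceAccount. `resourceNames` keeps it to the one account, but the TokenRequest caller chooses the audience and the requested lifetime. A compromised controller pod could therefore obtain tokens for audiences other than the API server, which matters if anything external trusts this cluster's ServiceAccount issuer. The diff does not show which issuer configuration needs the permission; if none in this cluster does, check whether the chart allows turning it off. Either way, recording `create` on `serviceaccounts/token` in the `cert-manager` namespace in the API server audit policy gives visibility into its use.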
--- HelmRelease: cert-manager/cert-manager RoleBinding: cert-manager/cert-manager-cert-manager-tokenrequest

+++ HelmRelease: cert-manager/cert-manager RoleBinding: cert-manager/cert-manager-cert-manager-tokenrequest

@@ -0,0 +1,21 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-cert-manager-tokenrequest
+  namespace: cert-manager
+  labels:
+    app: cert-manager
+    app.kubernetes.io/name: cert-manager
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-tokenrequest
+subjects:
+- kind: ServiceAccount
+  name: cert-manager
+  namespace: cert-manager
+
--- HelmRelease: cert-manager/cert-manager Service: cert-manager/cert-manager-cainjector

+++ HelmRelease: cert-manager/cert-manager Service: cert-manager/cert-manager-cainjector

@@ -0,0 +1,23 @@

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cert-manager-cainjector
+  namespace: cert-manager
+  labels:
+    app: cainjector
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: cainjector
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+  - protocol: TCP
+    port: 9402
+    name: http-metrics
+  selector:
+    app.kubernetes.io/name: cainjector
+    app.kubernetes.io/instance: cert-manager
+    app.kubernetes.io/component: cainjector
+