chore(deps): update all non-major dependencies #303

Merged
merged 1 commit into from
Dec 28, 2023

@renovate renovate bot commented Nov 29, 2023

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cert-manager/cert-manager | | patch | v1.13.2 -> v1.13.3 |
| github.com/aws/aws-sdk-go-v2 | require | minor | v1.23.1 -> v1.24.0 |
| github.com/aws/aws-sdk-go-v2/config | require | minor | v1.25.5 -> v1.26.2 |
| github.com/aws/aws-sdk-go-v2/credentials | require | patch | v1.16.4 -> v1.16.13 |
| github.com/aws/aws-sdk-go-v2/service/acmpca | require | minor | v1.24.3 -> v1.25.5 |
| github.com/aws/aws-sdk-go-v2/service/iam | require | minor | v1.27.3 -> v1.28.6 |
| github.com/aws/aws-sdk-go-v2/service/ram | require | minor | v1.22.3 -> v1.23.7 |
| github.com/aws/aws-sdk-go-v2/service/sts | require | minor | v1.25.4 -> v1.26.6 |
| github.com/cert-manager/cert-manager | require | patch | v1.13.2 -> v1.13.3 |
| github.com/go-logr/logr | require | minor | v1.3.0 -> v1.4.1 |
| golang | stage | patch | 1.21.4 -> 1.21.5 |
| k8s.io/api | require | minor | v0.28.4 -> v0.29.0 |
| k8s.io/apimachinery | require | minor | v0.28.4 -> v0.29.0 |
| k8s.io/client-go | require | minor | v0.28.4 -> v0.29.0 |
| k8s.io/utils | require | digest | cf03d44 -> b307cd5 |

Release Notes

cert-manager/cert-manager (cert-manager/cert-manager)

v1.13.3

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Read about the breaking changes in cert-manager 1.13 before you upgrade from a < v1.13 version!

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

  • GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

  • CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Changes
Bug or Regression
  • The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. (#6507, @inteon)
  • The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. (#6507, @inteon)
  • The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. (#6507, @inteon)
  • Mitigate potential "Slowloris" attacks by setting ReadHeaderTimeout in all http.Server instances. (#6538, @wallrj)
  • Upgrade Go modules: otel, docker, and jose to fix CVE alerts. See GHSA-8pgv-569h-w5rw, GHSA-jq35-85cj-fj4p, and GHSA-2c7c-3mj9-8fqh. (#6514, @inteon)
Dependencies
Added

Nothing has changed.

Changed
  • cloud.google.com/go/firestore: v1.11.0 → v1.12.0
  • cloud.google.com/go: v0.110.6 → v0.110.7
  • github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
  • github.com/go-jose/go-jose/v3: v3.0.0 → v3.0.1
  • github.com/go-logr/logr: v1.2.4 → v1.3.0
  • github.com/golang/glog: v1.1.0 → v1.1.2
  • github.com/google/go-cmp: v0.5.9 → v0.6.0
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel: v1.19.0 → v1.20.0
  • go.uber.org/goleak: v1.2.1 → v1.3.0
  • golang.org/x/sys: v0.13.0 → v0.14.0
  • google.golang.org/genproto/googleapis/api: f966b18 → b8732ec
  • google.golang.org/genproto: f966b18 → b8732ec
  • google.golang.org/grpc: v1.58.3 → v1.59.0
Removed

Nothing has changed.

aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2)

v1.24.0

v1.23.5

v1.23.4

v1.23.3

v1.23.2

go-logr/logr (github.com/go-logr/logr)

v1.4.1

What's Changed

Full Changelog: go-logr/logr@v1.4.0...v1.4.1

v1.4.0

This release dramatically improves interoperability with Go's log/slog package. In particular, logr.NewContext and logr.NewContextWithSlogLogger use the same context key, which allows logr.FromContext and logr.FromContextAsSlogLogger to return logr.Logger or *slog.Logger respectively, including transparently converting each to the other as needed.

Functions logr/slogr.NewLogr and logr/slogr.ToSlogHandler have been superseded by logr.FromSlogHandler and logr.ToSlogHandler respectively, and type logr/slogr.SlogSink has been superseded by logr.SlogSink. All of the old names in logr/slogr remain, for compatibility.

Package logr/funcr now supports logr.SlogSink, meaning that its output passes all but one of the Slog conformance tests (that exception being that funcr handles the timestamp itself).

Users who have a logr.Logger and need a *slog.Logger can call slog.New(logr.ToSlogHandler(...)) and all output will go through the same stack.

Users who have a *slog.Logger or slog.Handler can call logr.FromSlogHandler(...) and all output will go through the same stack.

What's Changed

New Contributors

Full Changelog: go-logr/logr@v1.3.0...v1.4.0

kubernetes/api (k8s.io/api)

v0.29.0

v0.28.5

kubernetes/apimachinery (k8s.io/apimachinery)

v0.29.0

v0.28.5

kubernetes/client-go (k8s.io/client-go)

v0.29.0

v0.28.5


Configuration

📅 Schedule: Branch creation - "after 9am on Wednesday,before 12pm on Wednesday" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
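
The webhook hardening listed in the cert-manager v1.13.3 release notes above (413 for bodies of 3 MiB or more, 400 for an empty body, 500 on a panic, ReadHeaderTimeout against Slowloris), shown as an added Go example. It is not cert-manager's code and is not part of the original PR; `harden`, `newServer`, `statusFor`, the listen address and the 10-second timeout are assumptions made for illustration.

```go
package main
import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

const maxBodyBytes = 3 << 20 // 3 MiB; the reader limit is one byte lower so exactly 3 MiB gets 413

// harden applies the request-level checks before calling review (hypothetical callback).
func harden(review func(body []byte)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() { // a panic while handling the request becomes a 500 response
			if recover() != nil {
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBodyBytes-1))
		switch {
		case errors.As(err, new(*http.MaxBytesError)):
			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
		case err != nil || len(body) == 0:
			http.Error(w, "empty or unreadable body", http.StatusBadRequest)
		default:
			review(body)
			w.WriteHeader(http.StatusOK)
		}
	})
}

// newServer bounds how long a client may take to send headers; address and 10s are assumptions.
func newServer(h http.Handler) *http.Server {
	return &http.Server{Addr: ":8443", Handler: h, ReadHeaderTimeout: 10 * time.Second}
}

// statusFor sends one constructed POST through h and returns the status code.
func statusFor(h http.Handler, body string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("POST", "/", strings.NewReader(body)))
	return rec.Code
}

func main() {
	h := harden(func(b []byte) { _ = b[3] }) // constructed bug: bodies under 4 bytes panic
	fmt.Println(statusFor(h, ""), statusFor(h, "ok"), statusFor(h, "okay"))
}
```

The body is capped while it is being read, so an oversized request is refused before the whole payload is buffered in memory.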

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from cb59b68 to 153eae9 Compare December 5, 2023 21:37
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from 77e8c5f to b5dde70 Compare December 11, 2023 16:57
@renovate renovate bot changed the title fix(deps): update all non-major dependencies chore(deps): update all non-major dependencies Dec 11, 2023
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 6e3aa24 to 179d9f5 Compare December 21, 2023 18:37
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@jetstack-bot

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot merged commit 17f04d2 into main Dec 28, 2023
14 checks passed
@renovate renovate bot deleted the renovate/all-minor-patch branch December 28, 2023 00:51