chore(chart-deps): update cert-manager to version v1.18.2 (#2305)

Co-authored-by: Matthias Erll <[email protected]>

Author: svcAPLBot

apps.yaml

@@ -22,8 +22,8 @@ appsInfo:
     about: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
     integration: Argo CD is configured by APL to use the SSO provided by keycloak, and maps APL groups to Argo CD roles. The otomi-admin role is made super admin within Argo CD. The team-admin role has access to Argo CD and is admin of all team projects. Members of team roles are only allowed to administer their own projects. All Teams will automatically get access to a Git repo, and Argo CD is configured to listen to this repo. All a team has to do is to fill their repo with intended state, commit, and automation takes care of the rest.
   cert-manager:
-    title: Certificate Manager
-    appVersion: 1.17.1
+    title: Cert-manager
+    appVersion: 1.18.2
     repo: https://github.com/cert-manager/cert-manager
     maintainers: The Linux Foundation
     relatedLinks:

chart/chart-index/Chart.yaml

@@ -9,7 +9,7 @@ dependencies:
     version: 8.0.9
     repository: https://argoproj.github.io/argo-helm
   - name: cert-manager
-    version: v1.17.1
+    version: v1.18.2
     repository: https://charts.jetstack.io
   - name: cloudnative-pg
     version: 0.24.0

charts/cert-manager/Chart.yaml

@@ -6,7 +6,7 @@ annotations:
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v2
-appVersion: v1.17.1
+appVersion: v1.18.2
 description: A Helm chart for cert-manager
 home: https://cert-manager.io
 icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
@@ -23,4 +23,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/cert-manager/cert-manager
-version: v1.17.1
+version: v1.18.2

charts/cert-manager/README.md

@@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou
 This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
 
 ```bash
-$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.1/cert-manager.crds.yaml
+$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.crds.yaml
 ```
 
 To install the chart with the release name `cert-manager`:
@@ -29,7 +29,7 @@ To install the chart with the release name `cert-manager`:
 $ helm repo add jetstack https://charts.jetstack.io --force-update
 
 ## Install the cert-manager helm chart
-$ helm install cert-manager --namespace cert-manager --version v1.17.1 jetstack/cert-manager
+$ helm install cert-manager --namespace cert-manager --version v1.18.2 jetstack/cert-manager
 ```
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer
@@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als
 delete the previously installed CustomResourceDefinition resources:
 
 ```console
-$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.1/cert-manager.crds.yaml
+$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.crds.yaml
 ```
 
 ## Configuration
@@ -230,13 +230,13 @@ This prevents downtime during voluntary disruptions such as during a Node upgrad
 Pod is currently running.
 #### **podDisruptionBudget.minAvailable** ~ `unknown`
 
-This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
+This configures the minimum available pods for disruptions. It can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).  
 It cannot be used if `maxUnavailable` is set.
 
 
 #### **podDisruptionBudget.maxUnavailable** ~ `unknown`
 
-This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). it cannot be used if `minAvailable` is set.
+This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%). it cannot be used if `minAvailable` is set.
 
 
 #### **featureGates** ~ `string`
@@ -300,7 +300,7 @@ Override the "cert-manager.fullname" value. This value is used as part of most o
 
 #### **nameOverride** ~ `string`
 
-Override the "cert-manager.name" value, which is used to annotate some of the resources that are created by this Chart (using "app.kubernetes.io/name"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use eg. "cainjector.name" which resolves to the value "cainjector").
+Override the "cert-manager.name" value, which is used to annotate some of the resources that are created by this Chart (using "app.kubernetes.io/name"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use, e.g., "cainjector.name" which resolves to the value "cainjector").
 
 #### **serviceAccount.create** ~ `bool`
 > Default value:
@@ -371,10 +371,10 @@ config:
   kubernetesAPIBurst: 9000
   numberOfConcurrentWorkers: 200
   enableGatewayAPI: true
-  # Feature gates as of v1.17.0. Listed with their default values.
+  # Feature gates as of v1.18.1. Listed with their default values.
   # See https://cert-manager.io/docs/cli/controller/
   featureGates:
-    AdditionalCertificateOutputFormats: true # BETA - default=true
+    AdditionalCertificateOutputFormats: true # GA - default=true
     AllAlpha: false # ALPHA - default=false
     AllBeta: false # BETA - default=false
     ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false
@@ -386,8 +386,10 @@ config:
     ServerSideApply: false # ALPHA - default=false
     StableCertificateRequestName: true # BETA - default=true
     UseCertificateRequestBasicConstraints: false # ALPHA - default=false
-    UseDomainQualifiedFinalizer: true # BETA - default=false
+    UseDomainQualifiedFinalizer: true # GA - default=true
     ValidateCAA: false # ALPHA - default=false
+    DefaultPrivateKeyRotationPolicyAlways: true # BETA - default=true
+    ACMEHTTP01IngressPathTypeExact: true # BETA - default=true
   # Configure the metrics server for TLS
   # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
   metricsTLSConfig:
@@ -425,7 +427,7 @@ Option to disable cert-manager's build-in auto-approver. The auto-approver appro
 > - clusterissuers.cert-manager.io/*
 > ```
 
-List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because eg. you are using approver-policy, you can enable 'disableAutoApproval'.  
+List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because, e.g., you are using approver-policy, you can enable 'disableAutoApproval'.  
 ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
 
 #### **extraArgs** ~ `array`
@@ -684,7 +686,7 @@ enableServiceLinks indicates whether information about services should be inject
 
 Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a  
 ServiceMonitor resource.  
-Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
+Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you cannot enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
 #### **prometheus.servicemonitor.enabled** ~ `bool`
 > Default value:
 > ```yaml
@@ -703,13 +705,14 @@ The namespace that the service monitor should live in, defaults to the cert-mana
 > ```
 
 Specifies the `prometheus` label on the created ServiceMonitor. This is used when different Prometheus instances have label selectors matching different ServiceMonitors.
-#### **prometheus.servicemonitor.targetPort** ~ `number`
+#### **prometheus.servicemonitor.targetPort** ~ `string,integer`
 > Default value:
 > ```yaml
-> 9402
+> http-metrics
 > ```
 
 The target port to set on the ServiceMonitor. This must match the port that the cert-manager controller is listening on for metrics.
+
 #### **prometheus.servicemonitor.path** ~ `string`
 > Default value:
 > ```yaml
@@ -969,13 +972,13 @@ This prevents downtime during voluntary disruptions such as during a Node upgrad
 Pod is currently running.
 #### **webhook.podDisruptionBudget.minAvailable** ~ `unknown`
 
-This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
+This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).  
 It cannot be used if `maxUnavailable` is set.
 
 
 #### **webhook.podDisruptionBudget.maxUnavailable** ~ `unknown`
 
-This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).  
+This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).  
 It cannot be used if `minAvailable` is set.
 
 
@@ -1442,14 +1445,14 @@ Pod is currently running.
 #### **cainjector.podDisruptionBudget.minAvailable** ~ `unknown`
 
 `minAvailable` configures the minimum available pods for disruptions. It can either be set to  
-an integer (e.g. 1) or a percentage value (e.g. 25%).  
+an integer (e.g., 1) or a percentage value (e.g., 25%).  
 Cannot be used if `maxUnavailable` is set.
 
 
 #### **cainjector.podDisruptionBudget.maxUnavailable** ~ `unknown`
 
 `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to  
-an integer (e.g. 1) or a percentage value (e.g. 25%).  
+an integer (e.g., 1) or a percentage value (e.g., 25%).  
 Cannot be used if `minAvailable` is set.
 
 

charts/cert-manager/templates/NOTES.txt

@@ -1,6 +1,12 @@
 {{- if .Values.installCRDs }}
 ⚠️  WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.
+
 {{- end }}
+⚠️  WARNING: New default private key rotation policy for Certificate resources.
+The default private key rotation policy for Certificate resources was
+changed to `Always` in cert-manager >= v1.18.0.
+Learn more in the [1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18).
+
 cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
 
 In order to begin issuing certificates, you will need to set up a ClusterIssuer

charts/cert-manager/templates/cainjector-deployment.yaml

@@ -138,7 +138,9 @@ spec:
           {{- end }}
       {{- with .Values.cainjector.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- range $key, $value := . }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
       {{- end }}
       {{- with .Values.cainjector.affinity }}
       affinity: