chore(deps): update helm release cert-manager to v1.13.3

[renovate]

This PR contains the following updates:

Package	Update	Change
cert-manager	patch	v1.13.2 -> v1.13.3

---

Release Notes

cert-manager/cert-manager (cert-manager)

v1.13.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Read about the breaking changes in cert-manager 1.13 before you upgrade from a < v1.13 version!

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

• GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

• CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Changes

Bug or Regression

• The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. (#​6507, @​inteon)
• The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. (#​6507, @​inteon)
• The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. (#​6507, @​inteon)
• Mitigate potential "Slowloris" attacks by setting ReadHeaderTimeout in all http.Server instances. (#​6538, @​wallrj)
• Upgrade Go modules: otel, docker, and jose to fix CVE alerts. See GHSA-8pgv-569h-w5rw, GHSA-jq35-85cj-fj4p, and GHSA-2c7c-3mj9-8fqh. (#​6514, @​inteon)

Dependencies

Added

Nothing has changed.

Changed

• cloud.google.com/go/firestore: v1.11.0 → v1.12.0
• cloud.google.com/go: v0.110.6 → v0.110.7
• github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
• github.com/go-jose/go-jose/v3: v3.0.0 → v3.0.1
• github.com/go-logr/logr: v1.2.4 → v1.3.0
• github.com/golang/glog: v1.1.0 → v1.1.2
• github.com/google/go-cmp: v0.5.9 → v0.6.0
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel: v1.19.0 → v1.20.0
• go.uber.org/goleak: v1.2.1 → v1.3.0
• golang.org/x/sys: v0.13.0 → v0.14.0
• google.golang.org/genproto/googleapis/api: f966b18 → b8732ec
• google.golang.org/genproto: f966b18 → b8732ec
• google.golang.org/grpc: v1.58.3 → v1.59.0

Removed

Nothing has changed.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

--- . Kustomization: flux-system/flux-system HelmRelease: dns/cert-manager

+++ . Kustomization: flux-system/flux-system HelmRelease: dns/cert-manager

@@ -6,13 +6,13 @@

   namespace: dns
 spec:
   interval: 1h
   chart:
     spec:
       chart: cert-manager
-      version: v1.13.2
+      version: v1.13.3
       sourceRef:
         kind: HelmRepository
         name: cert-manager
         namespace: dns
       interval: 1h
   values:
--- . Kustomization: flux-system/flux-system HelmRelease: automation/windmill

+++ . Kustomization: flux-system/flux-system HelmRelease: automation/windmill

@@ -6,13 +6,13 @@

   namespace: automation
 spec:
   interval: 30m
   chart:
     spec:
       chart: windmill
-      version: 2.0.50
+      version: 2.0.45
       sourceRef:
         kind: HelmRepository
         name: windmill
         namespace: automation
   maxHistory: 2
   install:

[github-actions]

--- . HelmRelease: dns/cert-manager Deployment: dns/cert-manager

+++ . HelmRelease: dns/cert-manager Deployment: dns/cert-manager

@@ -35,19 +35,19 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-controller
-        image: quay.io/jetstack/cert-manager-controller:v1.13.2
+        image: quay.io/jetstack/cert-manager-controller:v1.13.3
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --cluster-resource-namespace=$(POD_NAMESPACE)
         - --leader-election-namespace=kube-system
-        - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.13.2
+        - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.13.3
         - --max-concurrent-challenges=60
         ports:
         - containerPort: 9402
           name: http-metrics
           protocol: TCP
         - containerPort: 9403
--- . HelmRelease: dns/cert-manager Job: dns/cert-manager-startupapicheck

+++ . HelmRelease: dns/cert-manager Job: dns/cert-manager-startupapicheck

@@ -31,13 +31,13 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-startupapicheck
-        image: quay.io/jetstack/cert-manager-ctl:v1.13.2
+        image: quay.io/jetstack/cert-manager-ctl:v1.13.3
         imagePullPolicy: IfNotPresent
         args:
         - check
         - api
         - --wait=1m
         securityContext:
--- . HelmRelease: dns/cert-manager Deployment: dns/cert-manager-cainjector

+++ . HelmRelease: dns/cert-manager Deployment: dns/cert-manager-cainjector

@@ -31,13 +31,13 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-cainjector
-        image: quay.io/jetstack/cert-manager-cainjector:v1.13.2
+        image: quay.io/jetstack/cert-manager-cainjector:v1.13.3
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --leader-election-namespace=kube-system
         env:
         - name: POD_NAMESPACE
--- . HelmRelease: dns/cert-manager Deployment: dns/cert-manager-webhook

+++ . HelmRelease: dns/cert-manager Deployment: dns/cert-manager-webhook

@@ -31,13 +31,13 @@

       securityContext:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
       containers:
       - name: cert-manager-webhook
-        image: quay.io/jetstack/cert-manager-webhook:v1.13.2
+        image: quay.io/jetstack/cert-manager-webhook:v1.13.3
         imagePullPolicy: IfNotPresent
         args:
         - --v=2
         - --secure-port=10250
         - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
         - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca