Merge pull request #1679 from cert-manager/master

Merge the release-branch forward to match master

Author: cert-manager-prow[bot]

.github/dependabot.yaml

@@ -1,5 +1,5 @@
 # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
-# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base-dependabot/.github/dependabot.yaml instead.
 
 # Update Go dependencies and GitHub Actions dependencies daily.
 version: 2

.github/workflows/make-self-upgrade.yaml

@@ -32,13 +32,17 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with: { fetch-depth: 0 }
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

.spelling

@@ -1,4 +1,15 @@
+fuzzer
+fuzzers
+Fuzzer
+Fuzzers
 phillebaba
+aidy
+bashlion
+7ing
+fadecore
+schedin
+ssyno
+ianarsenault
 tberreis
 allenmunC1
 jeremycampbell
@@ -7,13 +18,29 @@ JoeNorth
 tanujd11
 asapekia
 pevidex
+TheHenrick
+ilyesAj
+Peac36
+jochenrichter
+adam-sroka
+rquinio1A
+puerco
+fcrespofastly
 vinny
 lauraseidler
 ABWassim
 ThatsMrTalbot
 Pionerd
+tareksha
+LukeCarrier
+SHA-256
+SHA-384
+SHA-512
+3072-bit
+4096-bit
 andrey-dubnik
 bwaldrep
+sdarwin
 eplightning
 findnature
 gplessis
@@ -73,6 +100,9 @@ jwenz723
 seuf
 thirdeyenick
 MattiasGees
+Gamanji
+impactful
+Linkerd
 (sub)domains
 7opf
 ACLs
@@ -86,7 +116,10 @@ APIService
 APIServices
 APIs
 AWS
+SDK
+SDKs
 Akamai
+ANDed
 Anthos
 AppRole
 approvers
@@ -96,16 +129,22 @@ ArtifactHUB
 ArtifactHub
 AzureDNS
 BasicConstraints
+Bullseye
+Bookworm
 BKPR
 Bazel
 Bitnami
+BlueSky
 BobyMCbobs
 Bugfixes
 bugfix
 BundleSource
 BundleTarget
 BundleCondition
 NamespaceSelector
+CamelCase
+Cyberark
+CyberArk
 CAs
 CNAME
 CNAMEs
@@ -160,6 +199,7 @@ Dean-Coakley
 DigitalOcean
 OVHCloud
 Distroless
+DoesNotExist
 DuckDuckGo
 etcd
 EC2
@@ -234,6 +274,7 @@ NameCheap
 NGINX
 NLB
 NLBs
+NotIn
 Ocado
 OmairK
 OpenAPI
@@ -343,6 +384,7 @@ coderanger
 config
 containerd
 customizable
+defaultCAPackageVersion
 distroless
 e.g.
 e2e
@@ -426,8 +468,10 @@ multivalue
 macOS
 makefile
 manual-rotation-private-key
+matchExpressions
 mechanism
 metadata
+metadata.generation
 middleware
 migrate-api-version
 misconfiguration
@@ -444,6 +488,7 @@ namespaces
 ndegory
 oauth2
 OAuth
+observedGeneration
 onwards
 openshift-supported-versions
 plaintext
@@ -472,6 +517,7 @@ runtime
 runtimes
 signoff
 sigstore
+status.condition
 stdout
 subchart
 subcommand
@@ -501,6 +547,7 @@ unredacted
 unschedule
 untrusted
 upstream
+useDefaultCAs
 userinfo
 util
 vhosakot
@@ -515,8 +562,22 @@ v1.12.1
 v1.12.2
 v1.12.3
 v1.12.4
+v1.12.
 v1.13
+v1.14
+v1.15
+v1.15.
 v1.16
+v1.16.
+v1.16.0
+v1.16.1
+v1.17
+v1.17.
+v1.17.0
+v1.18.
+v1.18
+v1.18.0
+v1.18.0.
 v1.19
 v1.5
 v1.5.0
@@ -580,6 +641,7 @@ yann-soubeyrand
 yk
 mfmbarros
 maelvls
+Maël
 bitscuit
 zsh
 PodDisruptionBudget
@@ -732,7 +794,9 @@ venafi-issuer
 adcs-issuer
 cview-issuer
 cfssl-issuer
+cfmtls-issuer
 GlobalSign
+czertainly-issuer
 
 # TEMPORARY
 # these are temporarily ignored because the spellchecker
@@ -758,3 +822,14 @@ Logics
 OpenSSF
 OSS-Fuzz
 Korczynski
+
+CyberArk
+ContribFest
+Contribfest
+Zenior's
+Godding
+Boye
+READMEs
+K3d
+CyberArk
+90-minute

OWNERS

@@ -1,5 +1,6 @@
 approvers:
 - cm-maintainers
+- hawksight
 reviewers:
 - cm-maintainers
 - hawksight

OWNERS_ALIASES

@@ -8,7 +8,7 @@ aliases:
     - wallrj
     - jakexks
     - maelvls
-    - irbekrm
     - sgtcodfish
     - inteon
     - thatsmrtalbot
+    - erikgb

README.md

@@ -89,6 +89,11 @@ site you're working on.
 For example, the [manifest for the docs section](https://github.com/cert-manager/website/blob/master/content/docs/manifest.json)
 contains the expected path for every file.
 
+If you're adding a top-level page which should only appear in the `docs/` section (such as the existing "contributing" section)
+then add `"x-only-docs": true` underneath the title in `manifest.json`. This will cause that section to be removed when a new versioned docs section.
+
+Likewise, if a folder shouldn't be copied from `docs/` to a versioned section, add a file called `.x-only-docs` to that folder, and it will be removed from any newly created versioned documentation.
+
 ### Task: Changing OpenGraph / social sharing tags
 
 These tags are defined in Next.js code and config.

components/Footer.jsx

@@ -9,9 +9,9 @@ export default function Footer() {
       </div>
       <div className="bg-dark-2 pb-10 pt-5">
         <div className="container text-sm text-white">
-          <p>&copy; 2024 The cert-manager Authors.</p>
+          <p>&copy; 2025 The cert-manager Authors.</p>
           <p className="mb-6">
-            &copy; 2024 The Linux Foundation. All rights reserved.
+            &copy; 2025 The Linux Foundation. All rights reserved.
           </p>
           <p>
             The Linux Foundation has registered trademarks and uses trademarks.

content/announcements/2024-11-12-cert-manager-graduation.md

@@ -0,0 +1,54 @@
+---
+slug: cert-manager-graduation
+title: cert-manager is now a CNCF Graduated Project!
+description: cert-manager joins Kubernetes itself at the Graduated level of the CNCF
+date: "2024-11-12T09:00:00Z"
+---
+
+The 28th of November 2023 was an important day for the cert-manager project. We [raised](https://github.com/cncf/toc/pull/1212) our first issue on the road to becoming a CNCF Graduated project,
+which then grew into [another issue](https://github.com/cncf/toc/issues/1306), a [security audit](./2024-03-18-cert-manager-security-audit.md) and lots of [due diligence](https://github.com/cncf/toc/pull/1416)
+over the following months.
+
+We took that step towards graduation chiefly because being Graduated is the highest rung of the ladder that a CNCF project can climb.
+
+There's no higher level - Kubernetes itself is a CNCF Graduated project, along with other incredibly impactful and [noteworthy projects](https://www.cncf.io/projects/) such as Istio, Cilium, Linkerd and SPIFFE.
+
+We're now incredibly proud to announce that the 12th of November 2024 is also an important day for cert-manager; we're now officially a CNCF Graduated Project!
+
+The CNCF describes graduated projects as:
+
+> Projects considered stable, widely adopted, and production ready, attracting thousands of contributors
+
+We believe this description reflects cert-manager's place in the Cloud Native landscape. We've met hundreds of people at different KubeCon events who've told us that they rely on cert-manager
+in production across thousands of Kubernetes clusters. We treasure the trust that people place in us, and we remain dedicated to keeping cert-manager rock solid.
+
+Graduation isn't just the end of a long process though - it's a chance to reaffirm our commitment to solving X.509 in Kubernetes.
+
+There are interesting challenges ahead for cert-manager, and we're excited to be part of the solution.
+
+First, consider quantum computers promising to break existing encryption. The process of migrating to post-quantum cryptography has already begun,
+and cert-manager stands ready to adopt standards when they're ready.
+
+Second, think about the threat-strewn landscape of trust in Kubernetes containers today. trust-manager is growing rapidly, and we think it can
+help not only to manage everyday trust bundles, but also to increase response times for fixing trust issues in Kubernetes.
+
+And of course, machine identities - including X.509 certs - are only proliferating faster as time goes on. cert-manager is ready to scale with that growth!
+
+We'd like to finish by saying some thank yous:
+
+First, we'd like to thank [Katie Gamanji](https://x.com/k_gamanji) who helped to shepherd our project through the graduation process; we quite literally couldn't have
+completed the process without her.
+
+Second, we'd like to thank all those who were involved in helping during the process, including those who were interviewed,
+TAG Security and TAG Contributor Strategy, and many others for their feedback and advice.
+
+Third, we'd like to thank [Venafi](https://venafi.com/) for sponsoring the bulk of the maintainer time required to see this process through.
+
+Finally, thank you all for using cert-manager and being such a great community!
+
+We're actively looking for more contributors, maintainers, and feedback from users; please reach out on [Slack](https://cert-manager.io/docs/contributing/#slack) or join one of our [regular meetings](https://cert-manager.io/docs/contributing/#meetings) if you're interested in getting involved!
+
+Happy graduation to cert-manager!
+
+- The cert-manager Maintainers
+

content/announcements/2025-02-14-cert-manager-fuzzing-audit.md

@@ -0,0 +1,20 @@
+---
+slug: cert-manager-fuzzing-audit
+title: cert-manager Completes CNCF-Sponsored Fuzzing Audit
+description: As part of our graduation, cert-manager has completed a fuzzing audit.
+date: "2025-02-14T09:00:00Z"
+---
+
+In November 2024, cert-manager began a fuzzing audit to ensure our fuzzing efforts meet the highest standards. The goal was to thoroughly test cert-manager through fuzzing, an important technique for identifying reliability issues and security vulnerabilities in software systems. A well-designed and implemented fuzzing suite enables us to effectively discover edge cases that we might not have otherwise known existed.
+
+[Ada Logics](https://adalogics.com) carried out the fuzzing audit. They first assessed cert-manager's existing fuzzing setup [from its initial Graduation security audit](https://cert-manager.io/announcements/2024/03/18/cert-manager-security-audit). This setup was built around cert-manager's integration into [OSS-Fuzz](https://github.com/google/oss-fuzz), a free service by Google offering compute resources and state-of-the-art automation for critical open source tools.
+
+Ada Logics built upon the initial fuzzing setup by creating fuzz tests for several of cert-manager's controllers. These new fuzzers work by setting up the controller they test and then invoking the controller to reconcile randomized Kubernetes resources derived from the fuzzer's test case. This approach specifically tests parts of cert-manager's threat model that lower-privileged users with cluster access might exploit. The goal is to ensure that users cannot pass malicious resources to cert-manager's controllers in a way that could negatively impact the controllers or other users. The new fuzzers from cert-manager's audit test this in an end-to-end manner, using a near-production setup.
+
+During the fuzzing audit, no issues were found. OSS-Fuzz continues to run cert-manager’s fuzzers as long as it can build them, allowing the fuzzers to test future changes to the cert-manager source code. This continuous fuzzing process has previously played a key role in discovering security vulnerabilities: months after the initial Ada Logics security audit, one of the first fuzzers running on OSS-Fuzz identified a security issue in a parsing routine for PEM-encoded data; exploitation could have caused denial-of-service of cert-manager controllers.
+
+With the completion of cert-manager's fuzzing audit, we have a state-of-the-art fuzzing suite that covers even more of our threat model. All of our security contacts are notified when OSS-Fuzz finds crashes from running the fuzzers continuously, and OSS-Fuzz sends an email to our security mailing list, too.
+
+You can read the report from the audit [here](/docs/announcements/AdaLogics-2025-cert-manager-fuzzing-audit-report.pdf).
+
+A huge thanks to Ada Logics for their superb work and of course to the CNCF for sponsoring!

content/announcements/2025-03-11-contribfest-kubecon-eu-2025.md

@@ -0,0 +1,43 @@
+---
+slug: contribfest-kubecon-eu-2025
+title: Join Us for ContribFest at KubeCon EU 2025 in London!
+description: The cert-manager maintainers are hosting a ContribFest event on 2nd April, 2025, and you are invited!
+date: "2025-03-11T12:00:00Z"
+---
+
+
+
+Are you heading to KubeCon EU 2025 in London this April? If so, we have some exciting news: the cert-manager maintainers are hosting a [ContribFest event on Wednesday April 2, 2025 14:30 - 15:45 BST](https://kccnceu2025.sched.com/event/1tcxb/contribfest-dive-into-cert-manager-and-start-contributing) taking place on Level 3 in the ICC Capital Suite 1, and you are invited!
+
+As a newly graduated CNCF project, there's never been a better time to get involved with cert-manager and make an impact in the Kubernetes ecosystem.
+
+In this blog post, we will explain what ContribFest is and list first good issues to help you get started, whether you are joining us in London at KubeCon EU 2025 or participating from anywhere in the world.
+
+## What is ContribFest?
+
+ContribFest is an opportunity to join project maintainers and community contributors to explore good first issues, hunt bugs, discuss improvements, and pair program with maintainers to contribute directly to CNCF projects during a 90-minute session.
+
+At this year's cert-manager ContribFest, maintainers including CyberArk's Maël Valais and Richard Wall, and Zenior's Erik Godding Boye will be on hand to show users of all experience levels how to get involved with the cert-manager project.
+
+## Good First Issues
+
+An updated list of open good first issues will be available in [this google sheet](https://docs.google.com/spreadsheets/d/1zThfUB22HHdHAiRvS3ctbj4Da7j30imnUleURjxTYE0/edit?usp=sharing).
+
+## How to Prepare
+
+To make the most of the event, here are a few tips:
+
+- Familiarize yourself with the cert-manager project by exploring our [GitHub repository](https://github.com/cert-manager/cert-manager).
+- Read our [Contributor Guide](https://cert-manager.io/docs/contributing/) to understand the basics of contributing to cert-manager.
+- Join our community on the [Kubernetes Slack](https://slack.k8s.io/) in the `#cert-manager-dev` channel to ask questions and connect with the team.
+- Don't forget your laptop!
+
+## Join Us!
+
+If you're in London, you can join us for ContribFest on Wednesday April 2, 2025 14:30. It will take place at Level 3, ICC Capital Suite 1.
+
+We’re looking forward to seeing you at KubeCon EU 2025 in London! Together, we’ll make cert-manager even better while fostering a stronger open-source community.
+
+**See you at ContribFest!**
+
+Stay connected by following us on [BlueSky](https://bsky.app/profile/cert-manager.bsky.social), [Mastodon](https://infosec.exchange/@CertManager), [Twitter](https://twitter.com/certmanager), joining us [on Slack](https://cert-manager.io/docs/contributing/#slack), and exploring our [Contributor Guide](https://cert-manager.io/docs/contributing/).