chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
anchore/sbom-action	action	patch	v0.20.1 -> v0.20.2
github.com/cert-manager/cert-manager	require	minor	v1.17.3 -> v1.18.2
go (source)	toolchain	patch	1.24.4 -> 1.24.5
k8s.io/api	require	minor	v0.32.4 -> v0.33.2
k8s.io/apiextensions-apiserver	require	minor	v0.32.4 -> v0.33.2
k8s.io/apimachinery	require	minor	v0.32.4 -> v0.33.2
k8s.io/client-go	require	minor	v0.32.4 -> v0.33.2

---

Release Notes

anchore/sbom-action (anchore/sbom-action)

v0.20.2

Compare Source

Changes in v0.20.2

• Update Syft to v1.28.0 (#​526)

cert-manager/cert-manager (github.com/cert-manager/cert-manager)

v1.18.2

Compare Source

v1.18.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We have added a new feature gate ACMEHTTP01IngressPathTypeExact, to allow ingress-nginx users to turn off the new default Ingress PathType: Exact behavior, in ACME HTTP01 Ingress challenge solvers.
This change fixes the following issue: #​7791

We have increased the ACME challenge authorization timeout to two minutes, which we hope will fix a timeout error (error waiting for authorization), which has been reported by multiple users, since the release of cert-manager v1.16.0.
This change should fix the following issues: #​7337, #​7444, and #​7685.

ℹ️ Be sure to review all new features and changes below, and read the full release notes carefully before upgrading.

Changes since v1.18.0:

Feature

• Added a new feature gate ACMEHTTP01IngressPathTypeExact, to allow ingress-nginx users to turn off the new default Ingress PathType: Exact behavior, in ACME HTTP01 Ingress challenge solvers. (#7810, @​sspreitzer)

Bug or Regression

• ACME: Increased challenge authorization timeout to 2 minutes to fix error waiting for authorization. (#7801, @​hjoshi123)

Other (Cleanup or Flake)

• Use the latest version of ingress-nginx in E2E tests to ensure compatibility (#7807, @​wallrj)

v1.18.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.18 introduces several new features and breaking changes. Highlights include support for ACME certificate profiles, a new default for Certificate.Spec.PrivateKey.RotationPolicy now set to Always (breaking change), and the default Certificate.Spec.RevisionHistoryLimit now set to 1 (potentially breaking).

ℹ️ Be sure to review all new features and changes below, and read the full release notes carefully before upgrading.

Known Issues

• ACME HTTP01 challenge paths are rejected by the ingress-nginx validating webhook (#​7791)

Changes since v1.17.2:

Feature

• Add config to the Vault issuer to allow the server-name to be specified when validating the certificates the Vault server presents. (#​7663, @​ThatsMrTalbot)
• Added app.kubernetes.io/managed-by: cert-manager label to the created Let's Encrypt account keys (#​7577, @​terinjokes)
• Added certificate issuance and expiration time metrics (certmanager_certificate_not_before_timestamp_seconds, certmanager_certificate_not_after_timestamp_seconds). (#​7612, @​solidDoWant)
• Added ingress-shim option: --extra-certificate-annotations, which sets a list of annotation keys to be copied from Ingress-like to resulting Certificate object (#​7083, @​k0da)
• Added the iss short name for the cert-manager Issuer resource. (#​7373, @​SgtCoDFish)
• Added the ciss short name for the cert-manager ClusterIssuer resource (#​7373, @​SgtCoDFish)
• Adds the global.rbac.disableHTTPChallengesRole helm value to disable HTTP-01 ACME challenges. This allows cert-manager to drop its permission to create pods, improving security when HTTP-01 challenges are not required. (#​7666, @​ali-hamza-noor)
• Allow customizing signature algorithm (#​7591, @​tareksha)
• Cache the full DNS response and handle TTL expiration in FindZoneByFqdn (#​7596, @​ThatsIvan)
• Cert-manager now uses a local fork of the golang.org/x/crypto/acme package (#​7752, @​wallrj)
• Add support for ACME profiles extension. (#​7777, @​wallrj)
• Promote the UseDomainQualifiedFinalizer feature to GA. (#​7735, @​jsoref)
• Switched service/servicemon definitions to use port names instead of numbers. (#​7727, @​jcpunk)
• The default value of Certificate.Spec.PrivateKey.RotationPolicy changed from Never to Always. (#​7723, @​wallrj)
• Potentially breaking: Set the default revisionHistoryLimit to 1 for the CertificateRequest revisions (#​7758, @​ali-hamza-noor)

Documentation

• Fix some comments (#​7620, @​teslaedison)

Bug or Regression

• Bump go-jose dependency to address CVE-2025-27144. (#​7606, @​SgtCoDFish)
• Bump golang.org/x/oauth2 to patch CVE-2025-22868. (#​7638, @​NicholasBlaskey)
• Bump golang.org/x/crypto to patch GHSA-hcg3-q754-cr77. (#​7638, @​NicholasBlaskey)
• Bump github.com/golang-jwt/jwt to patch GHSA-mh63-6h87-95cp. (#​7638, @​NicholasBlaskey)
• Change of the Kubernetes Ingress pathType from ImplementationSpecific to Exact for a reliable handling of ingress controllers and enhanced security. (#​7767, @​sspreitzer)
• Fix AWS Route53 error detection for not-found errors during deletion of DNS records. (#​7690, @​wallrj)
• Fix behavior when running with --namespace=<namespace>: limit the scope of cert-manager to a single namespace and disable cluster-scoped controllers. (#​7678, @​tsaarni)
• Fix handling of certificates with IP addresses in the commonName field; IP addresses are no longer added to the DNS subjectAlternativeName list and are instead added to the ipAddresses field as expected. (#​7081, @​johnjcool)
• Fix issuing of certificates via DNS01 challenges on Cloudflare after a breaking change to the Cloudflare API (#​7549, @​LukeCarrier)
• Fixed the certmanager_certificate_renewal_timestamp_seconds metric help text indicating that the metric is relative to expiration time, rather than Unix epoch time. (#​7609, @​solidDoWant)
• Fixing the service account template to incorporate boolean values for the annotations. (#​7698, @​ali-hamza-noor)
• Quote nodeSelector values in Helm Chart (#​7579, @​tobiasbp)
• Skip Gateway TLS listeners in Passthrough mode. (#​6986, @​vehagn)
• Upgrade golang.org/x/net fixing CVE-2025-22870. (#​7619, @​dependabot[bot])

Other (Cleanup or Flake)

• ACME E2E Tests: Upgraded Pebble to v2.7.0 and modified the ACME tests to match latest Pebble behaviour. (#​7771, @​wallrj)
• Patch the third_party/forked/acme package with support for the ACME profiles extension. (#​7776, @​wallrj)
• Promote the AdditionalCertificateOutputFormats feature to GA, making additional formats always enabled. (#​7744, @​erikgb)
• Remove deprecated feature gate ValidateCAA. Setting this feature gate is now a no-op which does nothing but print a warning log line (#​7553, @​SgtCoDFish)
• Update kind images to include the Kubernetes 1.33 node image (#​7787, @​cert-manager-bot)
• Upgrade Go to v1.24.4 (#​7785, @​wallrj)
• Use slices.Contains to simplify code (#​7753, @​cuinix)

v1.17.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We fixed a bug in the CSR's name constraints construction (only applies if you have enabled the NameConstraints feature gate).

Changes since v1.17.3:

Bug or Regression

• BUGFIX: permitted URI domains were incorrectly used to set the excluded URI domains in the CSR's name constraints (#​7832, @​cert-manager-bot)

golang/go (go)

v1.24.5

kubernetes/api (k8s.io/api)

v0.33.2

Compare Source

v0.33.1

Compare Source

v0.33.0

Compare Source

v0.32.6

Compare Source

v0.32.5

Compare Source

kubernetes/apiextensions-apiserver (k8s.io/apiextensions-apiserver)

v0.33.2

Compare Source

v0.33.1

Compare Source

v0.33.0

Compare Source

v0.32.6

Compare Source

v0.32.5

Compare Source

kubernetes/apimachinery (k8s.io/apimachinery)

v0.33.2

Compare Source

v0.33.1

Compare Source

v0.33.0

Compare Source

v0.32.6

Compare Source

v0.32.5

Compare Source

kubernetes/client-go (k8s.io/client-go)

v0.33.2

Compare Source

v0.33.1

Compare Source

v0.33.0

Compare Source

v0.32.6

Compare Source

v0.32.5

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 19 additional dependencies were updated

Details:

Package	Change
github.com/google/cel-go	v0.22.1 -> v0.23.2
github.com/prometheus/client_golang	v1.20.5 -> v1.22.0
github.com/prometheus/common	v0.61.0 -> v0.62.0
go.etcd.io/etcd/api/v3	v3.5.17 -> v3.5.21
go.etcd.io/etcd/client/pkg/v3	v3.5.17 -> v3.5.21
go.etcd.io/etcd/client/v3	v3.5.17 -> v3.5.21
golang.org/x/crypto	v0.36.0 -> v0.38.0
golang.org/x/sync	v0.12.0 -> v0.14.0
golang.org/x/sys	v0.31.0 -> v0.33.0
golang.org/x/term	v0.30.0 -> v0.32.0
golang.org/x/text	v0.23.0 -> v0.25.0
golang.org/x/time	v0.8.0 -> v0.9.0
google.golang.org/protobuf	v1.36.0 -> v1.36.5
k8s.io/apiserver	v0.32.4 -> v0.33.2
k8s.io/component-base	v0.32.4 -> v0.33.2
k8s.io/kms	v0.32.4 -> v0.33.2
k8s.io/kube-openapi	v0.0.0-20241212222426-2c72e554b1e7 -> v0.0.0-20250318190949-c8a335a9a2ff
sigs.k8s.io/apiserver-network-proxy/konnectivity-client	v0.31.1 -> v0.31.2
sigs.k8s.io/structured-merge-diff/v4	v4.5.0 -> v4.6.0