Release v2.25.0

.github/dependabot.yml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@6.7.0
+#    devctl@6.17.0
 #
 version: 2
 updates:
@@ -11,7 +11,7 @@ updates:
       time: "04:00"
     open-pull-requests-limit: 10
     reviewers:
-      - giantswarm/team-cabbage
+      - giantswarm/team-bigmac
     ignore:
       - dependency-name: zricethezav/gitleaks-action
       - dependency-name: actions/setup-go
@@ -22,4 +22,4 @@ updates:
       time: "04:00"
     open-pull-requests-limit: 10
     reviewers:
-      - giantswarm/team-cabbage
+      - giantswarm/team-bigmac

.github/pull_request_template.md

@@ -6,7 +6,7 @@ https://intranet.giantswarm.io/docs/dev-and-releng/app-developer-processes/cert-
 -->
 
 <!--
-@team-hydra will be automatically requested for review once
+@team-bigmac will be automatically requested for review once
 this PR has been submitted.
 -->
 
@@ -42,4 +42,3 @@ Changelog must always be updated.
 ### Checklist
 
 - [ ] Update changelog in CHANGELOG.md.
-

.github/workflows/zz_generated.add-team-labels.yaml

@@ -45,7 +45,7 @@ jobs:
         done
         echo "EOF" >> $GITHUB_ENV
     - name: Apply label to issue
-      if: ${{ env.LABEL != '' }}
+      if: ${{ env.LABEL != '' && env.LABEL != 'null' && env.LABEL != null }}
       uses: actions-ecosystem/action-add-labels@v1
       with:
         github_token: ${{ secrets.ISSUE_AUTOMATION }}

.github/workflows/zz_generated.add-to-project-board.yaml

@@ -56,7 +56,7 @@ jobs:
 
         echo "BOARD=${BOARD}" >> $GITHUB_ENV
     - name: Add issue to personal board
-      if: ${{ env.BOARD != 'null' && env.BOARD != '' }}
+      if: ${{ env.BOARD != 'null' && env.BOARD != ''  && env.BOARD != null }}
       uses: actions/add-to-project@main
       with:
         project-url: ${{ env.BOARD }}
@@ -82,7 +82,7 @@ jobs:
 
         echo "BOARD=${BOARD}" >> $GITHUB_ENV
     - name: Add issue to team board
-      if: ${{ env.BOARD != 'null' && env.BOARD != '' }}
+      if: ${{ env.BOARD != 'null' && env.BOARD != '' && env.BOARD != null }}
       uses: actions/add-to-project@main
       with:
         project-url: ${{ env.BOARD }}

.github/workflows/zz_generated.check_values_schema.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@6.7.0
+#    devctl@6.17.0
 #
 name: 'Values and schema'
 on:
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 

.github/workflows/zz_generated.create_release.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@6.7.0
+#    devctl@6.17.0
 #
 name: Create Release
 on:
@@ -53,7 +53,7 @@ jobs:
           echo "version=${version}" >> $GITHUB_OUTPUT
       - name: Checkout code
         if: ${{ steps.get_version.outputs.version != '' }}
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Get project.go path
         id: get_project_go_path
         if: ${{ steps.get_version.outputs.version != '' }}
@@ -93,7 +93,7 @@ jobs:
         uses: giantswarm/[email protected]
         with:
           binary: "architect"
-          version: "6.11.0"
+          version: "6.13.0"
       - name: Install semver
         uses: giantswarm/[email protected]
         with:
@@ -103,7 +103,7 @@ jobs:
           tarball_binary_path: "*/src/${binary}"
           smoke_test: "${binary} --version"
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Update project.go
         id: update_project_go
         env:
@@ -143,7 +143,7 @@ jobs:
           version: "${{ needs.gather_facts.outputs.version }}"
           title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}"
         run: |
-          hub pull-request -f  -m "${{ env.title }}" -b ${{ env.base }} -h ${{ env.branch }} -r ${{ github.actor }}
+          gh pr create --title "${{ env.title }}" --body "" --base ${{ env.base }} --head ${{ env.branch }} --reviewer ${{ github.actor }}
   create_release:
     name: Create release
     runs-on: ubuntu-22.04
@@ -154,7 +154,7 @@ jobs:
       upload_url: ${{ steps.create_gh_release.outputs.upload_url }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.sha }}
       - name: Ensure correct version in project.go
@@ -208,7 +208,7 @@ jobs:
           tarball_binary_path: "*/src/${binary}"
           smoke_test: "${binary} --version"
       - name: Check out the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Clone the whole history, not just the most recent commit.
       - name: Fetch all tags and branches

.github/workflows/zz_generated.create_release_pr.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@6.7.0
+#    devctl@6.17.0
 #
 name: Create Release PR
 on:
@@ -152,7 +152,7 @@ jobs:
           binary: "architect"
           version: "6.11.0"
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ needs.gather_facts.outputs.branch }}
       - name: Prepare release changes
@@ -227,4 +227,4 @@ jobs:
           base: "${{ needs.gather_facts.outputs.base }}"
           version: "${{ needs.gather_facts.outputs.version }}"
         run: |
-          hub pull-request -f -m "Release v${{ env.version }}" -a ${{ github.actor }} -b ${{ env.base }} -h ${{ needs.gather_facts.outputs.branch }}
+          gh pr create --assignee ${{ github.actor }} --title "Release v${{ env.version }}" --body "" --base ${{ env.base }} --head "${{ needs.gather_facts.outputs.branch }}"

.github/workflows/zz_generated.gitleaks.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@6.7.0
+#    devctl@6.17.0
 #
 name: gitleaks
 
@@ -10,8 +10,8 @@ jobs:
   gitleaks:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: '0'
     - name: gitleaks-action
-      uses: zricethezav/gitleaks-action@v1.6.0
+      uses: giantswarm/gitleaks-action@main

.github/workflows/zz_generated.update_chart.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@6.7.0
+#    devctl@6.17.0
 #
 
 #
@@ -62,8 +62,10 @@ jobs:
         env:
           GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
         run: |
-          if gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.head }} | grep -i 'state:[[:space:]]*open' >/dev/null; then
-            gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.head }}
+          head="${{ steps.gather_facts.outputs.branch }}"
+          branch="${head#refs/heads/}" # Strip "refs/heads/" prefix.
+          if gh pr view --repo "${{ github.repository }}" "${branch}" --json state --jq .state | grep -i 'open' > /dev/null; then
+            gh pr view --repo "${{ github.repository }}" "${branch}"
             echo "skip=true" >> $GITHUB_OUTPUT
           else
             echo "skip=false" >> $GITHUB_OUTPUT
@@ -76,7 +78,7 @@ jobs:
     if: ${{ needs.gather_facts.outputs.skip != 'true' }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ needs.gather_facts.outputs.branch }}
       - name: Install vendir
@@ -115,7 +117,7 @@ jobs:
       - name: Create update commit
         run: |
           git add -A
-          git commit -m "Sync chart with upstream."
+          git commit -m "Automated update from upstream"
       - name: Push changes
         env:
           remote_repo: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git"
@@ -126,4 +128,9 @@ jobs:
           GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
           base: "${{ needs.gather_facts.outputs.base }}"
         run: |
-          hub pull-request -f -m "Update chart from upstream" -m "This PR was created by the \`update-chart\` automated workflow." -m "**:warning: Make sure all tests have passed before merging.**" -l "automated-update" -a ${{ github.actor }} -b ${{ env.base }} -h ${{ needs.gather_facts.outputs.branch }}
+          gh pr create --title "Automated update from upstream"  --label "automated-update" --assignee ${{ github.actor }} --base ${{ env.base }} --head ${{ needs.gather_facts.outputs.branch }} --body-file - << EOF
+          This PR was created by the \`update-chart\` GitHub Actions workflow.
+          - [ ] **:warning: All tests are passing**
+          - [ ] **:warning: The CHANGELOG.md file has been updated**
+          - [ ] **:warning: Additional changes in ignored files (see vendir.yml) have been adapted and migrated**
+          EOF

CHANGELOG.md

@@ -7,10 +7,11 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 ## [Unreleased]
 
-## [2.25.0] - 2023-09-26
+## [2.25.0] - 2023-11-22
 
 ### Changed
 
+- Added support for PSS resolving issue on upgrade to newer v3+ releases
 - Remove control plane node toleration of CA injector deployment. This caused problems on single control plane node clusters. ([#362](https://github.com/giantswarm/cert-manager-app/pull/362))
 - Update container image versions to use [v1.12.4](https://github.com/cert-manager/cert-manager/releases/tag/v1.12.4)
 
@@ -469,7 +470,7 @@ Before you upgrade to this release, make sure to read the [Upgrading from v1.7 t
 - `cert-manager` upstream helm chart `v0.9.0`. ([#1](https://github.com/giantswarm/cert-manager-app/pull/1))
 
 [Unreleased]: https://github.com/giantswarm/cert-manager-app/compare/v2.25.0...HEAD
-[2.25.0]: https://github.com/giantswarm/cert-manager-app/compare/v2.24.1...v2.25.0
+[2.25.0]: https://github.com/giantswarm/cert-manager-app/compare/v2.25.0...v2.25.0
 [2.24.1]: https://github.com/giantswarm/cert-manager-app/compare/v2.24.0...v2.24.1
 [2.24.0]: https://github.com/giantswarm/cert-manager-app/compare/v2.23.2...v2.24.0
 [2.23.2]: https://github.com/giantswarm/cert-manager-app/compare/v2.23.1...v2.23.2

helm/cert-manager-app/charts/cert-manager-giantswarm-clusterissuer/templates/job.yaml

@@ -15,14 +15,12 @@ spec:
         {{- include "issuerLabels" . | nindent 8 }}
     spec:
       serviceAccountName: {{ .Values.name }}
-      {{- with .Values.global.securityContext }}
       securityContext:
-        runAsUser: {{ .userID }}
-        runAsGroup: {{ .groupID }}
-        runAsNonRoot: {{ .runAsNonRoot }}
+        runAsUser: {{ .Values.userID }}
+        runAsGroup: {{ .Values.groupID }}
+        runAsNonRoot: true
         seccompProfile:
-          {{- toYaml .seccompProfile | nindent 10 }}
-      {{- end }}
+          type: RuntimeDefault
       containers:
       - name: {{ .Values.name }}
         image: "{{ .Values.global.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -31,10 +29,16 @@ spec:
         - apply
         - --filename
         - /data
-        {{- with .Values.global.containerSecurityContext }}
         securityContext:
-          {{- toYaml . | nindent 12 }}
-        {{- end }}
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsUser: {{ .Values.userID }}
+          runAsGroup: {{ .Values.groupID }}
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - name: {{ .Values.name }}
           subPath: clusterissuer.yaml

helm/cert-manager-app/charts/cert-manager-giantswarm-clusterissuer/templates/podsecuritypolicy.yaml

@@ -7,9 +7,7 @@ metadata:
     {{- include "issuerLabels" . | nindent 4 }}
   annotations:
     {{- include "issuerAnnotations" . | nindent 4 }}
-    {{- if .Values.global.securityContext.seccompProfile }}
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-    {{- end }}
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 spec:
   privileged: false
   hostPID: false

helm/cert-manager-app/templates/cainjector-deployment.yaml

@@ -25,13 +25,9 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ template "certManager.name.cainjector" . }}
-      {{- with .Values.global.securityContext }}
+      {{- with .Values.cainjector.securityContext }}
       securityContext:
-        runAsUser: {{ .userID }}
-        runAsGroup: {{ .groupID }}
-        runAsNonRoot: {{ .runAsNonRoot }}
-        seccompProfile:
-          {{- toYaml .seccompProfile | nindent 10 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
         - name: cainjector
@@ -43,7 +39,7 @@ spec:
           {{- if .Values.cainjector.extraArgs }}
           {{ toYaml .Values.cainjector.extraArgs }}
           {{- end }}
-          {{- with .Values.global.containerSecurityContext }}
+          {{- with .Values.cainjector.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}

helm/cert-manager-app/templates/cainjector-psp.yaml

@@ -7,9 +7,14 @@ metadata:
   labels:
     app.kubernetes.io/component: "cainjector"
     {{- include "certManager.defaultLabels" . | nindent 4 }}
-  {{- if .Values.global.securityContext.seccompProfile }}
+  {{- if .Values.cainjector.securityContext.seccompProfile }}
   annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+    {{- if .Values.global.podSecurityPolicy.useAppArmor }}
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+    {{- end }}
   {{- end }}
 spec:
   allowedCapabilities: [] # drop default capabilities

helm/cert-manager-app/templates/controller-deployment.yaml

@@ -38,13 +38,9 @@ spec:
       - key: node-role.kubernetes.io/control-plane
         effect: NoSchedule
       serviceAccountName: {{ template "certManager.controller.serviceAccountName" . }}
-      {{- with .Values.global.securityContext }}
+      {{- with .Values.securityContext }}
       securityContext:
-        runAsUser: {{ .userID }}
-        runAsGroup: {{ .groupID }}
-        runAsNonRoot: {{ .runAsNonRoot }}
-        seccompProfile:
-          {{- toYaml .seccompProfile | nindent 10 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
         - name: cert-manager
@@ -70,7 +66,7 @@ spec:
           {{- if .Values.controller.extraArgs }}
 {{ toYaml .Values.controller.extraArgs | indent 10 }}
           {{- end }}
-          {{- with .Values.global.containerSecurityContext }}
+          {{- with .Values.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}

helm/cert-manager-app/templates/controller-psp.yaml

@@ -7,9 +7,14 @@ metadata:
   labels:
     app.kubernetes.io/component: "controller"
     {{- include "certManager.defaultLabels" . | nindent 4 }}
-  {{- if .Values.global.securityContext.seccompProfile }}
   annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
+    {{- if .Values.global.securityContext.seccompProfile }}
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+    {{- if .Values.global.podSecurityPolicy.useAppArmor }}
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+    {{- end }}
   {{- end }}
 spec:
   allowedCapabilities: [] # drop default capabilities