Bump the all group with 6 updates

[dependabot]

Bumps the all group with 6 updates:

Package	From	To
github.com/cert-manager/approver-policy	0.6.3	0.21.0
github.com/cert-manager/cert-manager	1.11.0	1.18.1
github.com/go-logr/logr	1.2.3	1.4.3
github.com/spf13/pflag	1.0.5	1.0.6
k8s.io/apimachinery	0.26.3	0.33.2
sigs.k8s.io/controller-runtime	0.14.5	0.21.0

Updates github.com/cert-manager/approver-policy from 0.6.3 to 0.21.0

Release notes

Sourced from github.com/cert-manager/approver-policy's releases.

v0.21.0

approver-policy provides a policy engine for certificates issued by cert-manager!

This release contains miscellaneous bug fixes and dependency updates. It is built with Go 1.24.4 which fixes the following vulnerabilities: CVE-2025-4673 and CVE-2025-0913

helm inspect chart cert-manager-approver-policy --repo https://charts.jetstack.io --version v0.21.0

📖 Read installing approver-policy on the cert-manager website to learn about installing approver-policy with helm.

What's Changed

Miscellaneous

• Remove use of deprecated c/r Result.Requeue by @​erikgb in cert-manager/approver-policy#641
• Specify custom commonname for webhook dynamic authority by @​inteon in cert-manager/approver-policy#619

Updates by Dependabot

• build(deps): bump github.com/cert-manager/cert-manager from 1.17.2 to 1.18.0 in the all group by @​dependabot in cert-manager/approver-policy#643
• build(deps): bump github.com/cert-manager/cert-manager from 1.18.0 to 1.18.1 in the all group by @​dependabot in cert-manager/approver-policy#645
• build(deps): bump the all group across 1 directory with 9 updates by @​dependabot in cert-manager/approver-policy#640
• build(deps): bump the all group with 7 updates by @​dependabot in cert-manager/approver-policy#647

Updates by makefile-modules

• [CI] Merge self-upgrade-main into main by @​github-actions in cert-manager/approver-policy#631
• [CI] Merge self-upgrade-main into main by @​github-actions in cert-manager/approver-policy#632
• [CI] Merge self-upgrade-main into main by @​github-actions in cert-manager/approver-policy#633
• [CI] Merge self-upgrade-main into main by @​github-actions in cert-manager/approver-policy#634
• [CI] Merge self-upgrade-main into main by @​github-actions in cert-manager/approver-policy#635
• [CI] Merge self-upgrade-main into main by @​github-actions in cert-manager/approver-policy#637
• [CI] Merge self-upgrade-main into main by @​github-actions in cert-manager/approver-policy#642
• [CI] Merge self-upgrade-main into main by @​github-actions in cert-manager/approver-policy#644
• [CI] Merge self-upgrade-main into main by @​github-actions in cert-manager/approver-policy#646

Full Changelog: cert-manager/approver-policy@v0.20.0...v0.21.0

v0.20.0

approver-policy provides a policy engine for certificates issued by cert-manager!

This release is primarily a patch with routine dependency updates, but also includes a small enhancement from returning contributor @​solidDoWant, who added names to container ports. 🫶

What's Changed

Enhancements

• Set container port names on Helm chart by @​solidDoWant in cert-manager/approver-policy#599

... (truncated)

Commits

• efc9f69 Merge pull request #647 from cert-manager/dependabot/go_modules/all-ea33c61968
• 8067273 build(deps): bump the all group with 7 updates
• cb6efe6 Merge pull request #646 from cert-manager/self-upgrade-main
• 65b6d0a BOT: run 'make upgrade-klone' and 'make generate'
• be5bfe0 Merge pull request #645 from cert-manager/dependabot/go_modules/all-6f5620d6ed
• cb29207 build(deps): bump github.com/cert-manager/cert-manager in the all group
• b013798 Merge pull request #644 from cert-manager/self-upgrade-main
• f6b8608 BOT: run 'make upgrade-klone' and 'make generate'
• 64006c9 Merge pull request #619 from cert-manager/custom_commonname
• 94c8b64 specify custom commonname for webhook dynamic authority
• Additional commits viewable in compare view

Updates github.com/cert-manager/cert-manager from 1.11.0 to 1.18.1

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.18.1

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We have added a new feature gate ACMEHTTP01IngressPathTypeExact, to allow ingress-nginx users to turn off the new default Ingress PathType: Exact behavior, in ACME HTTP01 Ingress challenge solvers. This change fixes the following issue: #7791

We have increased the ACME challenge authorization timeout to two minutes, which we hope will fix a timeout error (error waiting for authorization), which has been reported by multiple users, since the release of cert-manager v1.16.0. This change should fix the following issues: #7337, #7444, and #7685.

ℹ️ Be sure to review all new features and changes below, and read the full release notes carefully before upgrading.

Changes since v1.18.0:

Feature

• Added a new feature gate ACMEHTTP01IngressPathTypeExact, to allow ingress-nginx users to turn off the new default Ingress PathType: Exact behavior, in ACME HTTP01 Ingress challenge solvers. ([#7810](https://github.com/cert-manager/cert-manager/issues/7810), @​sspreitzer)

Bug or Regression

• ACME: Increased challenge authorization timeout to 2 minutes to fix error waiting for authorization. ([#7801](https://github.com/cert-manager/cert-manager/issues/7801), @​hjoshi123)

Other (Cleanup or Flake)

• Use the latest version of ingress-nginx in E2E tests to ensure compatibility ([#7807](https://github.com/cert-manager/cert-manager/issues/7807), @​wallrj)

v1.18.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.18 introduces several new features and breaking changes. Highlights include support for ACME certificate profiles, a new default for Certificate.Spec.PrivateKey.RotationPolicy now set to Always (breaking change), and the default Certificate.Spec.RevisionHistoryLimit now set to 1 (potentially breaking).

ℹ️ Be sure to review all new features and changes below, and read the full release notes carefully before upgrading.

Known Issues

• ACME HTTP01 challenge paths are rejected by the ingress-nginx validating webhook (#7791)

Changes since v1.17.2:

Feature

• Add config to the Vault issuer to allow the server-name to be specified when validating the certificates the Vault server presents. (#7663, @​ThatsMrTalbot)
• Added app.kubernetes.io/managed-by: cert-manager label to the created Let's Encrypt account keys (#7577, @​terinjokes)
• Added certificate issuance and expiration time metrics (certmanager_certificate_not_before_timestamp_seconds, certmanager_certificate_not_after_timestamp_seconds). (#7612, @​solidDoWant)
• Added ingress-shim option: --extra-certificate-annotations, which sets a list of annotation keys to be copied from Ingress-like to resulting Certificate object (#7083, @​k0da)
• Added the iss short name for the cert-manager Issuer resource. (#7373, @​SgtCoDFish)
• Added the ciss short name for the cert-manager ClusterIssuer resource (#7373, @​SgtCoDFish)
• Adds the global.rbac.disableHTTPChallengesRole helm value to disable HTTP-01 ACME challenges. This allows cert-manager to drop its permission to create pods, improving security when HTTP-01 challenges are not required. (#7666, @​ali-hamza-noor)
• Allow customizing signature algorithm (#7591, @​tareksha)
• Cache the full DNS response and handle TTL expiration in FindZoneByFqdn (#7596, @​ThatsIvan)
• Cert-manager now uses a local fork of the golang.org/x/crypto/acme package (#7752, @​wallrj)
• Add support for ACME profiles extension. (#7777, @​wallrj)

... (truncated)

Commits

• d5382c8 Merge pull request #7814 from cert-manager-bot/cherry-pick-7813-to-release-1.18
• c4e9ecf Change ACMEHTTP01IngressPathTypeExact feature to beta
• 379f43e Merge pull request #7811 from cert-manager-bot/cherry-pick-7809-to-release-1.18
• 9542d75 make generate
• aa0aedf Update feature gate documentation in the Helm chart
• f05762b Explain why we disable strict-validate-path in ingress-nginx
• ee3b742 Fix typo
• 80e4745 Merge pull request #7810 from cert-manager-bot/cherry-pick-7795-to-release-1.18
• d69c1fc feat(acme): Add default feature gate to set Ingress pathType to Exact
• a95f4e1 Merge pull request #7807 from cert-manager-bot/cherry-pick-7792-to-release-1.18
• Additional commits viewable in compare view

Updates github.com/go-logr/logr from 1.2.3 to 1.4.3

Release notes

Sourced from github.com/go-logr/logr's releases.

v1.4.3

Minor release.

What's Changed

• Fix slog tests for 1.25 by @​hoeppi-google in go-logr/logr#361
• Remove one exception from Slog testing by @​thockin in go-logr/logr#362

New Contributors

• @​hoeppi-google made their first contribution in go-logr/logr#361

Full Changelog: go-logr/logr@v1.4.2...v1.4.3

v1.4.2

What's Changed

• Fix lint: named but unused params by @​thockin in go-logr/logr#268
• Add a Go report card, fix lint by @​thockin in go-logr/logr#271
• funcr: Handle nested empty groups properly by @​thockin in go-logr/logr#274

Dependencies:

• build(deps): bump github/codeql-action from 3.22.11 to 3.22.12 by @​dependabot in go-logr/logr#254
• build(deps): bump github/codeql-action from 3.22.12 to 3.23.0 by @​dependabot in go-logr/logr#256
• build(deps): bump actions/upload-artifact from 4.0.0 to 4.1.0 by @​dependabot in go-logr/logr#257
• build(deps): bump github/codeql-action from 3.23.0 to 3.23.1 by @​dependabot in go-logr/logr#259
• build(deps): bump actions/upload-artifact from 4.1.0 to 4.2.0 by @​dependabot in go-logr/logr#260
• build(deps): bump actions/upload-artifact from 4.2.0 to 4.3.0 by @​dependabot in go-logr/logr#263
• build(deps): bump github/codeql-action from 3.23.1 to 3.23.2 by @​dependabot in go-logr/logr#262
• build(deps): bump github/codeql-action from 3.23.2 to 3.24.0 by @​dependabot in go-logr/logr#264
• build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 by @​dependabot in go-logr/logr#266
• build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @​dependabot in go-logr/logr#267
• build(deps): bump github/codeql-action from 3.24.0 to 3.24.3 by @​dependabot in go-logr/logr#270
• build(deps): bump github/codeql-action from 3.24.3 to 3.24.5 by @​dependabot in go-logr/logr#272
• build(deps): bump github/codeql-action from 3.24.5 to 3.24.6 by @​dependabot in go-logr/logr#275
• build(deps): bump actions/checkout from 4.1.1 to 4.1.2 by @​dependabot in go-logr/logr#276
• build(deps): bump github/codeql-action from 3.24.6 to 3.24.7 by @​dependabot in go-logr/logr#277
• build(deps): bump github/codeql-action from 3.24.7 to 3.24.9 by @​dependabot in go-logr/logr#278
• build(deps): bump github/codeql-action from 3.24.9 to 3.24.10 by @​dependabot in go-logr/logr#279
• build(deps): bump actions/upload-artifact from 4.3.1 to 4.3.2 by @​dependabot in go-logr/logr#280
• build(deps): bump actions/checkout from 4.1.2 to 4.1.3 by @​dependabot in go-logr/logr#281
• build(deps): bump github/codeql-action from 3.24.10 to 3.25.1 by @​dependabot in go-logr/logr#282
• build(deps): bump github/codeql-action from 3.25.1 to 3.25.3 by @​dependabot in go-logr/logr#283
• build(deps): bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 by @​dependabot in go-logr/logr#284
• build(deps): bump actions/checkout from 4.1.3 to 4.1.4 by @​dependabot in go-logr/logr#285
• build(deps): bump actions/upload-artifact from 4.3.2 to 4.3.3 by @​dependabot in go-logr/logr#286
• build(deps): bump actions/setup-go from 5.0.0 to 5.0.1 by @​dependabot in go-logr/logr#288
• build(deps): bump golangci/golangci-lint-action from 5.0.0 to 5.3.0 by @​dependabot in go-logr/logr#289
• build(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 by @​dependabot in go-logr/logr#293

... (truncated)

Commits

• 38a1c47 build(deps): bump github/codeql-action from 3.28.17 to 3.28.18
• f08bedd build(deps): bump actions/setup-go from 5.4.0 to 5.5.0
• 6295e99 build(deps): bump golangci/golangci-lint-action from 7.0.0 to 8.0.0
• 028840d build(deps): bump github/codeql-action from 3.28.15 to 3.28.17
• 511e5fa Merge pull request #367 from go-logr/dependabot/github_actions/github/codeql-...
• d806463 build(deps): bump github/codeql-action from 3.28.13 to 3.28.15
• 158c311 Merge pull request #366 from thockin/master
• c79ddb3 Update to support golangci-lint v2
• 20a64ba build(deps): bump github/codeql-action from 3.28.12 to 3.28.13
• 0385e14 Add comments around slog exceptions
• Additional commits viewable in compare view

Updates github.com/spf13/pflag from 1.0.5 to 1.0.6

Release notes

Sourced from github.com/spf13/pflag's releases.

v1.0.6

What's Changed

• Add exported functions to preserve pkg/flag compatibility by @​mckern in spf13/pflag#220
• remove dead code for checking error nil by @​yashbhutwala in spf13/pflag#282
• Add IPNetSlice and unit tests by @​rpothier in spf13/pflag#170
• allow for blank ip addresses by @​duhruh in spf13/pflag#316
• add github actions by @​sagikazarmark in spf13/pflag#419

New Contributors

• @​mckern made their first contribution in spf13/pflag#220
• @​yashbhutwala made their first contribution in spf13/pflag#282
• @​rpothier made their first contribution in spf13/pflag#170
• @​duhruh made their first contribution in spf13/pflag#316
• @​sagikazarmark made their first contribution in spf13/pflag#419

Full Changelog: spf13/pflag@v1.0.5...v1.0.6

Commits

• 5ca8134 Merge pull request #419 from spf13/ci
• 100ab0e disable unsupported dependency graph for now
• a0f4ddd fix govet
• f48cbd1 add github actions
• d5e0c06 allow for blank ip addresses (#316)
• 85dd5c8 Add IPNetSlice and unit tests (#170)
• 6971c29 remove dead code for checking error nil (#282)
• 81378bb Add exported functions to preserve pkg/flag compatibility (#220)
• See full diff in compare view

Updates k8s.io/apimachinery from 0.26.3 to 0.33.2

Commits

• 173776a Merge pull request #131708tigrato/automated-cherry-pick-of-#131702
• a3d1fde fix: fixes a possible panic in NewYAMLToJSONDecoder
• 955939f bump etcd 3.5.21 sdk
• e8a77bd Merge pull request #130910 from googs1025/fix/datarace
• 7e8c77e Merge pull request #130906 from serathius/streaming-validation
• 27fd396 flake: fix data race for func TestBackoff_Step
• 8bcc6f1 Update kube-openapi and integrate streaming tags validation
• 6ce776c Merge pull request #130857 from thockin/kk_small_vg_diffs
• f2c94d6 Comment on origin and JSON schema
• b63ba07 Use origin in validateFalse's own test
• Additional commits viewable in compare view

Updates sigs.k8s.io/controller-runtime from 0.14.5 to 0.21.0

Release notes

Sourced from sigs.k8s.io/controller-runtime's releases.

v0.21.0

Highlights

• Bump to Kubernetes v1.33 libraries
• Improvements for priority queue (#2374)
• envtest now has an option to download envtest binaries (can be used to replace setup-envtest depending on use case)
• Metric improvements: native histograms, all Go runtime metrics are enabled now
• Various bug fixes
• New reviewers: @​troy0820, @​JoelSpeed!!

⚠️ Breaking Changes

• Bump to k8s.io/* v0.33.0 and Go 1.24 (#3104 #3142 #3161 #3204 #3215)
• config: Stop enabling client-side ratelimiter by default (#3119)
  • Previous behavior can be preserved by setting QPS 20 and Burst 30 on the rest.Config
• controller: NewUnmanaged/NewTypedUnmanaged: Stop requiring a manager (#3141)
• reconcile: Deprecate Result.Requeue (#3107)
• metrics: Expose all Go runtime metrics (#3070)

✨ New Features

• controller: priority queue:
  • Add debug logging for the state of the priority queue (#3075)
  • Add priority label to queue depth metric (#3156)
  • Leverage IsInInitialList (#3162)
  • Remove redundant WithLowPriorityWhenUnchanged in builder (#3168)
  • Retain the priority after Reconcile (#3167)
  • Set priority automatically in handlers (#3111 #3152 #3160 #3174)
• envtest: Add Environment.KubeConfig field (#2278)
• envtest: Add option to download envtest binaries (#3135 #3137)
• events: Add IsInInitialList to TypedCreateEvent (#3162)
• log/zap: Enable panic log level (#3186)
• logging: Adopt WarningHandlerWithContext (#3176)
• logging: Improve logging by adopting contextual logging (#3149)
• metrics: Adopt native histograms (#3165)

🐛 Bug Fixes

• apiutil: restmapper: Respect preferred version (#3151)
• builder: webhook: Fix custom path for webhook conflicts (#3102)
• cache: Clone maps to prevent data races when concurrently creating caches using the same options (#3078)
• cache: Stop accumulating lists in multi-namespace cache implementation (#3195)
• cache: List out of global cache when present and necessary (#3126)
• client: Return error if pagination is used with the cached client (#3134)
• controller: Support WaitForSync in TypedSyncingSource (#3084)
• controller: priority queue: Fix behavior of rate limit option in priorityqueue.AddWithOpts (#3103)
• controller: priority queue: Yet another queue_depth metric fix (#3085)
• controllerutil: CreateOrUpdate: Avoid panic when the MutateFn is nil (#2828)
• envtest: Fix nil pointer exception in Stop() (#3153)
• fake client: Fix data races when writing to the scheme (#3143)

... (truncated)

Commits

• 71f7db5 Merge pull request #3225 from troy0820/troy0820/prepare-for-0.21-release
• 52d8779 update README with go version
• ab37f74 Merge pull request #3223 from troy0820/troy0820/return-warnings-on-webhooks
• 250a88f return warnings on webhooks
• 85ee7a9 Merge pull request #3217 from kubernetes-sigs/dependabot/github_actions/all-g...
• 81f1fae 🌱 Bump the all-github-actions group across 1 directory with 3 updates
• d9a2274 Merge pull request #3187 from dongjiang1989/update-golangci-lint-v2
• 9c38211 update golangci-lint to v2
• 9b5f6a7 Merge pull request #3208 from troy0820/troy0820/api-machinery-marshal
• b3278df use sigs.k8s.io/json to unmarshal in fakeclient
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[erikgb]

@dependabot recreate

[erikgb]

/lgtm
/approve

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erikgb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [erikgb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment