chore(deps): update helm chart cert-manager to v1.4.1

[renovate-self-hosted]

This PR contains the following updates:

Package	Update	Change
cert-manager	minor	v1.3.1 -> v1.4.1

---

Release Notes

jetstack/cert-manager

v1.4.1

Compare Source

Release notes for release-1.4.1

Changelog since v1.4.0

Changes by Kind

Bug or Regression

• Fix check for self-signed certificates in EncodeX509Chain which broke certs whose subject DN matched their issuer's subject DN (#​4238, @​SgtCoDFish)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

v1.4.0

Compare Source

Release notes for release-1.4

Changelog since v1.3.1

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• The CA issuer now attempts to store the root CA instead of the issuing CA into the ca.crt field for issued certificates; this is a change of behavior. All of the information which was previously available is still available: the intermediate should appear as part of the chain in tls.crt. (#​3865, @​erikgb)
• RunAsNonRoot is now enabled by default in the securityContext values. If you're using custom containers with the chart that run as root, you will need to set this back to false. (#​4036, @​wallrj)

Changes by Kind

Feature

• Add serviceLabels to helm chart for adding custom labels to the controller service (#​4009, @​eddiehoffman)
• Adds an option for a Kubernetes CertificateSigningRequest controller to implement the CA Issuer. (#​4064, @​JoshVanL)
• RunAsNonRoot is now enabled by default in the securityContext values. If you're using custom containers with the chart that run as root, you will need to set this back to false. (#​4036, @​wallrj)
• The Vault issuer now constructs a certificate chain after signing, and populates the CertificateRequest.Status.CA with the root most certificate if available. (#​3982, @​JoshVanL)
• The CA issuer now constructs a certificate chain after signing, and populates the CertificateRequest.Status.CA with the root most certificate if available. Correctly passes down CA certificate when chaining CA Issuers together. (#​3985, @​JoshVanL)
• Change Venafi Issuer to populate CertificateRequest.Status.CA with the root most certificate that was returned from signing. (#​3983, @​JoshVanL)
• The webhook can now be configured to be accessible from outside of the cluster. (#​3876, @​anton-johansson)
• Update Akamai issuer to use Open Edgegrid EdgeDNS v2 API (#​4007, @​edglynes)
• The kubectl cert-manager plugin is now built for darwin/arm64 (Kubectl plugin for darwin arm64 cert-manager/release#37, @​irbekrm)

Documentation

• Add @​munnerz to SECURITY_CONTACTS.md (#​3970, @​SgtCoDFish)
• Add both style info and warnings about importing cert-manager as a module to README (#​3902, @​SgtCoDFish)

Bug or Regression

• Fix incorrect PublicKeysEqual comparison function for public keys and improve doc comments on related functions (#​3914, @​SgtCoDFish)
• Fixes a bug where the default cert renewal duration (30d) was clashing with the duration of certs issued by Vault PKI. All Certificates are now renewed 2/3 through the duration unless custom renew period specified by setting spec.renewBefore on the Certificate. (#​4092, @​irbekrm)
• Fixes an issue where an ACME Certificate with a long name (52 characters or more) does not get renewed due to non-unique Order names being generated. (#​3866, @​jandersen-plaid)
• Fixes stuck Orders in case of a misbehaving ACME server (#​3805, @​irbekrm)

Other (Cleanup or Flake)

• Cert-manager controller now uses ConfigMapsLeasesResourceLock for leader election. (#​4016, @​irbekrm)
• Deprecates UsageContentCommittment (#​3860, @​jsoref)
• Deprecates cert-manager.io/v1alpha2, cert-manager.io/v1alpha3, cert-manager.io/v1beta1, acme.cert-manager.io/v1alpha2, acme.cert-manager.io/v1alpha3, acme.cert-manager.io/v1beta1 APIs. These APIs will be removed in cert-manager v1.6 (#​4021, @​irbekrm)
• Optimistic locking messages (the object has been modified) are now logged at the Info level instead of the Error level, as cert-manager controllers will automatically retry until successful. (#​3794, @​JoshVanL)
• Panic when failing to register schemes during initialization for pkg/webhook/server
  Various static analysis fixes across many files including removing unused or redundant code (#​4037, @​SgtCoDFish)
• Testing: Adds Kubernetes CertificateSigningRequest CA Issuer E2E tests. (#​4081, @​JoshVanL)
• Updated details of FindZoneByFqdn error message when an unexpected DNS response code is received. (#​3906, @​clatour)
• Updates Kubernetes libaries to v1.21.0 (#​3926, @​tamalsaha)
• Updates distroless/static base image to latest version as of 2021-05-20 (#​4039, @​SgtCoDFish)
• Validating webhook returns a warning if the legacy ACME issuer EAB key algorithm is set. (#​3936, @​irbekrm)

---

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box.

---

This PR has been generated by Renovate Bot.