Bump the all group with 6 updates

[dependabot]

Bumps the all group with 6 updates:

Package	From	To
github.com/cert-manager/cert-manager	1.13.2	1.13.3
github.com/go-logr/logr	1.3.0	1.4.1
golang.org/x/sync	0.5.0	0.6.0
k8s.io/api	0.28.4	0.29.0
k8s.io/apiextensions-apiserver	0.28.4	0.29.0
k8s.io/klog/v2	2.110.1	2.120.0

Updates github.com/cert-manager/cert-manager from 1.13.2 to 1.13.3

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.13.3

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Read about the breaking changes in cert-manager 1.13 before you upgrade from a < v1.13 version!

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

• GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

• CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Changes

Bug or Regression

• The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. (#6507, @​inteon)
• The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. (#6507, @​inteon)
• The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. (#6507, @​inteon)
• Mitigate potential "Slowloris" attacks by setting ReadHeaderTimeout in all http.Server instances. (#6538, @​wallrj)
• Upgrade Go modules: otel, docker, and jose to fix CVE alerts. See GHSA-8pgv-569h-w5rw, GHSA-jq35-85cj-fj4p, and GHSA-2c7c-3mj9-8fqh. (#6514, @​inteon)

Dependencies

Added

Nothing has changed.

Changed

• cloud.google.com/go/firestore: v1.11.0 → v1.12.0
• cloud.google.com/go: v0.110.6 → v0.110.7
• github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
• github.com/go-jose/go-jose/v3: v3.0.0 → v3.0.1
• github.com/go-logr/logr: v1.2.4 → v1.3.0
• github.com/golang/glog: v1.1.0 → v1.1.2
• github.com/google/go-cmp: v0.5.9 → v0.6.0
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
• go.opentelemetry.io/otel: v1.19.0 → v1.20.0
• go.uber.org/goleak: v1.2.1 → v1.3.0
• golang.org/x/sys: v0.13.0 → v0.14.0
• google.golang.org/genproto/googleapis/api: f966b18 → b8732ec
• google.golang.org/genproto: f966b18 → b8732ec
• google.golang.org/grpc: v1.58.3 → v1.59.0

... (truncated)

Commits

• 876e386 Merge pull request #6538 from wallrj/backport-6534-to-release-1.13
• d080cec Add ReadHeaderTimeout to all http.Server where that setting is missing
• d1e2d25 Merge pull request #6514 from inteon/release-1.13_bump
• 9f704ed upgrade otel, docker and jose to fix CVE alerts
• 751e082 Merge pull request #6507 from jetstack-bot/cherry-pick-6498-to-release-1.13
• 0ad1184 limit webhook admission input
• 895a19e Merge pull request #6484 from jetstack-bot/cherry-pick-6479-to-release-1.13
• d8e97d4 Use explicit debian version for base images
• e997b73 Merge pull request #6480 from jetstack-bot/cherry-pick-6477-to-release-1.13
• 53520d1 regenerate hardcoded certs
• See full diff in compare view

Updates github.com/go-logr/logr from 1.3.0 to 1.4.1

Release notes

Sourced from github.com/go-logr/logr's releases.

v1.4.1

What's Changed

• slogr: fix unintended API break in v1.4.0 by @​pohly in go-logr/logr#253

Full Changelog: go-logr/logr@v1.4.0...v1.4.1

v1.4.0

This release dramatically improves interoperability with Go's log/slog package. In particular, logr.NewContext and logr.NewContextWithSlogLogger use the same context key, which allows logr.FromContext and logr.FromContextAsSlogLogger to return logr.Logger or *slog.Logger respectively, including transparently converting each to the other as needed.

Functions logr/slogr.NewLogr and logr/slogr.ToSlogHandler have been superceded by logr.FromSlogHandler and logr.ToSlogHandler respectively, and type logr/slogr.SlogSink has been superceded by logr.SlogSink. All of the old names in logr/slogr remain, for compatibility.

Package logr/funcr now supports logr.SlogSink, meaning that it's output passes all but one of the Slog conformance tests (that exception being that funcr handles the timestamp itself).

Users who have a logr.Logger and need a *slog.Logger can call slog.New(logr.ToSlogHandler(...)) and all output will go through the same stack.

Users who have a *slog.Logger or slog.Handler can call logr.FromSlogHandler(...) and all output will go through the same stack.

What's Changed

• slog context support by @​pohly in go-logr/logr#237
• slog support: fix WithGroup + WithValues combination by @​pohly in go-logr/logr#243
• Add tests for context with slog by @​thockin in go-logr/logr#246
• sloghandler: unnamed groups should be inlined by @​thockin in go-logr/logr#245
• Add SlogSink support to funcr by @​thockin in go-logr/logr#241
• funcr: Add LogInfoLevel Option to skip logging level in the info log by @​spacewander in go-logr/logr#240

New Contributors

• @​spacewander made their first contribution in go-logr/logr#240

Full Changelog: go-logr/logr@v1.3.0...v1.4.0

Commits

• dcdc3f2 slogr: fix unintended API break in v0.8.0 (#253)
• 5d88f52 funcr: Add LogInfoLevel Option to skip logging level in the info log (#240)
• 177005d build(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0
• e7f489a build(deps): bump github/codeql-action from 2.22.9 to 3.22.11
• cf56c3b build(deps): bump actions/setup-go from 4 to 5
• 2ad296e build(deps): bump github/codeql-action from 2.22.8 to 2.22.9
• d55b4e2 Merge pull request #241 from thockin/master
• 98ee9d9 Clean up slog testing and restore coverage
• b228ba8 Break examples to new file
• 6432877 Add benchmarks for slogSink
• Additional commits viewable in compare view

Updates golang.org/x/sync from 0.5.0 to 0.6.0

Commits

• 59c1ca1 errgroup: add reference to sync.WaitGroup
• See full diff in compare view

Updates k8s.io/api from 0.28.4 to 0.29.0

Commits

• 12b5cfd Update dependencies to v0.29.0 tag
• 0d77c34 Merge remote-tracking branch 'origin/master' into release-1.29
• bb0a75c add beta comment for pod replacement policy
• 0099855 update go.mod
• d4b94f4 Merge pull request #121765 from mimowo/ready-pods-stable-api
• 8391a3f Merge pull request #121764 from mimowo/backoff-limit-per-index-beta-api
• 7e58e00 Fix API comment for the Job ready field
• 5a2bc70 Fix API comment for the FailIndex Job pod failure policy action
• cca653e Merge pull request #113374 from ahmedtd/kep-3257-projected-types
• d23b507 Regenerate for ClusterTrustBundlePEM projected volume API
• Additional commits viewable in compare view

Updates k8s.io/apiextensions-apiserver from 0.28.4 to 0.29.0

Commits

• 5624a82 Update dependencies to v0.29.0 tag
• 249827f update go.mod
• 4bb4c02 Merge pull request #121034 from alexzielenski/apiserver/apiextensions/ratchet...
• f68866b codegen
• 5321cf0 validate defaults across an update from nil to ensure create ratcheting rules...
• efc67b4 ratcheting-cel: use Optional[T] for oldSelf when optionalOldSelf is true
• 0889c57 ratcheting-cel: add optionalOldSelf field
• 2c1c704 refactor: rename TransitionRule to UsesOldSelf
• 915de7b Merge pull request #121573 from tukwila/bump_etcd_v3.5.10
• d1c742e Merge pull request #121552 from pohly/klog-update
• Additional commits viewable in compare view

Updates k8s.io/klog/v2 from 2.110.1 to 2.120.0

Release notes

Sourced from k8s.io/klog/v2's releases.

Prepare klog release for Kubernetes v1.30 (Take 1)

What's Changed

• OWNERS: remove serathius, add mengjiao-liu, promote pohly by @​pohly in kubernetes/klog#394
• docs: clarify relationship between different features by @​pohly in kubernetes/klog#395
• Add SafePtr wrapper by @​kaisoz in kubernetes/klog#393
• logr v1.4.1 + SetSlogLogger by @​pohly in kubernetes/klog#396

New Contributors

• @​kaisoz made their first contribution in kubernetes/klog#393

Full Changelog: kubernetes/klog@v2.110.1...v2.120.0

Commits

• 2d08296 Merge pull request #396 from pohly/slog-helper
• e4deee8 slog: use main logr package instead of logr/slogr
• 5d1d2d5 add SetSlogLogger
• 39afdba dependencies: logr v1.4.1
• 2086216 Merge pull request #393 from kaisoz/add-safeptr
• 881fa0b Add SafePtr wrapper
• 8dd3f2e Merge pull request #395 from pohly/readme-update
• d3dd725 docs: clarify relationship between different features
• 761b630 Merge pull request #394 from pohly/owners-update
• f33bd6c OWNERS: remove serathius, add mengjiao-liu, promote pohly
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[inteon]

/approve
/lgtm

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [inteon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment