cert-manager: bump to v0.9.1

We just got this email:

We've been working with Jetstack, the authors of cert-manager, on a
series of fixes to the client. Cert-manager sometimes falls into a
traffic pattern where it sends really excessive traffic to Let's
Encrypt's servers, continuously. To mitigate this, we plan to start
blocking all traffic from cert-manager versions less than 0.8.0 (the
current semver minor release), as of November 1, 2019. Please upgrade
all of your cert-manager instances before then.

We're sending this email because this is the contact address of your
cert-manager instance at:

 185.236.240.37 .

Version 0.8.0 is much better but we still observe excessive traffic in
some cases. We're working with Jetstack to improve these cases. As new
versions of cert-manager are released, we will add the non-current
versions to our block list after 3 months. We strongly encourage
cert-manager users to stay up-to-date with new versions.

Also, there is an opportunity to help both Jetstack and Let's Encrypt.
Once you've upgraded, please check the logs for your cert-manager
instances from time to time. Are they making excessive requests to Let's
Encrypt (more than, say, 10 per day over multiple days)? If so, please
share details at https://github.com/jetstack/cert-manager/issues/1948 .

Thanks,
Let's Encrypt Team

Change-Id: Ic7152150ac1c96941423878c6d4b6209e07429cf
diff --git a/cluster/kube/lib/cert-manager.libsonnet b/cluster/kube/lib/cert-manager.libsonnet
index 2598798..e9e4a4b 100644
--- a/cluster/kube/lib/cert-manager.libsonnet
+++ b/cluster/kube/lib/cert-manager.libsonnet
@@ -11,6 +11,7 @@
         cfg:: {
             namespace: "cert-manager",
             enableWebhook: false,
+            version: "v0.9.1",
         },
 
         metadata:: {
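Review bot: the new `version: "v0.9.1"` field in `cfg` has no comment saying that it is the image tag shared by the cainjector, webhook and controller containers, so anyone overriding `cfg.version` moves all three at once without being told. Add a one-line comment to that effect next to the field. Given the commit message says non-current versions get blocked after 3 months, the comment could also say that this value needs regular bumps.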
@@ -389,7 +390,7 @@
                             serviceAccountName: env.sas.cainjector.metadata.name,
                             containers_: {
                                 cainjector: kube.Container("cainjector") {
-                                    image: "quay.io/jetstack/cert-manager-cainjector:v0.7.0",
+                                    image: "quay.io/jetstack/cert-manager-cainjector:" + cfg.version,
                                     args: [
                                         "--leader-election-namespace=%s" % [cfg.namespace],
                                     ],
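Review bot: style point on the new `image:` line for cainjector: it builds the string with `+`, while the `args` entry two lines below uses `%` formatting (`"--leader-election-namespace=%s" % [cfg.namespace]`). For consistency within the file, consider `image: "quay.io/jetstack/cert-manager-cainjector:%s" % [cfg.version],` and the same form for the webhook and controller images.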
@@ -415,7 +416,7 @@
                             serviceAccountName: env.sas.webhook.metadata.name,
                             containers_: {
                                 webhook: kube.Container("webhook") {
-                                    image: "quay.io/jetstack/cert-manager-webhook:v0.7.0",
+                                    image: "quay.io/jetstack/cert-manager-webhook:" + cfg.version,
                                     args: [
                                         "--v=12",
                                         "--secure-port=6443",
@@ -452,7 +453,7 @@
                             serviceAccountName: env.sas.certmanager.metadata.name,
                             containers_: {
                                 webhook: kube.Container("cert-manager") {
-                                    image: "quay.io/jetstack/cert-manager-controller:v0.7.0",
+                                    image: "quay.io/jetstack/cert-manager-controller:" + cfg.version,
                                     args: [
                                         "--cluster-resource-namespace=%s" % [cfg.namespace],
                                         "--leader-election-namespace=%s" % [cfg.namespace],