build(deps): bump github.com/cert-manager/cert-manager from 1.12.6 to 1.12.7

[dependabot]

Bumps github.com/cert-manager/cert-manager from 1.12.6 to 1.12.7.

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.12.7

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

• GO-2023-2382: Denial of service via chunk extensions in net/http

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

• CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Changes

Feature

• cert-manager is now built with Go 1.20.12 (#6543, @​wallrj).

Bug or Regression

• The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory (#6506, @​inteon).
• The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body (#6506, @​inteon).
• The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request (#6506, @​inteon).
• Mitigate potential Slowloris attacks by setting ReadHeaderTimeout in all http.Server instances (#6539, @​wallrj).
• Upgrade otel and docker to fix: CVE-2023-47108 and GHSA-jq35-85cj-fj4p (#6513, @​inteon).

Dependencies

Added

• cloud.google.com/go/dataproc/v2: v2.0.1

Changed

• cloud.google.com/go/aiplatform: v1.45.0 → v1.48.0
• cloud.google.com/go/analytics: v0.21.2 → v0.21.3
• cloud.google.com/go/baremetalsolution: v0.5.0 → v1.1.1
• cloud.google.com/go/batch: v0.7.0 → v1.3.1
• cloud.google.com/go/beyondcorp: v0.6.1 → v1.0.0
• cloud.google.com/go/bigquery: v1.52.0 → v1.53.0
• cloud.google.com/go/cloudbuild: v1.10.1 → v1.13.0
• cloud.google.com/go/cloudtasks: v1.11.1 → v1.12.1
• cloud.google.com/go/compute: v1.21.0 → v1.23.0
• cloud.google.com/go/contactcenterinsights: v1.9.1 → v1.10.0
• cloud.google.com/go/container: v1.22.1 → v1.24.0
• cloud.google.com/go/datacatalog: v1.14.1 → v1.16.0
• cloud.google.com/go/dataplex: v1.8.1 → v1.9.0
• cloud.google.com/go/datastore: v1.12.1 → v1.13.0
• cloud.google.com/go/datastream: v1.9.1 → v1.10.0
• cloud.google.com/go/deploy: v1.11.0 → v1.13.0
• cloud.google.com/go/dialogflow: v1.38.0 → v1.40.0
• cloud.google.com/go/documentai: v1.20.0 → v1.22.0
• cloud.google.com/go/eventarc: v1.12.1 → v1.13.0
• cloud.google.com/go/firestore: v1.11.0 → v1.12.0

... (truncated)

Commits

• 6d7629b Merge pull request #6543 from wallrj/release-1.12-go-1.20.12
• 67abf2b Bump to go 1.20.12
• 9c94184 Merge pull request #6539 from wallrj/backport-6534-to-release-1.12
• cad1189 Add ReadHeaderTimeout to all http.Server where that setting is missing
• 9604d5a Merge pull request #6513 from inteon/release-1.12_bump
• 4cdd39c upgrade otel and docker to fix CVE alerts
• 393faa2 Merge pull request #6506 from jetstack-bot/cherry-pick-6498-to-release-1.12
• 2334716 limit webhook admission input
• ead93cc Merge pull request #6483 from jetstack-bot/cherry-pick-6479-to-release-1.12
• 86b1ef8 Use explicit debian version for base images
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codecov]

Codecov Report

Merging #6020 (88b9c72) into release-1.26 (4cb6d5a) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files

@@              Coverage Diff              @@
##           release-1.26    #6020   +/-   ##
=============================================
  Coverage         78.59%   78.59%           
=============================================
  Files               138      138           
  Lines             19192    19192           
=============================================
  Hits              15083    15083           
  Misses             3822     3822           
  Partials            287      287