If you were sent here from a reminder in #cert-manager-dev, do the following:
- Run `make update-base-images`
- See below about kind images
- See below about makefile-modules base images

If anything was changed, create a PR for the changes to be merged.
Kind images can't currently be easily automatically updated because you need to use SHAs which match those given in Kind release notes, but we have a helper script. Check https://github.com/cert-manager/cert-manager/blob/master/make/kind_images.sh
In addition, you might want to check and update makefile-modules using the instructions in that file.
In #3740 an out-of-date base image resulted in a failed vulnerability scan. There likely wasn't any actual security issue, but the risk of ca-certificates and tzdata getting out of date in cert-manager containers that we distribute is non-trivial.
We should investigate how we can prevent this from happening again.
Discussions in the biweekly meeting on 19/05 included:
- Switching to using a tag rather than a digest for base images (e.g. by changing this)
- Embedding certs / tzdata into cert-manager binaries and using scratch over distroless as a base (this doesn't help on its own, but might accompany a different solution)
- Adding automation to detect an out-of-date base image
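One shape the third option could take, as an added example that is not cert-manager's own code: parse `NAME := image-ref` assignments from a base-images file (the Makefile-style layout is assumed), and for every reference pinned as `repo:tag@sha256:...` compare the pinned digest with what the tag currently resolves to. Digest-only pins are reported separately, since without a tag there is nothing to compare the pin against, and tag-only references are reported as unpinned. The sample file and the resolver are constructed; the variable names, digests and `check_base_images` function are all assumptions for illustration.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# "repo[:tag][@sha256:hex]"; registries with a host:port are not handled here.
IMAGE_REF = re.compile(
    r"^(?P<repo>[^\s@:]+)(?::(?P<tag>[\w][\w.-]*))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def parse_base_images(text: str) -> Dict[str, str]:
    """Collect `NAME := image-ref` assignments (assumed Makefile-style layout)."""
    refs: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_]\w*)\s*:?=\s*(\S+)\s*$", line)
        if m:
            refs[m.group(1)] = m.group(2)
    return refs

def check_base_images(text: str, resolve: Callable[[str, str], Optional[str]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each variable to (status, digest the tag currently resolves to)."""
    result: Dict[str, Tuple[str, Optional[str]]] = {}
    for var, ref in parse_base_images(text).items():
        m = IMAGE_REF.match(ref)
        if not m:
            result[var] = ("invalid", None)
            continue
        repo, tag, digest = m.group("repo"), m.group("tag"), m.group("digest")
        if digest is None:      # tag only: mutable, so nothing to compare; not reproducible either
            result[var] = ("unpinned", None)
        elif tag is None:       # digest only: reproducible, but no tag to check for drift against
            result[var] = ("untracked", None)
        else:
            current = resolve(repo, tag)
            result[var] = ("ok" if current == digest else "out-of-date", current)
    return result

# Constructed sample input and resolver; a real check would resolve each tag via the registry, e.g. `crane digest gcr.io/distroless/static:nonroot`.
OLD, NEW, OTHER = (f"sha256:{c * 64}" for c in "abc")
SAMPLE_MK = f"""\
STATIC_BASE := gcr.io/distroless/static:nonroot@{OLD}
DYNAMIC_BASE := gcr.io/distroless/base@{OTHER}
DEBUG_BASE := gcr.io/distroless/static:debug
"""
CURRENT_TAGS = {("gcr.io/distroless/static", "nonroot"): NEW}

def constructed_resolver(repo: str, tag: str) -> Optional[str]:
    return CURRENT_TAGS.get((repo, tag))

if __name__ == "__main__":
    for var, (status, current) in check_base_images(SAMPLE_MK, constructed_resolver).items():
        print(f"{status:<12} {var}" + (f" (tag now at {current})" if status == "out-of-date" else ""))
```

In CI the "out-of-date" status is the one to fail the job on; "untracked" entries are the digest-only pins this issue discusses replacing with tags so that drift becomes detectable.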
/kind feature