deps: update bazel (plugins)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
com_github_kubernetes_sigs_aws_load_balancer_controller	http_archive	minor	v2.11.0 -> v2.12.0
rules_oci	http_archive	patch	v2.2.1 -> v2.2.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

kubernetes-sigs/aws-load-balancer-controller (com_github_kubernetes_sigs_aws_load_balancer_controller)

v2.12.0

Compare Source

v2.12.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.12.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨

In v2.12.0, we have changed the default policy of the LBC webhook from Fail to Ignore in order to improve disaster recovery. See our documentation for how to change the policy back to Fail if you want better guarantees for having readiness gates getting attached to your pods.

We’ve added new fields to both the IngressClassParams and
TargetGroupBinding. Please apply the latest CRD definitions: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

AWS ALB now supports integrating with AWS VPC IPAM (ec2:DescribeIpamPools, elasticloadbalancing:ModifyIpPools). We also have added new IAM permissions (elasticloadbalancing:SetRulePriorities) in order to effectively manage your ALB listener rules. We've updated the reference IAM policies to explicitly add new permissions to allow for usage of the features.

What’s new

• Support AWS VPC IPAM with Application Load Balancers.
  • Application Load Balancer (ALB) now supports BYOIP (Bring your own IP) utilizing AWS VPC IP Manager.
• Application Load Balancer now supports Advertise CA when using mTLS.
  • When you enable Advertise CA subject names, the Application Load Balancer will advertise the list of Certificate Authorities (CAs) subject names that it trusts, based on the trust store it's associated with. When a client connects to a target through the Application Load Balancer, the client receives the list of trusted CA subject names.
• NLB now supports path discovery using ICMP.
  • It might be necessary for some environments to allow Path MTU discovery for negotiation of MTU between two hosts. If a receiving host has a smaller MTU than the sending host, the receiving host sends an ICMP message to instruct the sending host to split the payload into multiple smaller packets and retransmit them. This work introduces a Service annotation that when configured, will automatically add a security group rule to the managed security group, depending on the IP address type.
• The LBC now supports registering targets in cross account target groups.
  • You can now use the iamRoleArnToAssume field in the TargetGroupBinding CRD to allow for registration and deregistration of IP targets into Target Groups outside the account that owns the cluster.
• The LBC now supports multiple references to the same Target Group.
  • In previous releases there was an enforced 1-1 mapping of TargetGroupBinding to Target Group. v2.12.0 removes this limitation if the MultiCluster flag is set on each binding.

Enhancement and Fixes

• ListenerRule modification have been refactored to allow for no downtime changes to routing rules.
• SG ingress and egress rule modifications are re-ordered to prevent outage on mis-configured SG setting.
• Fixed a bug that prevented the controller from setting Dualstack mode.
• Used better metric buckets for publishing readiness gate latency.
• Added support for karpenter.sh/disrupted:NoSchedule taint to improve application availability during node patching and scaling.

Changelog since v2.11.0

• Add ALB IPAM Support (#​4081, @​zac-nixon)
• Update rule management to avoid sporadic 503 errors (#​4039, @​shraddhabang)
• Fix TGB webhook error message to report changes to immutable field (#​4070, @​maruina)
• Do not render .spec.replicas if Autoscaling is Enabled (#​4059, @​sherifabdlnaby)
• add toggle to adjust failurePolicy of pod webhook and documentations (#​4063, @​M00nF1sh)
• [feat] allow multiple targetgroupbindings to reference same tg arn if using multicluster mode (#​4021, @​zac-nixon)
• Checking for taint karpenter.sh/disrupted:NoSchedule while checking if node is suitable to handle traffic. (#​4022, @​kahirokunn)
• Added ISO Policy for iso-e and iso-f in example docs, and updated integration test script based on testing already done (#​4032, @​orsenthil)
• TargetGroupBindings can now manipulate target groups from different aws accounts (#​3691, @​marcosdiez)
• bug fix: use reasonable buckets for readiness gate flip metrics (#​4001, @​zac-nixon)
• Fix CVE-2024-45338 - golang.org/x/net (#​4010, @​shraddhabang)
• bug fix: try SG permission add prior to revoke (#​3952, @​zac-nixon)
• fix(helm): change topologySpreadConstraints default value (#​3983, @​yann-soubeyrand)
• fix: Cannot set the IPv6 addresses in dualstack mode during modification (#​3959, @​wweiwei-li)
• feat: add advertise ca for mtls listener (#​3974, @​zac-nixon)
• feat(NLB): Introduce Service annotation to allow ICMP for Path MTU Discovery (#​3939, @​chriswachira)

bazel-contrib/rules_oci (rules_oci)

v2.2.3

Compare Source

Using bzlmod with Bazel 6 or later:

1. Add common --enable_bzlmod to .bazelrc.

2. Add to your MODULE.bazel file:

bazel_dep(name = "rules_oci", version = "2.2.3")

### For testing, we also recommend https://registry.bazel.build/modules/container_structure_test

oci = use_extension("@​rules_oci//oci:extensions.bzl", "oci")

### Declare external images you need to pull, for example: 
oci.pull(
    name = "distroless_base",

### 'latest' is not reproducible, but it's convenient.
### During the build we print a WARNING message that includes recommended 'digest' and 'platforms'

### values which you can use here in place of 'tag' to pin for reproducibility.
    tag = "latest",
    image = "gcr.io/distroless/base",
    platforms = ["linux/amd64"],
)

### For each oci.pull call, repeat the "name" here to expose them as dependencies.
use_repo(oci, "distroless_base")

Using WORKSPACE:

load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "rules_oci",
    sha256 = "1e7759852e8cad966ca793412d292f1d4af5831940fb2cb573f1890ad1e9641e",
    strip_prefix = "rules_oci-2.2.3",
    url = "https://github.com/bazel-contrib/rules_oci/releases/download/v2.2.3/rules_oci-v2.2.3.tar.gz",
)

load("@​rules_oci//oci:dependencies.bzl", "rules_oci_dependencies")

rules_oci_dependencies()

load("@​rules_oci//oci:repositories.bzl", "oci_register_toolchains")

oci_register_toolchains(name = "oci")

### You can pull your base images using oci_pull like this:
load("@​rules_oci//oci:pull.bzl", "oci_pull")

oci_pull(
    name = "distroless_base",
    digest = "sha256:ccaef5ee2f1850270d453fdf700a5392534f8d1a8ca2acda391fbb6a06b81c86",
    image = "gcr.io/distroless/base",
    platforms = [
        "linux/amd64",
        "linux/arm64",
    ],
)

What's Changed

• Add --use --bootstrap to dockerfile builder example by @​vinnybod in https://github.com/bazel-contrib/rules_oci/pull/775
• authn: allow builtin credential handling to fail conditionally by @​malt3 in https://github.com/bazel-contrib/rules_oci/pull/778

Full Changelog: bazel-contrib/rules_oci@v2.2.2...v2.2.3

v2.2.2

Compare Source

Using bzlmod with Bazel 6 or later:

1. Add common --enable_bzlmod to .bazelrc.

2. Add to your MODULE.bazel file:

bazel_dep(name = "rules_oci", version = "2.2.2")

### For testing, we also recommend https://registry.bazel.build/modules/container_structure_test

oci = use_extension("@​rules_oci//oci:extensions.bzl", "oci")

### Declare external images you need to pull, for example: 
oci.pull(
    name = "distroless_base",

### 'latest' is not reproducible, but it's convenient.
### During the build we print a WARNING message that includes recommended 'digest' and 'platforms'

### values which you can use here in place of 'tag' to pin for reproducibility.
    tag = "latest",
    image = "gcr.io/distroless/base",
    platforms = ["linux/amd64"],
)

### For each oci.pull call, repeat the "name" here to expose them as dependencies.
use_repo(oci, "distroless_base")

Using WORKSPACE:

load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "rules_oci",
    sha256 = "8676144f96dd63294333906b26dea2388f61cadaf1dea59a225e7dbc52cc72fa",
    strip_prefix = "rules_oci-2.2.2",
    url = "https://github.com/bazel-contrib/rules_oci/releases/download/v2.2.2/rules_oci-v2.2.2.tar.gz",
)

load("@​rules_oci//oci:dependencies.bzl", "rules_oci_dependencies")

rules_oci_dependencies()

load("@​rules_oci//oci:repositories.bzl", "oci_register_toolchains")

oci_register_toolchains(name = "oci")

### You can pull your base images using oci_pull like this:
load("@​rules_oci//oci:pull.bzl", "oci_pull")

oci_pull(
    name = "distroless_base",
    digest = "sha256:ccaef5ee2f1850270d453fdf700a5392534f8d1a8ca2acda391fbb6a06b81c86",
    image = "gcr.io/distroless/base",
    platforms = [
        "linux/amd64",
        "linux/arm64",
    ],
)

What's Changed

• refactor: remove workspace by @​alexeagle in https://github.com/bazel-contrib/rules_oci/pull/767
• fix: drop embedded config data from manifest image by @​plobsing in https://github.com/bazel-contrib/rules_oci/pull/774

Full Changelog: bazel-contrib/rules_oci@v2.2.1...v2.2.2

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for constellation-docs canceled.

Name	Link
🔨 Latest commit	5af4822
🔍 Latest deploy log	https://app.netlify.com/sites/constellation-docs/deploys/67cba1206042370008e1b0e0