From b7e8ad6d0ec6e0045c357427283bd98433cca093 Mon Sep 17 00:00:00 2001
From: Alex Ellwein <alex.ellwein@gmail.com>
Date: Wed, 14 Jun 2023 13:36:19 +0200
Subject: [PATCH] feat: use Busybox Docker image and Go 1.20.5 for
 build/release

Base Docker image adaptions because of CVE-2023-2650 mitigation.
---
 Dockerfile                                    |   6 +-
 Makefile                                      |   2 +-
 charts/cert-manager-webhook-netcup-1.0.16.tgz | Bin 0 -> 4496 bytes
 ...ert-manager-webhook-netcup-1.0.16.tgz.prov |  52 +++++++++++++++
 charts/index.yaml                             |  59 ++++++++++++++----
 charts/release.sh                             |   2 +-
 deploy/cert-manager-webhook-netcup/Chart.yaml |  10 +--
 .../cert-manager-webhook-netcup/values.yaml   |   2 +-
 8 files changed, 108 insertions(+), 25 deletions(-)
 create mode 100644 charts/cert-manager-webhook-netcup-1.0.16.tgz
 create mode 100644 charts/cert-manager-webhook-netcup-1.0.16.tgz.prov

diff --git a/Dockerfile b/Dockerfile
index 1721ed9..5466327 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.20.3-alpine3.17 AS build
-RUN apk add --no-cache git
+FROM --platform=$BUILDPLATFORM golang:1.20.5 AS build
 WORKDIR /workspace
 COPY go.mod go.sum .
 RUN go mod download
@@ -7,7 +6,6 @@ COPY . .
 ARG TARGETOS TARGETARCH
 RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o webhook -ldflags '-w -extldflags "-static"' .
 
-FROM alpine:3.18
-RUN apk add --no-cache ca-certificates
+FROM busybox:1.36.1-glibc
 COPY --from=build /workspace/webhook /usr/local/bin/webhook
 ENTRYPOINT ["webhook"]
diff --git a/Makefile b/Makefile
index 7d0417e..303cce6 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@ OS ?= $(shell go env GOOS)
 ARCH ?= $(shell go env GOARCH)
 
 IMAGE_NAME := "elvino76/cert-manager-webhook-netcup"
-IMAGE_TAG := "1.0.15"
+IMAGE_TAG := "1.0.16"
 
 OUT := $(shell pwd)/_out
 
diff --git a/charts/cert-manager-webhook-netcup-1.0.16.tgz b/charts/cert-manager-webhook-netcup-1.0.16.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..d690b93cb0f78dd9ec981cfe5e1f2f5a08875562
GIT binary patch
literal 4496
zcmV;B5pV7viwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PH>ebK5qu{TYA7KKb3`<C)Zlzf#TR&G{TRm${4UiPPTPbUHOe
zu1M4%zyhEgHSPP`-vA&fl9uGpbJCnJ6Gb9{#bS4{y8ssJ2$cykDrkZ#xWq{+<wYRS
zL`B{|N~tp8oM!y1dzHapFxcPSb^i|rgYN&s{n5c!!`<E8(az4!U~m7c!Ek?XF!%}v
z_v`j%rO<||uLk$-t2?+qNTEVVLk*Kcj|l)(hD~W?(qa-a*^g2x64Yb(jQ{`yaKS`8
zhAI1iv3mj#qmC5IErc=j3XSmBLeD4i0}R8R{cs3VsbE4i0?TNEU?gPBu!I_fqwkM{
z(O|R_jP~~iy;c`Aj#qT?*MjjFE}2Q;wS-|f8iaejC8$ebC=>b&qe3w=|1OWIu|w$@
zRp62aoJA-!j^Qw;QHsGR99*rGQRcv+Y7j-x%r@ir0ggGpL?%kaF{6x+fpYv1qJQ(3
z#6AlnnOz00St9<9^9t~ki3C-ym@s4Lee?D3>*4Ov@z?wN2m8mP!Pkc`M!SR2*MsBZ
zZ$<|P2ZOzx!-H4DLr=y+@iC;v<a*riU*Oy_z;;1PH2Qgx|8#+K9a0?;nzQdwX-D7L
zkkCA@e-6VzINT>K797IgkY^BC_2AfRl?aqd1WF|WTJjkx_x|wc?J>MMIU5XZBhFDI
zNC0Mx!iiHgB$bwg6~YN~B#C6UKzNO!A}q3KRjn1h3_XNGqq1^<!Z=_}80{Y!)dp3c
z%S5`5Fc%5A!1<+Au^y8Enzcz#4Uz=F(P$Krn&*ZDP$Cq#A(Oxlns@<OH-cG*-j6o_
z*XjQm<pt{d8-Q!{|7dr2udDwLcJ?;<|1ruIyiXBcD_P_xG($*HAutVv#@Om=7Nan1
zI)}L|6ht!1shERR>4jzjwT414116=0Y(b=u8rv{sx|$;)*@ADR0{lR;oa45CnbA2+
z5PCGqFwEv9U^`2Dw!wQ_$4(o#WSoOQkIe)@;S?2$2xDLZkVYxI(YiqOM8kR6<vD0W
z#jg~MBwN75RI02s{XkCP(hb!}&?sU!s`Sz+opVWJP^e|0BGk4UsbW+fnp10FQtT?U
z8tudq(<84_S@77R{rq_$*e?Y>f4&W=MIS8v5>HlnDJs%F(GW{(Wyn^|3x$!)G88e!
zAt6b{tFdhp`neib3W?ZZzV)ND2Hm2ea~gH@4*}4qW-P+PD3XORCs$MyA<kf1APRG-
znUQKf2IMm)<iY-0g$!V5QY$lnEzl{2l<E{BDl9!J`O-N?R=m7(P^!UgU_u+DvE`GY
z2?5u33_WYz@`CeI$yqcX!<*@eG^YwR3PYTp{dR^*u^3(DX~FrGhol_29hsTuIEEu$
zSoQzr)IyiajA3_ohmcwXY|W3qyK(%}qFzwW=L@!gkfu477^k%0rXfO9xWRIyPIj0E
zs)0fzg^rjkv;!Tbl11nYrWG%1yh1Nglxqo0*x98~Tagoy|6dsmst_OrpqMcwMTWv?
z?;dex3`YmMMr9jx5v8{Kw@k2$VuB&OnOZS~Si&V0t&udE6~d3!IOL|1b9u=`;-GV@
z3ATa8KNs4)&uj+*Bh;Fz`L-Ls!c3MkCn^-5!$eU>o2fwsPZq>}5|%(SW*q6a0HVAY
z!*DRj{Lc(CCyc|<i?^&C;4cO0o7E>m#(0JtBO}$=a+Vm$QI&2m{O}_obUI~%nYnxY
zsg?A<v8=QI2D6-7r@4Rf?fc`i(0nj=>f;*w@4mO}|H!ThH}?NA%FX!yQ;IxCr9+e7
z!4<rQ|2zBpUH%UT2OIuBO8NM){~Ts48-qpzQ^wJn#Fv>ROO)amp7($Mo!DCB_(SgO
zSc=}cv9{SNbGJ)G%6fsdeoP?r)<{-p+xH+?v~cz^^czmj4-LQfi;t%DhTp)bLPW5?
z<G!-&te8&O2j~S0VAdYn?;htP=a2%e`>-Ct9DXS%XH$kT(A>LfA^9hI=&ru8eb|v{
zm|#Q;ji6<Q@b_YZN}$2gJDoD*u?DKp+bi$XI1B%DGOyf3Th}^!)~r4Y$(t!C<kpsZ
zAk|hyxuSN@nDL%(<tjOU!6IK`dn<BRZqR~CY+6&e>m${5R#vzX8@OIT`foR+@ynZY
zx`Ag+9S<dZ=Sk-q*SNNx-Wox-$ufoBpLFmi-RnT}{oY3QR()^DWP{muT9vM^Wwc{>
zDLuXxrxWD2WV&nFTRFrg2mJSP&j)_9{ywJ>LhpZi(EF)(+j)00{510E8A}Ale*IQ~
zYGP{ZXqJc`JY^!{MSNpH51+wZ5mQo{qr=rmMf4M(bA-yUDYM$?Gr-BMphR*FQdJ|v
z^`l~EfxNNn$&;?m!z?%RTI0AiXXsX?SCAjONz$sgSOs@p7@ELUt<nJYms<dH=&aTu
z4{iT%=Ks;0m5b)P>;_(U{xjO$@A`jx`@0+e?=ebq>!0RKVZyZWE8+0sg$|kQ&xXXG
z$sC@(IrCCLGBh-%hE`ilW0(yo&r>=KKYpwwy56d?0uA1ZxfMECziSL1Kf;Z)La7lv
z6!13j=B-OZST`?yF9)D)>B|Z!DrRWXsZkEySLz&_L2KvC5{-$UF)~3!gQ=3)7<%2#
z+@>7-{(JwX!&s(s?U;JRx|J3SM{bYwat64cr;16%%=|4AEGsg%O)?-*IUv>RF%0(>
zyM%s_p3^r)xS`7{$~JZ*SJ7jE$wH>S<PDflTyCcSW6ZgnXDIFz4sebB-yQ7iboKxK
z;9#TwAEUJOf36qW{#DKMCEEVZI^c`30hQ9VYb6#@-O{_|!y{P;<00y5yV*g{sEN{l
zG)QqjVq80(Y9^PxH`r+lZy|DDRBk}rigxb%l4GcQSQx1G3s5yi6fDHHx$te^4E_Y_
zc6~P%8Q~IOr;UTEhH!X4e{qV{Zb?<rK-?oA*d<ipu$eNBFZ+gT`!9@?Sz0w$Y(@<R
z7dY><xWIX%1&Ud>FHfk~@4o%+^rw@<x5us504^qAg^%$Y{8C8MA!{y`xiTQ%i3`~1
zz^}P?TA#zUE96QV8A(2d_eZCVcbv^opw_2KPO#md?dLU`aR-u)QnYCN?fv`Hvu-cc
zq+{r(NV!RW?Y?xVb+K1SWA;fgm`Pq__}0#&6%@B3)TMZ4>!14G4DY_Rqxx3x`525U
zur=KJaP;FxF!EnC;|={+oqYZVOvES*3`YyO@Q5y%pI!VkMyg9T|Lk^(VwLag0Nd5I
zJ1?zwA{)np3#40zhRrcA#`vNM(k|Fn^-!HIE}+-vjrWAyILKT8Z=P=69R8<vO*Z8b
z%FX=${DR#h4D1^Je{Z<g-TxVkM#GK&{}?3*0<s15F<G_Yj&T`PwcQMVD&xC=f|Am}
z(V<h=rACFRRAdWmYbKIK7^qjh&6>IuaN6BDsTUv~fqN`IuAVTII{(^jh?Xbw#VuJD
zbn(G2RtCrxyhdTIgk|s1AvA2|B3O$hqQ%HMSg8s>yAfj>pzp!mCFdd=_Imc--a%ST
z%((EL!x(mVUJM2)Y{8ygLNGU_-r@8vTZ1cSW+byr3Xgj)qTyN!Hs19dMn{LGn_7u<
zrPoBMOkA9*6=&_FmQLghAt~iP?kY4R{U}Sf^l_9{`}A=m(RLV7xmEFyl3j_&H%w5@
z=i9XyI4gL?W_2~46^=sVV=BBgi<tj#`FP+Z;X>uTIM{a@Z+LHww{%*^LOT{&fWh5&
zz3$pHTyqBV;4niyi#AKj&#v5T{ih~0y88lf{rYb>8VtMVKZBi}oz431F-qs^pSM?M
ztv&h8@y`;|<JZlv6)i7BRBl0zDr4Hk(HZG>Pu=SyDW)uWOY>@j+qxI_#Uh}TY(W`j
z<L)w*7aCHeF{&V<LBkoTuNp1DG7YpaGNXn??siIb6|0ORYy_^>y@W0A#m#YAm{cnE
z>+%4Qcaq~@nTVN49!x04)mz&&3X8t&J5X-mZQtgim|&pi+F<r2$&!*BOSgjN?6r^L
zSji3ou;4~beEeWgSVjgldsk3Y7n7ecGNse8=&<K+4lmUJxA%AM82sU<RXqeq(3DHH
z!lXfr9207!0!uPG!OAE8J;WF>?Y6$%RXrC!D-|x_-B#esi(&s3xo?kXBhO7@*R=JM
zy-TY<fCzib(7JQlHVre%S?o90tSyj*dJr*vIQjI~Py>IB|BDjOf@4Q?>Z8bDP4ryr
z%(JTg<oOf#eTHh%eC*Bd6DJLy12?B!URu{fN&cV1%U)yD;ll0l1n;e6scq$s=Ba+N
zc$$}iksN2pBj<RP`viKq2ymuNqx~f{QQG*Opt-MjJh)BzQl;eK4AKJ-_OrKMpOHX*
zxkl)di)5R$_ZG^^Xg2asgjZwxR*2$~w&I>r`LO2G?=UZ2l&+jg*Vv|&_NV7N)4k;p
zK8wxnu3J*?CEHd@f_!#Y1QB%%S1&=+Tl{i%t9MrxJh(=<6DJ;Ef&C!pe%7l0Q*T9X
z$|oo{+yB4E<-Z%;{~PQNujGH&-{k*#l(KIBf3xww=FHh=j%qkB)f}-eJhVpWdr*dK
zFR5=|G(vT$O3<8MiSJ$(_TG-7Z{IMv4~^Fn=~D~rraWj_r~ktgdBzeU72d0lYxMtM
zZ+JET<0k*_<CHBprN*FgXC~m84VNhjm=ug#*Bx>iUC;z|ed?%-+^IIuDRK@8mlJ=Z
zjfrI2Y7c7I4BZWu#&arSvIPPY=WD~$T%pS&>{mDc^(=&M1)qZyuBAl@a#Sw2Tu8!K
zXFr`8sgP{Jk&6+8?~l$PW=fMVVW#gsJ^Cb^{HpryvwDywefv@U)HBgv0GiO~qR3tD
zBTb%%`Z6ca!wJ10&qI^t<oW-RE%=@)CJPO3UL9)^=1N*Oo`ft$+V}O8{P~Zl8`sVM
zcgKgX-X4cpe9u0vng2TnqhWXc4@R5&zmHPZW$}Eux)Ab1v*nLZtK`d_7|3UJU<Au@
zju{G{HNk~b78;40{6F|C&<iM+mzPyyQ!JiY=V!*^GMTiN+y!U;P-T@4218P3Vbv>9
z>BlnC{no~PpGFz>W1$Db{<Dyf?=(%21c3_;{iY1~^mqh5B_@lY1!3D|&TQqVt?x)Q
zLOc8}z;-kE!{^g2w2>Jq5JfgYwGD@-Z{PywE+drvo>Q$arHWz7lr|wD|B{7Ep&CnI
z1~|KD<l@{0mw(geZYmGI6-LHi+H{F*{nIR?A|4ZRetxb~a#2h$GQ2|E<Lbj<SyT_-
zKMh3tOfzulEdtIAD#~A0;|ctDUjEsRGUz=0-)<|Kv)}^fFaKPA@o&qHW2)1Mq$*z8
ztfG%^Tm4!Az>b$3x^$y%tW^w7gFBA1o_OcyK3enqynlXPWr!`GfSeLLG-otZTBbFv
z8PS#zcuF-;t&0rf?TWlilgNr}480bGdye&7MlN`ViN(%M+lB8v^Zc7<{5FB<0I=n9
zFT0eo6L;66IW!W6Az56{_M5}?8ph3(#cj-TYPYXvu1`<gtm%RKs&(GrMe#K3UYV_e
zec$19+?LH16;D<qK(?}Ar+8)^o)`^fTyI0})AG3_(~h@y(j{Bf8zz##Jql_C6;#TM
zkP~^i?Soq)Q&3*3$}&YV6WVwYnK9Z(xj%NeTi@IzW(FF^>vGH2W2jQ;m&x(nA4yna
z{e5=fKJh)3$Urs^*7da(;F@+pu#oesY*I4wH#c(0gz+@<(b$VQ8<)2^7Ad#s#K#CZ
zIU`FlcIz_s;{1FKYUk%6A><X)5vMFe<;_EBBi;bb+$5E7X(!cm$~bc~S1LQ@W#oT3
zE9Z@z&joGW=*o*^8e;49G6C5fbWW`TVj0?g|Ka~A1*v=d!T)s%7(w~!$ERWcA8(G1
iPtJ~?5kmfmKIo=w%BFmp^8Wz<0RR6LHU$F!Y5)LJQ{V9b

literal 0
HcmV?d00001

diff --git a/charts/cert-manager-webhook-netcup-1.0.16.tgz.prov b/charts/cert-manager-webhook-netcup-1.0.16.tgz.prov
new file mode 100644
index 0000000..3f2b2bc
--- /dev/null
+++ b/charts/cert-manager-webhook-netcup-1.0.16.tgz.prov
@@ -0,0 +1,52 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+annotations:
+  artifacthub.io/changes: |
+    - kind: fixed
+      description: "use Busybox 1.36.1 for base image to mitigate CVE-2023-2650"
+    - kind: added
+      description: "Build with Go 1.20.5"
+  artifacthub.io/containsSecurityUpdates: "true"
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/maintainers: |
+    - name: Alex Ellwein
+      email: alex.ellwein@gmail.com
+  artifacthub.io/signKey: |
+    fingerprint: "F91914CE96676E209A8240290EEF2777053A7D1A"
+    url: https://keybase.io/aellwein/pgp_keys.asc
+apiVersion: v1
+appVersion: 1.0.16
+description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
+  via Netcup
+home: https://github.com/aellwein/cert-manager-webhook-netcup
+icon: https://raw.githubusercontent.com/cert-manager/cert-manager/master/logo/logo.png
+keywords:
+- - cert-manager
+- - webhook
+- - letsencrypt
+- - netcup
+- - ACME
+- - DNS01
+name: cert-manager-webhook-netcup
+version: 1.0.16
+
+...
+files:
+  ./cert-manager-webhook-netcup-1.0.16.tgz: sha256:631bd4ef439724ca4b9b070011fa2c87c3ae5978018adca0d3825f165ce20d9f
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCAAdFiEE1HATsJzIi3L2TkHNV/husVzFn5YFAmSJti4ACgkQV/husVzF
+n5Z5yhAAj+wjY4xuaCLup6z1wuTrWaqNWcdXJsfG/ZQp91zOyV0NBonS9CdO8E1i
+91TYxMSNa2wWzc3mFC/o7oFYCmtAPaVTFCsqZ/7N6K2wjSkChiGgmPxxyOIpQeOu
+Og2jDjh1DHWYL7qcC1w4X/d6biMQASiDANLAPoM+uzCdBxi7og+sLHPR5JpePepD
+yEzOHUcy9vn0eHe9MX0EITRNHoMO6WJ2nCMsnTSFtB3yIkRAUOF1ZbL7xRftdowe
+xyxbVZVD0JCrSQGFsTqW13F6gMmtDvR2Y1grAlk9SbUzr2vygWqzxAZYkU3PO1d5
+yhiVCPuho+6N5pI+vX6TGu9JYAWs7mm5/Ej36USh+PNf0fTwmf9Sbs4NrrEurJAh
+AvfdP+ncYJlolc984rkCzzeF5TdLjfVnjXABLSQS0bciCn3KwxP+LMhJaS5r9CYF
+6o3CsKFH7Wt6pAhta6/4jvGMnpLLJCp0EkIC4GPq+vc3MIc4ZnHgy7KPZcGobOhc
+eAMaMe8oxnd9yG1Napd3OVHX51ky1Gxc7zbKK25nQUzD2+uxZ8ZH4UHchSspaKD5
+S41/0WYDFqq1yT8YAncNnT78x0Nv2a675yXLtLvkRI1fDpOrnLvEZ14tfs1fvAEV
+zn7+MITKpB9w+UoizrN5HjcEqA7aRs4PHbcgUDB4qdn2ZnAxgnk=
+=59Ki
+-----END PGP SIGNATURE-----
diff --git a/charts/index.yaml b/charts/index.yaml
index 9b587cb..62d3179 100644
--- a/charts/index.yaml
+++ b/charts/index.yaml
@@ -1,6 +1,39 @@
 apiVersion: v1
 entries:
   cert-manager-webhook-netcup:
+  - annotations:
+      artifacthub.io/changes: |
+        - kind: fixed
+          description: "use Busybox 1.36.1 for base image to mitigate CVE-2023-2650"
+        - kind: added
+          description: "Build with Go 1.20.5"
+      artifacthub.io/containsSecurityUpdates: "true"
+      artifacthub.io/license: Apache-2.0
+      artifacthub.io/maintainers: |
+        - name: Alex Ellwein
+          email: alex.ellwein@gmail.com
+      artifacthub.io/signKey: |
+        fingerprint: "F91914CE96676E209A8240290EEF2777053A7D1A"
+        url: https://keybase.io/aellwein/pgp_keys.asc
+    apiVersion: v1
+    appVersion: 1.0.16
+    created: "2023-06-14T14:44:31.610422+02:00"
+    description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
+      via Netcup
+    digest: 631bd4ef439724ca4b9b070011fa2c87c3ae5978018adca0d3825f165ce20d9f
+    home: https://github.com/aellwein/cert-manager-webhook-netcup
+    icon: https://raw.githubusercontent.com/cert-manager/cert-manager/master/logo/logo.png
+    keywords:
+    - cert-manager
+    - webhook
+    - letsencrypt
+    - netcup
+    - ACME
+    - DNS01
+    name: cert-manager-webhook-netcup
+    urls:
+    - cert-manager-webhook-netcup-1.0.16.tgz
+    version: 1.0.16
   - annotations:
       artifacthub.io/changes: |
         - kind: added
@@ -17,7 +50,7 @@ entries:
         url: https://keybase.io/aellwein/pgp_keys.asc
     apiVersion: v1
     appVersion: 1.0.15
-    created: "2023-05-11T20:06:17.515664+02:00"
+    created: "2023-06-14T14:44:31.610197+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: 9004dfab480013735a304222d6cb258e1abf4ce6f2d91d6ab9079b6a143dbc6b
@@ -52,7 +85,7 @@ entries:
         url: https://keybase.io/aellwein/pgp_keys.asc
     apiVersion: v1
     appVersion: 1.0.14
-    created: "2023-05-11T20:06:17.515422+02:00"
+    created: "2023-06-14T14:44:31.609957+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: 5ae3d345efadfd55f8b3c154fd81f2ccd95896bed24ee918c9d71d495021a6b5
@@ -85,7 +118,7 @@ entries:
         url: https://keybase.io/aellwein/pgp_keys.asc
     apiVersion: v1
     appVersion: 1.0.13
-    created: "2023-05-11T20:06:17.515142+02:00"
+    created: "2023-06-14T14:44:31.609717+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: 68f71804f042cf7d2a6a2470cb4dfb8c48c26389f07f66e266ae9a0619a15c21
@@ -145,7 +178,7 @@ entries:
           email: alex.ellwein@gmail.com
     apiVersion: v1
     appVersion: 1.0.12
-    created: "2023-05-11T20:06:17.514915+02:00"
+    created: "2023-06-14T14:44:31.609475+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: bede761557c38f373c3923f9d9128f77c8fc32d2b1d79f1fda4cb548c031f62d
@@ -172,7 +205,7 @@ entries:
           email: alex.ellwein@gmail.com
     apiVersion: v1
     appVersion: 1.0.11
-    created: "2023-05-11T20:06:17.514648+02:00"
+    created: "2023-06-14T14:44:31.609214+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: aa66de90af78012c0521d3ec48265746ee97f26640248e4b68328331c4ce6f2d
@@ -200,7 +233,7 @@ entries:
           email: alex.ellwein@gmail.com
     apiVersion: v1
     appVersion: 1.0.10
-    created: "2023-05-11T20:06:17.5144+02:00"
+    created: "2023-06-14T14:44:31.608962+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: f6ec08186bf14c204eef0971e9c84545b5a8bb3d455d7cdcca488ddc71830695
@@ -229,7 +262,7 @@ entries:
           email: alex.ellwein@gmail.com
     apiVersion: v1
     appVersion: 1.0.9
-    created: "2023-05-11T20:06:17.517446+02:00"
+    created: "2023-06-14T14:44:31.613685+02:00"
     description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge
       via Netcup
     digest: d3b6eab27e21af3ae6fb5473e4b0e5db8d75c95bf5ee9b7f1b2e25e98b488bd3
@@ -248,7 +281,7 @@ entries:
     version: 1.0.9
   - apiVersion: v1
     appVersion: 1.0.8
-    created: "2023-05-11T20:06:17.517135+02:00"
+    created: "2023-06-14T14:44:31.61345+02:00"
     description: Allow cert-manager to solve DNS challenges using Netcup DNS API
     digest: 4b1c49ef9ab1c57428cff35824dd7cb13f187af74fa7dcd560dd788aa0dce892
     name: cert-manager-webhook-netcup
@@ -257,7 +290,7 @@ entries:
     version: 1.0.8
   - apiVersion: v1
     appVersion: 1.0.7
-    created: "2023-05-11T20:06:17.516919+02:00"
+    created: "2023-06-14T14:44:31.613223+02:00"
     description: Allow cert-manager to solve DNS challenges using Netcup DNS API
     digest: 0d262079f7326e41020df239298f5106bebaf9d797a9ce61550caa6457237a69
     name: cert-manager-webhook-netcup
@@ -266,7 +299,7 @@ entries:
     version: 1.0.7
   - apiVersion: v1
     appVersion: 1.0.6
-    created: "2023-05-11T20:06:17.516498+02:00"
+    created: "2023-06-14T14:44:31.611014+02:00"
     description: Allow cert-manager to solve DNS challenges using Netcup DNS API
     digest: f1eb0f11758d480a6fa187a54cdca8669b1ccdb75f022b53d84253723827b7c7
     name: cert-manager-webhook-netcup
@@ -275,7 +308,7 @@ entries:
     version: 1.0.6
   - apiVersion: v1
     appVersion: 1.0.5
-    created: "2023-05-11T20:06:17.516045+02:00"
+    created: "2023-06-14T14:44:31.61082+02:00"
     description: Allow cert-manager to solve DNS challenges using Netcup DNS API
     digest: 24df7547c2509b06972440c318a22e7e62c0c00c55a796b2c71b70c2e6a1f9bf
     name: cert-manager-webhook-netcup
@@ -284,11 +317,11 @@ entries:
     version: 1.0.5
   - apiVersion: v1
     appVersion: 1.0.3
-    created: "2023-05-11T20:06:17.515853+02:00"
+    created: "2023-06-14T14:44:31.610623+02:00"
     description: Allow cert-manager to solve DNS challenges using Netcup DNS API
     digest: 03f7f124bb6d76a606a9ed598466b1f4aa422c4406bde52cfff1202a209cd9fd
     name: cert-manager-webhook-netcup
     urls:
     - cert-manager-webhook-netcup-1.0.3.tgz
     version: 1.0.3
-generated: "2023-05-11T20:06:17.514043+02:00"
+generated: "2023-06-14T14:44:31.60859+02:00"
diff --git a/charts/release.sh b/charts/release.sh
index 53dce81..38f2656 100755
--- a/charts/release.sh
+++ b/charts/release.sh
@@ -2,5 +2,5 @@
 
 helm package ../deploy/cert-manager-webhook-netcup && \
 find . -name "*.tgz" | while read f; do \
-helm gpg sign $f ; helm gpg verify $f ; done && \
+if [ ! -e "$f.prov" ]; then helm gpg sign $f ; helm gpg verify $f ; fi; done && \
 helm repo index .
diff --git a/deploy/cert-manager-webhook-netcup/Chart.yaml b/deploy/cert-manager-webhook-netcup/Chart.yaml
index 3e57112..9c55924 100644
--- a/deploy/cert-manager-webhook-netcup/Chart.yaml
+++ b/deploy/cert-manager-webhook-netcup/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "1.0.15"
-version: 1.0.15
+appVersion: "1.0.16"
+version: 1.0.16
 description: A Helm chart for cert manager webhook solver for ACME DNS01 challenge via Netcup
 name: cert-manager-webhook-netcup
 home: https://github.com/aellwein/cert-manager-webhook-netcup
@@ -19,10 +19,10 @@ annotations:
       email: alex.ellwein@gmail.com
   artifacthub.io/containsSecurityUpdates: "true"
   artifacthub.io/changes: |
-    - kind: added
-      description: "use Alpine 3.18 base image"
     - kind: fixed
-      description: "upgrade base image to mitigate openssl CVE-2023-1255"
+      description: "use Busybox 1.36.1 for base image to mitigate CVE-2023-2650"
+    - kind: added
+      description: "Build with Go 1.20.5"
   artifacthub.io/signKey: |
     fingerprint: "F91914CE96676E209A8240290EEF2777053A7D1A"
     url: https://keybase.io/aellwein/pgp_keys.asc
diff --git a/deploy/cert-manager-webhook-netcup/values.yaml b/deploy/cert-manager-webhook-netcup/values.yaml
index c89d755..da1b5b8 100644
--- a/deploy/cert-manager-webhook-netcup/values.yaml
+++ b/deploy/cert-manager-webhook-netcup/values.yaml
@@ -15,7 +15,7 @@ certManager:
 
 image:
   repository: elvino76/cert-manager-webhook-netcup
-  tag: 1.0.15
+  tag: 1.0.16
   # sha hash can be used to specify image version, instead of tag
   hash: ""
   pullPolicy: IfNotPresent