@PillaiManish PillaiManish commented Dec 8, 2025

Rebase downstream cert-manager-operator for v1.19.0 with upstream cert-manager v1.19.2.

replace sigs.k8s.io/controller-tools => github.com/openshift/kubernetes-sigs-controller-tools v0.12.1-0.20250220141355-6d2c85031fbc

Since github.com/openshift/kubernetes-sigs-controller-tools is not being maintained in the downstream.


All of the following steps were done with the help of the automation script: #309

go get github.com/cert-manager/[email protected]
go mod edit -replace github.com/cert-manager/cert-manager=github.com/openshift/[email protected]
go mod tidy && go mod vendor
  • Update Makefile: BUNDLE_VERSION, CERT_MANAGER_VERSION, CHANNELS
    - replace CERT_MANAGER_VERSION -> "v1.19.2"
  • make update
  • make bundle
  • More manual replacements
    - replace "1.18.3" -> "1.19.2" (operand)
  • Update docker files images to golang-1.25 (and openshift-4.21)
  • Fixes for latest version updates

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Dec 8, 2025
openshift-ci-robot commented Dec 8, 2025

@PillaiManish: This pull request references CM-825 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 8, 2025
coderabbitai bot commented Dec 8, 2025

Walkthrough

Upgrades cert-manager from v1.18.3→v1.19.2 and Go toolchain from 1.24→1.25. Changes include dependency bumps, builder image tag updates, CRD schema extensions (list/map typing, new RFC2136 protocol, issuerRef description), bundle/operator metadata and many manifest image/version updates, plus small code and asset adjustments.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Build images & toolchain: .ci-operator.yaml, Dockerfile, images/ci/*Dockerfile, images/ci/operand.Dockerfile, bundle.Dockerfile, go.mod | Bump Go toolchain and builder images to 1.25 / rhel-9-golang-1.25-openshift-4.21; large dependency version updates in go.mod including cert-manager v1.19.2 and Kubernetes-related modules. |
| Makefile & bundle metadata: Makefile, bundle/metadata/annotations.yaml | BUNDLE_VERSION/CERT_MANAGER_VERSION and CHANNELS updated to 1.19.x; DEFAULT_CHANNEL added; CONTAINER_IMAGE_NAME updated; bundle channels annotation adjusted. |
| Bindata manifests (cert-manager deployment): bindata/cert-manager-deployment/... (cainjector, controller, webhook) | App/version labels and container image tags updated v1.18.3→v1.19.2; tokenrequest RB asset filename/path corrected (moved/renamed). |
| Bundle & operator CSV / manager manifests: bundle/manifests/*.clusterserviceversion.yaml, config/manifests/bases/*.clusterserviceversion.yaml, config/manager/manager.yaml | Operator CSV metadata/version fields bumped (operator and operand versions, olm.skipRange, minKubeVersion); relatedImages and env vars updated to 1.19.x. |
| CRD schema updates (bundle & config/crd/bases): bundle/manifests/*, config/crd/bases/*.yaml (certificates, certificaterequests, issuers, clusterissuers, challenges, orders, istio csrs, operator.openshift.io_*.yaml) | Extensive OpenAPI/CRD changes: add app.kubernetes.io/component: crds, bump app version to v1.19.2, add x-kubernetes-list-type/x-kubernetes-list-map-keys/map list metadata, add protocol field (RFC2136 DNS01 nameserver, TCP/UDP), add podTemplate resources blocks, update issuerRef descriptions/defaults, remove beta-field notes, and adjust printer jsonPath spacing. |
| Generated code & applyconfigurations: api/operator/v1alpha1/zz_generated.deepcopy.go, pkg/operator/applyconfigurations/operator/v1alpha1/*.go, pkg/operator/applyconfigurations/internal/internal.go, pkg/operator/applyconfigurations/utils.go | DeepCopy for IssuerRef changed to call DeepCopyInto; CertManager/IstioCSR apply-configuration types gain IsApplyConfiguration and Get* getters; CertManagerConfigApplyConfiguration.IssuerRef type changed to v1.IssuerReference; structured-merge-diff import upgraded (v4→v6); TypeConverter signature switched to managedfields.TypeConverter. |
| Assets & bindata regen: pkg/operator/assets/bindata.go | Regenerated bindata: moved/renamed tokenrequest RB asset path, updated embedded manifest contents/versions, updated asset maps and helpers. |
| Controller, deployment & tests: pkg/controller/deployment/*.go, pkg/controller/*_test.go, pkg/operator/clientset/versioned/fake/clientset_generated.go | Asset path reference corrected in deployment, test string literals and image expectations updated to v1.19.2, minor typo fix in fake client watch reactor (watchActcion→watchAction). |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Areas requiring extra attention:

  • CRD schema changes (x-kubernetes-list-type/map-keys additions, new protocol and podTemplate resources) — verify OpenAPI correctness and intended patch/merge semantics.
  • Apply-configuration API changes: IssuerRef type change and added getters/methods — check caller impact and compatibility.
  • Large dependency upgrades in go.mod and Go toolchain bump — ensure builds and generated code are compatible.
  • Asset path/name change for tokenrequest RB and bindata regeneration — confirm all references updated and nothing still references the old path.
  • Affinity/weight description changes in CRDs — confirm these are documentation/description-only or reflect intended behavioral adjustments.

openshift-ci-robot commented Dec 9, 2025

@PillaiManish: This pull request references CM-825 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

Rebase downstream cert-manager-operator for v1.19.0 with upstream cert-manager v1.19.1.

replace sigs.k8s.io/controller-tools => github.com/openshift/kubernetes-sigs-controller-tools v0.12.1-0.20250220141355-6d2c85031fbc

Since github.com/openshift/kubernetes-sigs-controller-tools is not being maintained in the downstream.


All of the following steps were done with the help of the automation script: #309

go get github.com/cert-manager/[email protected]
go mod edit -replace github.com/cert-manager/cert-manager=github.com/openshift/[email protected]
go mod tidy && go mod vendor
  • Update Makefile: BUNDLE_VERSION, CERT_MANAGER_VERSION, CHANNELS
    - replace CERT_MANAGER_VERSION -> "v1.19.1"
  • make update
  • make bundle
  • More manual replacements
    - replace "1.18.3" -> "1.19.1" (operand)
  • Update docker files images to golang-1.25 (and openshift-4.21)
  • Fixes for latest version updates

@PillaiManish PillaiManish changed the title WIP: CM-825: release chore: Upstream bump for v1.19.1 and rebase for v1.19.0 release CM-825: release chore: Upstream bump for v1.19.1 and rebase for v1.19.0 release Dec 9, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 9, 2025
@lunarwhite lunarwhite left a comment

Thanks for your work. Some suggestions:

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 12, 2025
@PillaiManish
Member Author

Ideally we should bump with 1.19.2 which just got released days ago to reduce future work

https://github.com/openshift/jetstack-cert-manager/tags right now we don't have the required tag.

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 16, 2025
@PillaiManish PillaiManish changed the title CM-825: release chore: Upstream bump for v1.19.1 and rebase for v1.19.0 release CM-825: release chore: Upstream bump for v1.19.2 and rebase for v1.19.0 release Dec 16, 2025
openshift-ci-robot commented Dec 16, 2025

@PillaiManish: This pull request references CM-825 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 8

🧹 Nitpick comments (5)
.idea/.gitignore (1)

1-8: Consider using repository-root .gitignore or global gitignore instead.

IDE-specific configuration directories like .idea/ should typically not be committed to the repository. Different team members may use different IDEs (VS Code, vim, emacs, etc.), and IDE-specific ignore files create unnecessary repository clutter.

Consider either:

  1. Adding these patterns to the repository's root .gitignore file, or
  2. Using a global gitignore configuration (~/.gitignore_global)
.idea/cert-manager-operator.iml (1)

1-4: Consider adding .idea/ to .gitignore.

IDE configuration files are typically user-specific and can cause merge conflicts. Consider excluding the .idea/ directory unless the team has explicitly decided to version-control IDE settings.

rebase_automation.sh (3)

13-14: Remove unused REPO_ROOT variable.

REPO_ROOT is defined but never referenced in the script. Based on static analysis (SC2034).

 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-REPO_ROOT="$SCRIPT_DIR"
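Review bot: Deleting `REPO_ROOT` at line 14 silences SC2034, but the file scan later in this same script calls `find .` with relative `-not -path "./vendor/*"` filters, so what gets rewritten depends on the directory the script is launched from. Consider keeping the variable and using it, for example `cd "$REPO_ROOT"` before the scan, so the version replacement always runs against the repository root.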

358-361: Word boundary pattern may cause unintended matches.

The pattern \b${old_version}\b could match version substrings in edge cases (e.g., "1.18.0" within a hypothetical "v1.18.0-rc1" or similar). Consider using more restrictive anchoring if precision is critical.


314-320: Array assignment from command substitution is fragile for filenames with spaces.

Shellcheck SC2207: If any file has spaces or newlines in its name, word splitting will corrupt the array. In this OpenShift repo context, this is unlikely, but using mapfile with null-delimited find would be more robust.

-    local files_to_check=(
-        $(find . -type f \( -name "*.go" -o -name "*.yaml" -o -name "*.yml" -o -name "*.json" -o -name "*.md" -o -name "*.Dockerfile" \) \
-          -not -path "./vendor/*" \
-          -not -path "./.git/*" \
-          -not -path "./testbin/*" \
-          | grep -v "go.sum")
-    )
+    local files_to_check=()
+    while IFS= read -r -d '' file; do
+        [[ "$file" != *"go.sum"* ]] && files_to_check+=("$file")
+    done < <(find . -type f \( -name "*.go" -o -name "*.yaml" -o -name "*.yml" -o -name "*.json" -o -name "*.md" -o -name "*.Dockerfile" \) \
+          -not -path "./vendor/*" \
+          -not -path "./.git/*" \
+          -not -path "./testbin/*" \
+          -print0)
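Review bot: The `go.sum` test in the added loop body is redundant, because none of the `-name` patterns given to `find` (`*.go`, `*.yaml`, `*.yml`, `*.json`, `*.md`, `*.Dockerfile`) can match a file named `go.sum`, while `*"go.sum"*` also drops any path that merely contains that string. Removing the test lets the loop collapse to `mapfile -d '' -t files_to_check < <(find ... -print0)`, which is the `mapfile` form the comment text itself recommends; note that `mapfile -d` needs bash 4.4 or later.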
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between dc0f25f and 7036f01.

⛔ Files ignored due to path filters (215)
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificateadditionaloutputformat.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificatecondition.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificatekeystores.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificateprivatekey.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificaterequest.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificaterequestcondition.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificaterequestspec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificaterequeststatus.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificatesecrettemplate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificatespec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificatestatus.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/clusterissuer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/issuer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/issuercondition.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/issuerconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/issuerspec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/issuerstatus.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/jkskeystore.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/nameconstraintitem.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/nameconstraints.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/othername.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/pkcs12keystore.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/selfsignedissuer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/serviceaccountref.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/vaultapprole.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/vaultauth.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/vaultclientcertificateauth.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/vaultissuer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/vaultkubernetesauth.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/venaficloud.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/venafiissuer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/venafitpp.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/x509subject.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1/issuerreference.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1/localobjectreference.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1/secretkeyselector.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1/acme_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1/challenge.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1/order.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1/certificate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1/certificaterequest.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1/certmanager_client.go is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (85)
  • .ci-operator.yaml (1 hunks)
  • .idea/.gitignore (1 hunks)
  • .idea/cert-manager-operator.iml (1 hunks)
  • .idea/golinter.xml (1 hunks)
  • .idea/vcs.xml (1 hunks)
  • Dockerfile (1 hunks)
  • Makefile (2 hunks)
  • api/operator/v1alpha1/zz_generated.deepcopy.go (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-deployment.yaml (3 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-sa.yaml (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml (1 hunks)
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-cluster-view-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml (3 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-edit-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-rb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-role.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-sa.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-svc.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-role.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-view-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml (3 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-rb.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-role.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-mutatingwebhookconfiguration.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-sa.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-svc.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-validatingwebhookconfiguration.yaml (1 hunks)
  • bundle.Dockerfile (1 hunks)
  • bundle/manifests/acme.cert-manager.io_challenges.yaml (19 hunks)
  • bundle/manifests/acme.cert-manager.io_orders.yaml (6 hunks)
  • bundle/manifests/cert-manager-operator.clusterserviceversion.yaml (4 hunks)
  • bundle/manifests/cert-manager.io_certificaterequests.yaml (5 hunks)
  • bundle/manifests/cert-manager.io_certificates.yaml (14 hunks)
  • bundle/manifests/cert-manager.io_clusterissuers.yaml (25 hunks)
  • bundle/manifests/cert-manager.io_issuers.yaml (25 hunks)
  • bundle/manifests/operator.openshift.io_certmanagers.yaml (7 hunks)
  • bundle/manifests/operator.openshift.io_istiocsrs.yaml (4 hunks)
  • bundle/metadata/annotations.yaml (1 hunks)
  • config/crd/bases/certificaterequests.cert-manager.io-crd.yaml (5 hunks)
  • config/crd/bases/certificates.cert-manager.io-crd.yaml (14 hunks)
  • config/crd/bases/challenges.acme.cert-manager.io-crd.yaml (19 hunks)
  • config/crd/bases/clusterissuers.cert-manager.io-crd.yaml (25 hunks)
  • config/crd/bases/issuers.cert-manager.io-crd.yaml (25 hunks)
  • config/crd/bases/operator.openshift.io_certmanagers.yaml (7 hunks)
  • config/crd/bases/operator.openshift.io_istiocsrs.yaml (4 hunks)
  • config/crd/bases/orders.acme.cert-manager.io-crd.yaml (6 hunks)
  • config/manager/manager.yaml (1 hunks)
  • config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml (3 hunks)
  • go.mod (11 hunks)
  • images/ci/Dockerfile (1 hunks)
  • images/ci/operand.Dockerfile (1 hunks)
  • pkg/controller/deployment/cert_manager_controller_deployment.go (1 hunks)
  • pkg/controller/deployment/deployment_overrides_test.go (3 hunks)
  • pkg/controller/istiocsr/deployments_test.go (1 hunks)
  • pkg/operator/applyconfigurations/internal/internal.go (1 hunks)
  • pkg/operator/applyconfigurations/operator/v1alpha1/certmanager.go (2 hunks)
  • pkg/operator/applyconfigurations/operator/v1alpha1/certmanagerconfig.go (2 hunks)
  • pkg/operator/applyconfigurations/operator/v1alpha1/istiocsr.go (2 hunks)
  • pkg/operator/applyconfigurations/utils.go (2 hunks)
  • pkg/operator/assets/bindata.go (51 hunks)
  • pkg/operator/clientset/versioned/fake/clientset_generated.go (1 hunks)
  • rebase_automation.sh (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml
  • bundle.Dockerfile
  • pkg/operator/clientset/versioned/fake/clientset_generated.go
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-role.yaml
  • images/ci/Dockerfile
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-validatingwebhookconfiguration.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-crb.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-svc.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-rb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-edit-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-rb.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml
  • pkg/operator/applyconfigurations/utils.go
  • images/ci/operand.Dockerfile
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml
  • config/manager/manager.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml
  • pkg/operator/applyconfigurations/operator/v1alpha1/certmanagerconfig.go
  • Dockerfile
  • api/operator/v1alpha1/zz_generated.deepcopy.go
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-sa.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-sa.yaml
  • go.mod
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml
  • bundle/manifests/cert-manager.io_certificates.yaml
  • bundle/metadata/annotations.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml
  • pkg/controller/istiocsr/deployments_test.go
  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-cr.yaml
  • Makefile
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-cr.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-role.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-sa.yaml
  • pkg/operator/applyconfigurations/operator/v1alpha1/istiocsr.go
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-mutatingwebhookconfiguration.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-svc.yaml
  • bundle/manifests/acme.cert-manager.io_challenges.yaml
  • config/crd/bases/certificaterequests.cert-manager.io-crd.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml
  • pkg/controller/deployment/cert_manager_controller_deployment.go
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml
  • pkg/controller/deployment/deployment_overrides_test.go
  • rebase_automation.sh
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-cluster-view-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-view-cr.yaml
  • bundle/manifests/cert-manager.io_certificaterequests.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-crb.yaml
  • config/crd/bases/issuers.cert-manager.io-crd.yaml
  • config/crd/bases/operator.openshift.io_istiocsrs.yaml
  • bundle/manifests/cert-manager.io_issuers.yaml
  • bundle/manifests/operator.openshift.io_istiocsrs.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-deployment.yaml
  • config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
  • pkg/operator/applyconfigurations/operator/v1alpha1/certmanager.go
  • config/crd/bases/challenges.acme.cert-manager.io-crd.yaml
  • config/crd/bases/clusterissuers.cert-manager.io-crd.yaml
  • bundle/manifests/acme.cert-manager.io_orders.yaml
  • bundle/manifests/cert-manager.io_clusterissuers.yaml
  • bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-role.yaml
  • config/crd/bases/operator.openshift.io_certmanagers.yaml
  • config/crd/bases/orders.acme.cert-manager.io-crd.yaml
  • config/crd/bases/certificates.cert-manager.io-crd.yaml
  • bundle/manifests/operator.openshift.io_certmanagers.yaml
  • pkg/operator/assets/bindata.go
  • pkg/operator/applyconfigurations/internal/internal.go
🪛 Shellcheck (0.11.0)
rebase_automation.sh

[warning] 14-14: REPO_ROOT appears unused. Verify use (or export if used externally).

(SC2034)


[warning] 143-143: Declare and assign separately to avoid masking return values.

(SC2155)


[warning] 197-197: Declare and assign separately to avoid masking return values.

(SC2155)


[warning] 198-198: Declare and assign separately to avoid masking return values.

(SC2155)


[warning] 272-272: Declare and assign separately to avoid masking return values.

(SC2155)


[warning] 273-273: Declare and assign separately to avoid masking return values.

(SC2155)


[warning] 280-280: Declare and assign separately to avoid masking return values.

(SC2155)


[warning] 281-281: Declare and assign separately to avoid masking return values.

(SC2155)


[warning] 315-319: Prefer mapfile or read -a to split command output (or quote to avoid splitting).

(SC2207)


[warning] 335-335: Declare and assign separately to avoid masking return values.

(SC2155)


[warning] 407-407: Prefer mapfile or read -a to split command output (or quote to avoid splitting).

(SC2207)

Comment on lines +1435 to 1437
compute a sum by iterating through the elements of this field and subtracting
"weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's check the file exists and read the specific lines
cd bundle/manifests && ls -la acme.cert-manager.io_challenges.yaml 2>/dev/null || cd ../.. && ls -la bundle/manifests/acme.cert-manager.io_challenges.yaml

Repository: openshift/cert-manager-operator

Length of output: 280


🏁 Script executed:

# Read lines around 1435-1437
sed -n '1430,1445p' bundle/manifests/acme.cert-manager.io_challenges.yaml

Repository: openshift/cert-manager-operator

Length of output: 1599


🏁 Script executed:

# Read lines around 2738-2740
sed -n '2733,2750p' bundle/manifests/acme.cert-manager.io_challenges.yaml

Repository: openshift/cert-manager-operator

Length of output: 1751


🌐 Web query:

Kubernetes WeightedPodAffinityTerm documentation weight calculation subtract or add

💡 Result:

The weight is added (summed) to the node's score — Kubernetes iterates preferred rules a node satisfies and adds each rule's weight to the node's score (it is not subtracted). [1][2]

Sources:
[1] Kubernetes docs — Assigning Pods to Nodes (pod/node affinity weight described).
[2] Kubernetes v1.33 docs — node/pod affinity preferred weight explanation.


Fix contradictory PodAntiAffinity documentation: change "subtracting" to "adding"

The current text states the scheduler computes "a sum by iterating through the elements of this field and subtracting weight from the sum," but then concludes "the node(s) with the highest sum are the most preferred." This is contradictory—subtracting weight would make lower sums preferred. Kubernetes documentation explicitly states that weights are added per-node to find the most preferred node(s), not subtracted.

-          compute a sum by iterating through the elements of this field and subtracting
-          "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+          compute a sum by iterating through the elements of this field and adding
+          "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
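Review bot: the two `+` lines hand-edit description text in bundle/manifests/acme.cert-manager.io_challenges.yaml, yet the comment header marks line 1435 as added by this PR, so the "subtracting" wording arrived with the rebase rather than from a local change. The same sentence is reported later in this review at config/crd/bases/issuers.cert-manager.io-crd.yaml lines 1472-1474 and 2683-2685, where the file is described as generated from cert-manager v1.19.2. Patching only this copy would leave the manifests inconsistent with each other, and the edit would be lost on the next regeneration. Suggest comparing the wording against the upstream v1.19.2 CRD first and, if a change is still wanted, making it at the source and regenerating every copy.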

Also applies to: 2738-2740

🤖 Prompt for AI Agents
In bundle/manifests/acme.cert-manager.io_challenges.yaml around lines 1435-1437
(and also apply the same change at lines 2738-2740), update the PodAntiAffinity
description to remove the contradiction by replacing the term "subtracting
weight from the sum" with "adding weight to the sum"; ensure the sentence reads
that the scheduler computes a sum by iterating through the elements of this
field and adding the corresponding "weight" when a node has matching pods so
that the node(s) with the highest sum are the most preferred.

Comment on lines +10 to +13
app.kubernetes.io/component: crds
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/version: v1.18.3
app.kubernetes.io/version: v1.19.2

⚠️ Potential issue | 🟡 Minor

Verify app.kubernetes.io/version matches the actual cert-manager operand version

The label is set to v1.19.2, while the PR description talks about rebasing against cert-manager v1.19.1. If the shipped operand (images, Go module replace, etc.) is actually v1.19.1, this label will be misleading for users and tooling that rely on it for debugging and inventory.

Recommend aligning this label with the real operand version (or updating the operand to match the label), and ensuring the same value is used consistently across all cert-manager bundle/CRD manifests.

🤖 Prompt for AI Agents
In bundle/manifests/cert-manager.io_clusterissuers.yaml around lines 10 to 13,
the app.kubernetes.io/version label is set to v1.19.2 but the PR indicates the
operand was rebased to v1.19.1; update this label to match the actual shipped
cert-manager operand version (or update the operand to v1.19.2 if that was
intended) and then ensure the same version string is used consistently across
all cert-manager bundle and CRD manifests in the repo (search and replace
occurrences, and verify container image tags/Go module replaces align with the
chosen version).

Comment on lines +1472 to 1474
compute a sum by iterating through the elements of this field and subtracting
"weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's read the file to see the exact content at the specified lines
wc -l config/crd/bases/issuers.cert-manager.io-crd.yaml

Repository: openshift/cert-manager-operator

Length of output: 129


🏁 Script executed:

# Read lines around 1472-1474 to see the full context
sed -n '1465,1480p' config/crd/bases/issuers.cert-manager.io-crd.yaml

Repository: openshift/cert-manager-operator

Length of output: 1864


🏁 Script executed:

# Read lines around 2683-2685 to see the full context
sed -n '2676,2691p' config/crd/bases/issuers.cert-manager.io-crd.yaml

Repository: openshift/cert-manager-operator

Length of output: 1864


🌐 Web query:

Kubernetes PodAntiAffinity weight preferredDuringSchedulingIgnoredDuringExecution documentation

💡 Result:

  • What it is: the weight field on a preferredDuringSchedulingIgnoredDuringExecution podAntiAffinity rule gives that rule a numeric importance (soft preference) used by the scheduler when scoring nodes. [1]

  • Semantics: for each node that satisfies the pod’s other scheduling requirements, the scheduler iterates every preferred podAffinity/podAntiAffinity rule that the node satisfies and adds that rule’s weight to the node’s score; nodes with higher total score are preferred. The rule remains "soft" — it can be violated if no node meets the preference. [1][2]

  • Value/range: integer 1–100. [1]

  • Key bits to include in YAML:

    • podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution: a list of {weight, podAffinityTerm}
    • podAffinityTerm contains labelSelector and topologyKey (topologyKey cannot be empty for pod anti-affinity). Example: weight: 100 with topologyKey: topology.kubernetes.io/zone. [1][2]

Sources: [1] Kubernetes docs — Assigning Pods to Nodes (pod affinity/anti‑affinity and weight). [2] Kubernetes v1.32 docs / examples.


🏁 Script executed:

# Look for upstream cert-manager types or schema
find . -name "*.go" -type f | head -20

Repository: openshift/cert-manager-operator

Length of output: 939


🌐 Web query:

cert-manager upstream issuer CRD PodAntiAffinity weight types

💡 Result:

In cert-manager’s upstream Issuer/ClusterIssuer PodAntiAffinity CRD the "weight" field is an integer (int32) in the range 1–100 used on Preferred (preferredDuringSchedulingIgnoredDuringExecution) rules; Required rules (requiredDuringSchedulingIgnoredDuringExecution) do not use a weight. [1][2]

Sources:
[1] cert-manager CRD schema showing podAntiAffinity weight as integer 1–100.
[2] cert-manager/clusterissuer CRD docs listing preferred vs required affinity and weight semantics.


🏁 Script executed:

# Check if there's any indication this file is generated
head -20 config/crd/bases/issuers.cert-manager.io-crd.yaml

Repository: openshift/cert-manager-operator

Length of output: 626


🏁 Script executed:

# Let's check the git history or any comments about how this file is maintained
head -100 config/crd/bases/issuers.cert-manager.io-crd.yaml | tail -80

Repository: openshift/cert-manager-operator

Length of output: 4260


🏁 Script executed:

# Search for any scripts or docs that manage this CRD file
find . -name "*.md" -o -name "*.sh" | xargs grep -l "issuers.cert-manager.io-crd" 2>/dev/null | head -5

Repository: openshift/cert-manager-operator

Length of output: 57


🌐 Web query:

cert-manager 1.19.2 upstream Issuer CRD PodAntiAffinity description subtracting adding

💡 Result:

Short answer: the upstream cert-manager v1.19.x CRDs include an Issuer/ClusterIssuer schema field podAntiAffinity (with the standard Kubernetes podAntiAffinity description and properties). This was present in the generated CRD templates used by the chart/CRD YAML (see the podAntiAffinity description and preferredDuringSchedulingIgnoredDuringExecution text). See the cert-manager releases/docs and the CRD template showing the podAntiAffinity description. [1][2]

Sources:

  • cert-manager v1.19 release notes. [1]
  • cert-manager CRD template showing podAntiAffinity description/properties (charts/templates/crds.yaml). [2]

🏁 Script executed:

# Let's look at the exact context around both locations to understand the internal contradiction
sed -n '1468,1485p' config/crd/bases/issuers.cert-manager.io-crd.yaml | cat -n

Repository: openshift/cert-manager-operator

Length of output: 2146


🏁 Script executed:

# Check the second location as well
sed -n '2679,2696p' config/crd/bases/issuers.cert-manager.io-crd.yaml | cat -n

Repository: openshift/cert-manager-operator

Length of output: 2146


🌐 Web query:

cert-manager v1.19.2 upstream source code issuer_types podAntiAffinity weight

💡 Result:

In cert-manager v1.19.2 the Issuer/ClusterIssuer pod template affinity fields reuse Kubernetes' core/v1 PodAffinity/PodAntiAffinity types; the "weight" is the Kubernetes WeightedPodAffinityTerm.weight (an int32 in range 1–100). [1][2]

Sources:

  • cert-manager API types (pkg/apis/certmanager/v1) — cert-manager uses k8s PodTemplateSpec/Affinity types. [1]
  • Kubernetes core/v1 WeightedPodAffinityTerm: Weight int32 (range 1–100). [2]

🏁 Script executed:

# Let's verify this is indeed generated from upstream by checking for generation markers
grep -i "generated\|autogenerated\|do not edit" config/crd/bases/issuers.cert-manager.io-crd.yaml | head -5

Repository: openshift/cert-manager-operator

Length of output: 158


🏁 Script executed:

# Check if there's a script or make target that regenerates this CRD
find . -name "Makefile" -o -name "*.mk" | xargs grep -l "crd\|generate" 2>/dev/null | head -3

Repository: openshift/cert-manager-operator

Length of output: 85


🏁 Script executed:

# Check the Makefile for CRD generation targets
cat Makefile | grep -A 10 -B 2 "crd\|generate" | head -60

Repository: openshift/cert-manager-operator

Length of output: 3118


🏁 Script executed:

# Look for any documentation about the CRD source
find . -name "*.md" | xargs grep -l "CRD\|crd" 2>/dev/null | head -3

Repository: openshift/cert-manager-operator

Length of output: 86


🏁 Script executed:

# Let's check the README for more context about upstream sources
head -50 README.md

Repository: openshift/cert-manager-operator

Length of output: 1895


🏁 Script executed:

# Let's verify the exact Kubernetes upstream documentation behavior with a final check
# Looking at the structure - the main description contradicts the items description
# Let's see both full descriptions in context
sed -n '1450,1500p' config/crd/bases/issuers.cert-manager.io-crd.yaml | grep -A 20 "preferredDuringScheduling"

Repository: openshift/cert-manager-operator

Length of output: 2359


PodAntiAffinity weight description uses "subtracting" but should use "adding"

Lines 1472–1474 (and 2683–2685) describe the scheduler as "subtracting 'weight'" when in fact it adds weights to the node score. This contradicts both the Kubernetes upstream documentation and the immediately following description in the same CRD (at the items level) which correctly states "The weights... are added per-node." The scheduler selects the node with the highest sum of added weights, not subtracted ones. Since this file is generated from cert-manager v1.19.2, this error likely originates in the upstream schema and should be fixed there and regenerated rather than hand-edited downstream.

🤖 Prompt for AI Agents
In config/crd/bases/issuers.cert-manager.io-crd.yaml around lines 1472-1474 (and
also 2683-2685), the PodAntiAffinity description incorrectly says the scheduler
"subtracts" the weight when computing node scores; change the wording to state
that the weights are "added" to the per-node sum and that the scheduler selects
the node(s) with the highest total, and then regenerate this CRD from the
corrected cert-manager v1.19.2 schema upstream (or fix the upstream schema and
re-run the CRD generation) so the correction is applied consistently rather than
hand-editing the generated file.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (2)
config/crd/bases/issuers.cert-manager.io-crd.yaml (1)

1472-1474: PodAntiAffinity weight description still uses “subtracting” instead of “adding”

These descriptions say the scheduler subtracts weight per matched term, but Kubernetes actually adds weights to compute node scores, and the surrounding text already speaks about the “greatest sum of weights.” This is a documentation inconsistency with scheduler behavior and the item-level description just below.

Consider aligning both blocks with the wording used for podAffinity/nodeAffinity (i.e., weights are added to the per-node sum) in the upstream schema or generator, then regenerating this CRD rather than hand-editing the generated YAML.

Also applies to: 2683-2685

bundle/manifests/acme.cert-manager.io_challenges.yaml (1)

1427-1437: Fix podAntiAffinity weight description: “subtracting” should be “adding”

The description currently says the scheduler computes a sum by subtracting weight, yet concludes that nodes with the highest sum are preferred. In reality, weights are added per matching term; the current text is self‑contradictory.

-          compute a sum by iterating through the elements of this field and subtracting
-          "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+          compute a sum by iterating through the elements of this field and adding
+          "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
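
Review bot: The two `+` lines hand-edit generated text in bundle/manifests/acme.cert-manager.io_challenges.yaml, while the same review asks for the identical wording in config/crd/bases/issuers.cert-manager.io-crd.yaml to be corrected in the upstream schema and regenerated rather than hand-edited; a manual change here would be overwritten the next time the bundle is regenerated and would leave the two manifests out of step. The suggestion also conflicts with the note on bundle/manifests/cert-manager.io_issuers.yaml (1566-1568), which treats the "subtracting" wording as a documentation-only change that needs no adjustment, so settle which wording the upstream v1.19.2 schema intends before applying it. If the line is touched at all, "pods which matches" should read "pods which match".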

Apply the same change in both occurrences (Line 1435-1437 and Line 2738-2740).

Also applies to: 2730-2740

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 7036f01 and 13f4052.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (80)
  • .ci-operator.yaml (1 hunks)
  • Dockerfile (1 hunks)
  • Makefile (2 hunks)
  • api/operator/v1alpha1/zz_generated.deepcopy.go (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-deployment.yaml (3 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-sa.yaml (1 hunks)
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml (1 hunks)
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-cluster-view-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml (3 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-edit-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-rb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-role.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-sa.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-svc.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-role.yaml (1 hunks)
  • bindata/cert-manager-deployment/controller/cert-manager-view-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml (3 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-rb.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-role.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-mutatingwebhookconfiguration.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-sa.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-svc.yaml (1 hunks)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-validatingwebhookconfiguration.yaml (1 hunks)
  • bundle.Dockerfile (1 hunks)
  • bundle/manifests/acme.cert-manager.io_challenges.yaml (19 hunks)
  • bundle/manifests/acme.cert-manager.io_orders.yaml (6 hunks)
  • bundle/manifests/cert-manager-operator.clusterserviceversion.yaml (5 hunks)
  • bundle/manifests/cert-manager.io_certificaterequests.yaml (5 hunks)
  • bundle/manifests/cert-manager.io_certificates.yaml (14 hunks)
  • bundle/manifests/cert-manager.io_clusterissuers.yaml (25 hunks)
  • bundle/manifests/cert-manager.io_issuers.yaml (25 hunks)
  • bundle/manifests/operator.openshift.io_certmanagers.yaml (7 hunks)
  • bundle/manifests/operator.openshift.io_istiocsrs.yaml (4 hunks)
  • bundle/metadata/annotations.yaml (1 hunks)
  • config/crd/bases/certificaterequests.cert-manager.io-crd.yaml (5 hunks)
  • config/crd/bases/certificates.cert-manager.io-crd.yaml (14 hunks)
  • config/crd/bases/challenges.acme.cert-manager.io-crd.yaml (19 hunks)
  • config/crd/bases/clusterissuers.cert-manager.io-crd.yaml (25 hunks)
  • config/crd/bases/issuers.cert-manager.io-crd.yaml (25 hunks)
  • config/crd/bases/operator.openshift.io_certmanagers.yaml (7 hunks)
  • config/crd/bases/operator.openshift.io_istiocsrs.yaml (4 hunks)
  • config/crd/bases/orders.acme.cert-manager.io-crd.yaml (6 hunks)
  • config/manager/manager.yaml (1 hunks)
  • config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml (4 hunks)
  • go.mod (11 hunks)
  • images/ci/Dockerfile (1 hunks)
  • images/ci/operand.Dockerfile (1 hunks)
  • pkg/controller/deployment/cert_manager_controller_deployment.go (1 hunks)
  • pkg/controller/deployment/deployment_overrides_test.go (3 hunks)
  • pkg/controller/istiocsr/deployments_test.go (1 hunks)
  • pkg/operator/applyconfigurations/internal/internal.go (1 hunks)
  • pkg/operator/applyconfigurations/operator/v1alpha1/certmanager.go (2 hunks)
  • pkg/operator/applyconfigurations/operator/v1alpha1/certmanagerconfig.go (2 hunks)
  • pkg/operator/applyconfigurations/operator/v1alpha1/istiocsr.go (2 hunks)
  • pkg/operator/applyconfigurations/utils.go (2 hunks)
  • pkg/operator/assets/bindata.go (51 hunks)
  • pkg/operator/clientset/versioned/fake/clientset_generated.go (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-crb.yaml
🚧 Files skipped from review as they are similar to previous changes (39)
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-cr.yaml
  • config/manager/manager.yaml
  • .ci-operator.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-validatingwebhookconfiguration.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-view-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml
  • bundle.Dockerfile
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-mutatingwebhookconfiguration.yaml
  • pkg/controller/deployment/cert_manager_controller_deployment.go
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-cr.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-crb.yaml
  • pkg/controller/istiocsr/deployments_test.go
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-role.yaml
  • api/operator/v1alpha1/zz_generated.deepcopy.go
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-crb.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-sa.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-role.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-rb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-cr.yaml
  • pkg/operator/applyconfigurations/operator/v1alpha1/istiocsr.go
  • pkg/operator/applyconfigurations/utils.go
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-cr.yaml
  • images/ci/Dockerfile
  • config/crd/bases/operator.openshift.io_istiocsrs.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-rb.yaml
  • config/crd/bases/certificaterequests.cert-manager.io-crd.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-role.yaml
  • pkg/operator/applyconfigurations/internal/internal.go
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-crb.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-sa.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-svc.yaml
  • bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-edit-cr.yaml
  • pkg/operator/clientset/versioned/fake/clientset_generated.go
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-deployment.yaml
  • Dockerfile
  • config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-cluster-view-cr.yaml
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml
  • bundle/metadata/annotations.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml
  • bundle/manifests/operator.openshift.io_certmanagers.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml
  • bundle/manifests/cert-manager.io_issuers.yaml
  • pkg/operator/applyconfigurations/operator/v1alpha1/certmanagerconfig.go
  • config/crd/bases/certificates.cert-manager.io-crd.yaml
  • bundle/manifests/acme.cert-manager.io_challenges.yaml
  • Makefile
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml
  • images/ci/operand.Dockerfile
  • bindata/cert-manager-deployment/controller/cert-manager-svc.yaml
  • bundle/manifests/cert-manager.io_clusterissuers.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml
  • config/crd/bases/clusterissuers.cert-manager.io-crd.yaml
  • pkg/controller/deployment/deployment_overrides_test.go
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml
  • config/crd/bases/operator.openshift.io_certmanagers.yaml
  • go.mod
  • config/crd/bases/orders.acme.cert-manager.io-crd.yaml
  • pkg/operator/assets/bindata.go
  • config/crd/bases/issuers.cert-manager.io-crd.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml
  • bundle/manifests/cert-manager.io_certificates.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-sa.yaml
  • pkg/operator/applyconfigurations/operator/v1alpha1/certmanager.go
  • bundle/manifests/operator.openshift.io_istiocsrs.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml
  • bundle/manifests/cert-manager.io_certificaterequests.yaml
  • config/crd/bases/challenges.acme.cert-manager.io-crd.yaml
  • bundle/manifests/acme.cert-manager.io_orders.yaml
🔇 Additional comments (73)
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml (1)

9-9: Version label correctly updated.

The version label update to v1.19.2 aligns with the PR objective to upgrade cert-manager.

bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml (1)

9-9: LGTM!

The version label update to v1.19.2 is correct and consistent with the cert-manager upgrade objective.

pkg/controller/deployment/deployment_overrides_test.go (1)

35-35: LGTM! Version bump correctly applied.

The test expectations have been consistently updated to reflect the cert-manager v1.19.2 upgrade. All occurrences of the acme-http01-solver-image version string are correctly updated across default args and test expectations.

Also applies to: 123-123, 175-175

bundle/manifests/operator.openshift.io_certmanagers.yaml (3)

5-5: LGTM!

Controller-gen version bump to v0.19.0 aligns with the upstream cert-manager v1.19.2 update.


63-159: LGTM!

The fileKeyRef addition and env var name description update align with upstream Kubernetes API changes. The schema is properly structured with required fields (key, path, volumeName), sensible defaults (optional: false), and clear documentation noting the alpha EnvFiles feature gate dependency.


344-440: LGTM!

The fileKeyRef and env var name description changes are consistently applied across controllerConfig and webhookConfig, matching the cainjectorConfig section. Good schema consistency.

Also applies to: 939-1035

pkg/operator/applyconfigurations/operator/v1alpha1/certmanager.go (1)

67-67: LGTM! Generated methods follow established patterns.

The added marker method IsApplyConfiguration() and getter methods (GetKind, GetAPIVersion, GetNamespace) are correctly implemented:

  • IsApplyConfiguration() serves as an interface marker (standard pattern)
  • GetKind() and GetAPIVersion() safely access the value-embedded TypeMetaApplyConfiguration
  • GetNamespace() properly calls ensureObjectMetaApplyConfigurationExists() before accessing the pointer field, consistent with the existing GetName() implementation

These are generated additions from the upstream cert-manager v1.19.2 bump with no concerns.

Also applies to: 243-263

pkg/operator/applyconfigurations/operator/v1alpha1/certmanagerconfig.go (1)

12-12: No action needed — WithIssuerRef is not called anywhere in the codebase.

The file is correctly generated code. The IssuerRef field type (v1.IssuerReference) and the WithIssuerRef method are defined properly in the apply configuration, but the method has no actual callers. No call sites require updates because this method is not used.

Likely an incorrect or invalid review comment.

config/crd/bases/operator.openshift.io_certmanagers.yaml (3)

6-6: LGTM: Controller-gen version bump.

The controller-gen version update from v0.15.0 to v0.19.0 aligns with the upstream cert-manager v1.19.2 upgrade.


708-712: Unable to verify AI summary claims due to lack of git history in the repository. The current protocol field definition (lines 708-712) contains a description stating "If not specified, this field defaults to TCP" but no explicit default: TCP property is present. Without access to previous commits, the claim that a default value was removed cannot be confirmed. If this change is significant for users upgrading NetworkPolicy resources, it should be documented in release notes regardless of whether an explicit schema default was removed.


63-66: No action required - this uses standard Kubernetes EnvVar validation.

The overrideEnv field uses Kubernetes' standard corev1.EnvVar type, and the CRD description is auto-generated from that standard type. The description "May consist of any printable ASCII characters except '='" reflects the standard Kubernetes behavior for environment variable names, not a custom relaxation. The codebase does not implement custom validation; it relies entirely on the upstream Kubernetes API types in v0.34.1. No compatibility concerns exist.

bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2, consistent with the PR's upstream bump objective.

bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2, aligning with the cert-manager upgrade.

bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2 for the cainjector leaderelection Role.

bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2 for the cainjector ClusterRole.

bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2 for the controller challenges ClusterRole.

bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2 for the controller orders ClusterRoleBinding.

bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2 for the cainjector Service, completing the consistent version bump across all reviewed manifests.

images/ci/operand.Dockerfile (1)

1-3: Base image upgrade is properly applied across configuration files.

The base builder image has been updated to golang-1.25-openshift-4.21 and is consistently referenced in operand.Dockerfile, images/ci/Dockerfile, and the Makefile. The release branch is correctly set to v1.19.2. However, image availability cannot be verified in this environment and requires manual confirmation that the base image exists in the registry.

bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml (1)

9-9: LGTM! Version label correctly updated.

The version label update from v1.18.3 to v1.19.2 aligns with the upstream cert-manager upgrade objective.

bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml (1)

9-9: LGTM! Version label correctly updated.

The version label update to v1.19.2 is consistent with the cert-manager upgrade.

bindata/cert-manager-deployment/controller/cert-manager-sa.yaml (1)

10-10: LGTM! Version label correctly updated.

The ServiceAccount version label update aligns with the v1.19.2 upgrade.

bindata/cert-manager-deployment/controller/cert-manager-svc.yaml (1)

9-9: LGTM! Version label correctly updated.

The Service version label update is consistent with the cert-manager v1.19.2 upgrade.

bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml (1)

9-9: LGTM! Version label correctly updated.

The ClusterRole version label update aligns with the v1.19.2 upgrade.

bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml (1)

9-9: LGTM! Version labels and image tag correctly updated.

The webhook deployment version labels and container image tag are consistently updated to v1.19.2, aligning with the cert-manager upgrade.

Also applies to: 30-30, 46-46

bundle/metadata/annotations.yaml (1)

7-7: LGTM! Bundle channel correctly updated.

The channel update from stable-v1.18 to stable-v1.19 correctly reflects the version series upgrade to v1.19.x.

bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml (1)

9-9: LGTM! Version label correctly updated.

The ClusterRoleBinding version label update to v1.19.2 is consistent with the cert-manager upgrade.

bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2, consistent with the upstream cert-manager version bump.

bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml (1)

9-9: LGTM!

All version labels and image tags are consistently updated to v1.19.2:

  • Metadata and pod template labels (lines 9, 30)
  • ACME HTTP01 solver image argument (line 37)
  • Controller container image (line 47)

Also applies to: 30-30, 37-37, 47-47

bundle/manifests/cert-manager.io_certificates.yaml (3)

10-13: LGTM!

Added crds component label and version bump to v1.19.2 aligns with the upstream cert-manager release.


104-104: LGTM!

The x-kubernetes-list-type: atomic annotations are correctly applied to list fields. This ensures proper Server-Side Apply (SSA) semantics where these lists are replaced entirely rather than merged, which is appropriate for certificate configuration arrays like additionalOutputFormats, dnsNames, emailAddresses, and ipAddresses.

Also applies to: 120-120, 136-136, 149-149


170-181: LGTM!

The issuerRef field descriptions now explicitly document the default values for group (cert-manager.io) and kind (Issuer). This improves API discoverability without changing behavior.

Makefile (3)

6-7: LGTM!

Version variables correctly updated:

  • BUNDLE_VERSION to 1.19.0 (operator bundle version)
  • CERT_MANAGER_VERSION to v1.19.2 (upstream cert-manager operand version)

The distinction between bundle version (1.19.0) and operand version (v1.19.2) is appropriate for operator lifecycle management.


15-15: LGTM!

Channel configuration properly updated for v1.19 release:

  • CHANNELS updated to include stable-v1.19
  • DEFAULT_CHANNEL set to stable-v1 for OLM default channel handling
  • BUNDLE_METADATA_OPTS correctly includes both channel flags

Also applies to: 25-29


89-89: LGTM!

Container image updated to rhel-9-golang-1.25-openshift-4.21, aligning with the Go 1.25 toolchain requirement for cert-manager v1.19.2 and targeting OpenShift 4.21.

config/crd/bases/orders.acme.cert-manager.io-crd.yaml (3)

12-12: LGTM!

Version label correctly updated to v1.19.2, consistent with other CRD manifests.


80-80: LGTM!

x-kubernetes-list-type: atomic correctly applied to ACME Order arrays (dnsNames, ipAddresses, challenges, authorizations). These fields should be replaced atomically during updates rather than merged.

Also applies to: 94-94, 184-184, 222-222


104-115: LGTM!

The issuerRef field descriptions are updated consistently with other CRDs, documenting default values for group and kind fields.

bundle/manifests/cert-manager.io_issuers.yaml (5)

13-13: Version label and printer columns look consistent with the v1.19.2 bump

app.kubernetes.io/version and the Ready/Status jsonPath expressions are updated in a purely cosmetic, upstream-aligned way; no behavioral change or risk here.

Also applies to: 29-32


543-550: RFC2136 protocol enum is backward compatible and well-scoped

Adding the optional protocol field with enum {TCP, UDP} under the RFC2136 DNS01 solver is schema-correct and keeps existing manifests valid since the field isn’t required; the default behavior can continue to be implied by the controller.


644-644: New x-kubernetes-* list/map markers align with structural schema best practices

Marking these arrays (audiences, parentRefs, imagePullSecrets, supplementalGroups, sysctls, tolerations, dnsNames/dnsZones, CA/selfSigned/Vault lists) as atomic or map with x-kubernetes-list-map-keys matches Kubernetes structural schema guidance and should improve merge behavior without changing semantics.

Also applies to: 923-924, 1949-1951, 2117-2117, 2140-2140, 2185-2185, 3276-3278, 3444-3444, 3467-3467, 3512-3512, 3542-3542, 3557-3557, 3568-3568, 3587-3587, 3596-3596, 3607-3607, 3629-3629, 3758-3758


1566-1568: Pod anti-affinity weight wording change is documentation-only

The updated description about “subtracting weight” for preferred anti-affinity terms is confined to comments, keeps the schema unchanged, and is consistent across both podAntiAffinity blocks; nothing to adjust from an operator perspective.

Also applies to: 2893-2895


1963-1996: ACME HTTP01 solver resources overrides are modeled correctly

The new resources objects for HTTP01 solver pod templates use the standard resource.Quantity pattern and x-kubernetes-int-or-string semantics for limits/requests, are optional, and don’t introduce new required fields—this is a safe, backwards-compatible enhancement.

Also applies to: 3290-3323

bundle/manifests/cert-manager.io_certificaterequests.yaml (4)

10-13: LGTM! Version bump and metadata update are correct.

The version update to v1.19.2 and the addition of the app.kubernetes.io/component: crds label align with upstream cert-manager v1.19.2 and follow standard Kubernetes labeling conventions.


30-45: LGTM! JSONPath formatting improvements are consistent.

The spacing around the equality operator in JSONPath expressions improves readability and follows standard formatting conventions. These changes are valid and consistent across all printer columns.


136-147: LGTM! Improved issuerRef field documentation.

The updated descriptions for issuerRef fields clarify the default values (group defaults to 'cert-manager.io', kind defaults to 'Issuer'), which improves API documentation and user understanding.


236-236: LGTM! Appropriate list type annotation.

The x-kubernetes-list-type: atomic annotation is correct for the usages field, which contains key usage enums. This ensures proper merge behavior where the entire list is treated as a single atomic unit.

bundle/manifests/acme.cert-manager.io_orders.yaml (4)

13-13: LGTM! Version bump is consistent.

The version update to v1.19.2 matches the PR objective and is consistent with other CRD manifests in this upgrade.


84-98: LGTM! Appropriate list type annotations for spec fields.

The x-kubernetes-list-type: atomic annotations for dnsNames and ipAddresses are correct. These fields should be treated as atomic units during updates, which is appropriate for DNS name and IP address lists.


108-119: LGTM! Consistent issuerRef documentation improvements.

The issuerRef field descriptions match the improvements in the certificaterequests CRD, providing clear default values and improving API documentation consistency across all cert-manager CRDs.


188-228: LGTM! Appropriate list type annotations for status fields.

The x-kubernetes-list-type: atomic annotations for authorizations and nested challenges arrays are correct. These status fields contain ACME server responses and should be treated atomically, which aligns with their usage pattern where the controller replaces the entire list during reconciliation.

config/crd/bases/issuers.cert-manager.io-crd.yaml (3)

12-12: Version label and printer column JSONPath updates are fine

Label bump to v1.19.2 and JSONPath spacing changes are metadata-only and keep behavior unchanged; no issues.

Also applies to: 28-31


526-531: RFC2136 protocol field addition looks correct

Optional protocol enum (TCP/UDP) under rfc2136.nameserver is well-scoped, non-breaking (not required), and matches the described behavior; schema is consistent.


623-623: CRD list semantics and solver pod resource overrides align with Kubernetes schema best practices

The added x-kubernetes-list-type/x-kubernetes-list-map-keys markers for lists (audiences, parentRefs, imagePullSecrets, tolerations, string arrays, etc.) plus the new resources overrides for HTTP01 solver pods and related issuer fields improve structural schema fidelity and patch/apply behavior, and appear consistent and non-breaking across the CRD.

Also applies to: 900-900, 1822-1869, 1985-1985, 2005-2005, 2049-2049, 3033-3035, 3047-3080, 3196-3196, 3216-3216, 3260-3260, 3290-3290, 3305-3305, 3316-3316, 3335-3335, 3344-3344, 3355-3355, 3377-3377, 3505-3505

bundle/manifests/acme.cert-manager.io_challenges.yaml (1)

10-13: CRD schema, list markers, and resource fields look consistent with upstream and safe

The added labels, issuerRef description tweaks, new RFC2136 protocol field, list/map metadata (x-kubernetes-*), and HTTP01 solver pod template resources blocks are structurally sound and improve clarity and merge semantics without changing controller behavior. No issues from an operator/CRD perspective.

Also applies to: 81-105, 415-468, 647-2049, 2137-3357, 3367-3395

go.mod (1)

3-352: Toolchain and dependency bumps look coherent; rely on CI/e2e to catch regressions

The Go version bump and broad upgrade of cert-manager, Kubernetes, controller-runtime/tools, AWS SDK, OTel, and related libraries, plus the cert-manager → jetstack-cert-manager v1.19.2 replace, form a consistent stack and align with the stated upgrade to cert-manager v1.19.2. I don't see any obviously mismatched module versions or suspect replaces here; the graph looks internally consistent for a rebase of this scope.

Given the size of the change surface, please rely on CI and targeted e2e runs (especially AWS, Gateway API, and CRD-heavy paths) to validate runtime compatibility and uncover any subtle behavior changes introduced by upstream dependencies.

Also applies to: 354-355

bundle/manifests/cert-manager.io_clusterissuers.yaml (7)

8-13: Metadata labels and version bump look consistent

app.kubernetes.io/component: crds and app.kubernetes.io/version: v1.19.2 align with this being the CRD bundle for the v1.19.2 cert-manager operand; no concerns here. Just keep this version label consistent with other cert-manager CRDs/bundle manifests in the repo.


28-35: Ready/Status printer columns JSONPath remains correct

The additionalPrinterColumns JSONPath expressions for Ready and Status still correctly select the Ready condition’s status and message. The minor formatting change is harmless and keeps kubectl output stable.


537-551: RFC2136 DNS01 protocol field is well-scoped

The new spec.acme.solvers[].dns01.rfc2136.protocol field is constrained to TCP/UDP and clearly documents UDP as the default when unset. This matches the expected RFC2136 usage pattern and doesn’t introduce schema or validation risks.


645-647: x-kubernetes list metadata additions improve SSA/merge semantics

The added x-kubernetes-list-type: atomic (here for serviceAccountRef.audiences) and similar x-kubernetes-list-type / x-kubernetes-list-map-keys annotations throughout the schema bring these CRD fields in line with core Kubernetes API conventions, improving server-side apply and patch behavior without changing stored data.


1932-1952: HTTP01 solver podTemplate: imagePullSecrets + resources extensions look correct

  • Switching imagePullSecrets to a map list keyed by name (with x-kubernetes-list-map-keys/x-kubernetes-list-type: map) matches core PodSpec behavior and gives better patch semantics.
  • The new podTemplate.spec.resources block for HTTP01 solver pods uses the standard resource.Quantity schema (x-kubernetes-int-or-string with the usual quantity regex) and cleanly documents interaction with global controller flags.

These changes are consistent with upstream cert-manager and should be safe for existing manifests.

Also applies to: 1964-1997, 3259-3279, 3291-3324


2106-2142: PodSecurityContext list fields marked atomic are aligned with core API

Marking supplementalGroups and sysctls as x-kubernetes-list-type: atomic for the solver pod securityContext matches how these lists behave in core PodSecurityContext, preventing surprising merge behavior. No issues from a validation or security perspective.

Also applies to: 3433-3468


3531-3570: Selector and issuer list fields now explicitly atomic—matches intent

The additions of x-kubernetes-list-type: atomic for:

  • selector.dnsNames and selector.dnsZones,
  • the top-level acme.solvers list,
  • CA/self-signed crlDistributionPoints / issuingCertificateURLs / ocspServers,
  • Vault serviceAccountRef.audiences,

all reflect these as flat lists of scalar values where full replacement on patch is expected. That aligns with how these fields are typically used and shouldn’t affect existing consumers.

Also applies to: 3580-3631, 3752-3760

config/crd/bases/certificates.cert-manager.io-crd.yaml (1)

9-12: CRD label, printer column, and list-type updates align with upstream cert-manager schema

The label/version bump, jsonPath spacing tweak, issuerRef description clarification, and the added x-kubernetes-list-type: atomic annotations on the various arrays all look consistent with the v1.19.2 cert-manager CRDs and should not change behavior beyond improving structural schema semantics for SSA and validation.

Please just confirm this CRD was regenerated from upstream (e.g., via the usual controller-gen/make flow) rather than hand-edited, so it stays in lockstep with the source API.

Also applies to: 29-40, 100-133, 141-146, 156-180, 331-387, 389-411, 571-595, 610-623, 624-688

pkg/operator/assets/bindata.go (1)

34-35: Generated bindata changes and new cert-manager-tokenrequest RB asset are internally consistent

  • All the app.kubernetes.io/version: v1.19.2 label bumps and the controller/cainjector/webhook image updates to quay.io/jetstack/*:v1.19.2 are coherent across assets.
  • The new cert-manager-tokenrequest-rb.yaml RoleBinding asset, its byte var, helper functions, _bindata map entry, and _bintree node all use the same path (cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml) and correctly bind the cert-manager-tokenrequest Role to the cert-manager ServiceAccount in the cert-manager namespace.
  • I don’t see any leftover references to the old tokenrequest RB asset name in this file.

Since this file is generated by go-bindata, please confirm it was fully regenerated from the updated YAML sources (rather than edited by hand) so future updates don’t accidentally overwrite these changes.

Also applies to: 119-128, 203-212, 238-268, 280-281, 467-476, 504-513, 539-548, 656-665, 693-702, 778-787, 813-822, 969-978, 1031-1040, 1066-1075, 1151-1160, 1186-1195, 1283-1292, 1365-1374, 1400-1430, 1446-1447, 1497-1506, 1556-1565, 1592-1601, 1637-1647, 1666-1675, 1705-1739, 1741-1750, 1938-1947, 1974-1983, 2020-2031, 2071-2081, 2100-2109, 2134-2143, 2169-2178, 2212-2223, 3158-3159, 3235-3275

bundle/manifests/operator.openshift.io_istiocsrs.yaml (1)

5-5: IstioCSR CRD description/controller-gen updates are doc-only and safe

The controller-gen version annotation bump, the refined pod (anti)affinity weighting text, the DynamicResourceAllocation note on resources.claims, and the clarified certManager.issuerRef group/kind/name descriptions are all documentation/metadata-only; schema, validation rules, and defaults remain unchanged, so existing IstioCSR resources won’t be affected.

Please confirm this CRD was regenerated with the updated controller-gen / API definitions rather than edited manually, to keep it aligned with upstream.

Also applies to: 294-305, 652-662, 1015-1027, 1237-1243

config/crd/bases/challenges.acme.cert-manager.io-crd.yaml (6)

9-12: Metadata labels/version bump LGTM

app.kubernetes.io/component: crds and app.kubernetes.io/version: v1.19.2 are consistent with the operand upgrade and CRD role; nothing else needed here.


84-96: issuerRef description updates match Issuer defaults

Clarified descriptions for issuerRef.group, issuerRef.kind, and issuerRef.name accurately describe the issuer context and documented defaults, without changing the schema itself.


414-419: New RFC2136 protocol field is a safe extension

Adding optional protocol with enum TCP / UDP (default via controller behavior) keeps nameserver as the only required property, so existing RFC2136 configurations remain valid while allowing more explicit transport selection.


1710-1712: PodTemplate imagePullSecrets + resources schema look correct

Using x-kubernetes-list-type: map with x-kubernetes-list-map-keys: [name] for imagePullSecrets and introducing a resources object shaped like core ResourceRequirements are both consistent with Kubernetes API patterns and provide predictable merge behavior for solver pods.

Also applies to: 1724-1757, 2921-2923, 2935-2968


511-511: x-kubernetes-list-type annotations are appropriate

Marking these arrays (audiences, parentRefs, supplementalGroups, sysctls, tolerations, and selector DNS lists) as atomic or map-based provides explicit structural metadata and aligns with expected server-side apply/patch semantics without altering existing valid objects.

Also applies to: 789-789, 1873-1873, 1893-1893, 1937-1937, 3084-3084, 3104-3104, 3148-3148, 3178-3178, 3193-3193


1360-1362: PodAntiAffinity weight description change is documentation-only

The updated explanation about subtracting weight in preferred anti-affinity terms corrects the textual behavior description while leaving the schema unchanged, so there’s no impact on validation or stored CRs.

Also applies to: 2571-2573

config/crd/bases/clusterissuers.cert-manager.io-crd.yaml (1)

9-12: CRD schema bump (labels, RFC2136 protocol, solver resources, list/map markers) looks consistent with upstream

  • Label and app.kubernetes.io/version changes align with the v1.19.2 bump.
  • New spec.acme.dns01.rfc2136.nameserver.protocol string enum (TCP/UDP) is additive and keeps existing CRs valid; description matches expected behavior.
  • Added podTemplate.spec.resources blocks for HTTP01 solvers (gateway and ingress) use the standard resource quantity schema and are also additive.
  • The various new x-kubernetes-list-type / x-kubernetes-list-map-keys annotations on lists (imagePullSecrets, audiences, dnsNames/dnsZones, CRL/OCSP lists, etc.) follow Kubernetes structural schema and SSA best practices and should only improve patch/merge semantics rather than change meaning.

From what’s shown here, I don’t see any breaking or security-impacting changes; keeping this file generated and in lockstep with the upstream cert-manager v1.19.2 types is the right approach. Please just ensure all other CRD copies/bundles (e.g., under bundle/manifests) were regenerated from the same upstream revision and that CI/CRD validation passes with these enums and annotations.

Also applies to: 28-31, 528-532, 1823-1825, 1838-1870, 3035-3037, 3049-3081, 3291-3292, 3306-3307, 3334-3337, 3338-3345, 3347-3356, 3376-3378, 3504-3507

Comment on lines +123 to +159
fileKeyRef:
description: |-
FileKeyRef selects a key of the env file.
Requires the EnvFiles feature gate to be enabled.
properties:
key:
description: |-
The key within the env file. An invalid key will prevent the pod from starting.
The keys defined within a source may consist of any printable ASCII characters except '='.
During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
type: string
optional:
default: false
description: |-
Specify whether the file or its key must be defined. If the file or key
does not exist, then the env var is not published.
If optional is set to true and the specified key does not exist,
the environment variable will not be set in the Pod's containers.
If optional is set to false and the specified key does not exist,
an error will be returned during Pod creation.
type: boolean
path:
description: |-
The path within the volume from which to select the file.
Must be relative and may not contain the '..' path or start with '..'.
type: string
volumeName:
description: The name of the volume mount containing
the env file.
type: string
required:
- key
- path
- volumeName
type: object
x-kubernetes-map-type: atomic
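
Review bot: `path` is described as relative and free of `..`, yet the only constraint this schema puts on it is `type: string`, so the CRD itself accepts any string and the rule is enforced, if at all, when the pod is validated. If this schema is generated from upstream types, leave it unedited and instead confirm with a test that an object carrying a `..` path is rejected at pod creation.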

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's understand the repository structure
git ls-files | head -20

Repository: openshift/cert-manager-operator

Length of output: 565


🏁 Script executed:

# Check for go.mod to find Kubernetes version
cat go.mod | grep -i 'k8s.io' | head -10

Repository: openshift/cert-manager-operator

Length of output: 392


🏁 Script executed:

# Search for any documentation about EnvFiles or feature gates
find . -type f \( -name "*.md" -o -name "*.txt" -o -name "*.adoc" \) | xargs grep -l -i 'envfiles\|feature.gate' 2>/dev/null | head -10

Repository: openshift/cert-manager-operator

Length of output: 57


🏁 Script executed:

# Check operator code for feature gate handling and fileKeyRef references
rg -n 'fileKeyRef|EnvFiles' --type go --type yaml | head -20

Repository: openshift/cert-manager-operator

Length of output: 2676


🏁 Script executed:

# Look at the OpenShift/K8s version in the repo
rg -n 'openshift.io|kubernetes.io' go.mod | head -10

Repository: openshift/cert-manager-operator

Length of output: 57


🌐 Web query:

EnvFiles Kubernetes feature gate status 2024 2025 stable alpha beta

💡 Result:

Summary — EnvFiles feature-gate

  • 2024: Not present in mainline Kubernetes (no EnvFiles gate listed). [1]
  • 2025: Introduced as an Alpha feature (EnvFiles, default=false) in the v1.34 cycle and documented on the Kubernetes feature-gates page and v1.34 blog. [2][3]
  • Later in 2025 (v1.35 beta snapshot): promoted to Beta and enabled by default (announcement in the v1.35 beta notes). [4]

Sources

  • Kubernetes Feature Gates reference (shows EnvFiles = Alpha / default=false). [1]
  • Kubernetes v1.34 release/blog announcing EnvFiles (alpha) and feature details. [2]
  • Kubernetes v1.34 release notes / blog (release context). [3]
  • v1.35 beta announcement noting EnvFiles promoted to Beta and enabled by default. [4]

🏁 Script executed:

# Check for README and installation documentation
find . -type f \( -name "README*" -o -name "INSTALL*" -o -name "*.md" \) | head -20

Repository: openshift/cert-manager-operator

Length of output: 156


🏁 Script executed:

# Check if there are any operator webhook or validation handlers for feature gates
rg -n 'webhook|validation|mutate|validate' --type go api/ | head -15

Repository: openshift/cert-manager-operator

Length of output: 1330


🏁 Script executed:

# Look for any documentation about prerequisites or feature gates
cat README.md 2>/dev/null | head -100

Repository: openshift/cert-manager-operator

Length of output: 4113


🏁 Script executed:

# Check for any OpenShift or Kubernetes version requirements documented in the repo
rg -n 'openshift.*version|kubernetes.*version|4\.21|4\.22|1\.34|1\.35' --type md --type txt | head -15

Repository: openshift/cert-manager-operator

Length of output: 57


Add operator-level validation or documentation for EnvFiles feature gate requirement.

The new fileKeyRef field requires the alpha EnvFiles feature gate to be enabled in Kubernetes 1.34 (where it defaults to disabled). While the CRD field descriptions already state this requirement, users may not discover it until pod creation fails at runtime.

Address this by either:

  • Adding operator-level validation/warnings when pods attempt to use fileKeyRef without the feature gate enabled
  • Documenting the requirement explicitly in user-facing documentation (README or installation guide)

This becomes less critical in Kubernetes 1.35+ where EnvFiles is promoted to Beta and enabled by default, but remains a risk for 1.34 deployments.

🤖 Prompt for AI Agents
In config/crd/bases/operator.openshift.io_certmanagers.yaml around lines 123 to
159, the new fileKeyRef field depends on the alpha EnvFiles feature gate in
Kubernetes 1.34 which is disabled by default; add operator-level validation or
documentation to prevent runtime failures: implement an operator startup or
admission check that detects CRs using fileKeyRef and emits a clear validation
error or warning when running on a cluster where the EnvFiles feature gate is
not enabled, or alternatively update the repository README/installation guide
and CRD description to prominently document the EnvFiles feature gate
requirement for Kubernetes 1.34 (include exact kube version and remediation
steps to enable the gate), ensuring users are informed before pod creation.
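
The operator-level check suggested in the comment above, written as an added example (not code from this PR or from the operator): it scans a decoded custom resource for `fileKeyRef` and returns warnings based on the cluster version, using the EnvFiles status quoted in that comment (alpha and off by default in 1.34, on by default from 1.35). The `overrideEnv` location in the constructed sample and all function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample: a CertManager-like object with one env override that
// uses fileKeyRef. The overrideEnv location is an assumption for illustration.
const sampleCR = `{
  "apiVersion": "operator.openshift.io/v1alpha1",
  "kind": "CertManager",
  "spec": {"controllerConfig": {"overrideEnv": [
    {"name": "HTTP_PROXY", "value": "http://proxy.example:3128"},
    {"name": "TOKEN", "valueFrom": {"fileKeyRef":
      {"key": "TOKEN", "path": "app.env", "volumeName": "cfg"}}}
  ]}}
}`

// findFileKeyRefs returns the location of every non-null fileKeyRef in a
// decoded JSON document, visiting map keys in sorted order so the result
// is deterministic.
func findFileKeyRefs(node any, path string) []string {
	var hits []string
	switch v := node.(type) {
	case map[string]any:
		keys := make([]string, 0, len(v))
		for k := range v {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		for _, k := range keys {
			child := path + "." + k
			if k == "fileKeyRef" && v[k] != nil {
				hits = append(hits, child)
				continue
			}
			hits = append(hits, findFileKeyRefs(v[k], child)...)
		}
	case []any:
		for i, item := range v {
			hits = append(hits, findFileKeyRefs(item, fmt.Sprintf("%s[%d]", path, i))...)
		}
	}
	return hits
}

// kubeMinor extracts the minor number from a version such as "v1.34.1+abc".
func kubeMinor(gitVersion string) (int, error) {
	parts := strings.Split(strings.TrimPrefix(gitVersion, "v"), ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, fmt.Errorf("unrecognised Kubernetes version %q", gitVersion)
	}
	minor, err := strconv.Atoi(strings.TrimRight(parts[1], "+"))
	if err != nil {
		return 0, fmt.Errorf("unrecognised Kubernetes version %q", gitVersion)
	}
	return minor, nil
}

// CheckEnvFiles returns one warning per fileKeyRef when the cluster version
// does not enable EnvFiles by default. It only warns: a cluster admin may
// have set the gate explicitly, which the version alone cannot reveal.
func CheckEnvFiles(crJSON []byte, gitVersion string) ([]string, error) {
	var doc any
	if err := json.Unmarshal(crJSON, &doc); err != nil {
		return nil, fmt.Errorf("decode object: %w", err)
	}
	refs := findFileKeyRefs(doc, "$")
	if len(refs) == 0 {
		return nil, nil // nothing depends on the gate
	}
	minor, err := kubeMinor(gitVersion)
	if err != nil {
		return nil, err
	}
	var reason string
	switch {
	case minor < 34:
		reason = "EnvFiles does not exist before Kubernetes 1.34"
	case minor == 34:
		reason = "EnvFiles is alpha and off by default in Kubernetes 1.34"
	default:
		return nil, nil // 1.35+: on by default, per the review comment
	}
	warnings := make([]string, 0, len(refs))
	for _, r := range refs {
		warnings = append(warnings, r+": "+reason)
	}
	return warnings, nil
}

func main() {
	warnings, err := CheckEnvFiles([]byte(sampleCR), "v1.34.1")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, w := range warnings {
		fmt.Println("warning:", w)
	}
}
```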

Contributor

@bharath-b-rh bharath-b-rh left a comment


/lgtm

app.kubernetes.io/version: v1.18.3
name: cert-manager-cert-manager-tokenrequest
app.kubernetes.io/version: v1.19.2
name: cert-manager-tokenrequest
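
Review bot: `name` changes from `cert-manager-cert-manager-tokenrequest` to `cert-manager-tokenrequest`, so a cluster upgraded from the v1.18.3 manifests still holds the object created under the old name unless something deletes it. State in the PR how the old-named resource is removed on upgrade, or add an explicit cleanup for it, so that a stale object does not stay behind.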
Contributor

@bharath-b-rh bharath-b-rh Dec 17, 2025


Not directly related to the changes. But how do we manage the renamed resource in upgraded clusters?

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 17, 2025
@openshift-ci
Contributor

openshift-ci bot commented Dec 17, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bharath-b-rh, PillaiManish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 17, 2025
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Dec 19, 2025
@openshift-ci
Contributor

openshift-ci bot commented Dec 19, 2025

New changes are detected. LGTM label has been removed.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 13f4052 and 179c4a6.

📒 Files selected for processing (2)
  • bundle/manifests/cert-manager-operator.clusterserviceversion.yaml (5 hunks)
  • config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml (4 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
  • bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
🔇 Additional comments (8)
bundle/manifests/cert-manager-operator.clusterserviceversion.yaml (6)

253-253: LGTM!

The skipRange is correctly set to allow upgrades from 1.18.x versions to this 1.19.0 release.


274-274: LGTM!

Metadata name correctly updated to reflect version 1.19.0.


701-715: LGTM!

All environment variables are consistently updated:

  • cert-manager components to v1.19.2
  • Operator version to 1.19.0
  • IstioCSR appropriately remains at v0.14.2

813-813: LGTM!

The minKubeVersion has been appropriately updated to 1.31.0 as per previous review feedback.


817-826: LGTM!

Related images are consistently updated to v1.19.2 for all cert-manager components and correctly aligned with the environment variables defined earlier in the manifest.


827-828: LGTM!

The version field (1.19.0) and replaces field (cert-manager-operator.v1.18.0) correctly define the upgrade path from the previous release.

config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml (2)

21-21: LGTM!

The OLM version metadata updates are internally consistent and follow the correct upgrade pattern from v1.18.0 to v1.19.0.

Also applies to: 41-41, 152-153


149-149: The minKubeVersion change from 1.27.0 to 1.31.0 is correct. cert-manager v1.19.2 requires Kubernetes v1.31 or newer (supported range: v1.31 → v1.34), and this aligns with OpenShift 4.21 (Kubernetes 1.34) and 4.22 (Kubernetes 1.35) as mentioned in the PR comments.

version: v1
description: |
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.18.3](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
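
Review bot: on the added `description` line the link text says cert-manager v1.19.2 but the link target still ends in `/tree/v1.18.3`; point the URL at the v1.19.2 tag so the text and the target agree.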

⚠️ Potential issue | 🟡 Minor

Fix the stale documentation URL.

The description text references cert-manager v1.19.2, but the URL still points to v1.18.3. This will mislead users to outdated documentation.

🔎 Proposed fix
-    The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
+    The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.19.2), which automates certificate management.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.19.2), which automates certificate management.
🤖 Prompt for AI Agents
In bundle/manifests/cert-manager-operator.clusterserviceversion.yaml around line
348, the description references cert-manager v1.19.2 but the URL points to
v1.18.3; update the URL to the matching v1.19.2 release
(https://github.com/cert-manager/cert-manager/tree/v1.19.2) so the documentation
link matches the cited version and doesn't mislead users.

version: v1alpha1
description: |
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.18.3](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.

⚠️ Potential issue | 🟡 Minor

Fix the inconsistent version reference in the GitHub URL.

The description text references "cert-manager v1.19.2", but the GitHub URL still points to the old version "v1.18.3". This inconsistency will mislead users to outdated documentation.

🔎 Proposed fix
-    The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
+    The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.19.2), which automates certificate management.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.19.2), which automates certificate management.
🤖 Prompt for AI Agents
In config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
around line 115, the description text claims "cert-manager v1.19.2" but the
GitHub URL points to "v1.18.3"; update the URL to reference the matching tag
v1.19.2 (i.e., change the GitHub link suffix from v1.18.3 to v1.19.2) so the
version in the link and the description are consistent.

@openshift-ci
Contributor

openshift-ci bot commented Dec 19, 2025

@PillaiManish: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Member

@lunarwhite lunarwhite left a comment


It would be great if we could add one more line to each commit message explaining the context for the change, just for future reference. Especially for

  • abb105b (You've already explained the reason in the PR description; it's good to include the same as part of the commit)
  • b2a5388 (It would be clearer to mention exactly which packages are being bumped and which latest is being referred to, but I think it should be a specific tag not the drifting latest?)
  • 179c4a6 (The context would be lost in a review comment)

version: v1alpha1
description: |
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.18.3](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
Member


Suggested change
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.19.2), which automates certificate management.


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
