CM-825: release chore: Upstream bump for v1.19.2 and rebase for v1.19.0 release #358

PillaiManish · 2025-12-08T09:50:36Z

Rebase downstream cert-manager-operator for v1.19.0 with upstream cert-manager v1.19.2.

Prerequisite: Downstream v1.19.2 tag is pushed and synced https://github.com/openshift/jetstack-cert-manager/tags
Remove

replace sigs.k8s.io/controller-tools => github.com/openshift/kubernetes-sigs-controller-tools v0.12.1-0.20250220141355-6d2c85031fbc

Since github.com/openshift/kubernetes-sigs-controller-tools is not being maintained in the downstream.

All the following below steps were done with the help of automation script: #309

Bump deps with upstream cert-manager@v1.19.2

go get github.com/cert-manager/cert-manager@v1.19.2
go mod edit -replace github.com/cert-manager/cert-manager=github.com/openshift/jetstack-cert-manager@v1.19.2
go mod tidy && go mod vendor

Update Makefile: BUNDLE_VERSION, CERT_MANAGER_VERSION, CHANNELS

- replace CERT_MANAGER_VERSION  ->  "v1.19.2"
- * make update
* make bundle

More manual replacements

- replace "1.18.3" -> "1.19.2" (operand)

Update docker files images to golang-1.25 (and openshift-4.21)
Fixes for latest version updates

openshift-ci-robot · 2025-12-08T09:50:41Z

@PillaiManish: This pull request references CM-825 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai · 2025-12-08T09:50:44Z

Walkthrough

Bumps cert-manager v1.18.3→v1.19.2 and Go toolchain 1.24→1.25; upgrades builder images and dependencies; large CRD/OpenAPI schema enrichments (list/map metadata, RFC2136 protocol, podTemplate resources, issuerRef descriptions); bundle/CSV/manifest image and metadata updates; small code, test, and bindata adjustments.

Changes

Cohort / File(s)	Summary
Build images & toolchain `/.ci-operator.yaml`, `Dockerfile`, `images/ci/*Dockerfile`, `images/ci/operand.Dockerfile`, `bundle.Dockerfile`, `go.mod`	Upgrade Go to 1.25, bump builder base images to rhel-9-golang-1.25-openshift-4.21, and large dependency upgrades in `go.mod` (including cert-manager v1.19.2).
Makefile & bundle metadata `Makefile`, `bundle/metadata/annotations.yaml`	Bumped `BUNDLE_VERSION`, `CERT_MANAGER_VERSION`, `CHANNELS`; added `DEFAULT_CHANNEL`; updated `BUNDLE_METADATA_OPTS` and `CONTAINER_IMAGE_NAME`; updated bundle channels annotation.
CRDs & OpenAPI schemas `bundle/manifests/`, `config/crd/bases/.yaml`, `bundle/manifests/operator.openshift.io_.yaml`, `config/crd/bases/operator.openshift.io_.yaml`	Extensive CRD/schema changes: add `app.kubernetes.io/component: crds`, version bumps to v1.19.2, add `x-kubernetes-list-type`/`x-kubernetes-list-map-keys`, add RFC2136 `protocol` enum, add solver `podTemplate.resources`, update `issuerRef` descriptions/defaults, remove beta notes, normalize JSONPath spacing, and controller-gen annotation bumps.
Bindata manifests (cert-manager deployment) `bindata/cert-manager-deployment/...`	Bumped `app.kubernetes.io/version` and container image tags to v1.19.2 across multiple manifests; updated SA/Role/RoleBinding metadata.
Embedded assets / bindata regen `pkg/operator/assets/bindata.go`, `pkg/operator/assets/*`	Regenerated embedded assets: moved/renamed tokenrequest RB (`cert-manager-cert-manager-tokenrequest-rb.yaml` → `cert-manager-tokenrequest-rb.yaml`), added new asset accessors, removed old entries, and updated embedded manifest contents/version strings.
Bundle / CSV / manager manifests `bundle/manifests/cert-manager-operator.clusterserviceversion.yaml`, `config/manifests/bases/*.clusterserviceversion.yaml`, `config/manager/manager.yaml`	CSV/operator metadata bumped (operator/operand versions, `olm.skipRange`, `minKubeVersion`, `replaces`/`version`); relatedImages and manager image refs updated to 1.19.x.
Generated code & applyconfigurations `api/operator/v1alpha1/zz_generated.deepcopy.go`, `pkg/operator/applyconfigurations/operator/v1alpha1/*.go`, `pkg/operator/applyconfigurations/internal/internal.go`, `pkg/operator/applyconfigurations/utils.go`	DeepCopy change to use `IssuerRef.DeepCopyInto`; `CertManagerConfigApplyConfiguration.IssuerRef` type changed to `v1.IssuerReference`; added `IsApplyConfiguration`/`Get*` helpers; migrated structured-merge-diff import v4→v6; type-converter switched to managedfields.
Controller, deployment & tests `pkg/controller/deployment/.go`, `pkg/controller/_test.go`, `pkg/controller/istiocsr/deployments_test.go`, `pkg/operator/clientset/versioned/fake/clientset_generated.go`	Updated asset reference for tokenrequest RB; test expectations updated to v1.19.2 and adjusted error string quoting; fixed a typo in fake client watch reactor.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 23cbf74 and bfc925b.

📒 Files selected for processing (2)

bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
bundle/manifests/cert-manager-operator.clusterserviceversion.yaml

🔇 Additional comments (2)

config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml (1)

21-21: LGTM! Version updates are correct and consistent.

The version bump from 1.18.x to 1.19.0 is properly coordinated across all relevant fields:

olm.skipRange correctly specifies the upgrade window

name, replaces, and version fields follow proper OLM upgrade semantics

Description URL correctly references v1.19.2

minKubeVersion bump to 1.31.0 aligns with OpenShift 4.18-4.21 support

Also applies to: 41-41, 115-115, 149-149, 152-153

bundle/manifests/cert-manager-operator.clusterserviceversion.yaml (1)

253-253: LGTM! Comprehensive and consistent version upgrade.

All version-related changes are correct and properly coordinated:

Metadata fields (olm.skipRange, name, version, replaces, minKubeVersion) match the base manifest and follow proper OLM semantics

All cert-manager component images (webhook, ca-injector, controller, acmesolver) consistently updated to v1.19.2

Environment variables (OPERAND_IMAGE_VERSION, OPERATOR_IMAGE_VERSION) correctly set

relatedImages section properly mirrors the environment variable references, ensuring runtime/manifest alignment

Also applies to: 274-274, 348-348, 701-707, 711-711, 715-715, 813-813, 817-823, 827-828

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci-robot · 2025-12-09T04:11:54Z

@PillaiManish: This pull request references CM-825 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

Rebase downstream cert-manager-operator for v1.19.0 with upstream cert-manager v1.19.1.

Prerequisite: Downstream v1.19.1 tag is pushed and synced https://github.com/openshift/jetstack-cert-manager/tags

Remove
replace sigs.k8s.io/controller-tools => github.com/openshift/kubernetes-sigs-controller-tools v0.12.1-0.20250220141355-6d2c85031fbc
Since github.com/openshift/kubernetes-sigs-controller-tools is not being maintained in the downstream.

All the following below steps were done with the help of automation script: #309

Bump deps with upstream cert-manager@v1.19.1
go get github.com/cert-manager/cert-manager@v1.19.1
go mod edit -replace github.com/cert-manager/cert-manager=github.com/openshift/jetstack-cert-manager@v1.19.1
go mod tidy && go mod vendor
Update Makefile: BUNDLE_VERSION, CERT_MANAGER_VERSION, CHANNELS
- replace CERT_MANAGER_VERSION  ->  "v1.19.1"
- * make update
* make bundle
More manual replacements
- replace "1.18.3" -> "1.19.1" (operand)
Update docker files images to golang-1.25 (and openshift-4.21)

Fixes for latest version updates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

lunarwhite

Thanks for your work. Some suggestions:

Could we squash commits cd70d9e and 4e1e232 since they are doing the same thing?
Along with this commit 7817403, we should also update this line: https://github.com/PillaiManish/cert-manager-operator/blob/e3cf35386610052dd0bf89303ccb4c1e7238d429/config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml#L115
It would be great if we could still keep the commit messages verbose like what we did in the past.
Ideally we should bump with 1.19.2 which just got released days ago to reduce future work.

PillaiManish · 2025-12-16T04:37:20Z

Ideally we should bump with 1.19.2 which just got released days ago to reduce future work

https://github.com/openshift/jetstack-cert-manager/tags right now we dont have the required tag.

openshift-ci-robot · 2025-12-16T05:08:19Z

@PillaiManish: This pull request references CM-825 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Rebase downstream cert-manager-operator for v1.19.0 with upstream cert-manager v1.19.2.

Prerequisite: Downstream v1.19.2 tag is pushed and synced https://github.com/openshift/jetstack-cert-manager/tags

Remove
replace sigs.k8s.io/controller-tools => github.com/openshift/kubernetes-sigs-controller-tools v0.12.1-0.20250220141355-6d2c85031fbc
Since github.com/openshift/kubernetes-sigs-controller-tools is not being maintained in the downstream.

All the following below steps were done with the help of automation script: #309

Bump deps with upstream cert-manager@v1.19.2
go get github.com/cert-manager/cert-manager@v1.19.2
go mod edit -replace github.com/cert-manager/cert-manager=github.com/openshift/jetstack-cert-manager@v1.19.2
go mod tidy && go mod vendor
Update Makefile: BUNDLE_VERSION, CERT_MANAGER_VERSION, CHANNELS
- replace CERT_MANAGER_VERSION  ->  "v1.19.2"
- * make update
* make bundle
More manual replacements
- replace "1.18.3" -> "1.19.2" (operand)
Update docker files images to golang-1.25 (and openshift-4.21)

Fixes for latest version updates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai

Actionable comments posted: 8

🧹 Nitpick comments (5)

.idea/.gitignore (1)

1-8: Consider using repository-root .gitignore or global gitignore instead.

IDE-specific configuration directories like .idea/ should typically not be committed to the repository. Different team members may use different IDEs (VS Code, vim, emacs, etc.), and IDE-specific ignore files create unnecessary repository clutter.

Consider either:

Adding these patterns to the repository's root .gitignore file, or

Using a global gitignore configuration (~/.gitignore_global)

.idea/cert-manager-operator.iml (1)

1-4: Consider adding .idea/ to .gitignore.

IDE configuration files are typically user-specific and can cause merge conflicts. Consider excluding the .idea/ directory unless the team has explicitly decided to version-control IDE settings.
rebase_automation.sh (3)
13-14: Remove unused REPO_ROOT variable.

REPO_ROOT is defined but never referenced in the script. Based on static analysis (SC2034).
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-REPO_ROOT="$SCRIPT_DIR"
358-361: Word boundary pattern may cause unintended matches.

The pattern \b${old_version}\b could match version substrings in edge cases (e.g., "1.18.0" within a hypothetical "v1.18.0-rc1" or similar). Consider using more restrictive anchoring if precision is critical.

314-320: Array assignment from command substitution is fragile for filenames with spaces.

Shellcheck SC2207: If any file has spaces or newlines in its name, word splitting will corrupt the array. In this OpenShift repo context, this is unlikely, but using mapfile with null-delimited find would be more robust.
-    local files_to_check=(
-        $(find . -type f $ -name "*.go" -o -name "*.yaml" -o -name "*.yml" -o -name "*.json" -o -name "*.md" -o -name "*.Dockerfile" $ \
-          -not -path "./vendor/*" \
-          -not -path "./.git/*" \
-          -not -path "./testbin/*" \
-          | grep -v "go.sum")
-    )
+    local files_to_check=()
+    while IFS= read -r -d '' file; do
+        [[ "$file" != *"go.sum"* ]] && files_to_check+=("$file")
+    done < <(find . -type f $ -name "*.go" -o -name "*.yaml" -o -name "*.yml" -o -name "*.json" -o -name "*.md" -o -name "*.Dockerfile" $ \
+          -not -path "./vendor/*" \
+          -not -path "./.git/*" \
+          -not -path "./testbin/*" \
+          -print0)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between dc0f25f and 7036f01.

⛔ Files ignored due to path filters (215)

go.sum is excluded by !**/*.sum
vendor/cel.dev/expr/.bazelversion is excluded by !vendor/**, !**/vendor/**
vendor/cel.dev/expr/MODULE.bazel is excluded by !vendor/**, !**/vendor/**
vendor/cel.dev/expr/README.md is excluded by !vendor/**, !**/vendor/**
vendor/cel.dev/expr/cloudbuild.yaml is excluded by !vendor/**, !**/vendor/**
vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/auth.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/externalaccount.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/x509_provider.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/transport/cba.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/transport/cert/workload_cert.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Masterminds/semver/v3/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Masterminds/semver/v3/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Masterminds/semver/v3/constraints.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Masterminds/semver/v3/version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/auth_scheme_preference.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/env_config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/load_options.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/provider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/resolve.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/resolve_credentials.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/shared_config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds/provider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/provider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/provider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_credentials_provider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/static_provider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/assume_role_provider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_client.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_client.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/auth.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/deserializers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/endpoints.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/generated.json is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints/endpoints.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/options.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sso/serializers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_client.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/auth.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/deserializers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/endpoints.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/generated.json is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints/endpoints.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/options.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/types/enums.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/types/errors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/types/types.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoot.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints/endpoints.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/serializers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/sts/validators.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v4/context.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v4/exponential.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v4/retry.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v4/tries.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v5/.gitignore is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v5/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v5/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v5/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v5/backoff.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v5/error.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v5/exponential.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v5/retry.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v5/ticker.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cenkalti/backoff/v5/timer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/LICENSES is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/types_challenge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/types_issuer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/types_order.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificaterequest.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_issuer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/meta/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/meta/v1/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/meta/v1/types.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/apis/meta/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeauthorization.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallenge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolver.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolverdns01.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolverhttp01.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolverhttp01gatewayhttproute.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolverhttp01ingress.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolverhttp01ingressobjectmeta.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolverhttp01ingresspodobjectmeta.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolverhttp01ingresspodresources.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolverhttp01ingresspodsecuritycontext.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolverhttp01ingresspodspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolverhttp01ingresspodtemplate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmechallengesolverhttp01ingresstemplate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeexternalaccountbinding.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeissuer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeissuerdns01provideracmedns.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeissuerdns01providerakamai.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeissuerdns01providerazuredns.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeissuerdns01providerclouddns.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeissuerdns01providercloudflare.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeissuerdns01providerdigitalocean.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeissuerdns01providerrfc2136.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeissuerdns01providerroute53.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeissuerdns01providerwebhook.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/acmeissuerstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/azuremanagedidentity.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/certificatednsnameselector.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/challenge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/challengespec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/challengestatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/order.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/orderspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/orderstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/route53auth.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/route53kubernetesauth.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/acme/v1/serviceaccountref.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/caissuer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificateadditionaloutputformat.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificatecondition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificatekeystores.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificateprivatekey.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificaterequest.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificaterequestcondition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificaterequestspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificaterequeststatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificatesecrettemplate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificatespec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/certificatestatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/clusterissuer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/issuer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/issuercondition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/issuerconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/issuerspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/issuerstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/jkskeystore.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/nameconstraintitem.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/nameconstraints.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/othername.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/pkcs12keystore.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/selfsignedissuer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/serviceaccountref.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/vaultapprole.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/vaultauth.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/vaultclientcertificateauth.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/vaultissuer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/vaultkubernetesauth.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/venaficloud.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/venafiissuer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/venafitpp.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/certmanager/v1/x509subject.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1/issuerreference.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1/localobjectreference.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/meta/v1/secretkeyselector.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1/acme_client.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1/challenge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/acme/v1/order.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1/certificate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1/certificaterequest.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1/certmanager_client.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (85)

.ci-operator.yaml (1 hunks)
.idea/.gitignore (1 hunks)
.idea/cert-manager-operator.iml (1 hunks)
.idea/golinter.xml (1 hunks)
.idea/vcs.xml (1 hunks)
Dockerfile (1 hunks)
Makefile (2 hunks)
api/operator/v1alpha1/zz_generated.deepcopy.go (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-crb.yaml (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-deployment.yaml (3 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-sa.yaml (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml (1 hunks)
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-cr.yaml (1 hunks)
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-crb.yaml (1 hunks)
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml (1 hunks)
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-cluster-view-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-orders-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml (3 hunks)
bindata/cert-manager-deployment/controller/cert-manager-edit-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-leaderelection-rb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-leaderelection-role.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-sa.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-svc.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-role.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-view-cr.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml (3 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-rb.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-role.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-mutatingwebhookconfiguration.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-sa.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-svc.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-validatingwebhookconfiguration.yaml (1 hunks)
bundle.Dockerfile (1 hunks)
bundle/manifests/acme.cert-manager.io_challenges.yaml (19 hunks)
bundle/manifests/acme.cert-manager.io_orders.yaml (6 hunks)
bundle/manifests/cert-manager-operator.clusterserviceversion.yaml (4 hunks)
bundle/manifests/cert-manager.io_certificaterequests.yaml (5 hunks)
bundle/manifests/cert-manager.io_certificates.yaml (14 hunks)
bundle/manifests/cert-manager.io_clusterissuers.yaml (25 hunks)
bundle/manifests/cert-manager.io_issuers.yaml (25 hunks)
bundle/manifests/operator.openshift.io_certmanagers.yaml (7 hunks)
bundle/manifests/operator.openshift.io_istiocsrs.yaml (4 hunks)
bundle/metadata/annotations.yaml (1 hunks)
config/crd/bases/certificaterequests.cert-manager.io-crd.yaml (5 hunks)
config/crd/bases/certificates.cert-manager.io-crd.yaml (14 hunks)
config/crd/bases/challenges.acme.cert-manager.io-crd.yaml (19 hunks)
config/crd/bases/clusterissuers.cert-manager.io-crd.yaml (25 hunks)
config/crd/bases/issuers.cert-manager.io-crd.yaml (25 hunks)
config/crd/bases/operator.openshift.io_certmanagers.yaml (7 hunks)
config/crd/bases/operator.openshift.io_istiocsrs.yaml (4 hunks)
config/crd/bases/orders.acme.cert-manager.io-crd.yaml (6 hunks)
config/manager/manager.yaml (1 hunks)
config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml (3 hunks)
go.mod (11 hunks)
images/ci/Dockerfile (1 hunks)
images/ci/operand.Dockerfile (1 hunks)
pkg/controller/deployment/cert_manager_controller_deployment.go (1 hunks)
pkg/controller/deployment/deployment_overrides_test.go (3 hunks)
pkg/controller/istiocsr/deployments_test.go (1 hunks)
pkg/operator/applyconfigurations/internal/internal.go (1 hunks)
pkg/operator/applyconfigurations/operator/v1alpha1/certmanager.go (2 hunks)
pkg/operator/applyconfigurations/operator/v1alpha1/certmanagerconfig.go (2 hunks)
pkg/operator/applyconfigurations/operator/v1alpha1/istiocsr.go (2 hunks)
pkg/operator/applyconfigurations/utils.go (2 hunks)
pkg/operator/assets/bindata.go (51 hunks)
pkg/operator/clientset/versioned/fake/clientset_generated.go (1 hunks)
rebase_automation.sh (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml
bundle.Dockerfile
pkg/operator/clientset/versioned/fake/clientset_generated.go
bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-cr.yaml
bindata/cert-manager-deployment/controller/cert-manager-leaderelection-role.yaml
images/ci/Dockerfile
bindata/cert-manager-deployment/webhook/cert-manager-webhook-validatingwebhookconfiguration.yaml
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-crb.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-crb.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-svc.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-rb.yaml
bindata/cert-manager-deployment/controller/cert-manager-edit-cr.yaml
bindata/cert-manager-deployment/controller/cert-manager-leaderelection-rb.yaml
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml
pkg/operator/applyconfigurations/utils.go
images/ci/operand.Dockerfile
bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml
config/manager/manager.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml
pkg/operator/applyconfigurations/operator/v1alpha1/certmanagerconfig.go
Dockerfile
api/operator/v1alpha1/zz_generated.deepcopy.go
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-sa.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-sa.yaml
go.mod
bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml
bundle/manifests/cert-manager.io_certificates.yaml
bundle/metadata/annotations.yaml
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-cr.yaml
bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml
pkg/controller/istiocsr/deployments_test.go
bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-cr.yaml
Makefile
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-crb.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-cr.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-role.yaml
bindata/cert-manager-deployment/controller/cert-manager-sa.yaml
pkg/operator/applyconfigurations/operator/v1alpha1/istiocsr.go
bindata/cert-manager-deployment/webhook/cert-manager-webhook-mutatingwebhookconfiguration.yaml
bindata/cert-manager-deployment/controller/cert-manager-svc.yaml
bundle/manifests/acme.cert-manager.io_challenges.yaml
config/crd/bases/certificaterequests.cert-manager.io-crd.yaml
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml
pkg/controller/deployment/cert_manager_controller_deployment.go
bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml
pkg/controller/deployment/deployment_overrides_test.go
rebase_automation.sh
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml
bindata/cert-manager-deployment/controller/cert-manager-cluster-view-cr.yaml
bindata/cert-manager-deployment/controller/cert-manager-view-cr.yaml
bundle/manifests/cert-manager.io_certificaterequests.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-crb.yaml
config/crd/bases/issuers.cert-manager.io-crd.yaml
config/crd/bases/operator.openshift.io_istiocsrs.yaml
bundle/manifests/cert-manager.io_issuers.yaml
bundle/manifests/operator.openshift.io_istiocsrs.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-orders-cr.yaml
bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-deployment.yaml
config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
pkg/operator/applyconfigurations/operator/v1alpha1/certmanager.go
config/crd/bases/challenges.acme.cert-manager.io-crd.yaml
config/crd/bases/clusterissuers.cert-manager.io-crd.yaml
bundle/manifests/acme.cert-manager.io_orders.yaml
bundle/manifests/cert-manager.io_clusterissuers.yaml
bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-role.yaml
config/crd/bases/operator.openshift.io_certmanagers.yaml
config/crd/bases/orders.acme.cert-manager.io-crd.yaml
config/crd/bases/certificates.cert-manager.io-crd.yaml
bundle/manifests/operator.openshift.io_certmanagers.yaml
pkg/operator/assets/bindata.go
pkg/operator/applyconfigurations/internal/internal.go

🪛 Shellcheck (0.11.0)

rebase_automation.sh

[warning] 14-14: REPO_ROOT appears unused. Verify use (or export if used externally).

(SC2034)

[warning] 143-143: Declare and assign separately to avoid masking return values.

(SC2155)

[warning] 197-197: Declare and assign separately to avoid masking return values.

(SC2155)

[warning] 198-198: Declare and assign separately to avoid masking return values.

(SC2155)

[warning] 272-272: Declare and assign separately to avoid masking return values.

(SC2155)

[warning] 273-273: Declare and assign separately to avoid masking return values.

(SC2155)

[warning] 280-280: Declare and assign separately to avoid masking return values.

(SC2155)

[warning] 281-281: Declare and assign separately to avoid masking return values.

(SC2155)

[warning] 315-319: Prefer mapfile or read -a to split command output (or quote to avoid splitting).

(SC2207)

[warning] 335-335: Declare and assign separately to avoid masking return values.

(SC2155)

[warning] 407-407: Prefer mapfile or read -a to split command output (or quote to avoid splitting).

(SC2207)

.idea/vcs.xml

coderabbitai · 2025-12-16T05:21:20Z

bundle/manifests/acme.cert-manager.io_challenges.yaml

+                                              compute a sum by iterating through the elements of this field and subtracting
+                                              "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
                                              node(s) with the highest sum are the most preferred.


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's check the file exists and read the specific lines cd bundle/manifests && ls -la acme.cert-manager.io_challenges.yaml 2>/dev/null || cd ../.. && ls -la bundle/manifests/acme.cert-manager.io_challenges.yaml

Repository: openshift/cert-manager-operator

Length of output: 280

🏁 Script executed:

# Read lines around 1435-1437 sed -n '1430,1445p' bundle/manifests/acme.cert-manager.io_challenges.yaml

Repository: openshift/cert-manager-operator

Length of output: 1599

🏁 Script executed:

# Read lines around 2738-2740 sed -n '2733,2750p' bundle/manifests/acme.cert-manager.io_challenges.yaml

Repository: openshift/cert-manager-operator

Length of output: 1751

🌐 Web query:

Kubernetes WeightedPodAffinityTerm documentation weight calculation subtract or add

💡 Result:

The weight is added (summed) to the node's score — Kubernetes iterates preferred rules a node satisfies and adds each rule's weight to the node's score (it is not subtracted). [1][2]

Sources:
[1] Kubernetes docs — Assigning Pods to Nodes (pod/node affinity weight described).
[2] Kubernetes v1.33 docs — node/pod affinity preferred weight explanation.

Fix contradictory PodAntiAffinity documentation: change "subtracting" to "adding"

The current text states the scheduler computes "a sum by iterating through the elements of this field and subtracting weight from the sum," but then concludes "the node(s) with the highest sum are the most preferred." This is contradictory—subtracting weight would make lower sums preferred. Kubernetes documentation explicitly states that weights are added per-node to find the most preferred node(s), not subtracted.

- compute a sum by iterating through the elements of this field and subtracting - "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the

Also applies to: 2738-2740

🤖 Prompt for AI Agents

In bundle/manifests/acme.cert-manager.io_challenges.yaml around lines 1435-1437 (and also apply the same change at lines 2738-2740), update the PodAntiAffinity description to remove the contradiction by replacing the term "subtracting weight from the sum" with "adding weight to the sum"; ensure the sentence reads that the scheduler computes a sum by iterating through the elements of this field and adding the corresponding "weight" when a node has matching pods so that the node(s) with the highest sum are the most preferred.

bundle/manifests/cert-manager.io_clusterissuers.yaml

coderabbitai · 2025-12-16T05:21:20Z

config/crd/bases/issuers.cert-manager.io-crd.yaml

+                                                      compute a sum by iterating through the elements of this field and subtracting
+                                                      "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
                                                      node(s) with the highest sum are the most preferred.


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's read the file to see the exact content at the specified lines wc -l config/crd/bases/issuers.cert-manager.io-crd.yaml

Repository: openshift/cert-manager-operator

Length of output: 129

🏁 Script executed:

# Read lines around 1472-1474 to see the full context sed -n '1465,1480p' config/crd/bases/issuers.cert-manager.io-crd.yaml

Repository: openshift/cert-manager-operator

Length of output: 1864

🏁 Script executed:

# Read lines around 2683-2685 to see the full context sed -n '2676,2691p' config/crd/bases/issuers.cert-manager.io-crd.yaml

Repository: openshift/cert-manager-operator

Length of output: 1864

🌐 Web query:

Kubernetes PodAntiAffinity weight preferredDuringSchedulingIgnoredDuringExecution documentation

💡 Result:

What it is: the weight field on a preferredDuringSchedulingIgnoredDuringExecution podAntiAffinity rule gives that rule a numeric importance (soft preference) used by the scheduler when scoring nodes. [1]

Semantics: for each node that satisfies the pod’s other scheduling requirements, the scheduler iterates every preferred podAffinity/podAntiAffinity rule that the node satisfies and adds that rule’s weight to the node’s score; nodes with higher total score are preferred. The rule remains "soft" — it can be violated if no node meets the preference. [1][2]

Value/range: integer 1–100. [1]

Key bits to include in YAML:

podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution: a list of {weight, podAffinityTerm}

podAffinityTerm contains labelSelector and topologyKey (topologyKey cannot be empty for pod anti-affinity). Example: weight: 100 with topologyKey: topology.kubernetes.io/zone. [1][2]

Sources: [1] Kubernetes docs — Assigning Pods to Nodes (pod affinity/anti‑affinity and weight). [2] Kubernetes v1.32 docs / examples.

🏁 Script executed:

# Look for upstream cert-manager types or schema find . -name "*.go" -type f | head -20

Repository: openshift/cert-manager-operator

Length of output: 939

🌐 Web query:

cert-manager upstream issuer CRD PodAntiAffinity weight types

💡 Result:

In cert-manager’s upstream Issuer/ClusterIssuer PodAntiAffinity CRD the "weight" field is an integer (int32) in the range 1–100 used on Preferred (preferredDuringSchedulingIgnoredDuringExecution) rules; Required rules (requiredDuringSchedulingIgnoredDuringExecution) do not use a weight. [1][2]

Sources:
[1] cert-manager CRD schema showing podAntiAffinity weight as integer 1–100.
[2] cert-manager/clusterissuer CRD docs listing preferred vs required affinity and weight semantics.

🏁 Script executed:

# Check if there's any indication this file is generated head -20 config/crd/bases/issuers.cert-manager.io-crd.yaml

Repository: openshift/cert-manager-operator

Length of output: 626

🏁 Script executed:

# Let's check the git history or any comments about how this file is maintained head -100 config/crd/bases/issuers.cert-manager.io-crd.yaml | tail -80

Repository: openshift/cert-manager-operator

Length of output: 4260

🏁 Script executed:

# Search for any scripts or docs that manage this CRD file find . -name "*.md" -o -name "*.sh" | xargs grep -l "issuers.cert-manager.io-crd" 2>/dev/null | head -5

Repository: openshift/cert-manager-operator

Length of output: 57

🌐 Web query:

cert-manager 1.19.2 upstream Issuer CRD PodAntiAffinity description subtracting adding

💡 Result:

Short answer: the upstream cert-manager v1.19.x CRDs include an Issuer/ClusterIssuer schema field podAntiAffinity (with the standard Kubernetes podAntiAffinity description and properties). This was present in the generated CRD templates used by the chart/CRD YAML (see the podAntiAffinity description and preferredDuringSchedulingIgnoredDuringExecution text). See the cert-manager releases/docs and the CRD template showing the podAntiAffinity description. [1][2]

Sources:

cert-manager v1.19 release notes. [1]

cert-manager CRD template showing podAntiAffinity description/properties (charts/templates/crds.yaml). [2]

🏁 Script executed:

# Let's look at the exact context around both locations to understand the internal contradiction sed -n '1468,1485p' config/crd/bases/issuers.cert-manager.io-crd.yaml | cat -n

Repository: openshift/cert-manager-operator

Length of output: 2146

🏁 Script executed:

# Check the second location as well sed -n '2679,2696p' config/crd/bases/issuers.cert-manager.io-crd.yaml | cat -n

Repository: openshift/cert-manager-operator

Length of output: 2146

🌐 Web query:

cert-manager v1.19.2 upstream source code issuer_types podAntiAffinity weight

💡 Result:

In cert-manager v1.19.2 the Issuer/ClusterIssuer pod template affinity fields reuse Kubernetes' core/v1 PodAffinity/PodAntiAffinity types; the "weight" is the Kubernetes WeightedPodAffinityTerm.weight (an int32 in range 1–100). [1][2]

Sources:

cert-manager API types (pkg/apis/certmanager/v1) — cert-manager uses k8s PodTemplateSpec/Affinity types. [1]

Kubernetes core/v1 WeightedPodAffinityTerm: Weight int32 (range 1–100). [2]

🏁 Script executed:

# Let's verify this is indeed generated from upstream by checking for generation markers grep -i "generated\|autogenerated\|do not edit" config/crd/bases/issuers.cert-manager.io-crd.yaml | head -5

Repository: openshift/cert-manager-operator

Length of output: 158

🏁 Script executed:

# Check if there's a script or make target that regenerates this CRD find . -name "Makefile" -o -name "*.mk" | xargs grep -l "crd\|generate" 2>/dev/null | head -3

Repository: openshift/cert-manager-operator

Length of output: 85

🏁 Script executed:

# Check the Makefile for CRD generation targets cat Makefile | grep -A 10 -B 2 "crd\|generate" | head -60

Repository: openshift/cert-manager-operator

Length of output: 3118

🏁 Script executed:

# Look for any documentation about the CRD source find . -name "*.md" | xargs grep -l "CRD\|crd" 2>/dev/null | head -3

Repository: openshift/cert-manager-operator

Length of output: 86

🏁 Script executed:

# Let's check the README for more context about upstream sources head -50 README.md

Repository: openshift/cert-manager-operator

Length of output: 1895

🏁 Script executed:

# Let's verify the exact Kubernetes upstream documentation behavior with a final check # Looking at the structure - the main description contradicts the items description # Let's see both full descriptions in context sed -n '1450,1500p' config/crd/bases/issuers.cert-manager.io-crd.yaml | grep -A 20 "preferredDuringScheduling"

Repository: openshift/cert-manager-operator

Length of output: 2359

PodAntiAffinity weight description uses "subtracting" but should use "adding"

Lines 1472–1474 (and 2683–2685) describe the scheduler as "subtracting 'weight'" when in fact it adds weights to the node score. This contradicts both the Kubernetes upstream documentation and the immediately following description in the same CRD (at the items level) which correctly states "The weights... are added per-node." The scheduler selects the node with the highest sum of added weights, not subtracted ones. Since this file is generated from cert-manager v1.19.2, this error likely originates in the upstream schema and should be fixed there and regenerated rather than hand-edited downstream.

🤖 Prompt for AI Agents

In config/crd/bases/issuers.cert-manager.io-crd.yaml around lines 1472-1474 (and also 2683-2685), the PodAntiAffinity description incorrectly says the scheduler "subtracts" the weight when computing node scores; change the wording to state that the weights are "added" to the per-node sum and that the scheduler selects the node(s) with the highest total, and then regenerate this CRD from the corrected cert-manager v1.19.2 schema upstream (or fix the upstream schema and re-run the CRD generation) so the correction is applied consistently rather than hand-editing the generated file.

rebase_automation.sh

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (2)

config/crd/bases/issuers.cert-manager.io-crd.yaml (1)

1472-1474: PodAntiAffinity weight description still uses “subtracting” instead of “adding”

These descriptions say the scheduler subtracts weight per matched term, but Kubernetes actually adds weights to compute node scores, and the surrounding text already speaks about the “greatest sum of weights.” This is a documentation inconsistency with scheduler behavior and the item-level description just below.

Consider aligning both blocks with the wording used for podAffinity/nodeAffinity (i.e., weights are added to the per-node sum) in the upstream schema or generator, then regenerating this CRD rather than hand-editing the generated YAML.

Also applies to: 2683-2685
bundle/manifests/acme.cert-manager.io_challenges.yaml (1)
1427-1437: Fix podAntiAffinity weight description: “subtracting” should be “adding”

The description currently says the scheduler computes a sum by subtracting weight, yet concludes that nodes with the highest sum are preferred. In reality, weights are added per matching term; the current text is self‑contradictory.
-          compute a sum by iterating through the elements of this field and subtracting
-          "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+          compute a sum by iterating through the elements of this field and adding
+          "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
Apply the same change in both occurrences (Line 1435-1437 and Line 2738-2740).

Also applies to: 2730-2740

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 7036f01 and 13f4052.

⛔ Files ignored due to path filters (1)

go.sum is excluded by !**/*.sum

📒 Files selected for processing (80)

.ci-operator.yaml (1 hunks)
Dockerfile (1 hunks)
Makefile (2 hunks)
api/operator/v1alpha1/zz_generated.deepcopy.go (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-crb.yaml (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-deployment.yaml (3 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-sa.yaml (1 hunks)
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml (1 hunks)
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-cr.yaml (1 hunks)
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-crb.yaml (1 hunks)
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml (1 hunks)
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-cluster-view-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-orders-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml (3 hunks)
bindata/cert-manager-deployment/controller/cert-manager-edit-cr.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-leaderelection-rb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-leaderelection-role.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-sa.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-svc.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-role.yaml (1 hunks)
bindata/cert-manager-deployment/controller/cert-manager-view-cr.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml (3 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-rb.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-role.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-mutatingwebhookconfiguration.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-sa.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-svc.yaml (1 hunks)
bindata/cert-manager-deployment/webhook/cert-manager-webhook-validatingwebhookconfiguration.yaml (1 hunks)
bundle.Dockerfile (1 hunks)
bundle/manifests/acme.cert-manager.io_challenges.yaml (19 hunks)
bundle/manifests/acme.cert-manager.io_orders.yaml (6 hunks)
bundle/manifests/cert-manager-operator.clusterserviceversion.yaml (5 hunks)
bundle/manifests/cert-manager.io_certificaterequests.yaml (5 hunks)
bundle/manifests/cert-manager.io_certificates.yaml (14 hunks)
bundle/manifests/cert-manager.io_clusterissuers.yaml (25 hunks)
bundle/manifests/cert-manager.io_issuers.yaml (25 hunks)
bundle/manifests/operator.openshift.io_certmanagers.yaml (7 hunks)
bundle/manifests/operator.openshift.io_istiocsrs.yaml (4 hunks)
bundle/metadata/annotations.yaml (1 hunks)
config/crd/bases/certificaterequests.cert-manager.io-crd.yaml (5 hunks)
config/crd/bases/certificates.cert-manager.io-crd.yaml (14 hunks)
config/crd/bases/challenges.acme.cert-manager.io-crd.yaml (19 hunks)
config/crd/bases/clusterissuers.cert-manager.io-crd.yaml (25 hunks)
config/crd/bases/issuers.cert-manager.io-crd.yaml (25 hunks)
config/crd/bases/operator.openshift.io_certmanagers.yaml (7 hunks)
config/crd/bases/operator.openshift.io_istiocsrs.yaml (4 hunks)
config/crd/bases/orders.acme.cert-manager.io-crd.yaml (6 hunks)
config/manager/manager.yaml (1 hunks)
config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml (4 hunks)
go.mod (11 hunks)
images/ci/Dockerfile (1 hunks)
images/ci/operand.Dockerfile (1 hunks)
pkg/controller/deployment/cert_manager_controller_deployment.go (1 hunks)
pkg/controller/deployment/deployment_overrides_test.go (3 hunks)
pkg/controller/istiocsr/deployments_test.go (1 hunks)
pkg/operator/applyconfigurations/internal/internal.go (1 hunks)
pkg/operator/applyconfigurations/operator/v1alpha1/certmanager.go (2 hunks)
pkg/operator/applyconfigurations/operator/v1alpha1/certmanagerconfig.go (2 hunks)
pkg/operator/applyconfigurations/operator/v1alpha1/istiocsr.go (2 hunks)
pkg/operator/applyconfigurations/utils.go (2 hunks)
pkg/operator/assets/bindata.go (51 hunks)
pkg/operator/clientset/versioned/fake/clientset_generated.go (1 hunks)

✅ Files skipped from review due to trivial changes (1)

bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-crb.yaml

🚧 Files skipped from review as they are similar to previous changes (39)

bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-cr.yaml
config/manager/manager.yaml
.ci-operator.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-validatingwebhookconfiguration.yaml
bindata/cert-manager-deployment/controller/cert-manager-view-cr.yaml
bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml
bundle.Dockerfile
bindata/cert-manager-deployment/webhook/cert-manager-webhook-mutatingwebhookconfiguration.yaml
pkg/controller/deployment/cert_manager_controller_deployment.go
bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-cr.yaml
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-crb.yaml
pkg/controller/istiocsr/deployments_test.go
bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-role.yaml
api/operator/v1alpha1/zz_generated.deepcopy.go
bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-crb.yaml
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-sa.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-role.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-rb.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-cr.yaml
pkg/operator/applyconfigurations/operator/v1alpha1/istiocsr.go
pkg/operator/applyconfigurations/utils.go
bindata/cert-manager-deployment/controller/cert-manager-controller-orders-cr.yaml
images/ci/Dockerfile
config/crd/bases/operator.openshift.io_istiocsrs.yaml
bindata/cert-manager-deployment/controller/cert-manager-leaderelection-rb.yaml
config/crd/bases/certificaterequests.cert-manager.io-crd.yaml
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-cr.yaml
bindata/cert-manager-deployment/controller/cert-manager-leaderelection-role.yaml
pkg/operator/applyconfigurations/internal/internal.go
bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-crb.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-sa.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-svc.yaml
bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
bindata/cert-manager-deployment/controller/cert-manager-edit-cr.yaml
pkg/operator/clientset/versioned/fake/clientset_generated.go
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-deployment.yaml
Dockerfile
config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
bindata/cert-manager-deployment/controller/cert-manager-cluster-view-cr.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml
bundle/metadata/annotations.yaml
bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml
bundle/manifests/operator.openshift.io_certmanagers.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml
bundle/manifests/cert-manager.io_issuers.yaml
pkg/operator/applyconfigurations/operator/v1alpha1/certmanagerconfig.go
config/crd/bases/certificates.cert-manager.io-crd.yaml
bundle/manifests/acme.cert-manager.io_challenges.yaml
Makefile
bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml
images/ci/operand.Dockerfile
bindata/cert-manager-deployment/controller/cert-manager-svc.yaml
bundle/manifests/cert-manager.io_clusterissuers.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml
config/crd/bases/clusterissuers.cert-manager.io-crd.yaml
pkg/controller/deployment/deployment_overrides_test.go
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml
bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml
config/crd/bases/operator.openshift.io_certmanagers.yaml
go.mod
config/crd/bases/orders.acme.cert-manager.io-crd.yaml
pkg/operator/assets/bindata.go
config/crd/bases/issuers.cert-manager.io-crd.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml
bundle/manifests/cert-manager.io_certificates.yaml
bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml
bindata/cert-manager-deployment/controller/cert-manager-sa.yaml
pkg/operator/applyconfigurations/operator/v1alpha1/certmanager.go
bundle/manifests/operator.openshift.io_istiocsrs.yaml
bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml
bundle/manifests/cert-manager.io_certificaterequests.yaml
config/crd/bases/challenges.acme.cert-manager.io-crd.yaml
bundle/manifests/acme.cert-manager.io_orders.yaml

🔇 Additional comments (73)

bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml (1)

9-9: Version label correctly updated.

The version label update to v1.19.2 aligns with the PR objective to upgrade cert-manager.

bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml (1)

9-9: LGTM!

The version label update to v1.19.2 is correct and consistent with the cert-manager upgrade objective.

pkg/controller/deployment/deployment_overrides_test.go (1)

35-35: LGTM! Version bump correctly applied.

The test expectations have been consistently updated to reflect the cert-manager v1.19.2 upgrade. All occurrences of the acme-http01-solver-image version string are correctly updated across default args and test expectations.

Also applies to: 123-123, 175-175

bundle/manifests/operator.openshift.io_certmanagers.yaml (3)

5-5: LGTM!

Controller-gen version bump to v0.19.0 aligns with the upstream cert-manager v1.19.2 update.

63-159: LGTM!

The fileKeyRef addition and env var name description update align with upstream Kubernetes API changes. The schema is properly structured with required fields (key, path, volumeName), sensible defaults (optional: false), and clear documentation noting the alpha EnvFiles feature gate dependency.

344-440: LGTM!

The fileKeyRef and env var name description changes are consistently applied across controllerConfig and webhookConfig, matching the cainjectorConfig section. Good schema consistency.

Also applies to: 939-1035

pkg/operator/applyconfigurations/operator/v1alpha1/certmanager.go (1)

67-67: LGTM! Generated methods follow established patterns.

The added marker method IsApplyConfiguration() and getter methods (GetKind, GetAPIVersion, GetNamespace) are correctly implemented:

IsApplyConfiguration() serves as an interface marker (standard pattern)

GetKind() and GetAPIVersion() safely access the value-embedded TypeMetaApplyConfiguration

GetNamespace() properly calls ensureObjectMetaApplyConfigurationExists() before accessing the pointer field, consistent with the existing GetName() implementation

These are generated additions from the upstream cert-manager v1.19.2 bump with no concerns.

Also applies to: 243-263

pkg/operator/applyconfigurations/operator/v1alpha1/certmanagerconfig.go (1)

12-12: No action needed — WithIssuerRef is not called anywhere in the codebase.

The file is correctly generated code. The IssuerRef field type (v1.IssuerReference) and the WithIssuerRef method are defined properly in the apply configuration, but the method has no actual callers. No call sites require updates because this method is not used.

Likely an incorrect or invalid review comment.

config/crd/bases/operator.openshift.io_certmanagers.yaml (3)

6-6: LGTM: Controller-gen version bump.

The controller-gen version update from v0.15.0 to v0.19.0 aligns with the upstream cert-manager v1.19.2 upgrade.

708-712: Unable to verify AI summary claims due to lack of git history in the repository. The current protocol field definition (lines 708-712) contains a description stating "If not specified, this field defaults to TCP" but no explicit default: TCP property is present. Without access to previous commits, the claim that a default value was removed cannot be confirmed. If this change is significant for users upgrading NetworkPolicy resources, it should be documented in release notes regardless of whether an explicit schema default was removed.

63-66: No action required - this uses standard Kubernetes EnvVar validation.

The overrideEnv field uses Kubernetes' standard corev1.EnvVar type, and the CRD description is auto-generated from that standard type. The description "May consist of any printable ASCII characters except '='" reflects the standard Kubernetes behavior for environment variable names, not a custom relaxation. The codebase does not implement custom validation; it relies entirely on the upstream Kubernetes API types in v0.34.1. No compatibility concerns exist.

bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2, consistent with the PR's upstream bump objective.

bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2, aligning with the cert-manager upgrade.

bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2 for the cainjector leaderelection Role.

bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2 for the cainjector ClusterRole.

bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2 for the controller challenges ClusterRole.

bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2 for the controller orders ClusterRoleBinding.

bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2 for the cainjector Service, completing the consistent version bump across all reviewed manifests.

images/ci/operand.Dockerfile (1)

1-3: Base image upgrade is properly applied across configuration files.

The base builder image has been updated to golang-1.25-openshift-4.21 and is consistently referenced in operand.Dockerfile, images/ci/Dockerfile, and the Makefile. The release branch is correctly set to v1.19.2. However, image availability cannot be verified in this environment and requires manual confirmation that the base image exists in the registry.

bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml (1)

9-9: LGTM! Version label correctly updated.

The version label update from v1.18.3 to v1.19.2 aligns with the upstream cert-manager upgrade objective.

bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml (1)

9-9: LGTM! Version label correctly updated.

The version label update to v1.19.2 is consistent with the cert-manager upgrade.

bindata/cert-manager-deployment/controller/cert-manager-sa.yaml (1)

10-10: LGTM! Version label correctly updated.

The ServiceAccount version label update aligns with the v1.19.2 upgrade.

bindata/cert-manager-deployment/controller/cert-manager-svc.yaml (1)

9-9: LGTM! Version label correctly updated.

The Service version label update is consistent with the cert-manager v1.19.2 upgrade.

bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml (1)

9-9: LGTM! Version label correctly updated.

The ClusterRole version label update aligns with the v1.19.2 upgrade.

bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml (1)

9-9: LGTM! Version labels and image tag correctly updated.

The webhook deployment version labels and container image tag are consistently updated to v1.19.2, aligning with the cert-manager upgrade.

Also applies to: 30-30, 46-46

bundle/metadata/annotations.yaml (1)

7-7: LGTM! Bundle channel correctly updated.

The channel update from stable-v1.18 to stable-v1.19 correctly reflects the version series upgrade to v1.19.x.

bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml (1)

9-9: LGTM! Version label correctly updated.

The ClusterRoleBinding version label update to v1.19.2 is consistent with the cert-manager upgrade.

bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml (1)

9-9: LGTM!

Version label correctly updated to v1.19.2, consistent with the upstream cert-manager version bump.

bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml (1)

9-9: LGTM!

All version labels and image tags are consistently updated to v1.19.2:

Metadata and pod template labels (lines 9, 30)

ACME HTTP01 solver image argument (line 37)

Controller container image (line 47)

Also applies to: 30-30, 37-37, 47-47

bundle/manifests/cert-manager.io_certificates.yaml (3)

10-13: LGTM!

Added crds component label and version bump to v1.19.2 aligns with the upstream cert-manager release.

104-104: LGTM!

The x-kubernetes-list-type: atomic annotations are correctly applied to list fields. This ensures proper Server-Side Apply (SSA) semantics where these lists are replaced entirely rather than merged, which is appropriate for certificate configuration arrays like additionalOutputFormats, dnsNames, emailAddresses, and ipAddresses.

Also applies to: 120-120, 136-136, 149-149

170-181: LGTM!

The issuerRef field descriptions now explicitly document the default values for group (cert-manager.io) and kind (Issuer). This improves API discoverability without changing behavior.

Makefile (3)

6-7: LGTM!

Version variables correctly updated:

BUNDLE_VERSION to 1.19.0 (operator bundle version)

CERT_MANAGER_VERSION to v1.19.2 (upstream cert-manager operand version)

The distinction between bundle version (1.19.0) and operand version (v1.19.2) is appropriate for operator lifecycle management.

15-15: LGTM!

Channel configuration properly updated for v1.19 release:

CHANNELS updated to include stable-v1.19

DEFAULT_CHANNEL set to stable-v1 for OLM default channel handling

BUNDLE_METADATA_OPTS correctly includes both channel flags

Also applies to: 25-29

89-89: LGTM!

Container image updated to rhel-9-golang-1.25-openshift-4.21, aligning with the Go 1.25 toolchain requirement for cert-manager v1.19.2 and targeting OpenShift 4.21.

config/crd/bases/orders.acme.cert-manager.io-crd.yaml (3)

12-12: LGTM!

Version label correctly updated to v1.19.2, consistent with other CRD manifests.

80-80: LGTM!

x-kubernetes-list-type: atomic correctly applied to ACME Order arrays (dnsNames, ipAddresses, challenges, authorizations). These fields should be replaced atomically during updates rather than merged.

Also applies to: 94-94, 184-184, 222-222

104-115: LGTM!

The issuerRef field descriptions are updated consistently with other CRDs, documenting default values for group and kind fields.

bundle/manifests/cert-manager.io_issuers.yaml (5)

13-13: Version label and printer columns look consistent with the v1.19.2 bump

app.kubernetes.io/version and the Ready/Status jsonPath expressions are updated in a purely cosmetic, upstream-aligned way; no behavioral change or risk here.

Also applies to: 29-32

543-550: RFC2136 protocol enum is backward compatible and well-scoped

Adding the optional protocol field with enum {TCP, UDP} under the RFC2136 DNS01 solver is schema-correct and keeps existing manifests valid since the field isn’t required; the default behavior can continue to be implied by the controller.

644-644: New x-kubernetes-* list/map markers align with structural schema best practices

Marking these arrays (audiences, parentRefs, imagePullSecrets, supplementalGroups, sysctls, tolerations, dnsNames/dnsZones, CA/selfSigned/Vault lists) as atomic or map with x-kubernetes-list-map-keys matches Kubernetes structural schema guidance and should improve merge behavior without changing semantics.

Also applies to: 923-924, 1949-1951, 2117-2117, 2140-2140, 2185-2185, 3276-3278, 3444-3444, 3467-3467, 3512-3512, 3542-3542, 3557-3557, 3568-3568, 3587-3587, 3596-3596, 3607-3607, 3629-3629, 3758-3758

1566-1568: Pod anti-affinity weight wording change is documentation-only

The updated description about “subtracting weight” for preferred anti-affinity terms is confined to comments, keeps the schema unchanged, and is consistent across both podAntiAffinity blocks; nothing to adjust from an operator perspective.

Also applies to: 2893-2895

1963-1996: ACME HTTP01 solver resources overrides are modeled correctly

The new resources objects for HTTP01 solver pod templates use the standard resource.Quantity pattern and x-kubernetes-int-or-string semantics for limits/requests, are optional, and don’t introduce new required fields—this is a safe, backwards-compatible enhancement.

Also applies to: 3290-3323

bundle/manifests/cert-manager.io_certificaterequests.yaml (4)

10-13: LGTM! Version bump and metadata update are correct.

The version update to v1.19.2 and the addition of the app.kubernetes.io/component: crds label align with upstream cert-manager v1.19.2 and follow standard Kubernetes labeling conventions.

30-45: LGTM! JSONPath formatting improvements are consistent.

The spacing around the equality operator in JSONPath expressions improves readability and follows standard formatting conventions. These changes are valid and consistent across all printer columns.

136-147: LGTM! Improved issuerRef field documentation.

The updated descriptions for issuerRef fields clarify the default values (group defaults to 'cert-manager.io', kind defaults to 'Issuer'), which improves API documentation and user understanding.

236-236: LGTM! Appropriate list type annotation.

The x-kubernetes-list-type: atomic annotation is correct for the usages field, which contains key usage enums. This ensures proper merge behavior where the entire list is treated as a single atomic unit.

bundle/manifests/acme.cert-manager.io_orders.yaml (4)

13-13: LGTM! Version bump is consistent.

The version update to v1.19.2 matches the PR objective and is consistent with other CRD manifests in this upgrade.

84-98: LGTM! Appropriate list type annotations for spec fields.

The x-kubernetes-list-type: atomic annotations for dnsNames and ipAddresses are correct. These fields should be treated as atomic units during updates, which is appropriate for DNS name and IP address lists.

108-119: LGTM! Consistent issuerRef documentation improvements.

The issuerRef field descriptions match the improvements in the certificaterequests CRD, providing clear default values and improving API documentation consistency across all cert-manager CRDs.

188-228: LGTM! Appropriate list type annotations for status fields.

The x-kubernetes-list-type: atomic annotations for authorizations and nested challenges arrays are correct. These status fields contain ACME server responses and should be treated atomically, which aligns with their usage pattern where the controller replaces the entire list during reconciliation.

config/crd/bases/issuers.cert-manager.io-crd.yaml (3)

12-12: Version label and printer column JSONPath updates are fine

Label bump to v1.19.2 and JSONPath spacing changes are metadata-only and keep behavior unchanged; no issues.

Also applies to: 28-31

526-531: RFC2136 protocol field addition looks correct

Optional protocol enum (TCP/UDP) under rfc2136.nameserver is well-scoped, non-breaking (not required), and matches the described behavior; schema is consistent.

623-623: CRD list semantics and solver pod resource overrides align with Kubernetes schema best practices

The added x-kubernetes-list-type/x-kubernetes-list-map-keys markers for lists (audiences, parentRefs, imagePullSecrets, tolerations, string arrays, etc.) plus the new resources overrides for HTTP01 solver pods and related issuer fields improve structural schema fidelity and patch/apply behavior, and appear consistent and non-breaking across the CRD.

Also applies to: 900-900, 1822-1869, 1985-1985, 2005-2005, 2049-2049, 3033-3035, 3047-3080, 3196-3196, 3216-3216, 3260-3260, 3290-3290, 3305-3305, 3316-3316, 3335-3335, 3344-3344, 3355-3355, 3377-3377, 3505-3505

bundle/manifests/acme.cert-manager.io_challenges.yaml (1)

10-13: CRD schema, list markers, and resource fields look consistent with upstream and safe

The added labels, issuerRef description tweaks, new RFC2136 protocol field, list/map metadata (x-kubernetes-*), and HTTP01 solver pod template resources blocks are structurally sound and improve clarity and merge semantics without changing controller behavior. No issues from an operator/CRD perspective.

Also applies to: 81-105, 415-468, 647-2049, 2137-3357, 3367-3395

go.mod (1)

3-352: Toolchain and dependency bumps look coherent; rely on CI/e2e to catch regressions

The Go version bump and broad upgrade of cert-manager, Kubernetes, controller-runtime/tools, AWS SDK, OTel, and related libraries, plus the cert-manager → jetstack-cert-manager v1.19.2 replace, form a consistent stack and align with the stated upgrade to cert-manager v1.19.2. I don't see any obviously mismatched module versions or suspect replaces here; the graph looks internally consistent for a rebase of this scope.

Given the size of the change surface, please rely on CI and targeted e2e runs (especially AWS, Gateway API, and CRD-heavy paths) to validate runtime compatibility and uncover any subtle behavior changes introduced by upstream dependencies.

Also applies to: 354-355

bundle/manifests/cert-manager.io_clusterissuers.yaml (7)

8-13: Metadata labels and version bump look consistent

app.kubernetes.io/component: crds and app.kubernetes.io/version: v1.19.2 align with this being the CRD bundle for the v1.19.2 cert-manager operand; no concerns here. Just keep this version label consistent with other cert-manager CRDs/bundle manifests in the repo.

28-35: Ready/Status printer columns JSONPath remains correct

The additionalPrinterColumns JSONPath expressions for Ready and Status still correctly select the Ready condition’s status and message. The minor formatting change is harmless and keeps kubectl output stable.

537-551: RFC2136 DNS01 protocol field is well-scoped

The new spec.acme.solvers[].dns01.rfc2136.protocol field is constrained to TCP/UDP and clearly documents UDP as the default when unset. This matches the expected RFC2136 usage pattern and doesn’t introduce schema or validation risks.

645-647: x-kubernetes list metadata additions improve SSA/merge semantics

The added x-kubernetes-list-type: atomic (here for serviceAccountRef.audiences) and similar x-kubernetes-list-type / x-kubernetes-list-map-keys annotations throughout the schema bring these CRD fields in line with core Kubernetes API conventions, improving server-side apply and patch behavior without changing stored data.

1932-1952: HTTP01 solver podTemplate: imagePullSecrets + resources extensions look correct

Switching imagePullSecrets to a map list keyed by name (with x-kubernetes-list-map-keys/x-kubernetes-list-type: map) matches core PodSpec behavior and gives better patch semantics.

The new podTemplate.spec.resources block for HTTP01 solver pods uses the standard resource.Quantity schema (x-kubernetes-int-or-string with the usual quantity regex) and cleanly documents interaction with global controller flags.

These changes are consistent with upstream cert-manager and should be safe for existing manifests.

Also applies to: 1964-1997, 3259-3279, 3291-3324

2106-2142: PodSecurityContext list fields marked atomic are aligned with core API

Marking supplementalGroups and sysctls as x-kubernetes-list-type: atomic for the solver pod securityContext matches how these lists behave in core PodSecurityContext, preventing surprising merge behavior. No issues from a validation or security perspective.

Also applies to: 3433-3468

3531-3570: Selector and issuer list fields now explicitly atomic—matches intent

The additions of x-kubernetes-list-type: atomic for:

selector.dnsNames and selector.dnsZones,

the top-level acme.solvers list,

CA/self-signed crlDistributionPoints / issuingCertificateURLs / ocspServers,

Vault serviceAccountRef.audiences,

all reflect these as flat lists of scalar values where full replacement on patch is expected. That aligns with how these fields are typically used and shouldn’t affect existing consumers.

Also applies to: 3580-3631, 3752-3760

config/crd/bases/certificates.cert-manager.io-crd.yaml (1)

9-12: CRD label, printer column, and list-type updates align with upstream cert-manager schema

The label/version bump, jsonPath spacing tweak, issuerRef description clarification, and the added x-kubernetes-list-type: atomic annotations on the various arrays all look consistent with the v1.19.2 cert-manager CRDs and should not change behavior beyond improving structural schema semantics for SSA and validation.

Please just confirm this CRD was regenerated from upstream (e.g., via the usual controller-gen/make flow) rather than hand-edited, so it stays in lockstep with the source API.

Also applies to: 29-40, 100-133, 141-146, 156-180, 331-387, 389-411, 571-595, 610-623, 624-688

pkg/operator/assets/bindata.go (1)

34-35: Generated bindata changes and new cert-manager-tokenrequest RB asset are internally consistent

All the app.kubernetes.io/version: v1.19.2 label bumps and the controller/cainjector/webhook image updates to quay.io/jetstack/*:v1.19.2 are coherent across assets.

The new cert-manager-tokenrequest-rb.yaml RoleBinding asset, its byte var, helper functions, _bindata map entry, and _bintree node all use the same path (cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml) and correctly bind the cert-manager-tokenrequest Role to the cert-manager ServiceAccount in the cert-manager namespace.

I don’t see any leftover references to the old tokenrequest RB asset name in this file.

Since this file is generated by go-bindata, please confirm it was fully regenerated from the updated YAML sources (rather than edited by hand) so future updates don’t accidentally overwrite these changes.

Also applies to: 119-128, 203-212, 238-268, 280-281, 467-476, 504-513, 539-548, 656-665, 693-702, 778-787, 813-822, 969-978, 1031-1040, 1066-1075, 1151-1160, 1186-1195, 1283-1292, 1365-1374, 1400-1430, 1446-1447, 1497-1506, 1556-1565, 1592-1601, 1637-1647, 1666-1675, 1705-1739, 1741-1750, 1938-1947, 1974-1983, 2020-2031, 2071-2081, 2100-2109, 2134-2143, 2169-2178, 2212-2223, 3158-3159, 3235-3275

bundle/manifests/operator.openshift.io_istiocsrs.yaml (1)

5-5: IstioCSR CRD description/controller-gen updates are doc-only and safe

The controller-gen version annotation bump, the refined pod (anti)affinity weighting text, the DynamicResourceAllocation note on resources.claims, and the clarified certManager.issuerRef group/kind/name descriptions are all documentation/metadata-only; schema, validation rules, and defaults remain unchanged, so existing IstioCSR resources won’t be affected.

Please confirm this CRD was regenerated with the updated controller-gen / API definitions rather than edited manually, to keep it aligned with upstream.

Also applies to: 294-305, 652-662, 1015-1027, 1237-1243

config/crd/bases/challenges.acme.cert-manager.io-crd.yaml (6)

9-12: Metadata labels/version bump LGTM

app.kubernetes.io/component: crds and app.kubernetes.io/version: v1.19.2 are consistent with the operand upgrade and CRD role; nothing else needed here.

84-96: issuerRef description updates match Issuer defaults

Clarified descriptions for issuerRef.group, issuerRef.kind, and issuerRef.name accurately describe the issuer context and documented defaults, without changing the schema itself.

414-419: New RFC2136 protocol field is a safe extension

Adding optional protocol with enum TCP / UDP (default via controller behavior) keeps nameserver as the only required property, so existing RFC2136 configurations remain valid while allowing more explicit transport selection.

1710-1712: PodTemplate imagePullSecrets + resources schema look correct

Using x-kubernetes-list-type: map with x-kubernetes-list-map-keys: [name] for imagePullSecrets and introducing a resources object shaped like core ResourceRequirements are both consistent with Kubernetes API patterns and provide predictable merge behavior for solver pods.

Also applies to: 1724-1757, 2921-2923, 2935-2968

511-511: x-kubernetes-list-type annotations are appropriate

Marking these arrays (audiences, parentRefs, supplementalGroups, sysctls, tolerations, and selector DNS lists) as atomic or map-based provides explicit structural metadata and aligns with expected server-side apply/patch semantics without altering existing valid objects.

Also applies to: 789-789, 1873-1873, 1893-1893, 1937-1937, 3084-3084, 3104-3104, 3148-3148, 3178-3178, 3193-3193

1360-1362: PodAntiAffinity weight description change is documentation-only

The updated explanation about subtracting weight in preferred anti-affinity terms corrects the textual behavior description while leaving the schema unchanged, so there’s no impact on validation or stored CRs.

Also applies to: 2571-2573

config/crd/bases/clusterissuers.cert-manager.io-crd.yaml (1)

9-12: CRD schema bump (labels, RFC2136 protocol, solver resources, list/map markers) looks consistent with upstream

Label and app.kubernetes.io/version changes align with the v1.19.2 bump.

New spec.acme.dns01.rfc2136.nameserver.protocol string enum (TCP/UDP) is additive and keeps existing CRs valid; description matches expected behavior.

Added podTemplate.spec.resources blocks for HTTP01 solvers (gateway and ingress) use the standard resource quantity schema and are also additive.

The various new x-kubernetes-list-type / x-kubernetes-list-map-keys annotations on lists (imagePullSecrets, audiences, dnsNames/dnsZones, CRL/OCSP lists, etc.) follow Kubernetes structural schema and SSA best practices and should only improve patch/merge semantics rather than change meaning.

From what’s shown here, I don’t see any breaking or security-impacting changes; keeping this file generated and in lockstep with the upstream cert-manager v1.19.2 types is the right approach. Please just ensure all other CRD copies/bundles (e.g., under bundle/manifests) were regenerated from the same upstream revision and that CI/CRD validation passes with these enums and annotations.

Also applies to: 28-31, 528-532, 1823-1825, 1838-1870, 3035-3037, 3049-3081, 3291-3292, 3306-3307, 3334-3337, 3338-3345, 3347-3356, 3376-3378, 3504-3507

config/crd/bases/operator.openshift.io_certmanagers.yaml

bharath-b-rh

/lgtm

bharath-b-rh · 2025-12-17T07:36:57Z

bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml

-    app.kubernetes.io/version: v1.18.3
-  name: cert-manager-cert-manager-tokenrequest
+    app.kubernetes.io/version: v1.19.2
+  name: cert-manager-tokenrequest


Not directly related to the changes. But how do we manage the renamed resource in upgraded clusters.

@PillaiManish Could you please create a follow-up PR to cleanup the resource with legacy name. Thank you!

@bharath-b-rh I assume we even don't need to handle the legacy resource cleanup. I tested it when making this change through upstream charts: cert-manager/cert-manager#7761, see "Verification".

But it's good to double-check. @PillaiManish could you please examine it (install 1.18.0 -> upgrade to 1.19.0) to see if cert-manager-cert-manager-tokenrequest could be pruned automatically?

bundle/manifests/cert-manager-operator.clusterserviceversion.yaml

coderabbitai

Actionable comments posted: 2

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 13f4052 and 179c4a6.

📒 Files selected for processing (2)

bundle/manifests/cert-manager-operator.clusterserviceversion.yaml (5 hunks)
config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml (4 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
bundle/manifests/cert-manager-operator.clusterserviceversion.yaml

🔇 Additional comments (8)

bundle/manifests/cert-manager-operator.clusterserviceversion.yaml (6)

253-253: LGTM!

The skipRange is correctly set to allow upgrades from 1.18.x versions to this 1.19.0 release.

274-274: LGTM!

Metadata name correctly updated to reflect version 1.19.0.

701-715: LGTM!

All environment variables are consistently updated:

cert-manager components to v1.19.2

Operator version to 1.19.0

IstioCSR appropriately remains at v0.14.2

813-813: LGTM!

The minKubeVersion has been appropriately updated to 1.31.0 as per previous review feedback.

817-826: LGTM!

Related images are consistently updated to v1.19.2 for all cert-manager components and correctly aligned with the environment variables defined earlier in the manifest.

827-828: LGTM!

The version field (1.19.0) and replaces field (cert-manager-operator.v1.18.0) correctly define the upgrade path from the previous release.

config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml (2)

21-21: LGTM!

The OLM version metadata updates are internally consistent and follow the correct upgrade pattern from v1.18.0 to v1.19.0.

Also applies to: 41-41, 152-153

149-149: The minKubeVersion change from 1.27.0 to 1.31.0 is correct. cert-manager v1.19.2 requires Kubernetes v1.31 or newer (supported range: v1.31 → v1.34), and this aligns with OpenShift 4.21 (Kubernetes 1.34) and 4.22 (Kubernetes 1.35) as mentioned in the PR comments.

bundle/manifests/cert-manager-operator.clusterserviceversion.yaml

config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml

lunarwhite

It would be great if we could add one more line to each commit message explaining the context for the change, just for future reference. Especially for

abb105b (The reason you've already explained in the PR description, it's good to include same as part of the commit)
b2a5388 (It would be clearer to mention exactly which packages are being bumped and which latest is being referred to, but I think it should be a specific tag not the drifting latest?)
179c4a6 (The context would be lost in a review comment)

lunarwhite · 2025-12-23T06:23:22Z

config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml

      version: v1alpha1
  description: |
-    The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.18.3](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
+    The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.


Suggested change

The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.

The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.19.2), which automates certificate management.

Updated, thanks.

coderabbitai

Actionable comments posted: 1

Fix all issues with AI Agents 🤖

In @go.mod:
- Line 3: Update the Go version in go.mod from "go 1.25.0" to "go 1.25.5" to
apply the security and bugfix patch; open go.mod, locate the existing "go
1.25.0" stanza and change it to "go 1.25.5", then run `go mod tidy` and re-run
CI/build to ensure the toolchain and module graph pick up the patch.

♻️ Duplicate comments (1)

config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml (1)

149-149: Verify minKubeVersion 1.31.0 requirement (same as bundle manifest).

This base configuration mirrors the minKubeVersion bump to 1.31.0 seen in the bundle manifest. Ensure the same verification steps for compatibility with target OpenShift versions (4.18-4.21) are applied.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 179c4a6 and b99d800.

⛔ Files ignored due to path filters (1)

go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

.ci-operator.yaml
Dockerfile
Makefile
bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
config/manager/manager.yaml
config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
go.mod
images/ci/Dockerfile
images/ci/operand.Dockerfile
pkg/controller/deployment/cert_manager_controller_deployment.go
pkg/controller/deployment/deployment_overrides_test.go
pkg/controller/istiocsr/deployments_test.go

🚧 Files skipped from review as they are similar to previous changes (6)

.ci-operator.yaml
Dockerfile
pkg/controller/deployment/deployment_overrides_test.go
images/ci/operand.Dockerfile
pkg/controller/deployment/cert_manager_controller_deployment.go
config/manager/manager.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

images/ci/Dockerfile
bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
go.mod
config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
Makefile
pkg/controller/istiocsr/deployments_test.go

🔇 Additional comments (14)

pkg/controller/istiocsr/deployments_test.go (1)

788-788: LGTM! Test expectation correctly updated for dependency changes.

The error message expectation now includes quotes around the invalid resource type value "test", which aligns with updated error formatting from the dependency bumps (cert-manager v1.19.2, Go 1.25). The test logic remains sound.

images/ci/Dockerfile (1)

1-1: LGTM!

The base builder image version bump to Go 1.25 and OpenShift 4.21 aligns correctly with the PR objectives and the go.mod toolchain update.

go.mod (2)

354-354: LGTM!

The cert-manager replacement directive correctly points to the OpenShift downstream fork at v1.19.2, which aligns with the PR objectives and version bumps throughout the codebase.

6-46: > Likely an incorrect or invalid review comment.

Makefile (3)

6-15: LGTM!

The version variable updates for BUNDLE_VERSION (1.19.0), CERT_MANAGER_VERSION (v1.19.2), and CHANNELS (stable-v1.19) are consistent with the PR objectives for the v1.19.0 release.

25-29: LGTM!

The addition of DEFAULT_CHANNEL (stable-v1) and its integration into BUNDLE_METADATA_OPTS follows best practices for OLM bundle configuration and allows explicit specification of the default channel.

89-89: LGTM!

The CONTAINER_IMAGE_NAME update to golang-1.25-openshift-4.21 is consistent with the Dockerfile changes and broader version bump strategy.

bundle/manifests/cert-manager-operator.clusterserviceversion.yaml (5)

253-253: LGTM!

The OLM metadata updates (skipRange, name, replaces, version) are correctly configured for the v1.19.0 release and maintain proper version succession from v1.18.0.

Also applies to: 274-274, 827-828

348-348: The description URL has been correctly updated.

The GitHub URL now properly references cert-manager v1.19.2, resolving the previously flagged inconsistency.

701-715: LGTM!

The image references and version environment variables are correctly updated to cert-manager v1.19.2 and operator v1.19.0, maintaining consistency across the deployment specification.

817-826: LGTM!

The relatedImages entries correctly reference cert-manager v1.19.2 images, maintaining consistency with the version bump. The istio-csr version remains at v0.14.2 as expected.

813-813: minKubeVersion 1.31.0 requirement is correct and verified.

The minimum Kubernetes version requirement aligns with cert-manager v1.19.2, which requires Kubernetes 1.31 minimum support. This is compatible with the target OpenShift versions where 4.18 (the earliest supported version) uses Kubernetes 1.31, and later versions (4.19-4.21) use 1.32-1.34. No action required.

config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml (2)

21-21: LGTM!

The version metadata (skipRange, name, replaces, version) is correctly configured for v1.19.0 and matches the bundle manifest, maintaining consistency across base and generated configurations.

Also applies to: 41-41, 152-153

115-115: The description URL has been correctly updated.

The GitHub URL now properly references cert-manager v1.19.2, addressing the previously flagged URL inconsistency.

lunarwhite · 2026-01-05T11:21:11Z

/label qe-approved

openshift-ci-robot · 2026-01-05T11:21:17Z

@PillaiManish: This pull request references CM-825 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Rebase downstream cert-manager-operator for v1.19.0 with upstream cert-manager v1.19.2.

Prerequisite: Downstream v1.19.2 tag is pushed and synced https://github.com/openshift/jetstack-cert-manager/tags

Remove
replace sigs.k8s.io/controller-tools => github.com/openshift/kubernetes-sigs-controller-tools v0.12.1-0.20250220141355-6d2c85031fbc
Since github.com/openshift/kubernetes-sigs-controller-tools is not being maintained in the downstream.

All the following below steps were done with the help of automation script: #309

Bump deps with upstream cert-manager@v1.19.2
go get github.com/cert-manager/cert-manager@v1.19.2
go mod edit -replace github.com/cert-manager/cert-manager=github.com/openshift/jetstack-cert-manager@v1.19.2
go mod tidy && go mod vendor
Update Makefile: BUNDLE_VERSION, CERT_MANAGER_VERSION, CHANNELS
- replace CERT_MANAGER_VERSION  ->  "v1.19.2"
- * make update
* make bundle
More manual replacements
- replace "1.18.3" -> "1.19.2" (operand)
Update docker files images to golang-1.25 (and openshift-4.21)

Fixes for latest version updates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

lunarwhite · 2026-01-05T12:31:47Z

@PillaiManish Thanks for your work. For commit updates libraries to latest version, what I was thinking is that we should bump each pkg with a specific version tag rather than the vague (omitted) latest. In this case, it would be

- go get github.com/openshift/api@release-4.21
- go get github.com/openshift/client-go@release-4.21
- go get github.com/openshift/library-go@release-4.21
- go get k8s.io/kubernetes@v1.34.1 # to align with k8s.io/*'s v0.34.1

lunarwhite · 2026-01-05T12:48:07Z

Nit: ac7ac60 should also mention 4.22 as per the lifecycle page: https://docs.google.com/document/d/1K42PhOp_8_izjggMo62J1-5ALkRvYwJ9ned_evl8ins/edit?tab=t.0#bookmark=kix.dk6mmf7269fh

- go get github.com/openshift/api@release-4.21 - go get github.com/openshift/client-go@release-4.21 - go get github.com/openshift/library-go@release-4.21 - go get k8s.io/kubernetes@v1.34.1 # to align with k8s.io/*'s v0.34.1 - go mod tidy && go mod vendor

coderabbitai

Actionable comments posted: 1

🤖 Fix all issues with AI Agents

In @go.mod:
- Line 3: Update the Go version declaration in go.mod from "go 1.25.0" to "go
1.25.5"; after changing the "go" directive, run your usual module/CI
verification (e.g., go mod tidy and your build/test pipeline) to ensure the
project still builds with Go 1.25.5.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between ac7ac60 and 23cbf74.

⛔ Files ignored due to path filters (1)

go.sum is excluded by !**/*.sum

📒 Files selected for processing (5)

bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
go.mod
pkg/controller/deployment/cert_manager_controller_deployment.go
pkg/controller/istiocsr/deployments_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

pkg/controller/istiocsr/deployments_test.go
pkg/controller/deployment/cert_manager_controller_deployment.go
config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

go.mod
bundle/manifests/cert-manager-operator.clusterserviceversion.yaml

🔇 Additional comments (2)

go.mod (1)

10-46: Dependency updates look consistent.

The cert-manager v1.19.2 upgrade and associated dependency bumps (Kubernetes v0.34.1, controller-runtime v0.22.3, OpenShift components) align with the PR objectives. Version consistency is maintained throughout the dependency graph.

bundle/manifests/cert-manager-operator.clusterserviceversion.yaml (1)

253-253: Version updates are consistent and well-coordinated.

The CSV updates correctly reflect the cert-manager v1.19.2 and operator v1.19.0 bump:

olm.skipRange properly constrains upgrade path

All related images consistently reference v1.19.2

Version metadata fields (name, replaces, version) follow semantic versioning

minKubeVersion bump to 1.31.0 aligns with the stated support for OpenShift 4.18-4.21

Also applies to: 274-274, 348-348, 701-715, 813-813, 817-828

coderabbitai · 2026-01-06T05:48:31Z

go.mod

 module github.com/openshift/cert-manager-operator

-go 1.24.4
+go 1.25.0


⚠️ Potential issue | 🟡 Minor

Upgrade Go to 1.25.5 for security fixes.

As previously noted, Go 1.25.5 includes security fixes to crypto/x509 and bug fixes in mime and os packages. Since patch updates within the 1.25.x line contain no breaking changes, updating from 1.25.0 to 1.25.5 is a drop-in replacement.

🤖 Prompt for AI Agents

In @go.mod around line 3, Update the Go version declaration in go.mod from "go 1.25.0" to "go 1.25.5"; after changing the "go" directive, run your usual module/CI verification (e.g., go mod tidy and your build/test pipeline) to ensure the project still builds with Go 1.25.5.

- v1.19 will be supported from 4.18-4.22

lunarwhite · 2026-01-06T07:05:22Z

/test e2e-operator-aws-proxy e2e-operator-aws-sts e2e-operator-gcp-ovn e2e-operator-gcp-workload-identity

PillaiManish · 2026-01-06T07:15:12Z

/retest

PillaiManish · 2026-01-06T10:05:53Z

/retest

lunarwhite · 2026-01-06T14:27:53Z

/verified by CIs

Regular e2e-operator + newly added jobs are passing

openshift-ci-robot · 2026-01-06T14:28:05Z

@lunarwhite: This PR has been marked as verified by CIs.

Details

In response to this:

/verified by CIs

Regular e2e-operator + newly added jobs are passing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

lunarwhite · 2026-01-06T14:39:35Z

/cc @bharath-b-rh for final review

openshift-ci · 2026-01-06T14:39:48Z

@lunarwhite: GitHub didn't allow me to request PR reviews from the following users: for, final, review.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @bharath-b-rh for final review

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci · 2026-01-06T14:42:44Z

@PillaiManish: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

bharath-b-rh · 2026-01-06T14:53:10Z

/lgtm
/approve

adding other required labels, the relevant doc update will be part of RN.
/label doc-approved
/label px-approved

openshift-ci · 2026-01-06T14:53:34Z

@bharath-b-rh: The label(s) /label doc-approved cannot be applied. These labels are supported: acknowledge-critical-fixes-only, platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, ux-approved, no-qe, downstream-change-needed, rebase/manual, cluster-config-api-changed, run-integration-tests, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, ok-to-test, stability-fix-approved, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

Details

In response to this:

/lgtm
/approve

adding other required labels, the relevant doc update will be part of RN.
/label doc-approved
/label px-approved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

bharath-b-rh · 2026-01-06T14:53:50Z

/label docs-approved

openshift-ci · 2026-01-06T14:57:21Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bharath-b-rh, PillaiManish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [bharath-b-rh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Dec 8, 2025

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 8, 2025

openshift-ci bot requested review from mytreya-rh and swghosh December 8, 2025 09:52

PillaiManish force-pushed the CM-825 branch from 2cb30cd to e3cf353 Compare December 9, 2025 03:59

PillaiManish changed the title ~~WIP: CM-825: release chore: Upstream bump for v1.19.1 and rebase for v1.19.0 release~~ CM-825: release chore: Upstream bump for v1.19.1 and rebase for v1.19.0 release Dec 9, 2025

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 9, 2025

lunarwhite reviewed Dec 12, 2025

View reviewed changes

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 12, 2025

PillaiManish force-pushed the CM-825 branch from e3cf353 to 7036f01 Compare December 16, 2025 05:07

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 16, 2025

PillaiManish changed the title ~~CM-825: release chore: Upstream bump for v1.19.1 and rebase for v1.19.0 release~~ CM-825: release chore: Upstream bump for v1.19.2 and rebase for v1.19.0 release Dec 16, 2025

coderabbitai bot reviewed Dec 16, 2025

View reviewed changes

PillaiManish force-pushed the CM-825 branch from 7036f01 to 13f4052 Compare December 16, 2025 06:40

coderabbitai bot reviewed Dec 16, 2025

View reviewed changes

config/crd/bases/operator.openshift.io_certmanagers.yaml Show resolved Hide resolved

bharath-b-rh approved these changes Dec 17, 2025

View reviewed changes

openshift-ci bot assigned bharath-b-rh Dec 17, 2025

openshift-ci bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed lgtm Indicates that a PR is ready to be merged. labels Dec 17, 2025

coderabbitai bot reviewed Dec 19, 2025

View reviewed changes

bundle/manifests/cert-manager-operator.clusterserviceversion.yaml Outdated Show resolved Hide resolved

config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml Outdated Show resolved Hide resolved

lunarwhite reviewed Dec 23, 2025

View reviewed changes

PillaiManish force-pushed the CM-825 branch from 179c4a6 to b99d800 Compare January 5, 2026 10:24

coderabbitai bot reviewed Jan 5, 2026

View reviewed changes

PillaiManish force-pushed the CM-825 branch from b99d800 to c1755f5 Compare January 5, 2026 10:34

openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Jan 5, 2026

PillaiManish added 2 commits January 6, 2026 11:11

fixes for latest version

b16c8f4

PillaiManish force-pushed the CM-825 branch from ac7ac60 to 23cbf74 Compare January 6, 2026 05:41

coderabbitai bot reviewed Jan 6, 2026

View reviewed changes

updates minKubeVersion to 1.31.0

bfc925b

- v1.19 will be supported from 4.18-4.22

PillaiManish force-pushed the CM-825 branch from 23cbf74 to bfc925b Compare January 6, 2026 06:01

openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jan 6, 2026

openshift-ci bot requested a review from bharath-b-rh January 6, 2026 14:39

openshift-ci bot added the px-approved Signifies that Product Support has signed off on this PR label Jan 6, 2026

openshift-ci bot added docs-approved Signifies that Docs has signed off on this PR lgtm Indicates that a PR is ready to be merged. labels Jan 6, 2026

bharath-b-rh mentioned this pull request Jan 6, 2026

CM-826: Rebase istio-csr with upstream v0.15.0 #363

Merged

openshift-merge-bot bot merged commit e553b29 into openshift:master Jan 6, 2026
15 checks passed

	The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.18.3), which automates certificate management.
	The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.19.2](https://github.com/cert-manager/cert-manager/tree/v1.19.2), which automates certificate management.

CM-825: release chore: Upstream bump for v1.19.2 and rebase for v1.19.0 release #358

CM-825: release chore: Upstream bump for v1.19.2 and rebase for v1.19.0 release #358

Uh oh!

Conversation

PillaiManish commented Dec 8, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Dec 8, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai bot commented Dec 8, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Uh oh!

openshift-ci-robot commented Dec 9, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

lunarwhite left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

PillaiManish commented Dec 16, 2025

Uh oh!

openshift-ci-robot commented Dec 16, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot Dec 16, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot Dec 16, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

bharath-b-rh left a comment

Choose a reason for hiding this comment

Uh oh!

bharath-b-rh Dec 17, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

bharath-b-rh Jan 6, 2026

Choose a reason for hiding this comment

Uh oh!

lunarwhite Jan 6, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

lunarwhite left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

lunarwhite Dec 23, 2025

Choose a reason for hiding this comment

Uh oh!

PillaiManish Jan 5, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

lunarwhite commented Jan 5, 2026

PillaiManish commented Dec 8, 2025 •

edited

Loading

openshift-ci-robot commented Dec 8, 2025 •

edited by openshift-ci bot

Loading

coderabbitai bot commented Dec 8, 2025 •

edited

Loading

openshift-ci-robot commented Dec 9, 2025 •

edited by openshift-ci bot

Loading

lunarwhite left a comment •

edited

Loading

openshift-ci-robot commented Dec 16, 2025 •

edited by openshift-ci bot

Loading

bharath-b-rh Dec 17, 2025 •

edited

Loading

lunarwhite left a comment •

edited

Loading

openshift-ci-robot commented Jan 5, 2026 •

edited by openshift-ci bot

Loading