Expand Up @@ -8,7 +8,7 @@ metadata:
app: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/version: v1.16.4
app.kubernetes.io/version: v1.18.4
name: certificaterequests.cert-manager.io
spec:
group: cert-manager.io
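Review bot: the `app.kubernetes.io/version` label jumps two minor versions (v1.16.4 to v1.18.4) in this and the other three CRD files, but the remaining hunks are not label-only: they add fields (`password`, `signatureAlgorithm`, `profile`, `serverName`, `tenantID`), relax `required` lists and change two defaults (`rotationPolicy`, `revisionHistoryLimit`). The PR description or changelog entry should call out those behavioural changes so operators do not treat this as a routine label bump.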
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ metadata:
app: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/version: v1.16.4
app.kubernetes.io/version: v1.18.4
name: certificates.cert-manager.io
spec:
group: cert-manager.io
Expand Down Expand Up @@ -78,10 +78,6 @@ spec:
description: |-
Defines extra output formats of the private key and signed certificate chain
to be written to this Certificate's target Secret.

This is a Beta Feature enabled by default. It can be disabled with the
`--feature-gates=AdditionalCertificateOutputFormats=false` option set on both
the controller and webhook components.
items:
description: |-
CertificateAdditionalOutputFormat defines an additional output format of a
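Review bot: deleting the paragraph about `--feature-gates=AdditionalCertificateOutputFormats=false` removes the only documented way to turn the feature off. If the gate still exists in v1.18.4 the sentence should stay (updated if the default changed); if the feature is now GA and the gate is gone, a one-line note that it is always enabled would stop users from setting a flag the controller no longer recognises.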
Expand Down Expand Up @@ -191,17 +187,25 @@ spec:
Create enables JKS keystore creation for the Certificate.
If true, a file named `keystore.jks` will be created in the target
Secret resource, encrypted using the password stored in
`passwordSecretRef`.
`passwordSecretRef` or `password`.
The keystore file will be updated immediately.
If the issuer provided a CA certificate, a file named `truststore.jks`
will also be created in the target Secret resource, encrypted using the
password stored in `passwordSecretRef`
containing the issuing Certificate Authority
type: boolean
password:
description: |-
Password provides a literal password used to encrypt the JKS keystore.
Mutually exclusive with passwordSecretRef.
One of password or passwordSecretRef must provide a password with a non-zero length.
type: string
passwordSecretRef:
description: |-
PasswordSecretRef is a reference to a key in a Secret resource
PasswordSecretRef is a reference to a non-empty key in a Secret resource
containing the password used to encrypt the JKS keystore.
Mutually exclusive with password.
One of password or passwordSecretRef must provide a password with a non-zero length.
properties:
key:
description: |-
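Review bot: the `truststore.jks` sentence ("encrypted using the password stored in `passwordSecretRef`") was not updated alongside the `keystore.jks` sentence above it and should also read "`passwordSecretRef` or `password`", otherwise the description implies the truststore ignores the literal password. Worth stating in the `password` description as well that the value sits in clear text in the Certificate spec, which is readable by anyone with get or list on Certificates (commonly a wider audience than Secret readers), so it offers no confidentiality that `passwordSecretRef` would.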
Expand All @@ -219,7 +223,6 @@ spec:
type: object
required:
- create
- passwordSecretRef
type: object
pkcs12:
description: |-
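Review bot: dropping `passwordSecretRef` from `required` without adding a schema-level rule means a `jks` object with neither `password` nor `passwordSecretRef`, or with both, now passes CRD validation, so the "mutually exclusive" and "non-zero length" statements in the descriptions rest entirely on the webhook or controller. If the project already uses `x-kubernetes-validations`, a CEL rule on the `jks` object such as `has(self.password) != has(self.passwordSecretRef)` would enforce the exclusivity at admission and give users an immediate error instead of a failed issuance.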
Expand All @@ -231,17 +234,25 @@ spec:
Create enables PKCS12 keystore creation for the Certificate.
If true, a file named `keystore.p12` will be created in the target
Secret resource, encrypted using the password stored in
`passwordSecretRef`.
`passwordSecretRef` or in `password`.
The keystore file will be updated immediately.
If the issuer provided a CA certificate, a file named `truststore.p12` will
also be created in the target Secret resource, encrypted using the
password stored in `passwordSecretRef` containing the issuing Certificate
Authority
type: boolean
password:
description: |-
Password provides a literal password used to encrypt the PKCS#12 keystore.
Mutually exclusive with passwordSecretRef.
One of password or passwordSecretRef must provide a password with a non-zero length.
type: string
passwordSecretRef:
description: |-
PasswordSecretRef is a reference to a key in a Secret resource
containing the password used to encrypt the PKCS12 keystore.
PasswordSecretRef is a reference to a non-empty key in a Secret resource
containing the password used to encrypt the PKCS#12 keystore.
Mutually exclusive with password.
One of password or passwordSecretRef must provide a password with a non-zero length.
properties:
key:
description: |-
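Review bot: as with the JKS block, the `truststore.p12` sentence still says "password stored in `passwordSecretRef`" while the `keystore.p12` sentence now says "`passwordSecretRef` or in `password`"; the two should be made consistent. The `password` description here should also carry the same clear-text caveat as the JKS one, since the value is stored unprotected in the Certificate object.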
Expand All @@ -266,7 +277,7 @@ spec:
`LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
`LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
`Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
(eg. because of company policy). Please note that the security of the algorithm is not that important
(e.g., because of company policy). Please note that the security of the algorithm is not that important
in reality, because the unencrypted certificate and private key are also stored in the Secret.
enum:
- LegacyRC2
Expand All @@ -275,7 +286,6 @@ spec:
type: string
required:
- create
- passwordSecretRef
type: object
type: object
literalSubject:
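Review bot: with `passwordSecretRef` removed from `required` for `pkcs12`, the schema no longer guarantees that any password is supplied; a `pkcs12: {create: true}` object is schema-valid and the "one of password or passwordSecretRef must provide a password" rule in the descriptions has to be enforced by the webhook or controller. Please confirm that path rejects the empty case with a clear message, or add a CEL rule (`has(self.password) != has(self.passwordSecretRef)`) so admission catches it.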
Expand Down Expand Up @@ -423,7 +433,11 @@ spec:
to await user intervention.
If set to `Always`, a private key matching the specified requirements
will be generated whenever a re-issuance occurs.
Default is `Never` for backward compatibility.
Default is `Always`.
The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
The new default can be disabled by setting the
`--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
the controller component.
enum:
- Never
- Always
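Review bot: the default flip from `Never` to `Always` is the right security direction, but it changes behaviour for every existing Certificate that leaves `rotationPolicy` unset: per the description those will now get a fresh private key on each re-issuance. Anything that pins or pre-registers the public key outside the cluster (external trust stores, mTLS allow-lists, SSH-style key fingerprints) will break on the next renewal. The description documents the opt-out gate, which is good; the changelog should additionally tell operators to audit unset `rotationPolicy` fields before upgrading rather than after the first rotation.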
Expand Down Expand Up @@ -484,8 +498,7 @@ spec:
revisions exceeds this number.

If set, revisionHistoryLimit must be a value of `1` or greater.
If unset (`nil`), revisions will not be garbage collected.
Default value is `nil`.
Default value is `1`.
format: int32
type: integer
secretName:
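Review bot: changing the default from `nil` (no garbage collection) to `1` means existing Certificates with `revisionHistoryLimit` unset will have all but the most recent CertificateRequest deleted after the upgrade. CertificateRequest objects carry the CSR and issuance status that incident responders and auditors use to reconstruct what was issued when, so this is a silent loss of history for clusters that relied on the old behaviour. The description should say the default changed and in which version, as the `rotationPolicy` description does, and the leading "If set, ... must be a value of `1` or greater" sentence should be reworded since the field is now effectively always set.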
Expand Down Expand Up @@ -514,6 +527,21 @@ spec:
description: Labels is a key value map to be copied to the target Kubernetes Secret.
type: object
type: object
signatureAlgorithm:
description: |-
Signature algorithm to use.
Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA.
Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512.
Allowed values for Ed25519 keys: PureEd25519.
enum:
- SHA256WithRSA
- SHA384WithRSA
- SHA512WithRSA
- ECDSAWithSHA256
- ECDSAWithSHA384
- ECDSAWithSHA512
- PureEd25519
type: string
subject:
description: |-
Requested set of X509 certificate subject attributes.
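Review bot: the `enum` accepts any of the seven algorithms regardless of `privateKey.algorithm`, so the per-key-type restriction spelled out in the description (e.g. `SHA256WithRSA` only for RSA keys) cannot be enforced by the schema and must be validated by the webhook or controller; please confirm a mismatched pairing is rejected at admission rather than at signing time. The description should also state what is used when the field is unset, so users know whether leaving it empty means a per-issuer default or a fixed algorithm.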
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ metadata:
app: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/version: v1.16.4
app.kubernetes.io/version: v1.18.4
name: challenges.acme.cert-manager.io
spec:
group: acme.cert-manager.io
Expand Down Expand Up @@ -68,9 +68,9 @@ spec:
type: string
dnsName:
description: |-
dnsName is the identifier that this challenge is for, e.g. example.com.
dnsName is the identifier that this challenge is for, e.g., example.com.
If the requested DNSName is a 'wildcard', this field MUST be set to the
non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`.
type: string
issuerRef:
description: |-
Expand Down Expand Up @@ -257,13 +257,16 @@ spec:
If set, ClientID, ClientSecret and TenantID must not be set.
properties:
clientID:
description: client ID of the managed identity, can not be used at the same time as resourceID
description: client ID of the managed identity, cannot be used at the same time as resourceID
type: string
resourceID:
description: |-
resource ID of the managed identity, can not be used at the same time as clientID
resource ID of the managed identity, cannot be used at the same time as clientID
Cannot be used for Azure Managed Service Identity
type: string
tenantID:
description: tenant ID of the managed identity, cannot be used at the same time as resourceID
type: string
type: object
resourceGroupName:
description: resource group the DNS zone is located in
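Review bot: the parent `managedIdentity` description still reads "If set, ClientID, ClientSecret and TenantID must not be set", which now reads as forbidding the `tenantID` field being added inside `managedIdentity` itself. Reword it to refer to the top-level `tenantID` (the one paired with `clientSecretSecretRef`), and note that the new field's own "cannot be used at the same time as resourceID" constraint is, like the existing clientID/resourceID exclusivity, not expressed in the schema.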
Expand Down Expand Up @@ -572,7 +575,7 @@ spec:
when challenges are processed.
This can contain arbitrary JSON data.
Secret values should not be specified in this stanza.
If secret values are needed (e.g. credentials for a DNS service), you
If secret values are needed (e.g., credentials for a DNS service), you
should use a SecretKeySelector to reference a Secret resource.
For details on the schema of this field, consult the webhook provider
implementation's documentation.
Expand All @@ -588,7 +591,7 @@ spec:
description: |-
The name of the solver to use, as defined in the webhook provider
implementation.
This will typically be the name of the provider, e.g. 'cloudflare'.
This will typically be the name of the provider, e.g., 'cloudflare'.
type: string
required:
- groupName
Expand All @@ -600,7 +603,7 @@ spec:
Configures cert-manager to attempt to complete authorizations by
performing the HTTP01 challenge flow.
It is not possible to obtain certificates for wildcard domain names
(e.g. `*.example.com`) using the HTTP01 challenge mechanism.
(e.g., `*.example.com`) using the HTTP01 challenge mechanism.
properties:
gatewayHTTPRoute:
description: |-
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ metadata:
app: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/version: v1.16.4
app.kubernetes.io/version: v1.18.4
name: clusterissuers.cert-manager.io
spec:
group: cert-manager.io
Expand All @@ -18,6 +18,8 @@ spec:
kind: ClusterIssuer
listKind: ClusterIssuerList
plural: clusterissuers
shortNames:
- ciss
singular: clusterissuer
scope: Cluster
versions:
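Review bot: `shortNames` are resolved cluster-wide by kubectl discovery, so `ciss` should be checked against short names used by other CRDs commonly co-installed with cert-manager to avoid an ambiguous alias. No RBAC impact: Roles reference the plural `clusterissuers`, not the short name.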
Expand Down Expand Up @@ -156,7 +158,7 @@ spec:
PreferredChain is the chain to use if the ACME server outputs multiple.
PreferredChain is no guarantee that this one gets delivered by the ACME
endpoint.
For example, for Let's Encrypt's DST crosssign you would use:
For example, for Let's Encrypt's DST cross-sign you would use:
"DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
This value picks the first certificate bundle in the combined set of
ACME default and alternative chains that has a root-most certificate with
Expand Down Expand Up @@ -185,6 +187,11 @@ spec:
required:
- name
type: object
profile:
description: |-
Profile allows requesting a certificate profile from the ACME server.
Supported profiles are listed by the server's ACME directory URL.
type: string
server:
description: |-
Server is the URL used to access the ACME server's 'directory' endpoint.
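Review bot: `profile` is a free-form string forwarded to the ACME server with no enum or pattern, which is reasonable given profiles are server-defined, but the description should say what happens when the server does not advertise the requested profile in its directory (order rejected, or silently ignored), since that determines whether a typo fails closed.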
Expand Down Expand Up @@ -367,13 +374,16 @@ spec:
If set, ClientID, ClientSecret and TenantID must not be set.
properties:
clientID:
description: client ID of the managed identity, can not be used at the same time as resourceID
description: client ID of the managed identity, cannot be used at the same time as resourceID
type: string
resourceID:
description: |-
resource ID of the managed identity, can not be used at the same time as clientID
resource ID of the managed identity, cannot be used at the same time as clientID
Cannot be used for Azure Managed Service Identity
type: string
tenantID:
description: tenant ID of the managed identity, cannot be used at the same time as resourceID
type: string
type: object
resourceGroupName:
description: resource group the DNS zone is located in
Expand Down Expand Up @@ -682,7 +692,7 @@ spec:
when challenges are processed.
This can contain arbitrary JSON data.
Secret values should not be specified in this stanza.
If secret values are needed (e.g. credentials for a DNS service), you
If secret values are needed (e.g., credentials for a DNS service), you
should use a SecretKeySelector to reference a Secret resource.
For details on the schema of this field, consult the webhook provider
implementation's documentation.
Expand All @@ -698,7 +708,7 @@ spec:
description: |-
The name of the solver to use, as defined in the webhook provider
implementation.
This will typically be the name of the provider, e.g. 'cloudflare'.
This will typically be the name of the provider, e.g., 'cloudflare'.
type: string
required:
- groupName
Expand All @@ -710,7 +720,7 @@ spec:
Configures cert-manager to attempt to complete authorizations by
performing the HTTP01 challenge flow.
It is not possible to obtain certificates for wildcard domain names
(e.g. `*.example.com`) using the HTTP01 challenge mechanism.
(e.g., `*.example.com`) using the HTTP01 challenge mechanism.
properties:
gatewayHTTPRoute:
description: |-
Expand Down Expand Up @@ -3524,6 +3534,11 @@ spec:
server:
description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
type: string
serverName:
description: |-
ServerName is used to verify the hostname on the returned certificates
by the Vault server.
type: string
required:
- auth
- path
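Review bot: the `serverName` description should state what is verified when the field is unset (presumably the host portion of `server`) and whether the value is also sent as the TLS SNI extension, since those are the two things an operator fronting Vault with a load balancer or an IP-based `server` URL needs to know. It is also worth a sentence that `serverName` changes which name is checked, not whether the chain is checked, so it cannot be used to weaken verification.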
Expand Down Expand Up @@ -3559,7 +3574,7 @@ spec:
url:
description: |-
URL is the base URL for Venafi Cloud.
Defaults to "https://api.venafi.cloud/v1".
Defaults to "https://api.venafi.cloud/".
type: string
required:
- apiTokenSecretRef
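Review bot: the default `url` changes from `https://api.venafi.cloud/v1` to `https://api.venafi.cloud/`, which affects every ClusterIssuer that leaves `url` unset. Unlike the `rotationPolicy` hunk, the description gives no hint that the default changed or in which version; add that note, and confirm users who had explicitly set the old `/v1` value still work after the upgrade.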