Robot Upgrade: cert-manager chart upgrade from v1.16.4 to v1.19.3#3895

Open
weizhoublue wants to merge 1 commit into main from upgrade/cert-manager/v1.19.3

Conversation

@weizhoublue
Member

I am a robot. Upgrade: project cert-manager chart upgrade from v1.16.4 to v1.19.3

@gemini-code-assist

Summary of Changes

Hello @weizhoublue, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request automates the upgrade of the cert-manager Helm chart to version v1.19.3. The update encompasses critical version bumps across chart metadata and dependencies, introduces new Custom Resource Definitions to align with the latest cert-manager API, and modernizes the chart's documentation and configuration options. It also includes template improvements for deployment flexibility and updates to network policies and feature gates, ensuring the chart leverages the most recent features and best practices of cert-manager.

Highlights

  • Cert-Manager Version Upgrade: The cert-manager Helm chart has been upgraded from version v1.16.4 to v1.19.3, affecting both the main chart and its sub-chart dependencies.
  • New Custom Resource Definitions (CRDs): Three new CRD files have been added for Order, CertificateRequest, and Certificate resources, reflecting updated API schemas and capabilities in the new cert-manager version.
  • Updated Installation and Configuration Documentation: The README.md file has been significantly revised to reflect the new version's installation process, including integrated CRD installation via Helm, and updated uninstallation steps. New global configuration options like nodeSelector and hostUsers have also been documented.
  • Helm Template Enhancements: Various Helm templates (cainjector-deployment.yaml, deployment.yaml, webhook-deployment.yaml, startupapicheck-job.yaml) have been updated to support new global configuration parameters like hostUsers and improved nodeSelector merging logic. Service account annotation handling now supports templating, and Prometheus ServiceMonitor configurations have been refined.
  • Feature Gate and Network Policy Updates: The values.yaml and values.schema.json files reflect updated feature gates for cert-manager v1.18.1 and later, including enableGatewayAPI, NameConstraints, and DefaultPrivateKeyRotationPolicyAlways. Network policies for the webhook now include IPv6 ::/0 for ingress and egress rules.


Changelog
  • charts/cert-manager/cert-manager/Chart.yaml
    • Updated appVersion and version to v1.19.3.
    • Updated dependencies.cert-manager.version to v1.19.3.
  • charts/cert-manager/cert-manager/charts/cert-manager/Chart.yaml
    • Updated appVersion and version to v1.19.3.
  • charts/cert-manager/cert-manager/charts/cert-manager/README.md
    • Revised cert-manager functionality description.
    • Updated installation instructions to include --set crds.enabled=true and remove manual CRD application.
    • Updated uninstallation instructions to explicitly list CRDs for deletion.
    • Added documentation for global.nodeSelector and global.hostUsers parameters.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/NOTES.txt
    • Added a warning about the new default private key rotation policy (Always) in cert-manager >= v1.18.0.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/_helpers.tpl
    • Added new helper template cert-manager.crd-labels for consistent CRD resource labeling.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml
    • Added conditional imagePullSecrets for cainjector if serviceAccount.create is false.
    • Introduced hostUsers configuration for the cainjector pod.
    • Improved nodeSelector merging logic.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/cainjector-service.yaml
    • Wrapped the service definition with an if .Values.cainjector.enabled condition.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/crd-acme.cert-manager.io_orders.yaml
    • Added new file defining the orders.acme.cert-manager.io CustomResourceDefinition.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/crd-cert-manager.io_certificaterequests.yaml
    • Added new file defining the certificaterequests.cert-manager.io CustomResourceDefinition.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/crd-cert-manager.io_certificates.yaml
    • Added new file defining the certificates.cert-manager.io CustomResourceDefinition.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/deployment.yaml
    • Added conditional imagePullSecrets for the controller if serviceAccount.create is false.
    • Introduced hostUsers configuration for the controller pod.
    • Improved nodeSelector merging logic.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/rbac.yaml
    • Updated Role and RoleBinding names for token requests to use cert-manager.fullname.
    • Standardized apiGroups for gateway.networking.k8s.io resources.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/serviceaccount.yaml
    • Modified annotation handling to allow templating for keys and values.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/servicemonitor.yaml
    • Added conditional rendering for prometheus label, interval, and scrapeTimeout.
    • Changed targetPort default from 9402 (number) to http-metrics (string).
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/startupapicheck-job.yaml
    • Introduced hostUsers configuration for the startupapicheck job.
    • Improved nodeSelector merging logic.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml
    • Added conditional imagePullSecrets for the webhook if serviceAccount.create is false.
    • Introduced hostUsers configuration for the webhook pod.
    • Changed liveness and readiness probe ports to healthcheck.
    • Improved nodeSelector merging logic.
  • charts/cert-manager/cert-manager/charts/cert-manager/values.schema.json
    • Updated descriptions for various parameters for clarity and consistency.
    • Added schema definitions for global.hostUsers and global.nodeSelector.
    • Updated config description to reflect new feature gates.
    • Changed prometheus.servicemonitor.targetPort type to allow string or integer.
    • Added IPv6 ::/0 to network policy ingress/egress descriptions.
  • charts/cert-manager/cert-manager/charts/cert-manager/values.yaml
    • Added global.nodeSelector and global.hostUsers configuration options.
    • Updated descriptions for podDisruptionBudget parameters.
    • Enhanced serviceAccount.annotations documentation with templating example.
    • Updated config section with new feature gates and their default values.
    • Changed prometheus.servicemonitor.targetPort default value to http-metrics.
    • Added IPv6 ::/0 to webhook network policy ingress and egress rules.
  • charts/cert-manager/cert-manager/values.yaml
    • Added cert-manager.global.nodeSelector and cert-manager.global.hostUsers configuration options.
    • Updated cert-manager.image.tag, cert-manager.webhook.image.tag, cert-manager.cainjector.image.tag, and cert-manager.startupapicheck.image.tag to v1.19.3.
    • Updated descriptions for various parameters.
    • Enhanced cert-manager.serviceAccount.annotations documentation with templating example.
    • Updated cert-manager.config section with new feature gates and their default values.
    • Changed cert-manager.prometheus.servicemonitor.targetPort default value to http-metrics.
    • Added IPv6 ::/0 to webhook network policy ingress and egress rules.
  • charts/cert-manager/config
    • Updated VERSION environment variable to v1.19.3.
Activity
  • The pull request was initiated by a robot (weizhoublue) to perform an automated upgrade of the cert-manager chart.

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request upgrades the cert-manager Helm chart from version v1.16.4 to v1.19.3. While the upgrade correctly updates version numbers, refreshes documentation, and adopts modern Helm practices like bundling CRDs, a medium-severity vulnerability was identified in the ServiceAccount template. Specifically, a custom loop using the tpl function for annotations can lead to YAML injection or manifest corruption due to improper quoting of evaluated values. Additionally, there are minor opportunities for improvement related to code style, such as removing trailing whitespace and improving markdown formatting, which are detailed in the specific comments.

Comment on lines +14 to +17
{{- range $k, $v := . }}
{{- $value := $v | quote }}
{{- printf "%s: %s" (tpl $k $) (tpl $value $) | nindent 4 }}
{{- end }}
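Review bot: lines +15 and +16 quote `$v` and only then run `tpl` on it, so whatever the template expands to is spliced into the double-quoted scalar unescaped; a `"` or a newline coming from a referenced value ends the scalar and the remainder is parsed as additional manifest fields. Evaluate first and quote the result, and because `tpl` accepts only a string, coerce non-string annotation values (an integer or boolean in values.yaml, which the current `quote` handles silently) before passing them in: `{{ tpl $k $ }}: {{ tpl (toString $v) $ | quote }}`.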


security-medium

The implementation of ServiceAccount annotations rendering is prone to YAML injection and manifest corruption. By quoting the value before passing it to tpl and then outputting the result without further quoting, the template may produce invalid YAML if the evaluated value contains special characters like colons, newlines, or unescaped quotes.

For example, if a value evaluates to foo: bar, the resulting YAML will be key: foo: bar, which is invalid. If it contains a newline, it could inject new fields into the manifest.

Recommended fix: Evaluate the template expressions first, then quote the result.

    {{- range $k, $v := . }}
      {{- tpl $k $ }}: {{ tpl $v $ | quote }}
    {{- end }}
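An added example, not code from this PR or from the cert-manager chart: a small Go program that mimics Helm's `tpl` (Go text/template) and Sprig's `quote` (`%q`) to compare the pattern under review with the recommended fix. The `.Values.hostile` entry and the `example.com/injected` key are constructed, and `validQuotedLine` uses Go's quoted-literal rules as a stand-in for YAML's double-quoted scalar, so it is a check for this demonstration rather than a YAML parser.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Constructed stand-in for the .Values tree Helm hands to tpl. The hostile
// value closes the quoted scalar and starts a second annotation key.
var vals = map[string]any{"Values": map[string]any{
	"hostile": "x\" \n  example.com/injected: \"yes",
}}

// quote mimics Sprig's quote (fmt %q); tpl mimics Helm's tpl (text/template).
func quote(s string) string { return strconv.Quote(s) }
func tpl(s string, data map[string]any) (string, error) {
	t, err := template.New("tpl").Parse(s)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, data)
	return sb.String(), err
}

// renderQuoteThenTpl is the pattern under review: quote first, then tpl.
func renderQuoteThenTpl(k, v string) (string, error) {
	val, err := tpl(quote(v), vals)
	return fmt.Sprintf("%s: %s", k, val), err
}

// renderTplThenQuote is the recommended fix: evaluate first, then quote.
func renderTplThenQuote(k, v string) (string, error) {
	val, err := tpl(v, vals)
	return fmt.Sprintf("%s: %s", k, quote(val)), err
}

// validQuotedLine reports whether line is `key: <one double-quoted scalar>`;
// Go's quoted-literal rules (strconv.Unquote) stand in for YAML's here.
func validQuotedLine(line string) bool {
	_, rest, ok := strings.Cut(line, ": ")
	if !ok || !strings.HasPrefix(rest, `"`) {
		return false
	}
	_, err := strconv.Unquote(rest)
	return err == nil
}

func main() {
	bad, _ := renderQuoteThenTpl("k", "{{ .Values.hostile }}")
	good, _ := renderTplThenQuote("k", "{{ .Values.hostile }}")
	fmt.Printf("%v %q\n%v %q\n", validQuotedLine(bad), bad, validQuotedLine(good), good)
}
```

A plain value such as `foo: bar` renders identically under both orders; the difference only appears once the template expansion itself carries a quote or a newline.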

Comment on lines +102 to +106
Global node selector

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).

If a component-specific nodeSelector is also set, it will be merged and take precedence.
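Review bot: line +106 says a component-specific nodeSelector "will be merged and take precedence", which leaves the conflict rule implicit; state that the two maps are merged key by key and that on a duplicate key the component value replaces the one from global.nodeSelector, so operators know which setting wins.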


medium

The formatting for this new documentation section has excessive newlines, which can affect readability. It's better to use single blank lines to separate paragraphs.

Suggested change
Global node selector
The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
If a component-specific nodeSelector is also set, it will be merged and take precedence.

Comment on lines +131 to +139
Set all pods to run in a user namespace without host access. Experimental: may be removed once the Kubernetes User Namespaces feature is GA.

Requirements:
- Kubernetes ≥ 1.33, or
- Kubernetes 1.27–1.32 with UserNamespacesSupport feature gate enabled.

Set to false to run pods in a user namespace without host access.

See [limitations](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/#limitations) for details.
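Review bot: the description is contradictory about polarity: line +131 reads as if setting the property puts pods into a user namespace, while line +137 says `false` does. In Kubernetes `hostUsers: true` (the default) keeps the pod in the host's user namespace and `false` creates a separate one, so reword the opening sentence to say the option controls whether pods share the host user namespace and keep line +137 as the operational instruction.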


medium

The formatting for this new documentation section has excessive newlines, which can affect readability. It's better to use single blank lines to separate paragraphs and lists.

Suggested change
Set all pods to run in a user namespace without host access. Experimental: may be removed once the Kubernetes User Namespaces feature is GA.
Requirements:
- Kubernetes ≥ 1.33, or
- Kubernetes 1.27–1.32 with UserNamespacesSupport feature gate enabled.
Set to false to run pods in a user namespace without host access.
See [limitations](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/#limitations) for details.

priorityClassName: {{ . | quote }}
{{- end }}
{{- if (hasKey .Values.global "hostUsers") }}
hostUsers: {{ .Values.global.hostUsers }}


medium

This line has trailing whitespace that should be removed to maintain code style consistency.

      hostUsers: {{ .Values.global.hostUsers }}

priorityClassName: {{ . | quote }}
{{- end }}
{{- if (hasKey .Values.global "hostUsers") }}
hostUsers: {{ .Values.global.hostUsers }}


medium

This line has trailing whitespace that should be removed to maintain code style consistency.

      hostUsers: {{ .Values.global.hostUsers }}

priorityClassName: {{ . | quote }}
{{- end }}
{{- if (hasKey .Values.global "hostUsers") }}
hostUsers: {{ .Values.global.hostUsers }}


medium

This line has trailing whitespace that should be removed to maintain code style consistency.

      hostUsers: {{ .Values.global.hostUsers }}

priorityClassName: {{ . | quote }}
{{- end }}
{{- if (hasKey .Values.global "hostUsers") }}
hostUsers: {{ .Values.global.hostUsers }}


medium

This line has trailing whitespace that should be removed to maintain code style consistency.

      hostUsers: {{ .Values.global.hostUsers }}

# If a component-specific nodeSelector is also set, it will be merged and take precedence.
# +docs:property
nodeSelector: {}


medium

This line has trailing whitespace that should be removed to maintain code style consistency.

  nodeSelector: {}

@github-actions github-actions bot force-pushed the upgrade/cert-manager/v1.19.3 branch 7 times, most recently from 2d88088 to 48fabd8 Compare February 10, 2026 20:16
@github-actions github-actions bot force-pushed the upgrade/cert-manager/v1.19.3 branch 7 times, most recently from 20daaf2 to 1679b68 Compare February 17, 2026 20:12
@github-actions github-actions bot force-pushed the upgrade/cert-manager/v1.19.3 branch 2 times, most recently from b354bc6 to b5cd2f6 Compare February 19, 2026 20:10
@github-actions github-actions bot force-pushed the upgrade/cert-manager/v1.19.3 branch from b5cd2f6 to 9d9f561 Compare February 20, 2026 20:07