Robot Upgrade: cert-manager chart upgrade from v1.16.4 to v1.19.4 #3944

Open
weizhoublue wants to merge 1 commit into main from upgrade/cert-manager/v1.19.4

Conversation

@weizhoublue
Member

I am robot, upgrade: project cert-manager chart upgrade from v1.16.4 to v1.19.4

@gemini-code-assist

Summary of Changes

Hello @weizhoublue, I'm Gemini Code Assist [1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a significant upgrade of the cert-manager Helm chart to version v1.19.4. The update streamlines CRD management by integrating it directly into the Helm installation, introduces new global configuration parameters for pod scheduling and security, and refines Prometheus monitoring settings. These changes aim to improve the deployment experience, enhance operational flexibility, and ensure compatibility with modern Kubernetes environments, including IPv6 support.

Highlights

  • Cert-Manager Chart Upgrade: The cert-manager Helm chart has been upgraded from version v1.16.4 to v1.19.4, reflecting the latest features and bug fixes from the upstream project.
  • CRD Management Enhancements: Installation and uninstallation instructions for Custom Resource Definitions (CRDs) have been updated. CRDs are now managed directly through the Helm chart installation using --set crds.enabled=true, simplifying the deployment process.
  • New Global Configuration Options: New global configuration options, nodeSelector and hostUsers, have been introduced. nodeSelector allows for global pod scheduling control, while hostUsers provides experimental support for running pods in user namespaces without host access.
  • Updated Prometheus Monitoring Configuration: The Prometheus ServiceMonitor configuration has been refined with conditional rendering for prometheusInstance, interval, and scrapeTimeout, and the targetPort type has been updated to support both string and integer values.
  • IPv6 Support for Network Policies: Network policies for the webhook now include IPv6 CIDR (::/0) in both ingress and egress rules, enhancing compatibility for IPv6-enabled clusters.

Changelog
  • charts/cert-manager/cert-manager/Chart.yaml
    • Updated appVersion and version to v1.19.4.
  • charts/cert-manager/cert-manager/charts/cert-manager/Chart.yaml
    • Updated appVersion and version to v1.19.4.
  • charts/cert-manager/cert-manager/charts/cert-manager/README.md
    • Updated the project description for cert-manager.
    • Revised installation instructions to integrate CRD deployment with Helm via --set crds.enabled=true.
    • Updated uninstallation instructions to reflect the new CRD deletion method.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/NOTES.txt
    • Added a warning about the new default private key rotation policy for Certificate resources.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/_helpers.tpl
    • Added a new helper template cert-manager.crd-labels for consistent CRD labeling.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml
    • Added conditional imagePullSecrets for service accounts that are not created by the chart.
    • Integrated global.hostUsers configuration into the cainjector deployment.
    • Implemented logic to merge global and component-specific nodeSelector configurations.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/cainjector-service.yaml
    • Wrapped the cainjector service definition with an if .Values.cainjector.enabled condition.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/crd-acme.cert-manager.io_orders.yaml
    • Added a new CustomResourceDefinition for orders.acme.cert-manager.io.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/crd-cert-manager.io_certificaterequests.yaml
    • Added a new CustomResourceDefinition for certificaterequests.cert-manager.io.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/crd-cert-manager.io_certificates.yaml
    • Added a new CustomResourceDefinition for certificates.cert-manager.io.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/deployment.yaml
    • Added conditional imagePullSecrets for service accounts that are not created by the chart.
    • Integrated global.hostUsers configuration into the controller deployment.
    • Implemented logic to merge global and component-specific nodeSelector configurations.
    • Ensured a newline character at the end of the file.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/rbac.yaml
    • Updated the Role and RoleBinding names for token requests to use cert-manager.fullname.
    • Standardized the API group for httproutes to gateway.networking.k8s.io.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/serviceaccount.yaml
    • Updated templating for service account annotations to allow dynamic keys and values.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/servicemonitor.yaml
    • Added conditional rendering for prometheusInstance, interval, and scrapeTimeout fields in the ServiceMonitor definition.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/startupapicheck-job.yaml
    • Integrated global.hostUsers configuration into the startup API check job.
    • Implemented logic to merge global and component-specific nodeSelector configurations.
  • charts/cert-manager/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml
    • Added conditional imagePullSecrets for service accounts that are not created by the chart.
    • Integrated global.hostUsers configuration into the webhook deployment.
    • Corrected conditional logic for webhook.url.host parameter.
    • Updated health check probe ports to use the named port healthcheck.
    • Implemented logic to merge global and component-specific nodeSelector configurations.
  • charts/cert-manager/cert-manager/charts/cert-manager/values.schema.json
    • Updated descriptions for podDisruptionBudget.minAvailable and maxUnavailable to use 'e.g.,' for consistency.
    • Added schema definitions for new global parameters global.nodeSelector and global.hostUsers.
    • Updated the description for helm-values.config to include new feature gates like enableGatewayAPI, NameConstraints, OtherNames, UseDomainQualifiedFinalizer, DefaultPrivateKeyRotationPolicyAlways, and ACMEHTTP01IngressPathTypeExact.
    • Updated the description for helm-values.nameOverride for clarity.
    • Changed the type of prometheus.servicemonitor.targetPort to allow both string and integer values, and updated its default value.
  • charts/cert-manager/cert-manager/charts/cert-manager/values.yaml
    • Added comments and property documentation for global.nodeSelector and global.hostUsers.
    • Updated descriptions for podDisruptionBudget parameters.
    • Updated the description for nameOverride.
    • Enhanced the example for serviceAccount.annotations to demonstrate templating.
    • Updated the config.featureGates section with new and updated feature flags and their default values.
    • Updated the description for approveSignerNames.
    • Corrected 'can not' to 'cannot' in Prometheus monitoring descriptions.
    • Changed prometheus.servicemonitor.targetPort default value to http-metrics and updated its type.
    • Added IPv6 CIDR (::/0) to webhook network policy ingress and egress rules.
  • charts/cert-manager/cert-manager/values.yaml
    • Added comments and property documentation for global.nodeSelector and global.hostUsers.
    • Updated descriptions for podDisruptionBudget parameters.
    • Updated the tag for cert-manager, webhook, and cainjector images to v1.19.4.
    • Updated the description for nameOverride.
    • Enhanced the example for serviceAccount.annotations to demonstrate templating.
    • Updated the config.featureGates section with new and updated feature flags and their default values.
    • Updated the description for approveSignerNames.
    • Corrected 'can not' to 'cannot' in Prometheus monitoring descriptions.
    • Changed prometheus.servicemonitor.targetPort default value to http-metrics and updated its type.
    • Added IPv6 CIDR (::/0) to webhook network policy ingress and egress rules.
  • charts/cert-manager/config
    • Updated the VERSION environment variable to v1.19.4.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request upgrades the cert-manager Helm chart from v1.16.4 to v1.19.4. The changes are comprehensive, including version bumps, documentation updates to reflect new installation procedures and features, and template enhancements for better configuration flexibility. Overall, the upgrade appears to be well-executed. My review includes one suggestion to improve maintainability by aligning the parent chart's configuration with the recommended practice of using crds.enabled instead of the deprecated installCRDs parameter, as noted in the updated documentation.

Comment on lines +25 to +30
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.19.4 \
--set crds.enabled=true

medium

The updated installation instructions correctly recommend using --set crds.enabled=true. However, the parent chart's configuration in charts/cert-manager/cert-manager/values.yaml still uses the deprecated installCRDs: true parameter. To maintain consistency and adhere to the new best practice, the parent chart should also be updated to use crds.enabled: true and set installCRDs: false.
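
A pre-merge check for the inconsistency raised in the review comment above, as an added example that is not part of the pull request or the cert-manager project. It assumes the parent chart passes subchart values under a `cert-manager:` key; the function names and the sample file are constructed for illustration, and the line-based reader only handles simple block-style mappings.

```python
import re

# Constructed sample: a parent chart values.yaml (assumed layout) that still
# carries the deprecated switch next to the new one.
SAMPLE_VALUES = """\
cert-manager:
  installCRDs: true   # deprecated switch
  crds:
    enabled: false
  global:
    hostUsers: false
"""

# indent, key, scalar value (trailing comment dropped)
LINE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*([^#]*?)\s*(?:#.*)?$")

def flatten(text):
    """Map dotted key paths to scalar values for a block-style YAML mapping."""
    flat, stack = {}, []              # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                  # blank lines, comments, list items
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()               # leave mappings that have ended
        stack.append((indent, key))
        if value:
            flat[".".join(k for _, k in stack)] = value.strip("'\"")
    return flat

def crd_findings(text):
    """Report every installCRDs: true, and whether crds.enabled is also true."""
    flat = flatten(text)
    findings = []
    for path, value in flat.items():
        if path.split(".")[-1] == "installCRDs" and value.lower() == "true":
            prefix = path[: -len("installCRDs")]
            findings.append(f"{path}: deprecated, use {prefix}crds.enabled")
            if flat.get(prefix + "crds.enabled", "").lower() == "true":
                findings.append(f"{path}: set together with {prefix}crds.enabled")
    return findings

if __name__ == "__main__":
    for finding in crd_findings(SAMPLE_VALUES):
        print(finding)
```
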

@github-actions bot force-pushed the upgrade/cert-manager/v1.19.4 branch 3 times, most recently from aa17aae to 5a8261a (February 27, 2026 20:08)
@github-actions bot force-pushed the upgrade/cert-manager/v1.19.4 branch from 5a8261a to 5b97cb7 (February 28, 2026 20:06)