Skip to content

CM-1194: Bump cert-manager operand to 1.20.3#450

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
bharath-b-rh:cm-1194
Jul 1, 2026
Merged

CM-1194: Bump cert-manager operand to 1.20.3#450
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
bharath-b-rh:cm-1194

Conversation

@bharath-b-rh

@bharath-b-rh bharath-b-rh commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

The PR has following changes

  • Bumps the cert-manager operand to 1.20.3
  • And also bumps below packages to latest z-streams
    • github.com/openshift/api v0.0.0-20260513085653-694421e64aee
    • github.com/openshift/library-go v0.0.0-20260512161954-889c2cd3e381
    • sigs.k8s.io/controller-runtime v0.23.3

Summary by CodeRabbit

  • New Features
    • Updated bundled cert-manager components and operator metadata to v1.20.3, including refreshed webhook, cainjector, controller, and ACME solver images.
  • Bug Fixes
    • Adjusted ACME orders RBAC permissions to drop the create capability.
  • Tests
    • Updated test expectations for the new ACME solver image tag.
  • Chores
    • Updated build defaults and refreshed dependency/toolchain version pins.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 1, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 1, 2026

Copy link
Copy Markdown

@bharath-b-rh: This pull request references CM-1194 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

The PR has following changes

  • Bumps the cert-manager operand to 1.20.3
  • And also bumps below packages to latest z-streams
    • github.com/openshift/api v0.0.0-20260513085653-694421e64aee
    • github.com/openshift/library-go v0.0.0-20260512161954-889c2cd3e381
    • sigs.k8s.io/controller-runtime v0.23.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7b139a0c-0477-4581-bf72-ed3eeb48552a

📥 Commits

Reviewing files that changed from the base of the PR and between d7c8516 and 1c7fc1a.

⛔ Files ignored due to path filters (180)
  • go.sum is excluded by !**/*.sum
  • test/go.sum is excluded by !**/*.sum
  • tools/go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/openapi/openapi.json is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/hkdf/hkdf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/parse.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/render.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/html/token.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/client_conn_pool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/clientconn.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/server_common.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/server_wrap.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/transport_common.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/transport_wrap.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_common.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_random.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_roundrobin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/go118.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/idna.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/idna9.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/pre_go118.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/punycode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/trie12.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/idna/trie13.0.0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_darwin_arm64_other.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_windows_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/zcpu_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/mkall.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/readv_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_darwin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_openbsd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_mips.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/dll_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/security_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/analysis.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/fieldalignment/fieldalignment.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/lostcancel/lostcancel.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/atomictypes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/errorsastype.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/fmtappendf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/maps.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/minmax.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/modernize.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/newexpr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/rangeint.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/reflect.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/slicesbackward.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/slicescontains.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/stditerators.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/stringsbuilder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/stringscut.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/stringscutprefix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/unsafefuncs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/modernize/waitgroupgo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/printf/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/printf/printf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/structtag/structtag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/golist.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/builder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/sanity.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/comment.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/stringlit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/ureader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gocommand/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/goplsexport/export.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/imports/source_modindex.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/modindex/directories.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/modindex/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/modindex/lookup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/modindex/modindex.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/modindex/symbols.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/refactor/refactor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typeparams/coretype.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/versions/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/refactor/satisfy/find.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/defaulter_custom.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (64)
  • Makefile
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-crb.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-deployment.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-sa.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-cr.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-crb.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-cluster-view-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-edit-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-rb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-role.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-sa.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-svc.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-role.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-view-cr.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-rb.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-role.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-mutatingwebhookconfiguration.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-sa.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-svc.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-validatingwebhookconfiguration.yaml
  • bundle/manifests/acme.cert-manager.io_challenges.yaml
  • bundle/manifests/acme.cert-manager.io_orders.yaml
  • bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
  • bundle/manifests/cert-manager.io_certificaterequests.yaml
  • bundle/manifests/cert-manager.io_certificates.yaml
  • bundle/manifests/cert-manager.io_clusterissuers.yaml
  • bundle/manifests/cert-manager.io_issuers.yaml
  • config/crd/bases/certificaterequests.cert-manager.io-crd.yaml
  • config/crd/bases/certificates.cert-manager.io-crd.yaml
  • config/crd/bases/challenges.acme.cert-manager.io-crd.yaml
  • config/crd/bases/clusterissuers.cert-manager.io-crd.yaml
  • config/crd/bases/issuers.cert-manager.io-crd.yaml
  • config/crd/bases/orders.acme.cert-manager.io-crd.yaml
  • config/manager/manager.yaml
  • config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
  • go.mod
  • images/ci/certmanager.Dockerfile
  • pkg/controller/certmanager/deployment_overrides_test.go
  • pkg/operator/assets/bindata.go
  • test/go.mod
  • tools/go.mod
✅ Files skipped from review due to trivial changes (50)
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-mutatingwebhookconfiguration.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-cluster-view-cr.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-sa.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-rb.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-crb.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-role.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-view-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-svc.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-role.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-leaderelection-role.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-crb.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-svc.yaml
  • bundle/manifests/cert-manager.io_certificaterequests.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-validatingwebhookconfiguration.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-crb.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-deployment.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml
  • config/crd/bases/issuers.cert-manager.io-crd.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml
  • config/crd/bases/orders.acme.cert-manager.io-crd.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-crb.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-cr.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml
  • bundle/manifests/cert-manager.io_clusterissuers.yaml
  • bundle/manifests/cert-manager.io_issuers.yaml
  • bundle/manifests/acme.cert-manager.io_challenges.yaml
  • bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-rb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-sa.yaml
  • bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-cr.yaml
  • config/crd/bases/certificates.cert-manager.io-crd.yaml
  • config/crd/bases/certificaterequests.cert-manager.io-crd.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-sa.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml
  • bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-cr.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml
  • bundle/manifests/acme.cert-manager.io_orders.yaml
  • pkg/controller/certmanager/deployment_overrides_test.go
  • config/crd/bases/clusterissuers.cert-manager.io-crd.yaml
🚧 Files skipped from review as they are similar to previous changes (14)
  • bundle/manifests/cert-manager.io_certificates.yaml
  • config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-edit-cr.yaml
  • bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
  • go.mod
  • images/ci/certmanager.Dockerfile
  • Makefile
  • tools/go.mod
  • config/manager/manager.yaml
  • bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml
  • test/go.mod
  • config/crd/bases/challenges.acme.cert-manager.io-crd.yaml
  • pkg/operator/assets/bindata.go

Walkthrough

This PR updates cert-manager version references from v1.20.2 to v1.20.3 across build inputs, manifests, generated embedded assets, operator configuration, and tests. It also removes the create verb from the cert-manager-edit orders RBAC rule.

Changes

Cert-manager v1.20.3 bump

Layer / File(s) Summary
Build and dependency pins
Makefile, go.mod, test/go.mod, tools/go.mod, images/ci/certmanager.Dockerfile
CERT_MANAGER_VERSION and related dependency/version pins were updated to v1.20.3.
Manifest and operator config updates
bindata/cert-manager-deployment/*, bundle/manifests/*, config/crd/bases/*, config/manager/manager.yaml, config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
Version labels, image tags, CSV text, CRD metadata, and controller-manager operand image env values were updated to v1.20.3.
Embedded assets and RBAC change
pkg/operator/assets/bindata.go, pkg/controller/certmanager/deployment_overrides_test.go
Embedded manifest assets were regenerated for the version bump, and the orders RBAC rule no longer includes create; tests were updated for the new solver image tag.

Estimated code review effort: 2 (Simple) | ~12 minutes

Possibly related PRs

Suggested labels: lgtm

Suggested reviewers: TrilokGeer, PillaiManish

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: bumping the cert-manager operand to version 1.20.3.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The changed test file uses only static t.Run names; there are no Ginkgo It/Describe/Context/When titles or dynamic identifiers.
Test Structure And Quality ✅ Passed The only touched test file is standard table-driven unit tests, not Ginkgo; no cluster waits/timeouts or resource setup/cleanup patterns are present.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the only changed test is a plain testing.T unit test and uses no MicroShift-unsupported APIs/features.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the only changed test file is a standard testing.T unit test, and no SNO-unsafe assumptions appear in modified files.
Topology-Aware Scheduling Compatibility ✅ Passed PR only bumps cert-manager versions/images/deps; no node selectors, anti-affinity, topology spreads, or replica logic were introduced or changed.
Ote Binary Stdout Contract ✅ Passed PASS: The PR only bumps versions/manifests and a test expectation; no changed process-level code writes to stdout, and suite logging uses GinkgoWriter.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the only changed test file is a unit test and contains no Ginkgo DSL or network assumptions.
No-Weak-Crypto ✅ Passed Focused scans of changed code paths and a repo-wide non-vendor search found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or secret-compare issues.
Container-Privileges ✅ Passed Touched manifests only set allowPrivilegeEscalation=false/privileged=false; no hostPID/hostNetwork/hostIPC, SYS_ADMIN, or root runAsUser found.
No-Sensitive-Data-In-Logs ✅ Passed No log statements were added or changed; the PR is version/manifest bumps only. Focused scans found no sensitive data exposed in logs.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from TrilokGeer and mytreya-rh July 1, 2026 05:48
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2026
Signed-off-by: Bharath B <bhb@redhat.com>
@mytreya-rh

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2026
@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bharath-b-rh, mytreya-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [bharath-b-rh,mytreya-rh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@bharath-b-rh

Copy link
Copy Markdown
Contributor Author

/label docs-approved
/label px-approved
/label qe-approved

@openshift-ci openshift-ci Bot added docs-approved Signifies that Docs has signed off on this PR px-approved Signifies that Product Support has signed off on this PR qe-approved Signifies that QE has signed off on this PR labels Jul 1, 2026
@bharath-b-rh

Copy link
Copy Markdown
Contributor Author

/cherrypick release-1.20

@openshift-cherrypick-robot

Copy link
Copy Markdown

@bharath-b-rh: once the present PR merges, I will cherry-pick it on top of release-1.20 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-1.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot openshift-merge-bot Bot merged commit 95e882b into openshift:master Jul 1, 2026
11 of 12 checks passed
@openshift-cherrypick-robot

Copy link
Copy Markdown

@bharath-b-rh: cannot checkout release-1.20: error checking out "release-1.20": exit status 1 error: pathspec 'release-1.20' did not match any file(s) known to git

Details

In response to this:

/cherrypick release-1.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@bharath-b-rh bharath-b-rh deleted the cm-1194 branch July 1, 2026 08:29
@bharath-b-rh

Copy link
Copy Markdown
Contributor Author

/cherrypick cert-manager-1.20

@openshift-cherrypick-robot

Copy link
Copy Markdown

@bharath-b-rh: new pull request created: #451

Details

In response to this:

/cherrypick cert-manager-1.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. docs-approved Signifies that Docs has signed off on this PR jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. px-approved Signifies that Product Support has signed off on this PR qe-approved Signifies that QE has signed off on this PR

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants