Add unhealthyPodEvictionPolicy to supported PDB options

[jcpunk]

Pull Request Motivation

unhealthyPodEvictionPolicy is a feature of the podDisruptionBudget, so it is nice to be able to set it via the chart.

Currently the chart ignores this value when set.

Fixes #7275

Kind

/kind feature

Release Note

Added support for unhealthyPodEvictionPolicy in PodDisruptionBudget

[cert-manager-prow]

Hi @jcpunk. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[erikgb]

@jcpunk Thanks for your PR. Have you seen #7537?

[jcpunk]

I did not. Weird, I'd swear I searched for PRs before writing this...

Whichever you prefer to merge is fine with me.

[cert-manager-bot]

Issues go stale after 6 months of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues remain open for an additional 3 months of inactivity and then close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[erikgb]

@jcpunk, as we didn't get any feedback from the author of #7537, I am hoping you can finish up this PR.

/ok-to-test

[jcpunk]

In theory I've addressed the review and made the requested changes.

[erikgb]

Please run 'make vendor-go generate-helm-docs'

[jcpunk]

I do not understand the test failures...

[erikgb]

I do not understand the test failures...

@jcpunk, the problem is the failing verify job. 😸 You need to ensure generated files are up-to-date. Did you try to run make vendor-go generate-helm-docs locally, as suggested by the failing verify job?

[jcpunk]

I did run that, but nothing in my local repo changed...

riehecky@leibniz:/tmp/foo/cert-manager$ make vendor-go generate-helm-docs
/tmp/foo/cert-manager/_bin/tools/helm-tool inject \
        --header-search '^<!-- AUTO-GENERATED -->' \
        --footer-search '^<!-- /AUTO-GENERATED -->' \
        -i deploy/charts/cert-manager/values.yaml \
        -o deploy/charts/cert-manager/README.template.md
riehecky@leibniz:/tmp/foo/cert-manager$ git status
On branch pdb-smarter
Your branch is up to date with 'origin/pdb-smarter'.

nothing to commit, working tree clean

I'll rebase off HEAD?

[erikgb]

I did run that, but nothing in my local repo changed...

riehecky@leibniz:/tmp/foo/cert-manager$ make vendor-go generate-helm-docs
/tmp/foo/cert-manager/_bin/tools/helm-tool inject \
        --header-search '^<!-- AUTO-GENERATED -->' \
        --footer-search '^<!-- /AUTO-GENERATED -->' \
        -i deploy/charts/cert-manager/values.yaml \
        -o deploy/charts/cert-manager/README.template.md
riehecky@leibniz:/tmp/foo/cert-manager$ git status
On branch pdb-smarter
Your branch is up to date with 'origin/pdb-smarter'.

nothing to commit, working tree clean

I'll rebase off HEAD?

I checked out your branch, and I agree it doesn't change anything. But when I rebased the branch on top of upstream/master, the Helm schema was modified after rerunning the command. Could you try that and force push the result? I am not sure if I have permission to force push to your branch. Sorry about this! 🤷

[jcpunk]

I'll rebase and send you an invite for full access to my repo. Once this is merged up I plan to delete my fork.

[jcpunk]

I flattened the commits out, not sure why I'm still getting a failure...

[erikgb]

I flattened the commits out, not sure why I'm still getting a failure...

Seems like you sorted it out, but I just pushed an additional commit replacing hasKey with with. I did not like the new linter exceptions added, but I also felt a bit guilty - as I asked you to remove the wrong parts. 😆

[erikgb]

/hold
/lgtm
/approve

Adding a hold in case you want to rebase the PR into a single commit.

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erikgb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [erikgb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jcpunk]

I've flattened it down and rebased off HEAD. In theory this is good to go...

[Copilot]

Pull request overview

This PR adds support for the unhealthyPodEvictionPolicy field in PodDisruptionBudget resources across all cert-manager components (controller, webhook, and cainjector). This field, which requires Kubernetes 1.31 or the PDBUnhealthyPodEvictionPolicy feature gate to be enabled, controls how unhealthy pods are handled during eviction scenarios.

Key Changes:

• Added unhealthyPodEvictionPolicy configuration option to all three PDB configurations
• Updated Helm templates to conditionally render the field when specified
• Enhanced schema validation and documentation for the new field

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
deploy/charts/cert-manager/values.yaml	Added unhealthyPodEvictionPolicy configuration comments and examples for controller, webhook, and cainjector PDBs; minor whitespace cleanup
deploy/charts/cert-manager/values.schema.json	Added JSON schema definitions for unhealthyPodEvictionPolicy field across all three PDB configurations
deploy/charts/cert-manager/values.linter.exceptions	Formatting update to maintain consistent file structure
deploy/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml	Added conditional template logic to include unhealthyPodEvictionPolicy in webhook PDB spec
deploy/charts/cert-manager/templates/poddisruptionbudget.yaml	Added conditional template logic to include unhealthyPodEvictionPolicy in controller PDB spec
deploy/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml	Added conditional template logic to include unhealthyPodEvictionPolicy in cainjector PDB spec
deploy/charts/cert-manager/README.template.md	Added documentation sections for the new unhealthyPodEvictionPolicy field in all three PDB configurations

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jcpunk]

Spelling errors corrected.

[erikgb]

/retest

[erikgb]

Thanks @jcpunk! 🚀

/lgtm
/unhold

[erikgb]

/test pull-cert-manager-master-make-test

[wallrj-cyberark]

📢 The fix or feature is now available for testing in an alpha release

• https://github.com/cert-manager/cert-manager/releases/tag/v1.20.0-alpha.1

Please test and report back.