REVERT: API defaults for issuer reference kind and group

[erikgb]

Pull Request Motivation

With the release of 0.19.0 we got reports of unexpected certificate renewals on upgrade, ref. #8158. This is probably happening because the comparison logic is not taking the issuer reference kind and group (since forever) runtime defaults into account. We have an open PR to fix this, #8160, but it is required to upgrade to a version containing this fix BEFORE upgrading to a version that includes API defaults for these fields.

This has been discussed among the maintainers multiple times, and we agree that the best thing to do right now is to revert the new API defaults introduced in 0.19.0. And eventually return to this matter in a future release.

📖 Slack discussion: https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1760423137409219

Reverts #7414 and #7907 (partially; functional revert; not an exact revert of the commits, as things have changed since they were merged)
Fixes #8158
Closes #8157 (as this PR goes further in reverting the problematic change)

Kind

/kind bug

Release Note

Revert API defaults for issuer reference kind and group introduced in 0.19.0

CyberArk tracker: VC-46119

[Copilot]

Pull Request Overview

This PR reverts the API defaults for issuer reference kind and group fields that were introduced in cert-manager v0.19.0 to address unexpected certificate renewals during upgrades. The change removes runtime default values while maintaining the defaulting behavior through manual logic.

• Removes API-level default values for IssuerReference.Kind and IssuerReference.Group fields
• Moves defaulting logic from generated code to manual implementation
• Updates CRD schemas to use descriptive text instead of default field values

Reviewed Changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/apis/meta/v1/types.go	Removes API default annotations and adds descriptive comments
internal/apis/certmanager/v1/zz_generated.defaults.go	Removes generated defaulting functions
internal/apis/certmanager/v1/defaults.go	Adds manual defaulting functions for Certificate types
internal/apis/acme/v1/zz_generated.defaults.go	Removes generated defaulting functions for ACME types
internal/apis/acme/v1/defaults.go	Adds manual defaulting functions for ACME types
pkg/client/applyconfigurations/internal/internal.go	Removes default values from schema YAML
deploy/crds/*.yaml	Updates CRD descriptions to mention defaults without enforcing them
deploy/charts/cert-manager/templates/crd-*.yaml	Updates Helm chart CRD descriptions

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[erikgb]

/test pull-cert-manager-master-e2e-v1-34

[erikgb]

/test pull-cert-manager-master-e2e-v1-34

[Copilot]

Pull Request Overview

Copilot reviewed 19 out of 20 changed files in this pull request and generated no new comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[maelvls]

Hey. This PR doesn't add or change any test, is that expected? I would have expected some test to be changed to adapt to the reverted behavior

[erikgb]

Hey. This PR doesn't add or change any test, is that expected? I would have expected some test to be changed to adapt to the reverted behavior

Why should the test change? The issuer reference group and kind defaults have always been the same, so the API defaults are just another way of doing the same, which improves the use of cert-manager together with approver-policy. We could have tested the API defaults' behavior in the original PRs, but we didn't, as it's a simple and standard mechanism in the Kubernetes OpenAPI schema.

[wallrj-cyberark]

Thanks @erikgb

We've discussed this in slack and on the whole we think this is the right way forward.
We are unsure about how many people have been affected by this issue.
We are unsure about whether it is safe to turn off API defaults after they have been enabled. We will also merge #8160 and include that in the 1.19.1 release so that the change in API defaults should have no impact on how cert-manager identifies Certificates that require re-issuing.

This partially reverts the original PR which introduced the API defaults.
The defaulting functions )(which were originally auto generated by defaulter-gen will no longer be auto generated. We have moved them to defaults.go because they have been used in later PRs, to improve the gen package, so we can't just delete them without reverting those other changes too.

I notice that the changes to the fuzzer tests have not been reverted, I'm not sure why.

I noticed that the API documentation for issuerRef now mentions the default values, but it does not explain that the defaults are "runtime defaults"....perhaps it doesn't matter to the end user. Perhaps it's better that they should at least know what the defaults are.

I noticed that the deprecation of ObjectRef and it's replacement with IssuerRef, have not been reverted. Presumably because those changes have been built upon and used in later PRs which would be too difficult to revert.

Let's merge this and get the release out with some comprehensive upgrade notes so that users can make their own informed judgement about the patch.

📖 Slack discussion: https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1760423137409219

[wallrj]

/approve
/lgtm

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj, wallrj-cyberark

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wallrj-cyberark]

/cherry-pick release-1.19

[cert-manager-bot]

@wallrj-cyberark: once the present PR merges, I will cherry-pick it on top of release-1.19 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-1.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[cert-manager-bot]

@wallrj-cyberark: new pull request created: #8178

Details

In response to this:

/cherry-pick release-1.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.