cozystack
diff --git a/‎packages/system/cert-manager-crds/templates/_helpers.tpl‎
Lines changed: 59 additions & 5 deletions b/‎packages/system/cert-manager-crds/templates/_helpers.tpl‎
Lines changed: 59 additions & 5 deletions
diff --git a/‎packages/system/cert-manager-crds/templates/crd-acme.cert-manager.io_challenges.yaml‎
Lines changed: 31 additions & 9 deletions b/‎packages/system/cert-manager-crds/templates/crd-acme.cert-manager.io_challenges.yaml‎
Lines changed: 31 additions & 9 deletions
diff --git a/‎packages/system/cert-manager-crds/templates/crd-acme.cert-manager.io_orders.yaml‎
Lines changed: 4 additions & 0 deletions b/‎packages/system/cert-manager-crds/templates/crd-acme.cert-manager.io_orders.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎packages/system/cert-manager-crds/templates/crd-cert-manager.io_certificaterequests.yaml‎
Lines changed: 4 additions & 0 deletions b/‎packages/system/cert-manager-crds/templates/crd-cert-manager.io_certificaterequests.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎packages/system/cert-manager-crds/templates/crd-cert-manager.io_certificates.yaml‎
Lines changed: 4 additions & 3 deletions b/‎packages/system/cert-manager-crds/templates/crd-cert-manager.io_certificates.yaml‎
Lines changed: 4 additions & 3 deletions
@@ -180,11 +180,65 @@ Any changes to this function should also be made in cert-manager, trust-manager,
 See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
 */}}
 {{- define "image" -}}
-{{- $defaultTag := index . 1 -}}
-{{- with index . 0 -}}
-{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}}
-{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}}
-{{- end }}
+{{- /*
+Calling convention:
+
+- (tuple <imageValues> <imageRegistry> <imageNamespace> <defaultReference>)
+
+We intentionally pass imageRegistry/imageNamespace as explicit arguments rather than reading
+from `.Values` inside this helper, because `helm-tool lint` does not reliably track `.Values.*`
+usage through tuple/variable indirection.
+*/ -}}
+
+{{- if ne (len .) 4 -}}
+    {{- fail (printf "ERROR: template \"image\" expects (tuple <imageValues> <imageRegistry> <imageNamespace> <defaultReference>), got %d arguments" (len .)) -}}
+{{- end -}}
+
+{{- $image := index . 0 -}}
+{{- $imageRegistry := index . 1 | default "" -}}
+{{- $imageNamespace := index . 2 | default "" -}}
+{{- $defaultReference := index . 3 -}}
+
+{{- $repository := "" -}}
+{{- if $image.repository -}}
+    {{- $repository = $image.repository -}}
+
+    {{- /*
+        Backwards compatibility: if image.registry is set, additionally prefix the repository with this registry.
+    */ -}}
+    {{- if $image.registry -}}
+        {{- $repository = printf "%s/%s" $image.registry $repository -}}
+    {{- end -}}
+{{- else -}}
+    {{- $name := required "ERROR: image.name must be set when image.repository is empty" $image.name -}}
+    {{- $repository = $name -}}
+
+    {{- if $imageNamespace -}}
+        {{- $repository = printf "%s/%s" $imageNamespace $repository -}}
+    {{- end -}}
+
+    {{- if $imageRegistry -}}
+        {{- $repository = printf "%s/%s" $imageRegistry $repository -}}
+    {{- end -}}
+
+    {{- /*
+        Backwards compatibility: if image.registry is set, additionally prefix the repository with this registry.
+    */ -}}
+    {{- if $image.registry -}}
+        {{- $repository = printf "%s/%s" $image.registry $repository -}}
+    {{- end -}}
+{{- end -}}
+
+{{- $repository -}}
+{{- if and $image.tag $image.digest -}}
+    {{- printf ":%s@%s" $image.tag $image.digest -}}
+{{- else if $image.tag -}}
+    {{- printf ":%s" $image.tag -}}
+{{- else if $image.digest -}}
+    {{- printf "@%s" $image.digest -}}
+{{- else -}}
+    {{- printf "%s" $defaultReference -}}
+{{- end -}}
 {{- end }}
 
 {{/*
 
@@ -283,6 +283,22 @@ spec:
                                 The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
                                 If set, ClientID and ClientSecret must also be set.
                               type: string
+                            zoneType:
+                              description: |-
+                                ZoneType determines which type of Azure DNS zone to use.
+
+                                Valid values are:
+                                  - AzurePublicZone  (default): Use a public Azure DNS zone.
+                                  - AzurePrivateZone: Use an Azure Private DNS zone.
+
+                                If not specified, AzurePublicZone is used.
+
+                                Support for Azure Private DNS zones is currently
+                                experimental and may change in future releases.
+                              enum:
+                                - AzurePublicZone
+                                - AzurePrivateZone
+                              type: string
                           required:
                             - resourceGroupName
                             - subscriptionID
@@ -406,7 +422,7 @@ spec:
                               description: |-
                                 The IP address or hostname of an authoritative DNS server supporting
                                 RFC2136 in the form host:port. If the host is an IPv6 address it must be
-                                enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+                                enclosed in square brackets (e.g [2001:db8::1]); port is optional.
                                 This field is required.
                               type: string
                             protocol:
@@ -456,17 +472,17 @@ spec:
                               description: |-
                                 The AccessKeyID is used for authentication.
                                 Cannot be set when SecretAccessKeyID is set.
-                                If neither the Access Key nor Key ID are set, we fall-back to using env
-                                vars, shared credentials file or AWS Instance metadata,
+                                If neither the Access Key nor Key ID are set, we fall back to using env
+                                vars, shared credentials file, or AWS Instance metadata,
                                 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                               type: string
                             accessKeyIDSecretRef:
                               description: |-
                                 The SecretAccessKey is used for authentication. If set, pull the AWS
                                 access key ID from a key within a Kubernetes Secret.
                                 Cannot be set when AccessKeyID is set.
-                                If neither the Access Key nor Key ID are set, we fall-back to using env
-                                vars, shared credentials file or AWS Instance metadata,
+                                If neither the Access Key nor Key ID are set, we fall back to using env
+                                vars, shared credentials file, or AWS Instance metadata,
                                 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                               properties:
                                 key:
@@ -555,8 +571,8 @@ spec:
                             secretAccessKeySecretRef:
                               description: |-
                                 The SecretAccessKey is used for authentication.
-                                If neither the Access Key nor Key ID are set, we fall-back to using env
-                                vars, shared credentials file or AWS Instance metadata,
+                                If neither the Access Key nor Key ID are set, we fall back to using env
+                                vars, shared credentials file, or AWS Instance metadata,
                                 see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                               properties:
                                 key:
@@ -1913,9 +1929,10 @@ spec:
                                           operator:
                                             description: |-
                                               Operator represents a key's relationship to the value.
-                                              Valid operators are Exists and Equal. Defaults to Equal.
+                                              Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
                                               Exists is equivalent to wildcard for value, so that a pod can
                                               tolerate all taints of a particular category.
+                                              Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
                                             type: string
                                           tolerationSeconds:
                                             description: |-
@@ -3124,9 +3141,10 @@ spec:
                                           operator:
                                             description: |-
                                               Operator represents a key's relationship to the value.
-                                              Valid operators are Exists and Equal. Defaults to Equal.
+                                              Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
                                               Exists is equivalent to wildcard for value, so that a pod can
                                               tolerate all taints of a particular category.
+                                              Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
                                             type: string
                                           tolerationSeconds:
                                             description: |-
@@ -3274,6 +3292,10 @@ spec:
             - metadata
             - spec
           type: object
+      selectableFields:
+        - jsonPath: .spec.issuerRef.group
+        - jsonPath: .spec.issuerRef.kind
+        - jsonPath: .spec.issuerRef.name
       served: true
       storage: true
       subresources:
 
@@ -267,6 +267,10 @@ spec:
             - metadata
             - spec
           type: object
+      selectableFields:
+        - jsonPath: .spec.issuerRef.group
+        - jsonPath: .spec.issuerRef.kind
+        - jsonPath: .spec.issuerRef.name
       served: true
       storage: true
       subresources:
 
@@ -312,6 +312,10 @@ spec:
                   type: string
               type: object
           type: object
+      selectableFields:
+        - jsonPath: .spec.issuerRef.group
+        - jsonPath: .spec.issuerRef.kind
+        - jsonPath: .spec.issuerRef.name
       served: true
       storage: true
       subresources:
 
@@ -451,9 +451,6 @@ spec:
                         will be generated whenever a re-issuance occurs.
                         Default is `Always`.
                         The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
-                        The new default can be disabled by setting the
-                        `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
-                        the controller component.
                       enum:
                         - Never
                         - Always
@@ -809,6 +806,10 @@ spec:
                   type: integer
               type: object
           type: object
+      selectableFields:
+        - jsonPath: .spec.issuerRef.group
+        - jsonPath: .spec.issuerRef.kind
+        - jsonPath: .spec.issuerRef.name
       served: true
       storage: true
       subresources: