
fix(cert-manager): bump chart to v1.20.2#2562

Merged: myasnikovdaniil merged 1 commit into main from fix/cert-manager-1.20 on May 6, 2026

Conversation

@myasnikovdaniil

@myasnikovdaniil myasnikovdaniil commented May 3, 2026

Contributor

What this PR does

Bumps the vendored cert-manager chart from v1.19.3 to v1.20.2. Pure upstream bump
via make update — no cozystack-side template changes.

Why

Commit 2b6e20cc migrated
the platform's ACME HTTP-01 setup to the modern ingressClassName API on both
the ClusterIssuer's solver and the per-tenant override annotation
acme.cert-manager.io/http01-ingress-ingressclassname. The override annotation,
however, was only added to upstream cert-manager in v1.20.0
(cert-manager#8244) — v1.19.x silently ignores it. Result: cert-manager always
falls back to the ClusterIssuer's solver class (tenant-root), so HTTP-01 solver
Ingresses for non-tenant-root tenants land on the wrong controller and Let's
Encrypt validation fails for tenant-scoped Ingresses (grafana, harbor, alerta,
etc. inside child tenants).

Targeting v1.20.2 (not .0):

Verified live on dev10

Stage               | Challenge.spec.solver.http01.ingress.ingressClassName
Pre-bump (v1.19.3)  | "tenant-root" (bug)
Post-bump (v1.20.2) | "<tenant>" (fixed)

Full propagation chain confirmed end-to-end: source Ingress annotation -> ingress-shim
sets http01-override-ingress-ingressclassname on the Certificate -> acmeorders sets
spec.solver.http01.ingress.ingressClassName on the Challenge -> http01 solver creates
the solver Ingress on the tenant's class.

Upgrade considerations

  • Container UID/GID change: 1000/0 -> 65532/65532 across controller, webhook,
    cainjector. PSP / SecurityContext rules pinning UID 1000 will need updating.
  • Helm chart image structure refactored from image.repository to
    imageRegistry + imageNamespace + image.name. Cozystack's wrapper
    values.yaml is empty, so rendered image references are unchanged
    (quay.io/jetstack/cert-manager-{controller,webhook,cainjector,acmesolver}:v1.20.2).
  • NetworkPolicy templates restructured: legacy networkpolicy-egress.yaml
    removed; per-component networkpolicy-cainjector.yaml and
    networkpolicy-cert-manager.yaml added. All gated on
    *.networkPolicy.enabled: false (default). No behavioral change.
  • CRDs: selectableFields added (Kubernetes >=1.30) and Azure DNS01 zoneType
    enum. Both pure additions.
  • RBAC: gains clusterissuers/issuers/finalizers and
    gateway.networking.k8s.io.listenersets[/finalizers].
  • DefaultPrivateKeyRotationPolicyAlways feature gate moves Beta -> GA, can no
    longer be disabled. Already default since v1.18; no behavior change.

Release note

fix(cert-manager): bump to v1.20.2 - fixes HTTP-01 solver IngressClass
propagation for tenant-scoped Ingresses (the
`acme.cert-manager.io/http01-ingress-ingressclassname` annotation was a no-op
in prior cert-manager versions). Default container UID/GID changes from
1000/0 to 65532/65532 - review your PSP/SecurityContext rules.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added network policy support for controller, webhook, and CA injector
    • Added Azure DNS zone type selection (public/private)
    • Added webhook client verification configuration options
    • Extended pod disruption budget configuration with unhealthy pod eviction policy
  • Updates

    • Upgraded cert-manager to v1.20.2
    • Enhanced global image registry and namespace configuration
    • Expanded issuer reference field selectors
    • Added support for extra containers in controller pod
    • Updated issuer terminology and configuration
  • Documentation

    • Updated Helm chart documentation with new configuration options
    • Updated post-installation guidance

cert-manager v1.20.0 introduced the
acme.cert-manager.io/http01-ingress-ingressclassname Ingress annotation
(cert-manager#8244). Cozystack templates already emit it (since
2b6e20c) but v1.19.x silently ignored it, so cert-manager fell back
to the ClusterIssuer's solver class. HTTP-01 solver Ingresses for
non-publishing tenants ended up on the wrong IngressClass, breaking
Let's Encrypt issuance for any tenant ingress not on tenant-root.

Targeting v1.20.2 picks up cert-manager#8655 (clusterissuers/issuers
finalizer RBAC restored after v1.20.0 dropped it) and #8665 (webhook
helm-template fix).

Verified live on dev10:
- v1.19.3: Challenge solver class = "tenant-root" (BUG)
- v1.20.2: Challenge solver class = "<tenant>" (FIXED)

Notable upgrade considerations:
- Container UID/GID change 1000/0 -> 65532/65532
- New per-component NetworkPolicy templates (gated, default off)
- Image template signature refactored (cozystack values.yaml empty,
  renders identically)
- CRDs gain selectableFields (k8s >=1.30) and Azure DNS01 zoneType
- RBAC adds clusterissuers/issuers finalizers + listenersets

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
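The propagation chain above (source Ingress annotation, then Certificate, then Challenge solver class) is what the dev10 verification checked by hand. The script below is an added example, not Cozystack or cert-manager code: it automates that check over objects shaped like the items in `kubectl get ingress,challenges.acme.cert-manager.io -A -o json`, pairing each Challenge with its source Ingress by `spec.dnsName` against the Ingress rule hosts, and reports whether the solver landed on the annotated class, fell back to the ClusterIssuer default (the v1.19.x symptom), or ended up somewhere else. The annotation name and the Challenge field path are taken from the PR description; the Ingress and Challenge objects in the block are constructed for the example, as are the hostnames and the `tenant-foo` class name.

```python
"""Audit cert-manager HTTP-01 Challenges for IngressClass fallback.

Added example, not Cozystack or cert-manager code. Input objects are shaped
like the items of `kubectl get ingress,challenges.acme.cert-manager.io -A -o json`;
the SAMPLE_* objects below are constructed for the example.
"""
from __future__ import annotations

# Per-tenant override annotation quoted in the PR description (cert-manager >= v1.20.0).
OVERRIDE_ANNOTATION = "acme.cert-manager.io/http01-ingress-ingressclassname"


def expected_classes(ingresses: list[dict]) -> dict[str, str]:
    """Map every host served by an annotated Ingress to the IngressClass the
    override annotation asks cert-manager to use for the solver Ingress."""
    hosts: dict[str, str] = {}
    for ing in ingresses:
        wanted = (ing["metadata"].get("annotations") or {}).get(OVERRIDE_ANNOTATION)
        if not wanted:
            continue  # no override: the ClusterIssuer's solver class is correct here
        for rule in ing.get("spec", {}).get("rules", []):
            if rule.get("host"):
                hosts[rule["host"]] = wanted
    return hosts


def solver_class(challenge: dict) -> str | None:
    """Class cert-manager actually put on Challenge.spec.solver.http01.ingress."""
    return (challenge.get("spec", {}).get("solver", {}).get("http01", {})
            .get("ingress", {}).get("ingressClassName"))


def audit(ingresses: list[dict], challenges: list[dict],
          issuer_default_class: str) -> list[dict]:
    """One finding per Challenge whose dnsName belongs to an annotated Ingress.
    status: 'ok' (solver on the annotated class), 'fallback' (solver still on
    the ClusterIssuer default, the v1.19.x symptom) or 'mismatch' (other)."""
    wanted_by_host = expected_classes(ingresses)
    findings = []
    for ch in challenges:
        host = ch["spec"].get("dnsName")
        wanted = wanted_by_host.get(host)
        if wanted is None:
            continue  # not tenant-overridden; nothing to compare against
        actual = solver_class(ch)
        if actual == wanted:
            status = "ok"
        elif actual == issuer_default_class:
            status = "fallback"
        else:
            status = "mismatch"
        findings.append({
            "challenge": f'{ch["metadata"]["namespace"]}/{ch["metadata"]["name"]}',
            "dnsName": host, "expected": wanted, "actual": actual, "status": status,
        })
    return findings


# Constructed sample data: one tenant Ingress with the override, one root Ingress without.
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "tenant-foo", "name": "grafana",
                  "annotations": {OVERRIDE_ANNOTATION: "tenant-foo"}},
     "spec": {"rules": [{"host": "grafana.foo.example.com"}]}},
    {"metadata": {"namespace": "tenant-root", "name": "dashboard"},
     "spec": {"rules": [{"host": "dashboard.example.com"}]}},
]
SAMPLE_CHALLENGES = [
    # Shape of the pre-bump Challenge: annotation ignored, issuer default used.
    {"metadata": {"namespace": "tenant-foo", "name": "grafana-tls-1-0"},
     "spec": {"dnsName": "grafana.foo.example.com",
              "solver": {"http01": {"ingress": {"ingressClassName": "tenant-root"}}}}},
    # Shape of the post-bump Challenge: tenant class propagated.
    {"metadata": {"namespace": "tenant-foo", "name": "grafana-tls-2-0"},
     "spec": {"dnsName": "grafana.foo.example.com",
              "solver": {"http01": {"ingress": {"ingressClassName": "tenant-foo"}}}}},
    # Root-tenant Challenge with no override: skipped by the audit.
    {"metadata": {"namespace": "tenant-root", "name": "dashboard-tls-1-0"},
     "spec": {"dnsName": "dashboard.example.com",
              "solver": {"http01": {"ingress": {"ingressClassName": "tenant-root"}}}}},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INGRESSES, SAMPLE_CHALLENGES, issuer_default_class="tenant-root"):
        print(f'{f["status"]:8} {f["challenge"]} expected={f["expected"]} actual={f["actual"]}')
```

Against a live cluster the two lists come from `kubectl ... -o json` (the `items` arrays), and `issuer_default_class` is whatever the ClusterIssuer's `solver.http01.ingress.ingressClassName` is set to (`tenant-root` in the PR's description). Any `fallback` finding after the bump means the annotation is still not reaching the Challenge and is worth a second look before blaming the ingress controller.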
@gemini-code-assist

Contributor

Summary of Changes


This pull request performs a necessary upstream update of the cert-manager Helm chart to v1.20.2. The primary driver for this change is to enable proper support for the 'ingressClassName' API, which was not correctly handled in the previous version, causing validation failures for tenant-scoped Ingresses. The update also includes various CRD enhancements and structural adjustments to image handling and network policies.

Highlights

  • Cert-Manager Version Bump: Upgraded the vendored cert-manager chart from v1.19.3 to v1.20.2 to resolve HTTP-01 solver IngressClass propagation issues for tenant-scoped Ingresses.
  • Security Context Changes: Container UID/GID defaults have shifted from 1000/0 to 65532/65532, requiring potential updates to existing PSP or SecurityContext rules.
  • CRD and Template Updates: Updated CRD definitions to include new features like Azure DNS zone types and selectable fields, alongside refactored image template helpers.


Ignored Files
  • Ignored by pattern: **/charts/** (20)
    • packages/system/cert-manager/charts/cert-manager/Chart.yaml
    • packages/system/cert-manager/charts/cert-manager/README.md
    • packages/system/cert-manager/charts/cert-manager/templates/NOTES.txt
    • packages/system/cert-manager/charts/cert-manager/templates/_helpers.tpl
    • packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-cainjector.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-cert-manager.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-egress.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-webhooks.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/poddisruptionbudget.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/podmonitor.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/rbac.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/servicemonitor.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/startupapicheck-job.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml
    • packages/system/cert-manager/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml
    • packages/system/cert-manager/charts/cert-manager/values.schema.json
    • packages/system/cert-manager/charts/cert-manager/values.yaml

@coderabbitai

coderabbitai Bot commented May 3, 2026


Walkthrough

This PR upgrades cert-manager from v1.19.3 to v1.20.2, refactoring the Helm image helper template to use explicit registry/namespace parameters, updating multiple CRD schemas with new Azure DNS zone types and issuer reference field selectors, adding network policies and pod disruption budget enhancements, and expanding webhook client verification options.

Changes

Cert-Manager v1.19.3 → v1.20.2 Upgrade

Helper Template Signature & Logic
  Files: packages/system/cert-manager-crds/templates/_helpers.tpl, packages/system/cert-manager/charts/cert-manager/templates/_helpers.tpl
  Summary: The image helper was rewritten to require exactly 4-element tuple (imageValues, imageRegistry, imageNamespace, defaultReference) with validation. Image repository assembly now uses explicit imageRegistry/imageNamespace prefixes alongside imageValues.registry (backwards compatibility). Tag/digest formatting changed to emit :tag@digest when both exist, otherwise :tag, @digest, or fallback to defaultReference.

CRD Schema Enhancements
  Files: packages/system/cert-manager-crds/templates/crd-acme.cert-manager.io_challenges.yaml, crd-acme.cert-manager.io_orders.yaml, crd-cert-manager.io_certificaterequests.yaml, crd-cert-manager.io_certificates.yaml, crd-cert-manager.io_clusterissuers.yaml, crd-cert-manager.io_issuers.yaml
  Summary: Added spec.selectableFields for .spec.issuerRef.group/kind/name to all relevant CRDs. Added Azure DNS zoneType field with AzurePublicZone/AzurePrivateZone enum. Expanded toleration operator support to include Lt and Gt. Updated Venafi descriptions to reflect CyberArk Certificate Manager branding.

Chart Version & Metadata
  Files: packages/system/cert-manager/charts/cert-manager/Chart.yaml
  Summary: Chart version and appVersion bumped from v1.19.3 to v1.20.2.

Deployment & Pod Template Updates
  Files: packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml, webhook-deployment.yaml, cainjector-deployment.yaml, startupapicheck-job.yaml
  Summary: All component deployments updated to use the new 4-argument image helper with global imageRegistry/imageNamespace and chart app version. Controller deployment gains extraContainers support. Webhook deployment adds conditional client verification arguments (--enable-client-verification, --client-ca-path, --client-subject-names).

Pod Disruption Budget & Network Policy Templates
  Files: packages/system/cert-manager/charts/cert-manager/templates/poddisruptionbudget.yaml, cainjector-poddisruptionbudget.yaml, webhook-poddisruptionbudget.yaml, networkpolicy-cert-manager.yaml, networkpolicy-cainjector.yaml, networkpolicy-webhooks.yaml
  Summary: Added conditional unhealthyPodEvictionPolicy field to all PodDisruptionBudgets. Created new network policy templates for controller, cainjector, and webhook with configurable ingress/egress rules. Removed deprecated webhook egress-only policy template.

RBAC & Monitoring Updates
  Files: packages/system/cert-manager/charts/cert-manager/templates/rbac.yaml, podmonitor.yaml, servicemonitor.yaml
  Summary: Added finalizer update permissions for clusterissuers/issuers to orders controller role. Expanded ingress-shim role to include listenersets and listenersets/finalizers. Changed PodMonitor/ServiceMonitor jobLabel from chart fullname to fixed app.kubernetes.io/name label.

Configuration & Schema
  Files: packages/system/cert-manager/charts/cert-manager/values.schema.json, values.yaml
  Summary: Added global imageRegistry/imageNamespace configuration. Refactored all component image definitions to use per-component name/repository/tag/digest overrides. Added extraContainers, networkPolicy, and pemSizeLimitsConfig to controller config. Added unhealthyPodEvictionPolicy schema for controller/cainjector/webhook PDBs. Added webhook client verification fields. Updated feature gates from v1.18.1 to v1.20.0 defaults. Marked per-component image.registry as deprecated.

Documentation & Notes
  Files: packages/system/cert-manager/charts/cert-manager/README.md, NOTES.txt
  Summary: Updated all image configuration documentation to reflect global registry/namespace precedence and per-component deprecations. Added webhook client verification, network policy, and pod disruption budget documentation. Added Gateway API setup guidance. Replaced private key rotation deprecation note with per-component image registry deprecation warning.


Possibly related PRs

  • Update cert-manager #595: Modifies the cert-manager Helm chart image helper template signature and implementation logic in _helpers.tpl, directly related to the helper template refactoring in this PR.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Trivy (0.69.3)

Failed to read Trivy output file: ENOENT: no such file or directory, open '/inmem/1278/nsjail-46a56d98-ca5a-401c-b355-e908f55e6f7b/merged/.trivy-output.json'



@github-actions github-actions Bot added labels area/uncategorized (PR auto-labeler could not map title scope to a known area/*; please review) and kind/bug (Categorizes issue or PR as related to a bug) May 3, 2026

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the cert-manager-crds package, refactoring the image helper template to support explicit registry and namespace arguments and updating CRD definitions with new fields such as zoneType for Azure DNS and selectableFields for issuer references. It also includes rebranding updates from Venafi to CyberArk Certificate Manager and various grammatical fixes. Review feedback identifies a potential logic issue in the image helper regarding registry precedence that should be addressed, and suggests clarifying the default values in the TokenAudiences description within the source definitions for the generated CRDs.

Comment on lines +227 to +229
{{- if $image.registry -}}
{{- $repository = printf "%s/%s" $image.registry $repository -}}
{{- end -}}


medium

The logic for constructing the image repository string in the image helper appears to have a potential bug or at least an unclear precedence for the image.registry field when image.repository is empty. Specifically, the if $image.registry block on lines 227-229 will prepend image.registry (from the $image object) after $imageNamespace and $imageRegistry (from the arguments) have already been prepended. This could lead to an incorrect image path like image.registry/imageRegistry/imageNamespace/image.name instead of a more logical imageRegistry/imageNamespace/image.name or image.registry/image.name.

Given that this file is part of a vendored upstream Helm chart, this issue should be reported to the upstream cert-manager project for correction in their source definitions.

References
  1. Never suggest editing files inside any charts/ directory under packages/. Those are upstream Helm charts vendored via make update (which runs helm pull). Any direct edit is overwritten on the next update and provides zero value. If you find an issue that appears to live in vendored chart code, for true upstream bugs, point to the upstream repository and suggest an upstream issue/PR. Similarly, never propose edits to generated files like zz_generated.*.go or pkg/generated/.

myasnikovdaniil (Contributor Author) replied:

This file is vendored from upstream jetstack/cert-manager: packages/system/cert-manager/Makefile's update target runs helm pull jetstack/cert-manager and then cp charts/cert-manager/templates/_helpers.tpl ../cert-manager-crds/templates/. Any edit here is overwritten on the next bump. The header comment in the file itself states: "This function is standardized across all charts in the cert-manager GH organization. Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ..." and links to cert-manager/cert-manager#6329.

Also worth noting: the precedence isn't a bug, it's a documented backwards-compatibility shim. The two adjacent comment blocks (lines 206-208 and 224-226) explicitly call this out: when image.registry is set on the values object alongside the new imageRegistry/imageNamespace arguments, both prefixes are applied so existing user values keep working. Cozystack's values.yaml doesn't set image.registry for any cert-manager component, so this branch never fires for us.

If you believe this is genuinely wrong, please raise it upstream at https://github.com/cert-manager/cert-manager.

Comment on lines +3517 to +3518
TokenAudiences is an optional list of extra audiences to include in the token passed to Vault.
The default audiences are always included in the token.


low

The description for TokenAudiences on lines 3517-3518 is improved, but could still be more precise. While it states "The default audiences are always included in the token," it doesn't explicitly mention what those default audiences are, which was clearer in the previous version's description. Consider rephrasing to combine the clarity of the old description with the conciseness of the new one, or explicitly state the default audiences.

Since this is a generated file, please consider updating the source definition that generates this CRD.

References
  1. Never propose edits to generated files like zz_generated.*.go or pkg/generated/. CRD YAMLs are also generated, so changes should be made in the relevant package schema or source definition rather than hand-editing generated types.

myasnikovdaniil (Contributor Author) replied:

The CRD YAMLs in this directory are generated upstream by cert-manager from its Go API types and vendored into cozystack via make update in packages/system/cert-manager/Makefile (which moves charts/cert-manager/templates/crd-*.yaml here). The bot's own note acknowledges this: "Since this is a generated file, please consider updating the source definition that generates this CRD."

The wording change is upstream's call. Description text for TokenAudiences lives at https://github.com/cert-manager/cert-manager/blob/v1.20.2/internal/apis/certmanager/types_issuer.go and would need to be changed there. Not actionable in this PR.

Comment on lines +3516 to +3517
TokenAudiences is an optional list of extra audiences to include in the token passed to Vault.
The default audiences are always included in the token.


low

The description for TokenAudiences on lines 3516-3517 is improved, but could still be more precise. While it states "The default audiences are always included in the token," it doesn't explicitly mention what those default audiences are, which was clearer in the previous version's description. Consider rephrasing to combine the clarity of the old description with the conciseness of the new one, or explicitly state the default audiences.

Since this is a generated file, please consider updating the source definition that generates this CRD.

References
  1. Never propose edits to generated files like zz_generated.*.go or pkg/generated/. CRD YAMLs are also generated, so changes should be made in the relevant package schema or source definition rather than hand-editing generated types.

myasnikovdaniil (Contributor Author) replied:

Same situation as the identical comment on crd-cert-manager.io_clusterissuers.yaml: this CRD is generated upstream by cert-manager and vendored verbatim via make update. Description wording for TokenAudiences would need to change in cert-manager's Go source. Not actionable here.

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
packages/system/cert-manager-crds/templates/crd-acme.cert-manager.io_orders.yaml (1)

270-273: selectableFields requires Kubernetes ≥ 1.31 to take effect.

cert-manager v1.20.0 explicitly added selectable fields to CRDs for .spec.issuerRef.{group, kind, name} — so the entries here are correct and expected.

However, the CustomResourceFieldSelectors feature gate backing this field was alpha and disabled by default in Kubernetes v1.30, then enabled by default since Kubernetes v1.31, and reached GA in v1.32. On clusters running Kubernetes < 1.31 the field is silently dropped on admission (no CRD apply error, just no field-selector functionality). Confirm that the Cozystack management-cluster version meets this requirement to get the intended filtering capability for these CRDs.

📥 Commits

Reviewing files that changed from the base of the PR and between 5786afe and b6badee.

📒 Files selected for processing (27)
  • packages/system/cert-manager-crds/templates/_helpers.tpl
  • packages/system/cert-manager-crds/templates/crd-acme.cert-manager.io_challenges.yaml
  • packages/system/cert-manager-crds/templates/crd-acme.cert-manager.io_orders.yaml
  • packages/system/cert-manager-crds/templates/crd-cert-manager.io_certificaterequests.yaml
  • packages/system/cert-manager-crds/templates/crd-cert-manager.io_certificates.yaml
  • packages/system/cert-manager-crds/templates/crd-cert-manager.io_clusterissuers.yaml
  • packages/system/cert-manager-crds/templates/crd-cert-manager.io_issuers.yaml
  • packages/system/cert-manager/charts/cert-manager/Chart.yaml
  • packages/system/cert-manager/charts/cert-manager/README.md
  • packages/system/cert-manager/charts/cert-manager/templates/NOTES.txt
  • packages/system/cert-manager/charts/cert-manager/templates/_helpers.tpl
  • packages/system/cert-manager/charts/cert-manager/templates/cainjector-deployment.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/deployment.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-cainjector.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-cert-manager.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-egress.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-webhooks.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/poddisruptionbudget.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/podmonitor.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/rbac.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/servicemonitor.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/startupapicheck-job.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/webhook-deployment.yaml
  • packages/system/cert-manager/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml
  • packages/system/cert-manager/charts/cert-manager/values.schema.json
  • packages/system/cert-manager/charts/cert-manager/values.yaml
💤 Files with no reviewable changes (1)
  • packages/system/cert-manager/charts/cert-manager/templates/networkpolicy-egress.yaml

@github-actions github-actions Bot removed the size:L label May 4, 2026
@myasnikovdaniil myasnikovdaniil (Contributor Author) commented:

Re: CodeRabbit's nitpick on selectableFields requiring Kubernetes >= 1.31 — confirmed not a concern for Cozystack. The management cluster runs Talos with a modern Kubernetes (>= 1.30, currently aligned with the v1.30-v1.35 tenant matrix per #2073). On K8s 1.30 the field is silently ignored (no admission error), so deployments stay green; from 1.31 onward the field selectors take effect. No action needed.

Also: the CRD YAML is vendored upstream from cert-manager, so the file itself can't be conditionally templated without diverging from make update — and there's no behavior to gate, just an inert field on older clusters.

Contributor left a comment:

LGTM — clean upstream vendor bump (v1.19.3 → v1.20.2) that closes a real bug. All 27 vendored files match upstream byte-for-byte; cozystack's empty wrapper values.yaml renders identically.

Business context

Tenant-scoped Ingresses inside non-tenant-root tenants couldn't complete Let's Encrypt validation: cozystack templates have been emitting acme.cert-manager.io/http01-ingress-ingressclassname since 2b6e20c, but cert-manager v1.19.x silently ignored it (annotation only landed upstream in v1.20.0 via cert-manager#8244). Solver Ingresses fell back to the cluster's root IngressClass instead of the tenant's, breaking ACME for any tenant ingress not on tenant-root.

What I verified

  • Mechanical bump: make update is the actual mechanism. cert-manager-crds _helpers.tpl is byte-identical to cert-manager _helpers.tpl (the Makefile copies it), and CRD YAMLs match helm pull jetstack/cert-manager v1.20.2 --untar output. No local edits leaked.
  • Right patch level: targeting v1.20.2 (not .0) picks up cert-manager#8655 (clusterissuers/issuers/finalizers RBAC restored after v1.20.0 dropped it) and cert-manager#8665 (webhook helm-template fix). Good due diligence.
  • Renders cleanly: helm template of both cozy-cert-manager and cozy-cert-manager-crds succeeds. With the empty wrapper values.yaml, all four image references render identically (quay.io/jetstack/cert-manager-{controller,webhook,cainjector,acmesolver}:v1.20.2). Legacy image.repository overrides still work via the new helper's backwards-compat shim.
  • Dormant new RBAC: the new gateway.networking.k8s.io.listenersets[/finalizers] rules don't engage anything in cozystack — controller ListenerSet support is alpha and gated off by default, and cozystack's bundled gateway-api-crds (v1.2.0 experimental) predates ListenerSet (added in Gateway API v1.3 alpha). Forward-compatible plumbing.
  • UID/GID 1000→65532 is safe here: wrapper values don't pin runAsUser/runAsGroup, no PSP/SCC anywhere in the platform pins UID 1000, and the chart default podSecurityPolicy.enabled: false keeps the upstream PSP templates dead. Talos clusters on k8s ≥ 1.30 have PSPs removed regardless.
  • New CRD fields are pure additions: selectableFields and Azure DNS01 zoneType enum land cleanly. Across cozystack's supported k8s range (1.30–1.35), selectableFields is alpha-stripped on 1.30 (no error, just no-op) and beta-default-on from 1.31.
  • CI green including the full ~1h E2E matrix.

Non-blocking follow-ups (not for this PR)

  • The UID/GID change is the only operationally-relevant note for downstream operators. Worth surfacing in the next cozystack release notes verbatim from the PR body's "Upgrade considerations".
  • packages/system/cert-manager-issuers/values.yaml carries a stale cert-manager.installCRDs: true block with no effect (the Chart.yaml has no cert-manager subchart dependency). Cleanup PR worth filing separately.
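The reviewer's UID/GID bullet rests on two checks: that nothing in the rendered workloads pins `runAsUser` to the old 1000, and that no admission-side UID policy would reject the new 65532. The block below is an added example, not Cozystack or cert-manager code, that makes both checks mechanical. It resolves the effective `runAsUser`/`runAsGroup` per container the way Kubernetes does (a container-level `securityContext` overrides the pod-level one) over objects shaped like `kubectl get deploy -n <ns> -o json` items or `helm template` output converted to JSON, and evaluates a PSP/SCC-style `MustRunAs` UID range list against the result. The 1000/0 and 65532/65532 values are the defaults quoted in the PR description; the Deployment objects, the namespace `cert-manager` and the range policies are constructed for the example.

```python
"""Flag cert-manager workloads that still pin the pre-v1.20 UID/GID, and show
how a MustRunAs-style UID range policy interacts with the new default.

Added example, not Cozystack or cert-manager code. Input objects are shaped
like `kubectl get deploy -n cert-manager -o json` items; SAMPLE_DEPLOYMENTS
below are constructed for the example.
"""
from __future__ import annotations

LEGACY_UID, LEGACY_GID = 1000, 0     # chart default before v1.20 (from the PR body)
NEW_UID, NEW_GID = 65532, 65532      # chart default from v1.20 (from the PR body)


def effective_identity(pod_spec: dict, container: dict) -> dict:
    """Resolve runAsUser/runAsGroup as the kubelet does: a field set on the
    container securityContext wins over the pod securityContext; None means
    neither sets it and the image's USER applies (not inspected here)."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    return {k: ctr_sc.get(k, pod_sc.get(k)) for k in ("runAsUser", "runAsGroup")}


def classify(identity: dict) -> str:
    """'ok' = new chart default, 'legacy-pin' = still pins UID 1000,
    'unset' = nothing pinned in the manifest, 'custom' = anything else."""
    uid, gid = identity["runAsUser"], identity["runAsGroup"]
    if uid is None and gid is None:
        return "unset"
    if uid == LEGACY_UID:
        return "legacy-pin"
    if uid == NEW_UID and gid in (None, NEW_GID):
        return "ok"
    return "custom"


def audit_deployments(deployments: list[dict]) -> list[dict]:
    """One finding per container in each Deployment's pod template."""
    findings = []
    for dep in deployments:
        pod_spec = dep["spec"]["template"]["spec"]
        for ctr in pod_spec.get("containers", []):
            ident = effective_identity(pod_spec, ctr)
            findings.append({
                "workload": f'{dep["metadata"]["namespace"]}/{dep["metadata"]["name"]}',
                "container": ctr["name"],
                **ident,
                "status": classify(ident),
            })
    return findings


def allowed_by_ranges(uid: int | None, ranges: list[dict]) -> bool:
    """MustRunAs semantics as in PSP/SCC runAsUser.ranges: an explicit UID is
    required and must fall inside at least one inclusive [min, max] range.
    A policy written as 1000-1000 for the old images rejects 65532."""
    if uid is None:
        return False
    return any(r["min"] <= uid <= r["max"] for r in ranges)


# Constructed samples: one Deployment as rendered from the v1.20 defaults, one
# carrying a container-level override left over from the 1000/0 era.
SAMPLE_DEPLOYMENTS = [
    {"metadata": {"namespace": "cert-manager", "name": "cert-manager"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True,
                             "runAsUser": NEW_UID, "runAsGroup": NEW_GID},
         "containers": [{"name": "cert-manager-controller"}]}}}},
    {"metadata": {"namespace": "cert-manager", "name": "cert-manager-webhook"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsUser": NEW_UID, "runAsGroup": NEW_GID},
         "containers": [{"name": "cert-manager-webhook",
                         "securityContext": {"runAsUser": LEGACY_UID,
                                             "runAsGroup": LEGACY_GID}}]}}}},
]

# Constructed policies: a stale 1000-only range and a permissive non-root range.
STALE_RANGES = [{"min": 1000, "max": 1000}]
NONROOT_RANGES = [{"min": 1, "max": 65535}]

if __name__ == "__main__":
    for f in audit_deployments(SAMPLE_DEPLOYMENTS):
        ok = allowed_by_ranges(f["runAsUser"], STALE_RANGES)
        print(f'{f["status"]:10} {f["workload"]}/{f["container"]} '
              f'uid={f["runAsUser"]} gid={f["runAsGroup"]} stale_policy_allows={ok}')
```

Feed it the `items` array of `kubectl get deploy -n <namespace> -o json` (controller, webhook and cainjector) and whatever `runAsUser.ranges` your PSP or SCC defines; a `legacy-pin` finding or a `False` from `allowed_by_ranges` against the new UID is exactly the case the PR body's "review your PSP/SecurityContext rules" note warns about.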

@myasnikovdaniil myasnikovdaniil merged commit 8e78536 into main May 6, 2026
12 checks passed
@myasnikovdaniil myasnikovdaniil deleted the fix/cert-manager-1.20 branch May 6, 2026 10:56

@kvaps Andrei Kvapil (kvaps) left a comment


LGTM. Verified this is a clean upstream bump:

  • All 27 changed files are confined to packages/system/cert-manager/charts/cert-manager/ (vendored chart) and packages/system/cert-manager-crds/templates/ (vendored CRDs). No changes to Cozystack-side wrapper values, templates, Makefile, or Chart.yaml — make update did exactly what it should.
  • The breaking changes flagged in the description (UID/GID 1000/0 → 65532/65532, image structure refactor, networkpolicy template restructure, RBAC additions, DefaultPrivateKeyRotationPolicyAlways GA) are correctly documented. Cozystack's wrapper values.yaml is empty so the image-structure refactor produces zero rendered diff.
  • The ingressClassName propagation fix is the right reason to land this — cert-manager#8244 (v1.20.0) is what makes the per-tenant acme.cert-manager.io/http01-ingress-ingressclassname annotation actually take effect; dev10 verification confirms the chain end-to-end.
  • Targeting v1.20.2 (skipping v1.20.0/.1) picks up the post-release RBAC restoration (#8655) and webhook helm-template fix (#8665) — right call.

Ship it.


Labels

area/uncategorized (PR auto-labeler could not map title scope to a known area/*; please review), kind/bug (Categorizes issue or PR as related to a bug), size/L (This PR changes 100-499 lines, ignoring generated files)
