
[cert-manager] upgrade to v1.20.2#13204

Open
yankay wants to merge 1 commit into
kubernetes-sigs:masterfrom
yankay:feat/bump-cert-manager-1.20.2

Conversation

@yankay (Member) commented Apr 21, 2026

What type of PR is this?

/kind feature

What this PR does / why we need it:

Bumps cert-manager from v1.15.3 to v1.20.2. The current default is 5 minor versions behind upstream, and cert-manager is used for TLS certificate management with frequent security-relevant updates.

Changes:

  • Bump cert_manager_version from 1.15.3 to 1.20.2 in roles/kubespray_defaults/defaults/main/download.yml.
  • Regenerate cert-manager.crds.yml.j2 from upstream v1.20.2 CRDs (schema updates for all 6 CRDs).
  • Port upstream deployment manifest changes into cert-manager.yml.j2 while preserving kubespray customizations (namespace, proxy env, affinity/tolerations/nodeSelector, DNS config, leader-election namespace, trusted-internal-CA, extra args, image overrides). Structural changes applied:
    • New Role/RoleBinding cert-manager-tokenrequest for bound ServiceAccount token creation.
    • New cert-manager-cainjector metrics Service on port 9402.
    • Expose http-metrics port on cainjector and webhook Deployments.
    • Add Prometheus scrape annotations (prometheus.io/path, /scrape, /port) on cainjector and webhook pods.
    • New RBAC rule for clusterissuers/finalizers and issuers/finalizers.
    • Add listenersets/listenersets/finalizers to Gateway API RBAC.
    • Use named ports (http-metrics, healthcheck) in probes and services.
    • Drop redundant apiGroup: "" from ServiceAccount subjects.
    • Upstream typo fix: CertificatSigningeRequests -> CertificateSigningRequests.
  • Refresh generated files via propagate-ansible-variables (README).

Release notes: https://github.com/cert-manager/cert-manager/releases/tag/v1.20.2
Diff: cert-manager/cert-manager@v1.15.3...v1.20.2

Which issue(s) this PR fixes:

Fixes #13180

Special notes for your reviewer:

  • cert_manager_enabled remains false by default; existing users must opt in.
  • Manifests were regenerated as follows to keep review sane:
    • CRDs: wholesale replaced from upstream v1.20.2 with the kubespray Apache license header and app.kubernetes.io/version: "{{ cert_manager_version }}" label substitution.
    • Main manifest: 3-way merge of kubespray v1.15.3 template against upstream v1.15.3 (base) and v1.20.2 (theirs), with kubespray-specific normalizations (namespace, image refs, leader-election) pre-applied to both upstream sides so the merge touches only genuine structural deltas.
  • Rendered both templates with representative defaults and verified: 45 valid YAML docs in main (matches upstream's 43 non-CRD docs + 2 kubespray-specific controller/webhook ConfigMaps that were already present pre-PR) and 6 CRDs.
  • cc discussion about the long-term maintenance of cert-manager in kubespray in Bump: cert-manager to v1.20.2 #13180 — for now we keep it shipped and up to date.

Does this PR introduce a user-facing change?:

Upgrade cert-manager to v1.20.2.

Copilot AI review requested due to automatic review settings April 21, 2026 03:13
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Apr 21, 2026
@k8s-ci-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yankay

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 21, 2026

Copilot AI left a comment


Pull request overview

Upgrades the bundled cert-manager addon to v1.20.2, updating Kubespray defaults, rendered manifests, and the supported-components documentation to track upstream security and feature updates.

Changes:

  • Bump cert_manager_version default to 1.20.2.
  • Update cert-manager manifest template with upstream RBAC and observability-related adjustments (Gateway API RBAC, tokenrequest RBAC, metrics ports/annotations, named probe ports).
  • Refresh README “Supported Components” entry for cert-manager.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

  • roles/kubespray_defaults/defaults/main/download.yml: updates the default cert-manager version used for image tags.
  • roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2: ports the upstream manifest/RBAC changes needed for cert-manager v1.20.x.
  • README.md: updates the documented cert-manager version in the supported components list.


Comment on lines +673 to 675
- kind: ServiceAccount
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}

Copilot AI Apr 21, 2026


subjects list item is not indented under subjects: (the - kind: ServiceAccount line starts at column 0). This renders the YAML invalid and will prevent applying the manifest. Indent the list item (and its fields) under subjects:.

Suggested change
- kind: ServiceAccount
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
- kind: ServiceAccount
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}

yankay (Member Author) replied:

Thanks for the flag, @copilot — this is a false positive. YAML block sequences are allowed to start at the same indentation column as the parent mapping key ("compact" style), and that's how the entire kubespray cert-manager.yml.j2 (and upstream cert-manager's Helm-rendered chart) has always written subjects: lists.

Evidence:

  • pull-kubespray-yamllint passed on this exact commit.
  • Rendered the template and round-tripped through yaml.safe_load_all / kubectl apply --dry-run=client -f - without errors.
  • The suggested "fix" is textually identical to the original; GitHub's suggestion UI just displayed it as if indented.

No change needed.
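The verification step named in the PR description (render the templates, then round-trip them through yaml.safe_load_all) and the compact-sequence point made above, as an added example that is not part of this PR or of kubespray. It is written in Ruby because its standard-library YAML parser (Psych, libyaml-based like PyYAML) runs without extra packages; the template fragments, variable values and object names are constructed for the example, and the `{{ ... }}` substitution is a stand-in for Jinja rather than kubespray's own rendering.

```ruby
require 'yaml'

# Assumed stand-ins for the Jinja variables the constructed fragments use
# (kubespray's real defaults are not copied here).
RENDER_VARS = { 'cert_manager_namespace' => 'cert-manager',
                'cert_manager_version' => '1.20.2' }.freeze

# Substitute simple `{{ name }}` references; not a Jinja engine. Unknown
# names raise instead of leaving `{{ ... }}` behind for YAML to misread.
def render(template, vars = RENDER_VARS)
  template.gsub(/\{\{\s*(\w+)\s*\}\}/) do
    vars.fetch(Regexp.last_match(1)) { |k| raise KeyError, "unset variable #{k}" }
  end
end

# Constructed RoleBinding in the compact style the thread discusses:
# the `- kind:` item starts in the same column as `subjects:`.
COMPACT = <<~YAML
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: example-webhook-binding
    namespace: {{ cert_manager_namespace }}
    labels:
      app.kubernetes.io/version: "{{ cert_manager_version }}"
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: example-webhook-role
  subjects:
  - kind: ServiceAccount
    name: cert-manager-webhook
    namespace: {{ cert_manager_namespace }}
YAML

# The same object with the sequence indented two columns under `subjects:`.
INDENTED = COMPACT.sub(/^subjects:\n(.*)\z/m) do
  "subjects:\n" + Regexp.last_match(1).each_line.map { |l| "  #{l}" }.join
end

# A real mistake that still parses: the item's trailing fields are dedented,
# so `name`/`namespace` become top-level keys rather than subject fields.
MISINDENTED = COMPACT.sub("  name: cert-manager-webhook\n  namespace:",
                          "name: cert-manager-webhook\nnamespace:")

# Constructed multi-document manifest: the binding, a metrics Service and
# a CRD stub, so the per-kind counting below has something to count.
MANIFEST = COMPACT + <<~YAML
  ---
  apiVersion: v1
  kind: Service
  metadata:
    name: cert-manager-cainjector
    namespace: {{ cert_manager_namespace }}
  spec:
    ports:
    - name: http-metrics
      port: 9402
  ---
  apiVersion: apiextensions.k8s.io/v1
  kind: CustomResourceDefinition
  metadata:
    name: certificates.cert-manager.io
YAML

# Render, then parse every document (the yaml.safe_load_all step).
def parsed(template)
  YAML.load_stream(render(template)).compact
end

# Structural checks on a rendered manifest: every document carries
# apiVersion/kind, and every (Cluster)RoleBinding subject names a kind and
# a name. Returns a report; `errors` is empty when the manifest is clean.
def validate_manifest(rendered)
  docs = YAML.load_stream(rendered).compact
  errors = []
  docs.each_with_index do |doc, i|
    unless doc.is_a?(Hash) && doc['apiVersion'] && doc['kind']
      errors << "doc #{i}: missing apiVersion/kind"
      next
    end
    next unless %w[RoleBinding ClusterRoleBinding].include?(doc['kind'])
    subjects = doc['subjects']
    unless subjects.is_a?(Array) && !subjects.empty?
      errors << "doc #{i} (#{doc['kind']}): subjects must be a non-empty list"
      next
    end
    subjects.each_with_index do |s, j|
      next if s.is_a?(Hash) && s['kind'] && s['name']
      errors << "doc #{i} (#{doc['kind']}): subject #{j} lacks kind/name"
    end
  end
  { docs: docs.size,
    crds: docs.count { |d| d.is_a?(Hash) && d['kind'] == 'CustomResourceDefinition' },
    errors: errors }
rescue Psych::SyntaxError => e
  { docs: 0, crds: 0, errors: ["YAML syntax error: #{e.message}"] }
end
```

`parsed(COMPACT)` and `parsed(INDENTED)` yield the same objects, which is the whole of the compact-style argument; `validate_manifest(render(MANIFEST))` reports 3 documents, 1 CRD and no errors, while the dedented variant still parses but fails the subject check. The parser, not the indentation a diff viewer appears to show, is the authority on whether a manifest is valid, and a structural check on the parsed objects catches the mistakes that valid YAML lets through.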

Comment on lines +851 to 853
- kind: ServiceAccount
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}

Copilot AI Apr 21, 2026


subjects list item is not indented under subjects: in this RoleBinding. As written, the YAML is invalid and kubectl apply will fail. Indent the - kind: ServiceAccount entry (and its fields) beneath subjects:.

Suggested change
- kind: ServiceAccount
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}
- kind: ServiceAccount
name: cert-manager-webhook
namespace: {{ cert_manager_namespace }}

yankay (Member Author) replied:

Same as #discussion_r3114846387 — false positive. The block sequence at column 0 under subjects: is valid YAML (compact style) and matches the existing convention throughout this file. pull-kubespray-yamllint is green. No change needed.

* Bump cert_manager_version from 1.15.3 to 1.20.2
* Regenerate CRDs manifest from upstream v1.20.2
* Port upstream deployment manifest changes while preserving kubespray
  customizations:
  - Add new Role/RoleBinding cert-manager-tokenrequest for bound
    ServiceAccount token creation
  - Add new cainjector metrics Service on port 9402
  - Expose http-metrics port on cainjector and webhook Deployments
  - Add Prometheus scrape annotations on cainjector and webhook pods
  - Add clusterissuers/issuers finalizers RBAC rule
  - Add gateway listenersets RBAC resources
  - Use named ports (http-metrics, healthcheck) in probes and services
  - Drop redundant apiGroup: "" from ServiceAccount subjects
  - Fix typo CertificatSigningeRequests -> CertificateSigningRequests

Signed-off-by: Kay Yan <kay.yan@daocloud.io>
@yankay yankay force-pushed the feat/bump-cert-manager-1.20.2 branch from 64c028e to 0e4d9df April 21, 2026 03:22
@yankay yankay changed the title [cert-manager] upgrade to v1.20.2 [WIP][cert-manager] upgrade to v1.20.2 Apr 21, 2026
@yankay (Member Author) commented Apr 21, 2026

Closing this PR as WIP — marking for later revisit. Manifests need more careful verification (live e2e deploy + upgrade from v1.15.3) before merge.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 21, 2026
@yankay yankay closed this Apr 21, 2026
@yankay (Member Author) commented Apr 21, 2026

Reopening — on a second look the changes are clean. Keeping [WIP] in the title for now so CI can validate and we can gather additional eyeballs, but the manifest regeneration approach and structural diff have been reviewed carefully.

@yankay yankay reopened this Apr 21, 2026
@yankay yankay added the ci-full Run every available tests label Apr 21, 2026
@yankay (Member Author) commented Apr 21, 2026

Kicking CI — re-opening to trigger a new GitLab pipeline with the ci-full label in effect so ubuntu24-flannel-ha-once (the only PR testcase that exercises cert-manager) actually runs.

@yankay yankay closed this Apr 21, 2026
@yankay (Member Author) commented Apr 21, 2026

Reopened. With ci-full label now present, the new pipeline should expand pr_full matrix and include ubuntu24-flannel-ha-once.

@yankay yankay reopened this Apr 21, 2026
@yankay yankay removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 21, 2026
@yankay yankay changed the title [WIP][cert-manager] upgrade to v1.20.2 [cert-manager] upgrade to v1.20.2 Apr 21, 2026
@yankay (Member Author) commented Apr 21, 2026

Dropping [WIP]. CI summary (pipeline 2467022125 with ci-full):

  • 69 checks green, including the only full-deploy testcase that exercises cert-manager:
    • pr_full: [ubuntu24-flannel-ha-once] — SUCCESS (cert_manager_enabled: true + ingress_nginx_enabled: true, all three cert-manager{,-cainjector,-webhook} Pods reach Ready).
    • All other pr_full / pr_extended / pr / molecule / terraform_validate / vagrant-validate / pre-commit / yamllint — green.
  • 1 unrelated FAILURE: pr_full: [debian11-custom-cni]. This PR does not touch tests/files/custom_cni/ or roles/network_plugin/custom_cni/. The failure is in the custom-CNI path applying tests/files/custom_cni/cilium.yaml:
    the namespace from the provided object "cilium-secrets" does not match the namespace "kube-system".
    You must pass '--namespace=cilium-secrets' to perform this operation.
    
    The fixture was last updated by the Cilium 1.19.3 bump on master and is a pre-existing issue unaffected by this change.
  • Stale kubespray-ci/pipeline status is pointing at the previously-cancelled pipeline (pre-ci-full). Ignore; the current pipeline 2467022125 is what matters.

Ready for review. /hold cancel

@k8s-ci-robot (Contributor) commented:

PR needs rebase.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • ci-full: Run every available tests
  • cncf-cla: yes: Indicates the PR's author has signed the CNCF CLA.
  • kind/feature: Categorizes issue or PR as related to a new feature.
  • needs-rebase: Indicates a PR cannot be merged because it has merge conflicts with HEAD.
  • release-note: Denotes a PR that will be considered when it comes time to generate release notes.
  • size/XXL: Denotes a PR that changes 1000+ lines, ignoring generated files.
