CM-778: Bumps cert-manager, istio-csr and consolidates yq tool dependency

[bharath-b-rh]

The PR has following changes

• Bumps cert-manager from 1.19.2 to 1.19.4
• Bumps istio-csr from 1.15.0 to 1.16.0
• Centralize yq usage on ./bin/yq and remove hack/lib/yq.sh
• Remove inline yq download/bootstrap from verify-crds.sh and verify-crds-version-upgrade.sh.
• Cleans up temp files generated by the operand manifest pull helper scripts

[openshift-ci-robot]

@bharath-b-rh: This pull request references CM-778 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target either version "4.22." or "openshift-4.22.", but it targets "cert-manager-1.19" instead.

Details

In response to this:

The PR has following changes

• Bumps cert-manager from 1.19.2 to 1.19.4
• Bumps istio-csr from 1.15.0 to 1.16.0
• Centralize yq usage on ./bin/yq and remove hack/lib/yq.sh
• Remove inline yq download/bootstrap from verify-crds.sh and verify-crds-version-upgrade.sh.
• Cleans up temp files generated by the operand manifest pull helper scripts

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Bumped cert-manager from v1.19.2 → v1.19.4 and istio-csr from v0.15.0 → v0.16.0 across manifests, embedded assets, go.mod, Dockerfile, and tests. Added in-repo yq tooling support (Makefile/BIN_DIR), removed hack/lib/yq.sh, and updated scripts to use ./bin/yq with cleanup traps.

Changes

Cohort / File(s)	Summary
Build system & tooling Makefile, vendor/.../targets/openshift/yq.mk	Added YQ_VERSION := v4.52.4, YQ = $(BIN_DIR)/yq, include for yq target, $(YQ): ensure-yq rule; update-manifests now depends on $(YQ).
Makefile-invoked scripts hack/update-*.sh, hack/update-istio-csr-manifests.sh, hack/update-trust-manager-manifests.sh, hack/verify-crds*.sh, hack/update-cert-manager-manifests.sh	Removed sourcing of hack/lib/yq.sh, switched yq calls to ./bin/yq using yq e expressions, adjusted init sourcing to use ${BASH_SOURCE[0]}, and added EXIT-trap cleanup() functions to remove temporary output.
Removed helper hack/lib/yq.sh	Deleted script that previously downloaded/installed a pinned yq into ./_output/tools/bin/.
cert-manager manifests & embedded assets bindata/cert-manager-deployment/..., bundle/manifests/*, pkg/operator/assets/bindata.go, config/crd/bases/*, config/manifests/bases/*, config/manager/manager.yaml	Updated app.kubernetes.io/version labels from v1.19.2 → v1.19.4, updated container image tags and operand env vars to v1.19.4, and regenerated embedded YAML assets and CSV relatedImages accordingly.
istio-csr manifests & config bindata/istio-csr/*, config/manager/manager.yaml, pkg/operator/assets/bindata.go	Bumped istio-csr app.kubernetes.io/version labels and image tags from v0.15.0 → v0.16.0; updated ISTIOCSR operand env var.
CRD metadata labels bundle/manifests/*_*.yaml, config/crd/bases/*	Updated CRD metadata label app.kubernetes.io/version from v1.19.2 → v1.19.4.
Operator CSV & manager config bundle/manifests/cert-manager-operator.clusterserviceversion.yaml, config/manager/manager.yaml	Updated CSV description, env vars, relatedImages, and OPERAND_IMAGE_VERSION / ISTIOCSR_OPERAND_IMAGE_VERSION to new versions.
Go modules go.mod, test/go.mod	Updated github.com/cert-manager/cert-manager require and replace entries from v1.19.2 → v1.19.4.
Docker build images/ci/operand.Dockerfile	Updated build ARG RELEASE_BRANCH from v1.19.2 → v1.19.4.
Tests pkg/controller/deployment/deployment_overrides_test.go	Updated expected --acme-http01-solver-image test string from v1.19.2 → v1.19.4.
Generated assets pkg/operator/assets/bindata.go	Regenerated embedded asset byte slices to reflect updated cert-manager and istio-csr labels and image tags.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bharath-b-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bharath-b-rh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

hack/update-cert-manager-manifests.sh (1)

49-50: Harden temp-file cleanup for failure paths.

Current cleanup is success-path only and can be brittle with set -e if any file is already absent. Consider trap + rm -f.

Proposed hardening patch

 set -e
+
+cleanup() {
+    rm -f _output/manifest.yaml _output/manifest_as_array.json _output/targets_as_map.json
+}
+trap cleanup EXIT
@@
-# cleanup temp files
-rm _output/manifest.yaml _output/manifest_as_array.json _output/targets_as_map.json
+# cleanup handled by trap

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/update-cert-manager-manifests.sh` around lines 49 - 50, Replace the
brittle direct rm call with a robust cleanup function and trap: create a
cleanup() function that does rm -f on _output/manifest.yaml
_output/manifest_as_array.json _output/targets_as_map.json and register it with
trap cleanup EXIT (and optionally ERR) so cleanup always runs even on failures;
update the existing direct rm invocation to call that cleanup() or remove it to
avoid set -e causing script termination when files are missing.

hack/update-trust-manager-manifests.sh (1)

50-50: Consider using ${MANIFESTS_PATH} for consistency.

The cleanup command hardcodes _output/manifests while the rest of the script uses ${MANIFESTS_PATH}. This inconsistency could cause issues if the variable is changed later.

♻️ Suggested fix

-rm -rf _output/manifests
+rm -rf ${MANIFESTS_PATH}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/update-trust-manager-manifests.sh` at line 50, Replace the hardcoded
cleanup target with the MANIFESTS_PATH variable: change the command that
currently uses "rm -rf _output/manifests" to remove "${MANIFESTS_PATH}" instead
so it is consistent with the rest of the script and respects any future changes
to MANIFESTS_PATH (ensure the variable is defined before use).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/verify-crds-version-upgrade.sh`:
- Around line 60-61: The script uses the old yq v3 syntax (`./bin/yq r $f
apiVersion`) which is incompatible with yq v4; update the two invocations that
set v1CRDName and that read apiVersion to use yq v4's eval form (e.g. use yq e
'.apiVersion' and yq e '.metadata.name' on the file variable $f), ensuring you
pass the filename as an argument (e.g. yq e '<path>' "$f") and preserve
raw/string output behavior so the apiVersion comparison and v1CRDName assignment
continue to work.
- Around line 46-47: The script uses yq v3 syntax (`./bin/yq r $f apiVersion`
and `./bin/yq r $f metadata.name`) which fails with the repo's yq v4; update the
invocations to use yq v4 eval syntax by replacing the `yq r` calls with
`./bin/yq e '.apiVersion' $f` and `./bin/yq e '.metadata.name' $f` respectively
(these affect the lines that set v1beta1CRDName and similar checks); apply the
same replacements in the sibling script that contains the same yq usage (the one
referenced as verify-crds.sh) so all `yq r $f ...` occurrences become `yq e
'<path>' $f`.

In `@hack/verify-crds.sh`:
- Around line 6-7: Replace deprecated yq v3 invocations using "yq r" with yq v4
syntax "yq e" and the corresponding expression form: change the checks that call
"./bin/yq r $f apiVersion" to use yq e with the expression for apiVersion, and
change "./bin/yq r $f
spec.validation.openAPIV3Schema.properties.metadata.description" to use yq e
with the dotted-path expression for that field; do the same replacements for the
analogous occurrences in the verify-crds-version-upgrade.sh script (the checks
that read apiVersion and
spec.validation.openAPIV3Schema.properties.metadata.description) so the commands
work with yq v4.52.4.

---

Nitpick comments:
In `@hack/update-cert-manager-manifests.sh`:
- Around line 49-50: Replace the brittle direct rm call with a robust cleanup
function and trap: create a cleanup() function that does rm -f on
_output/manifest.yaml _output/manifest_as_array.json _output/targets_as_map.json
and register it with trap cleanup EXIT (and optionally ERR) so cleanup always
runs even on failures; update the existing direct rm invocation to call that
cleanup() or remove it to avoid set -e causing script termination when files are
missing.

In `@hack/update-trust-manager-manifests.sh`:
- Line 50: Replace the hardcoded cleanup target with the MANIFESTS_PATH
variable: change the command that currently uses "rm -rf _output/manifests" to
remove "${MANIFESTS_PATH}" instead so it is consistent with the rest of the
script and respects any future changes to MANIFESTS_PATH (ensure the variable is
defined before use).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c37868b1-2e18-4271-b9ab-df658f81b364

📥 Commits

Reviewing files that changed from the base of the PR and between 8eb5d9e and f786c8a.

⛔ Files ignored due to path filters (4)

• go.sum is excluded by !**/*.sum
• test/go.sum is excluded by !**/*.sum
• vendor/github.com/cert-manager/cert-manager/LICENSES is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (80)

• Makefile
• bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-cr.yaml
• bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-crb.yaml
• bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-deployment.yaml
• bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-rb.yaml
• bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-leaderelection-role.yaml
• bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-sa.yaml
• bindata/cert-manager-deployment/cainjector/cert-manager-cainjector-svc.yaml
• bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-cr.yaml
• bindata/cert-manager-deployment/cert-manager/cert-manager-controller-approve-cert-manager-io-crb.yaml
• bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-cr.yaml
• bindata/cert-manager-deployment/cert-manager/cert-manager-controller-certificatesigningrequests-crb.yaml
• bindata/cert-manager-deployment/controller/cert-manager-cluster-view-cr.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-cr.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-certificates-crb.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-cr.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-challenges-crb.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-cr.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-clusterissuers-crb.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-cr.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-ingress-shim-crb.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-cr.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-issuers-crb.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-orders-cr.yaml
• bindata/cert-manager-deployment/controller/cert-manager-controller-orders-crb.yaml
• bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml
• bindata/cert-manager-deployment/controller/cert-manager-edit-cr.yaml
• bindata/cert-manager-deployment/controller/cert-manager-leaderelection-rb.yaml
• bindata/cert-manager-deployment/controller/cert-manager-leaderelection-role.yaml
• bindata/cert-manager-deployment/controller/cert-manager-sa.yaml
• bindata/cert-manager-deployment/controller/cert-manager-svc.yaml
• bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-rb.yaml
• bindata/cert-manager-deployment/controller/cert-manager-tokenrequest-role.yaml
• bindata/cert-manager-deployment/controller/cert-manager-view-cr.yaml
• bindata/cert-manager-deployment/webhook/cert-manager-webhook-deployment.yaml
• bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-rb.yaml
• bindata/cert-manager-deployment/webhook/cert-manager-webhook-dynamic-serving-role.yaml
• bindata/cert-manager-deployment/webhook/cert-manager-webhook-mutatingwebhookconfiguration.yaml
• bindata/cert-manager-deployment/webhook/cert-manager-webhook-sa.yaml
• bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-cr.yaml
• bindata/cert-manager-deployment/webhook/cert-manager-webhook-subjectaccessreviews-crb.yaml
• bindata/cert-manager-deployment/webhook/cert-manager-webhook-svc.yaml
• bindata/cert-manager-deployment/webhook/cert-manager-webhook-validatingwebhookconfiguration.yaml
• bindata/istio-csr/cert-manager-istio-csr-clusterrole.yaml
• bindata/istio-csr/cert-manager-istio-csr-clusterrolebinding.yaml
• bindata/istio-csr/cert-manager-istio-csr-deployment.yaml
• bindata/istio-csr/cert-manager-istio-csr-leases-role.yaml
• bindata/istio-csr/cert-manager-istio-csr-leases-rolebinding.yaml
• bindata/istio-csr/cert-manager-istio-csr-metrics-service.yaml
• bindata/istio-csr/cert-manager-istio-csr-role.yaml
• bindata/istio-csr/cert-manager-istio-csr-rolebinding.yaml
• bindata/istio-csr/cert-manager-istio-csr-service.yaml
• bindata/istio-csr/cert-manager-istio-csr-serviceaccount.yaml
• bindata/istio-csr/istiod-certificate.yaml
• bundle/manifests/acme.cert-manager.io_challenges.yaml
• bundle/manifests/acme.cert-manager.io_orders.yaml
• bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
• bundle/manifests/cert-manager.io_certificaterequests.yaml
• bundle/manifests/cert-manager.io_certificates.yaml
• bundle/manifests/cert-manager.io_clusterissuers.yaml
• bundle/manifests/cert-manager.io_issuers.yaml
• config/crd/bases/certificaterequests.cert-manager.io-crd.yaml
• config/crd/bases/certificates.cert-manager.io-crd.yaml
• config/crd/bases/challenges.acme.cert-manager.io-crd.yaml
• config/crd/bases/clusterissuers.cert-manager.io-crd.yaml
• config/crd/bases/issuers.cert-manager.io-crd.yaml
• config/crd/bases/orders.acme.cert-manager.io-crd.yaml
• config/manager/manager.yaml
• config/manifests/bases/cert-manager-operator.clusterserviceversion.yaml
• go.mod
• hack/lib/yq.sh
• hack/update-cert-manager-manifests.sh
• hack/update-istio-csr-manifests.sh
• hack/update-trust-manager-manifests.sh
• hack/verify-crds-version-upgrade.sh
• hack/verify-crds.sh
• images/ci/operand.Dockerfile
• pkg/controller/deployment/deployment_overrides_test.go
• pkg/operator/assets/bindata.go
• test/go.mod

💤 Files with no reviewable changes (1)

• hack/lib/yq.sh

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

hack/verify-crds.sh (1)

8-8: ⚠️ Potential issue | 🟠 Major

Use yq v4 path expressions with leading . for these field reads.

At Line 8 and Line 13, yq e is called with 'spec....' instead of '.spec....'. With yq v4, this can mis-evaluate or error and invalidate the checks.

Suggested fix

-        if [[ $(./bin/yq e 'spec.validation.openAPIV3Schema.properties.metadata.description' $f) != "null" ]]; then
+        if [[ "$(./bin/yq e '.spec.validation.openAPIV3Schema.properties.metadata.description' "$f")" != "null" ]]; then
@@
-        if [[ $(./bin/yq e 'spec.preserveUnknownFields' $f) != "false" ]]; then
+        if [[ "$(./bin/yq e '.spec.preserveUnknownFields' "$f")" != "false" ]]; then

#!/bin/bash
# Verify no yq eval expressions remain that start with bare 'spec.' in this script.
rg -nP "\./bin/yq\s+e\s+'spec\." hack/verify-crds.sh

Expected result: no matches.

Also applies to: 13-13

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/verify-crds.sh` at line 8, Change the yq v4 path expressions to use a
leading dot so they evaluate correctly: update the invocations that call
./bin/yq e 'spec.validation.openAPIV3Schema.properties.metadata.description' and
./bin/yq e 'spec.validation.openAPIV3Schema.properties.status.description' to
use './bin/yq e
\'.spec.validation.openAPIV3Schema.properties.metadata.description\'' and
'./bin/yq e \'.spec.validation.openAPIV3Schema.properties.status.description\''
respectively (i.e., prefix the path with a dot in both yq expressions).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/update-istio-csr-manifests.sh`:
- Around line 6-9: The cleanup function uses rm without -f which errors if
_output/istio-csr-manifest.yaml doesn't exist; update the cleanup() function to
call rm -f _output/istio-csr-manifest.yaml so the removal is idempotent and
matches the behavior in hack/update-cert-manager-manifests.sh; ensure you only
change the rm invocation in cleanup() (refer to the cleanup function and the
filename _output/istio-csr-manifest.yaml).

In `@hack/verify-crds.sh`:
- Around line 4-8: The script uses unsafe command substitution and unquoted
filename variables plus incorrect yq v4 paths: change the for-loop to a safe
find-read loop (use while IFS= read -r -d '' f ... or similar) and ensure every
use of the filename variable ($f) is quoted (e.g., "$f"); additionally update yq
expressions to include the leading dot (use
'.spec.validation.openAPIV3Schema.properties.metadata.description' and
'.spec.preserveUnknownFields') where used (references: variable f,
v1beta1CRDName and the yq invocations in the loop).

---

Duplicate comments:
In `@hack/verify-crds.sh`:
- Line 8: Change the yq v4 path expressions to use a leading dot so they
evaluate correctly: update the invocations that call ./bin/yq e
'spec.validation.openAPIV3Schema.properties.metadata.description' and ./bin/yq e
'spec.validation.openAPIV3Schema.properties.status.description' to use './bin/yq
e \'.spec.validation.openAPIV3Schema.properties.metadata.description\'' and
'./bin/yq e \'.spec.validation.openAPIV3Schema.properties.status.description\''
respectively (i.e., prefix the path with a dot in both yq expressions).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 439e4930-40d1-4dbc-a252-84dcab61122d

📥 Commits

Reviewing files that changed from the base of the PR and between f786c8a and f4b079d.

📒 Files selected for processing (6)

• hack/lib/yq.sh
• hack/update-cert-manager-manifests.sh
• hack/update-istio-csr-manifests.sh
• hack/update-trust-manager-manifests.sh
• hack/verify-crds-version-upgrade.sh
• hack/verify-crds.sh

💤 Files with no reviewable changes (1)

• hack/lib/yq.sh

🚧 Files skipped from review as they are similar to previous changes (2)

• hack/verify-crds-version-upgrade.sh
• hack/update-cert-manager-manifests.sh

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/verify-crds.sh`:
- Around line 6-16: The script checks for apiVersion "apiextensions.k8s.io/v1"
but then reads v1beta1 schema paths and sets an unused v1beta1CRDName variable,
so the schema validations are ineffective; either change the apiVersion test to
"apiextensions.k8s.io/v1beta1" if you intend to validate v1beta1 CRDs, or
(recommended for v1) keep the v1 test and update the yq paths to iterate
.spec.versions[] and inspect each version's .schema.openAPIV3Schema for
metadata.description and other rules, and remove or rename the misleading
v1beta1CRDName variable; also ensure the .spec.preserveUnknownFields check
remains at the spec level for v1.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 97384bd6-a618-4c47-8cb2-a9071455ccd0

📥 Commits

Reviewing files that changed from the base of the PR and between f4b079d and 35dcf70.

📒 Files selected for processing (6)

• hack/lib/yq.sh
• hack/update-cert-manager-manifests.sh
• hack/update-istio-csr-manifests.sh
• hack/update-trust-manager-manifests.sh
• hack/verify-crds-version-upgrade.sh
• hack/verify-crds.sh

💤 Files with no reviewable changes (1)

• hack/lib/yq.sh

✅ Files skipped from review due to trivial changes (1)

• hack/update-istio-csr-manifests.sh

🚧 Files skipped from review as they are similar to previous changes (2)

• hack/update-cert-manager-manifests.sh
• hack/verify-crds-version-upgrade.sh

[bharath-b-rh]

/test e2e-operator-tech-preview

[openshift-ci]

@bharath-b-rh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.