--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep operatorframework.io/installed-alongside-8719e53bd35795a3: cert-manager-operator/cert-manager-operator.v1.19.0 creationTimestamp: "2026-04-22T18:51:11Z" generation: 1 labels: app.kubernetes.io/instance: cert-manager-trust-manager app.kubernetes.io/managed-by: cert-manager-operator app.kubernetes.io/name: cert-manager-trust-manager app.kubernetes.io/part-of: cert-manager-operator app.kubernetes.io/version: v0.20.3 olm.managed: "true" operators.coreos.com/openshift-cert-manager-operator.cert-manager-operator: "" managedFields: - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:helm.sh/resource-policy: {} f:operatorframework.io/installed-alongside-8719e53bd35795a3: {} f:labels: .: {} f:app.kubernetes.io/instance: {} f:app.kubernetes.io/managed-by: {} f:app.kubernetes.io/name: {} f:app.kubernetes.io/part-of: {} f:app.kubernetes.io/version: {} f:olm.managed: {} f:spec: f:conversion: .: {} f:strategy: {} f:group: {} f:names: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:scope: {} f:versions: {} manager: catalog operation: Update time: "2026-04-22T18:51:11Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:status: f:acceptedNames: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:conditions: k:{"type":"Established"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"NamesAccepted"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} manager: kube-apiserver operation: Update subresource: status time: "2026-04-22T18:51:11Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: f:operators.coreos.com/openshift-cert-manager-operator.cert-manager-operator: {} manager: olm operation: Update time: "2026-04-22T18:51:25Z" name: bundles.trust.cert-manager.io resourceVersion: "13041" uid: 27b773c2-caad-4c1a-b7b9-2023f9cef463 spec: conversion: strategy: None group: trust.cert-manager.io names: kind: Bundle listKind: BundleList plural: bundles singular: bundle scope: Cluster versions: - additionalPrinterColumns: - description: Bundle ConfigMap Target Key jsonPath: .spec.target.configMap.key name: ConfigMap Target type: string - description: Bundle Secret Target Key jsonPath: .spec.target.secret.key name: Secret Target type: string - description: Bundle has been synced jsonPath: .status.conditions[?(@.type == "Synced")].status name: Synced type: string - description: Reason Bundle has Synced status jsonPath: .status.conditions[?(@.type == "Synced")].reason name: Reason type: string - description: Timestamp Bundle was created jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: Desired state of the Bundle resource. properties: sources: description: Sources is a set of references to data whose data will sync to the target. items: description: |- BundleSource is the set of sources whose data will be appended and synced to the BundleTarget in all Namespaces. properties: configMap: description: |- ConfigMap is a reference (by name) to a ConfigMap's `data` key(s), or to a list of ConfigMap's `data` key(s) using label selector, in the trust Namespace. properties: includeAllKeys: description: |- IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default. This field must not be true when `Key` is set. type: boolean key: description: Key of the entry in the object's `data` field to be used. minLength: 1 type: string name: description: |- Name is the name of the source object in the trust Namespace. This field must be left empty when `selector` is set minLength: 1 type: string selector: description: |- Selector is the label selector to use to fetch a list of objects. Must not be set when `Name` is set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic inLine: description: InLine is a simple string to append as the source data. type: string secret: description: |- Secret is a reference (by name) to a Secret's `data` key(s), or to a list of Secret's `data` key(s) using label selector, in the trust Namespace. properties: includeAllKeys: description: |- IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default. This field must not be true when `Key` is set. type: boolean key: description: Key of the entry in the object's `data` field to be used. minLength: 1 type: string name: description: |- Name is the name of the source object in the trust Namespace. This field must be left empty when `selector` is set minLength: 1 type: string selector: description: |- Selector is the label selector to use to fetch a list of objects. Must not be set when `Name` is set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic useDefaultCAs: description: |- UseDefaultCAs, when true, requests the default CA bundle to be used as a source. Default CAs are available if trust-manager was installed via Helm or was otherwise set up to include a package-injecting init container by using the "--default-package-location" flag when starting the trust-manager controller. If default CAs were not configured at start-up, any request to use the default CAs will fail. The version of the default CA package which is used for a Bundle is stored in the defaultCAPackageVersion field of the Bundle's status field. type: boolean type: object x-kubernetes-map-type: atomic maxItems: 100 minItems: 1 type: array x-kubernetes-list-type: atomic target: description: Target is the target location in all namespaces to sync source data to. properties: additionalFormats: description: AdditionalFormats specifies any additional formats to write to the target properties: jks: description: |- JKS requests a JKS-formatted binary trust bundle to be written to the target. The bundle has "changeit" as the default password. For more information refer to this link https://cert-manager.io/docs/faq/#keystore-passwords Format is deprecated: Writing JKS is subject for removal. Please migrate to PKCS12. PKCS#12 trust stores created by trust-manager are compatible with Java. properties: key: description: Key is the key of the entry in the object's `data` field to be used. minLength: 1 type: string password: default: changeit description: Password for JKS trust store maxLength: 128 minLength: 1 type: string required: - key type: object x-kubernetes-map-type: atomic pkcs12: description: |- PKCS12 requests a PKCS12-formatted binary trust bundle to be written to the target. The bundle is by default created without a password. For more information refer to this link https://cert-manager.io/docs/faq/#keystore-passwords properties: key: description: Key is the key of the entry in the object's `data` field to be used. minLength: 1 type: string password: default: "" description: Password for PKCS12 trust store maxLength: 128 type: string profile: description: |- Profile specifies the certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 trust store. If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (e.g. because of company policy). Default value is `LegacyRC2` for backward compatibility. enum: - LegacyRC2 - LegacyDES - Modern2023 type: string required: - key type: object x-kubernetes-map-type: atomic type: object configMap: description: |- ConfigMap is the target ConfigMap in Namespaces that all Bundle source data will be synced to. properties: key: description: Key is the key of the entry in the object's `data` field to be used. minLength: 1 type: string metadata: description: Metadata is an optional set of labels and annotations to be copied to the target. properties: annotations: additionalProperties: type: string description: Annotations is a key value map to be copied to the target. type: object labels: additionalProperties: type: string description: Labels is a key value map to be copied to the target. type: object type: object required: - key type: object namespaceSelector: description: |- NamespaceSelector will, if set, only sync the target resource in Namespaces which match the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array x-kubernetes-list-type: atomic required: - key - operator type: object type: array x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic secret: description: |- Secret is the target Secret that all Bundle source data will be synced to. Using Secrets as targets is only supported if enabled at trust-manager startup. By default, trust-manager has no permissions for writing to secrets and can only read secrets in the trust namespace. properties: key: description: Key is the key of the entry in the object's `data` field to be used. minLength: 1 type: string metadata: description: Metadata is an optional set of labels and annotations to be copied to the target. properties: annotations: additionalProperties: type: string description: Annotations is a key value map to be copied to the target. type: object labels: additionalProperties: type: string description: Labels is a key value map to be copied to the target. type: object type: object required: - key type: object type: object required: - sources type: object status: description: Status of the Bundle. This is set and managed automatically. properties: conditions: description: |- List of status conditions to indicate the status of the Bundle. Known condition types are `Bundle`. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map defaultCAVersion: description: |- DefaultCAPackageVersion, if set and non-empty, indicates the version information which was retrieved when the set of default CAs was requested in the bundle source. This should only be set if useDefaultCAs was set to "true" on a source, and will be the same for the same version of a bundle with identical certificates. type: string type: object required: - spec type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: Bundle listKind: BundleList plural: bundles singular: bundle conditions: - lastTransitionTime: "2026-04-22T18:51:11Z" message: no conflicts found reason: NoConflicts status: "True" type: NamesAccepted - lastTransitionTime: "2026-04-22T18:51:11Z" message: the initial names have been accepted reason: InitialNamesAccepted status: "True" type: Established storedVersions: - v1alpha1