Release cert-manager v1.13.3

[wallrj]

Release Candidate:

• operator cert-manager (1.13.3-rc1) k8s-operatorhub/community-operators#3617
• operator cert-manager (1.13.3-rc1) redhat-openshift-ecosystem/community-operators-prod#3722

Testing

Installed on OpenShift v4.14 

There was one test failure which I think is caused by RBAC preventing the Vault issuer creating a ServiceAccountToken.
I haven't got time to dig into it further so I plan to release anyway.

$ make crc-e2e   OPENSHIFT_VERSION=4.13   E2E_TEST=../cert-manager/_bin/test/e2e.test
...
  [FAILED] in [It] - github.com/cert-manager/cert-manager/e2e-tests/suite/issuers/vault/issuer.go:370 @ 12/13/23 17:53:55.184
  STEP: Cleaning up AppRole @ 12/13/23 17:53:55.185
  STEP: Cleaning up Kubernetes @ 12/13/23 17:53:55.247
  STEP: Cleaning up Vault @ 12/13/23 17:53:55.257
  STEP: Deleting test namespace @ 12/13/23 17:53:55.27
  << Timeline

  [FAILED] Unexpected error:
      <*errors.errorString | 0xc00141d0d0>:
      context deadline exceeded: Last Status: 'False' Reason: 'VaultError', Message: 'Failed to initialize Vault client: while requesting a Vault token using the Kubernetes auth: while requesting a token for the service account e2e-tests-create-vault-issuer-vtj47/vault-serviceaccount: serviceaccounts "vault-serviceaccount" is forbidden: User "system:serviceaccount:openshift-operators:cert-manager" cannot create resource "serviceaccounts/token" in API group "" in the namespace "e2e-tests-create-vault-issuer-vtj47"'
      {
          s: "context deadline exceeded: Last Status: 'False' Reason: 'VaultError', Message: 'Failed to initialize Vault client: while requesting a Vault token using the Kubernetes auth: while requesting a token for the service account e2e-tests-create-vault-issuer-vtj47/vault-serviceaccount: serviceaccounts \"vault-serviceaccount\" is forbidden: User \"system:serviceaccount:openshift-operators:cert-manager\" cannot create resource \"serviceaccounts/token\" in API group \"\" in the namespace \"e2e-tests-create-vault-issuer-vtj47\"'",
      }
  occurred
  In [It] at: github.com/cert-manager/cert-manager/e2e-tests/suite/issuers/vault/issuer.go:370 @ 12/13/23 17:53:55.184
------------------------------
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS•••••SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS•••••SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS•••••SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSproxy logs:


Summarizing 1 Failure:
  [FAIL] [cert-manager] Vault Issuer [It] should be ready with a valid serviceAccountRef
  github.com/cert-manager/cert-manager/e2e-tests/suite/issuers/vault/issuer.go:370

Ran 25 of 778 Specs in 196.819 seconds
FAIL! -- 24 Passed | 1 Failed | 0 Pending | 753 Skipped
--- FAIL: TestE2E (197.15s)
FAIL
Connection to 34.38.136.123 closed.
make: *** [Makefile:270: crc-e2e] Error 1

Tested the operatorhubio catalog too:

$ kubectl create -f https://operatorhub.io/install/candidate/cert-manager.yaml
subscription.operators.coreos.com/my-cert-manager created

$ kubectl get csv -n operators
NAME                       DISPLAY        VERSION      REPLACES               PHASE
cert-manager.v1.13.3-rc1   cert-manager   1.13.3-rc1   cert-manager.v1.13.1   Succeeded

$ kubectl get crd -l  app.kubernetes.io/instance=cert-manager
NAME                                  CREATED AT
certificaterequests.cert-manager.io   2023-12-14T11:42:36Z
certificates.cert-manager.io          2023-12-14T11:42:38Z
challenges.acme.cert-manager.io       2023-12-14T11:42:38Z
clusterissuers.cert-manager.io        2023-12-14T11:42:38Z
issuers.cert-manager.io               2023-12-14T11:42:38Z
orders.acme.cert-manager.io           2023-12-14T11:42:38Z

$ ctl version -o yaml
clientVersion:
  compiler: gc
  gitCommit: ""
  gitTreeState: ""
  gitVersion: canary
  goVersion: go1.21.3
  platform: linux/amd64
serverVersion:
  detected: v1.13.3
  sources:
    crdLabelVersion: v1.13.3

# ~/projects/cert-manager/cert-manager
$ ./_bin/test/e2e.test --repo-root=/dev/null --ginkgo.focus="CA\ Issuer" --ginkgo.skip="Gateway"
...
Ran 23 of 778 Specs in 70.738 seconds
SUCCESS! -- 23 Passed | 0 Failed | 0 Pending | 755 Skipped
PASS

Release

• operator cert-manager (1.13.3) k8s-operatorhub/community-operators#3622
• operator cert-manager (1.13.3) redhat-openshift-ecosystem/community-operators-prod#3730

[jetstack-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from wallrj. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment