User-facing migration to ClusterBundle

[erikgb]

This PR introduces the new ClusterBundle CRD and enables the migration controller according to the accepted design.

The main controller is changed to reconcile ClusterBundle instead of Bundle.

I've tried to keep this PR as small as possible to make it easier to review. We will likely need to add additional tests for the new features in the ClusterBundle API (e.g., multiple keys) and consolidate the existing tests due to the more generic API. However, I suggest handling this in follow-up PRs. Let me know what you think!

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign thatsmrtalbot for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Pull request overview

This pull request implements a migration from the deprecated trust.cert-manager.io/v1alpha1 Bundle API to the new trust-manager.io/v1alpha2 ClusterBundle API. The PR includes automatic migration via a controller that converts existing Bundle resources to ClusterBundle resources, maintains backward compatibility for JKS format through annotations, and adds appropriate deprecation warnings.

Changes:

• Introduces the new ClusterBundle API (trust-manager.io/v1alpha2) with updated resource structure
• Adds migration controller to automatically convert Bundle -> ClusterBundle
• Updates all internal code to work with ClusterBundle API
• Adds deprecation warnings and markers to the old Bundle API
• Restructures bundle sources and targets (inLineCAs, includeDefaultCAs, KeyValueTarget)
• Removes JKS support in favor of PKCS12 (with backward compatibility via annotations)

Reviewed changes

Copilot reviewed 30 out of 30 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/apis/trust/v1alpha1/types_bundle.go	Added deprecation warnings to Bundle and BundleList types
pkg/bundle/controller/bundle_controller.go	Added migration controller to convert Bundle to ClusterBundle
pkg/webhook/cluster_bundle.go	New webhook validator for ClusterBundle resources
test/gen/bundle.go	Updated test generator to create ClusterBundle objects
pkg/bundle/internal/source/source.go	Refactored to accept BundleSpec instead of sources array
pkg/bundle/internal/target/target.go	Updated hash calculation and binary data generation for new API structure
deploy/crds/*.yaml	Added ClusterBundle CRD and deprecated Bundle CRD
make/00_mod.mk	Removed CRD exclusion to make ClusterBundle user-facing

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 31 out of 31 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[erikgb]

/cc @SgtCoDFish

[SgtCoDFish]

Some fairly superficial comments, but I think worth raising. I want to try and sit down and test this properly but I haven't got bandwidth for that today I don't think!

[erikgb]

Thanks for the initial review, @SgtCoDFish. All your remarks should be addressed now.

I probably want to cut a new release before this is merged. So...

/hold