cert-manager · cert-manager-prow · Jan 26, 2026 · Jan 24, 2026
diff --git a/deploy/crds/trust-manager.io_clusterbundles.yaml b/deploy/crds/trust-manager.io_clusterbundles.yaml
@@ -73,13 +73,14 @@ spec:
                   The version of the default CA package which is used for a Bundle is stored in the
                   defaultCAPackageVersion field of the Bundle's status field.
                 type: boolean
-              sources:
-                description: Sources is a set of references to data whose data will
-                  sync to the target.
+              sourceRefs:
+                description: |-
+                  SourceRefs is a list of references to resources whose data will be appended and synced into
+                  the bundle target resources.
                 items:
                   description: |-
-                    BundleSource is the set of sources whose data will be appended and synced to
-                    the BundleTarget in all Namespaces.
+                    BundleSourceRef is a reference to source resource(s) whose data will be appended and synced into
+                    the bundle target resources.
                   properties:
                     key:
                       description: |-

diff --git a/pkg/apis/trust/v1alpha1/conversion.go b/pkg/apis/trust/v1alpha1/conversion.go
@@ -61,17 +61,37 @@ func (src *Bundle) ConvertTo(dstRaw conversion.Hub) error {
 	}
 
 	// Remove empty sources, as some source fields are "promoted" to spec in ClusterBundle.
-	dst.Spec.Sources = slices.DeleteFunc(dst.Spec.Sources, func(bs trustv1alpha2.BundleSource) bool {
-		return bs == trustv1alpha2.BundleSource{}
+	dst.Spec.SourceRefs = slices.DeleteFunc(dst.Spec.SourceRefs, func(bs trustv1alpha2.BundleSourceRef) bool {
+		return bs == trustv1alpha2.BundleSourceRef{}
 	})
-	if len(dst.Spec.Sources) == 0 {
-		dst.Spec.Sources = nil
+	if len(dst.Spec.SourceRefs) == 0 {
+		dst.Spec.SourceRefs = nil
 	}
 
 	return nil
 }
 
-func Convert_v1alpha1_BundleSource_To_v1alpha2_BundleSource(in *BundleSource, out *trustv1alpha2.BundleSource, scope apimachineryconversion.Scope) error {
+func Convert_v1alpha1_BundleSpec_To_v1alpha2_BundleSpec(in *BundleSpec, out *trustv1alpha2.BundleSpec, scope apimachineryconversion.Scope) error {
+	if err := autoConvert_v1alpha1_BundleSpec_To_v1alpha2_BundleSpec(in, out, scope); err != nil {
+		return err
+	}
+
+	if in.Sources != nil {
+		in, out := &in.Sources, &out.SourceRefs
+		*out = make([]trustv1alpha2.BundleSourceRef, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha1_BundleSource_To_v1alpha2_BundleSourceRef(&(*in)[i], &(*out)[i], scope); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.SourceRefs = nil
+	}
+
+	return nil
+}
+
+func Convert_v1alpha1_BundleSource_To_v1alpha2_BundleSourceRef(in *BundleSource, out *trustv1alpha2.BundleSourceRef, scope apimachineryconversion.Scope) error {
 	var sourceObjectKeySelector *SourceObjectKeySelector
 	if in.ConfigMap != nil {
 		out.Kind = trustv1alpha2.ConfigMapKind
@@ -218,6 +238,18 @@ func Convert_v1alpha2_BundleSpec_To_v1alpha1_BundleSpec(in *trustv1alpha2.Bundle
 		return err
 	}
 
+	if in.SourceRefs != nil {
+		in, out := &in.SourceRefs, &out.Sources
+		*out = make([]BundleSource, len(*in))
+		for i := range *in {
+			if err := Convert_v1alpha2_BundleSourceRef_To_v1alpha1_BundleSource(&(*in)[i], &(*out)[i], scope); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Sources = nil
+	}
+
 	if in.InLineCAs != nil {
 		out.Sources = append(out.Sources, BundleSource{InLine: in.InLineCAs})
 	}
@@ -228,7 +260,7 @@ func Convert_v1alpha2_BundleSpec_To_v1alpha1_BundleSpec(in *trustv1alpha2.Bundle
 	return nil
 }
 
-func Convert_v1alpha2_BundleSource_To_v1alpha1_BundleSource(in *trustv1alpha2.BundleSource, out *BundleSource, _ apimachineryconversion.Scope) error {
+func Convert_v1alpha2_BundleSourceRef_To_v1alpha1_BundleSource(in *trustv1alpha2.BundleSourceRef, out *BundleSource, _ apimachineryconversion.Scope) error {
 	key := in.Key
 	includeAllKeys := false
 	if in.Key == "*" {

diff --git a/pkg/apis/trust/v1alpha1/conversion_test.go b/pkg/apis/trust/v1alpha1/conversion_test.go
@@ -92,7 +92,7 @@ func fuzzFuncs(_ runtimeserializer.CodecFactory) []any {
 		spokeBundleSpecFuzzer,
 		spokeSourceObjectKeySelectorFuzzer,
 		spokeBundleTargetFuzzer,
-		hubBundleSourceFuzzer,
+		hubBundleSourceRefFuzzer,
 		hubBundleTargetFuzzer,
 	}
 }
@@ -157,7 +157,7 @@ func spokeBundleTargetFuzzer(obj *BundleTarget, c randfill.Continue) {
 	}
 }
 
-func hubBundleSourceFuzzer(obj *trustmanagerapi.BundleSource, c randfill.Continue) {
+func hubBundleSourceRefFuzzer(obj *trustmanagerapi.BundleSourceRef, c randfill.Continue) {
 	c.FillNoCustom(obj)
 
 	// We only allow known kinds, so must normalize the source kind

diff --git a/pkg/apis/trust/v1alpha1/zz_generated.conversion.go b/pkg/apis/trust/v1alpha1/zz_generated.conversion.go
diff --git a/pkg/apis/trustmanager/v1alpha2/types_cluster_bundle.go b/pkg/apis/trustmanager/v1alpha2/types_cluster_bundle.go
@@ -59,12 +59,13 @@ type ClusterBundleList struct {
 
 // BundleSpec defines the desired state of a Bundle.
 type BundleSpec struct {
-	// Sources is a set of references to data whose data will sync to the target.
+	// SourceRefs is a list of references to resources whose data will be appended and synced into
+	// the bundle target resources.
 	// +listType=atomic
 	// +optional
 	// +kubebuilder:validation:MinItems=0
 	// +kubebuilder:validation:MaxItems=100
-	Sources []BundleSource `json:"sources,omitempty"`
+	SourceRefs []BundleSourceRef `json:"sourceRefs,omitempty"`
 
 	// IncludeDefaultCAs, when true, requests the default CA bundle to be used as a source.
 	// Default CAs are available if trust-manager was installed via Helm
@@ -86,10 +87,10 @@ type BundleSpec struct {
 	Target BundleTarget `json:"target,omitzero"`
 }
 
-// BundleSource is the set of sources whose data will be appended and synced to
-// the BundleTarget in all Namespaces.
+// BundleSourceRef is a reference to source resource(s) whose data will be appended and synced into
+// the bundle target resources.
 // +structType=atomic
-type BundleSource struct {
+type BundleSourceRef struct {
 	SourceReference `json:",inline"`
 
 	// Key(s) of the entry in the object's `data` field to be used.

diff --git a/pkg/apis/trustmanager/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/trustmanager/v1alpha2/zz_generated.deepcopy.go
diff --git a/...ons/trustmanager/v1alpha2/bundlesource.go → .../trustmanager/v1alpha2/bundlesourceref.go b/...ons/trustmanager/v1alpha2/bundlesource.go → .../trustmanager/v1alpha2/bundlesourceref.go
diff --git a/pkg/applyconfigurations/trustmanager/v1alpha2/bundlespec.go b/pkg/applyconfigurations/trustmanager/v1alpha2/bundlespec.go
diff --git a/pkg/webhook/cluster_bundle.go b/pkg/webhook/cluster_bundle.go
@@ -70,8 +70,8 @@ func (webhook *ClusterBundle) validate(ctx context.Context, obj runtime.Object)
 		fldPath  = field.NewPath("spec")
 	)
 
-	for i, source := range bundle.Spec.Sources {
-		el = append(el, webhook.validateSource(source, fldPath.Child("sources").Index(i))...)
+	for i, sourceRef := range bundle.Spec.SourceRefs {
+		el = append(el, webhook.validateSourceRef(sourceRef, fldPath.Child("sourceRefs").Index(i))...)
 	}
 
 	el = append(el, webhook.validateTarget(bundle.Spec.Target, fldPath.Child("target"))...)
@@ -80,8 +80,8 @@ func (webhook *ClusterBundle) validate(ctx context.Context, obj runtime.Object)
 
 }
 
-func (webhook *ClusterBundle) validateSource(source trustmanagerapi.BundleSource, fldPath *field.Path) field.ErrorList {
-	return validation.ValidateLabelSelector(source.Selector, validation.LabelSelectorValidationOptions{}, fldPath.Child("selector"))
+func (webhook *ClusterBundle) validateSourceRef(sourceRef trustmanagerapi.BundleSourceRef, fldPath *field.Path) field.ErrorList {
+	return validation.ValidateLabelSelector(sourceRef.Selector, validation.LabelSelectorValidationOptions{}, fldPath.Child("selector"))
 }
 
 func (webhook *ClusterBundle) validateTarget(target trustmanagerapi.BundleTarget, fldPath *field.Path) field.ErrorList {