
Eliminate use of naked bool (includeDefaultCAs) in ClusterBundle API #855

Merged
cert-manager-prow[bot] merged 1 commit into cert-manager:main from erikgb:default-cas-refact on Jan 27, 2026

@erikgb (Member) commented Jan 24, 2026

Somehow related to #850, naked booleans are discouraged in Kubernetes APIs because they make the API constrained and hard to extend without breaking changes. Ref. Kube API conventions:

Think twice about bool fields. Many ideas start as boolean but eventually trend towards a small set of mutually exclusive options. Plan for future expansions by describing the policy options explicitly as a string type alias (e.g. TerminationMessagePolicy).

In this PR, I suggest eliminating the only remaining naked boolean in the new ClusterBundle API: includeDefaultCAs, into something I feel is better aligned with the API conventions.

Note that this is a breaking change, but ClusterBundle is not yet user-facing, ref. #702.

@cert-manager-prow cert-manager-prow bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 24, 2026
@erikgb erikgb requested a review from Copilot January 24, 2026 15:37
Copilot AI left a comment

Pull request overview

This pull request refactors the ClusterBundle API to eliminate the use of a naked boolean field (includeDefaultCAs) and replace it with a structured enum-based field (defaultCAs) that follows Kubernetes API conventions. This change provides better extensibility for future enhancements without requiring breaking API changes.

Changes:

  • Replaced IncludeDefaultCAs *bool with DefaultCAs *DefaultCAsSource struct containing a Provider string field with enum validation
  • Updated conversion logic between v1alpha1 (Bundle) and v1alpha2 (ClusterBundle) to handle the new structured field
  • Added fuzzer for the new DefaultCAsSource type to support roundtrip conversion testing

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Summary per file:

| File | Description |
| --- | --- |
| pkg/apis/trustmanager/v1alpha2/types_cluster_bundle.go | Introduces new DefaultCAsSource struct and replaces boolean field with structured enum-based field |
| pkg/apis/trustmanager/v1alpha2/zz_generated.deepcopy.go | Auto-generated deepcopy methods for the new DefaultCAsSource type |
| pkg/apis/trust/v1alpha1/conversion.go | Updates conversion logic to map between boolean (v1alpha1) and enum (v1alpha2) representations |
| pkg/apis/trust/v1alpha1/conversion_test.go | Adds fuzzer for the new type to support conversion testing |
| pkg/apis/trust/v1alpha1/zz_generated.conversion.go | Auto-generated conversion warning comments updated to reference new field name |
| pkg/applyconfigurations/trustmanager/v1alpha2/defaultcassource.go | Auto-generated apply configuration for the new DefaultCAsSource type |
| pkg/applyconfigurations/trustmanager/v1alpha2/bundlespec.go | Updates apply configuration to use new structured field instead of boolean |
| deploy/crds/trust-manager.io_clusterbundles.yaml | Updates CRD schema with new structured field and enum validation |
| test/integration/clusterbundle/migration_test.go | Updates test to use new structured API field |
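
The bool-to-enum mapping described in the review summary above can be sketched as follows. This is an added example, not code from the PR or the trust-manager project: the `System` provider value, the function names, and the choice to map both nil and false to an absent field are assumptions, since the page shows neither the enum values nor the conversion code.

```go
package main

import (
	"errors"
	"fmt"
)

// DefaultCAsSource mirrors the shape named in the review summary (a struct
// with a Provider string). Everything else in this file is hypothetical.
type DefaultCAsSource struct {
	Provider string
}

// ProviderSystem is an assumed enum value; the page does not list the real ones.
const ProviderSystem = "System"

var ErrUnknownProvider = errors.New("unknown defaultCAs provider")

// BoolToSource maps the old *bool onto the structured field. In this sketch
// nil and false both become nil, so no default CAs are trusted unless asked for.
func BoolToSource(include *bool) *DefaultCAsSource {
	if include == nil || !*include {
		return nil
	}
	return &DefaultCAsSource{Provider: ProviderSystem}
}

// SourceToBool maps back. A provider the old API cannot express is rejected
// rather than coerced to true, which would silently widen the trust bundle.
func SourceToBool(src *DefaultCAsSource) (*bool, error) {
	if src == nil {
		return nil, nil
	}
	if src.Provider != ProviderSystem {
		return nil, fmt.Errorf("%w: %q", ErrUnknownProvider, src.Provider)
	}
	include := true
	return &include, nil
}

func main() {
	yes := true
	src := BoolToSource(&yes)
	back, err := SourceToBool(src)
	fmt.Println(src.Provider, *back, err)

	_, err = SourceToBool(&DefaultCAsSource{Provider: "Future"}) // constructed input
	fmt.Println(err)
}
```

In this sketch an explicit `false` does not survive a round trip (it comes back as nil), which is the kind of lossy case roundtrip fuzzing of a conversion is meant to surface.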


Copilot AI left a comment

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.


@erikgb erikgb force-pushed the default-cas-refact branch from 1062afb to c66f936 Compare January 24, 2026 15:55
@erikgb (Member Author) commented Jan 24, 2026

/cc @SgtCoDFish

@erikgb (Member Author) commented Jan 24, 2026

/test pull-trust-manager-integration

@cert-manager-prow cert-manager-prow bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 26, 2026
@erikgb erikgb force-pushed the default-cas-refact branch from c66f936 to edc0c03 Compare January 26, 2026 19:52
@cert-manager-prow cert-manager-prow bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 26, 2026
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
@erikgb erikgb force-pushed the default-cas-refact branch from edc0c03 to 052155e Compare January 27, 2026 11:49
@SgtCoDFish (Member) left a comment

/lgtm
/approve

I like this; I can see how we could provide other default CA bundles down the road, and this keeps most of the simplicity of the bool while enabling that!

@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label Jan 27, 2026
@cert-manager-prow (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish


@cert-manager-prow cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 27, 2026
@cert-manager-prow cert-manager-prow bot merged commit 357370e into cert-manager:main Jan 27, 2026
6 checks passed