PR Description

The CA injection patch has not worked for go/v4 and kustomize/v2 (release 3.5.0) due to the need to replace vars with replacements, as vars are no longer supported in the latest major versions of Kustomize.

However, since webhook --conversion was an incomplete feature until the upcoming Kubebuilder future release v4.4.0 (where PR #4254 is expected to be merged), users likely didn’t encounter this issue or addressed it manually by fixing the scaffold.

Note: This change only affects projects that require a conversion webhook.

To better understand the issue and context please see: #4285

Closes: #4285

To manually fix projects scaffolded with previous versions, users can:

1. Remove the CERTMANAGER Section from config/crd/kustomization.yaml:

   Delete the CERTMANAGER section to avoid unintended CA injection patches for CRDs. Ensure the following lines are removed or commented out:

   # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
   # patches here are for enabling the CA injection for each CRD
   #- path: patches/cainjection_in_firstmates.yaml
   # +kubebuilder:scaffold:crdkustomizecainjectionpatch

2. Add CA Injection Configuration in config/default/kustomization.yaml:

   In config/default/kustomization.yaml, add the following code under [CERTMANAGER] for CA injection:

   Important: Ensure that these scaffold markers are included:

   • +kubebuilder:scaffold:crdkustomizecainjectionns
   • +kubebuilder:scaffold:crdkustomizecainjectioname

   # - source: # Uncomment the following block if you have a ConversionWebhook (--conversion)
   #     kind: Certificate
   #     group: cert-manager.io
   #     version: v1
   #     name: serving-cert # This name should match the one in certificate.yaml
   #     fieldPath: .metadata.namespace # Namespace of the certificate CR
   #   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
   # +kubebuilder:scaffold:crdkustomizecainjectionns
   # - source:
   #     kind: Certificate
   #     group: cert-manager.io
   #     version: v1
   #     name: serving-cert # This name should match the one in certificate.yaml
   #     fieldPath: .metadata.name
   #   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD.
   # +kubebuilder:scaffold:crdkustomizecainjectioname

3. Ensure Only Conversion Webhook Patches in config/crd/patches:

   The config/crd/patches directory and the corresponding entries in config/crd/kustomization.yaml should only
   contain files for conversion webhooks. Previously, a bug (🐛 (kustomize/v2, go/v4): Fix incorrect generation of manifests under config/crd/patches. Previously, the /convert service patch was being generated for all webhooks instead of only for those with --conversion enabled. #4280) caused the patch file to be generated for any webhook,
   but only patches for webhooks created with the --conversion option should be included.

For further guidance, you can refer to examples in the testdata/ directory in the Kubebuilder repository.

Alternatively: You can use the 'alpha generate' command to re-generate the project from scratch using the latest
release available. Afterward, you can re-add only your code implementation on top to ensure your project includes all
the latest bug fixes and enhancements.