disables feature gate ACMEHTTP01IngressPathTypeExact

PillaiManish · PillaiManish · commit ad3efec7a08f · 2025-08-19T18:23:06.000+05:30
diff --git a/bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml b/bindata/cert-manager-deployment/controller/cert-manager-deployment.yaml
@@ -36,6 +36,7 @@ spec:
             - --leader-election-namespace=kube-system
             - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.18.2
             - --max-concurrent-challenges=60
+            - --feature-gates=ACMEHTTP01IngressPathTypeExact=false
           command:
             - /app/cmd/controller/controller
           env:
diff --git a/jsonnet/main.jsonnet b/jsonnet/main.jsonnet
@@ -47,7 +47,19 @@ local processManifests(manifest) =
                 if std.startsWith(arg, dsdnArgKey) == false
               ] + [
                 if std.length(dsdnArgVal) > 0 then (dsdnArgKey + dsdnArgVal)
-              ]),
+              ] + (
+                // Temporary workaround: Disable ACMEHTTP01IngressPathTypeExact feature gate
+                // for OpenShift compatibility. This should be removed when OpenShift's
+                // ingress-to-route controller supports Exact path type (RFE-4169).
+                //
+                // Background: cert-manager 1.18 changed ACME HTTP01 challenge ingress path type
+                // from ImplementationSpecific to Exact, but OpenShift's ingress-to-route controller
+                // doesn't support Exact path type, causing 503 errors during HTTP01 challenges.
+                if container.name == 'cert-manager-controller' then
+                  ['--feature-gates=ACMEHTTP01IngressPathTypeExact=false']
+                else
+                  []
+              )),
             }
             for container in super.containers
           ],
diff --git a/pkg/controller/deployment/deployment_overrides_test.go b/pkg/controller/deployment/deployment_overrides_test.go
@@ -35,6 +35,7 @@ func TestUnsupportedConfigOverrides(t *testing.T) {
 			"--leader-election-namespace=kube-system",
 			"--acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.18.2",
 			"--max-concurrent-challenges=60",
+			"--feature-gates=ACMEHTTP01IngressPathTypeExact=false",
 		},
 		"cert-manager-cainjector": {
 			"--v=2",
@@ -122,6 +123,7 @@ func TestUnsupportedConfigOverrides(t *testing.T) {
 			wantArgs: []string{
 				"--acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.18.2",
 				"--cluster-resource-namespace=$(POD_NAMESPACE)",
+				"--feature-gates=ACMEHTTP01IngressPathTypeExact=false",
 				"--featureX=enable",
 				"--leader-election-namespace=kube-system",
 				"--max-concurrent-challenges=60",
@@ -173,6 +175,7 @@ func TestUnsupportedConfigOverrides(t *testing.T) {
 			wantArgs: []string{
 				"--acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.18.2",
 				"--cluster-resource-namespace=$(POD_NAMESPACE)",
+				"--feature-gates=ACMEHTTP01IngressPathTypeExact=false",
 				"--featureY=disable",
 				"--leader-election-namespace=kube-system",
 				"--max-concurrent-challenges=60",
diff --git a/pkg/operator/assets/bindata.go b/pkg/operator/assets/bindata.go
