Merge pull request #7872 from erikgb/openapi-gen

Add openapi-gen to client packages

go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/digitalocean/godo v1.159.0
 	github.com/go-ldap/ldap/v3 v3.4.11
 	github.com/go-logr/logr v1.4.3
+	github.com/go-openapi/jsonreference v0.21.0
 	github.com/google/gnostic-models v0.7.0
 	github.com/google/go-cmp v0.7.0
 	github.com/hashicorp/vault/api v1.20.0
@@ -96,7 +97,6 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.1 // indirect
-	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.3 // indirect

hack/k8s-codegen.sh

@@ -50,7 +50,7 @@ deepcopy_inputs=(
   pkg/acme/webhook/apis/acme/v1alpha1 \
 )
 
-# Used for generating apply configurations.
+# Used for generating apply configurations and client openapi specs.
 # Separate to client_inputs because we need apply configurations for metav1,
 # and client-gen has no way to exclude a input package just using markers in code.
 api_inputs=(
@@ -116,6 +116,28 @@ gen-openapi-acme() {
     "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
 }
 
+gen-openapi-client() {
+  clean internal/generated/openapi 'zz_generated.openapi.go'
+  echo "+++ Generating client openapi..." >&2
+  prefixed_inputs=( "${api_inputs[@]/#/$module_name/}" )
+  "$openapigen" \
+    --go-header-file "hack/boilerplate-go.txt" \
+    --report-filename "hack/openapi_reports/client.txt" \
+    --output-dir ./internal/generated/openapi/ \
+    --output-pkg "github.com/cert-manager/cert-manager/internal/generated/openapi" \
+		--output-file zz_generated.openapi.go \
+		"k8s.io/api/core/v1" \
+    "k8s.io/apimachinery/pkg/version" \
+    "k8s.io/apimachinery/pkg/runtime" \
+    "k8s.io/apimachinery/pkg/apis/meta/v1" \
+    "k8s.io/apimachinery/pkg/api/resource" \
+    "k8s.io/apimachinery/pkg/util/intstr" \
+    "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" \
+    "k8s.io/component-base/logs/api/v1" \
+    "sigs.k8s.io/gateway-api/apis/v1" \
+    "${prefixed_inputs[@]}"
+}
+
 gen-deepcopy() {
   clean pkg/apis 'zz_generated.deepcopy.go'
   clean pkg/acme/webhook/apis 'zz_generated.deepcopy.go'
@@ -130,11 +152,18 @@ gen-deepcopy() {
 }
 
 gen-applyconfigurations() {
+  # This is a temporary hack to generate the schema YAMLs
+  # required to generate fake clientsets that actually works.
+  # Upstream issue: https://github.com/kubernetes/kubernetes/issues/126850
+  GOPROXY=off go install \
+    "${module_name}/internal/generated/openapi/cmd/models-schema"
+
   clean "${client_subpackage}"/applyconfigurations '*.go'
   echo "+++ Generating applyconfigurations..." >&2
   prefixed_inputs=( "${api_inputs[@]/#/$module_name/}" )
  "$applyconfigurationgen" \
     --go-header-file hack/boilerplate-go.txt \
+    --openapi-schema <($(go env GOPATH)/bin/models-schema) \
     --output-dir "${client_subpackage}"/applyconfigurations \
     --output-pkg "${client_package}"/applyconfigurations \
     "${prefixed_inputs[@]}"
@@ -224,6 +253,7 @@ gen-conversions() {
 }
 
 gen-openapi-acme
+gen-openapi-client
 gen-deepcopy
 gen-applyconfigurations
 gen-clientsets

hack/openapi_reports/client.txt

@@ -0,0 +1,147 @@
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEAuthorization,Challenges
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEChallengeSolverHTTP01GatewayHTTPRoute,ParentRefs
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEChallengeSolverHTTP01IngressPodSecurityContext,SupplementalGroups
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEChallengeSolverHTTP01IngressPodSecurityContext,Sysctls
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEChallengeSolverHTTP01IngressPodSpec,ImagePullSecrets
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEChallengeSolverHTTP01IngressPodSpec,Tolerations
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuer,Solvers
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,CertificateDNSNameSelector,DNSNames
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,CertificateDNSNameSelector,DNSZones
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,OrderSpec,DNSNames
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,OrderSpec,IPAddresses
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,OrderStatus,Authorizations
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ServiceAccountRef,TokenAudiences
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CAIssuer,CRLDistributionPoints
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CAIssuer,IssuingCertificateURLs
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CAIssuer,OCSPServers
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CertificateRequestSpec,Usages
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CertificateSpec,AdditionalOutputFormats
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CertificateSpec,DNSNames
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CertificateSpec,EmailAddresses
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CertificateSpec,IPAddresses
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CertificateSpec,OtherNames
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CertificateSpec,URIs
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CertificateSpec,Usages
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,NameConstraintItem,DNSDomains
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,NameConstraintItem,EmailAddresses
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,NameConstraintItem,IPRanges
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,NameConstraintItem,URIDomains
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,SelfSignedIssuer,CRLDistributionPoints
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,ServiceAccountRef,TokenAudiences
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,X509Subject,Countries
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,X509Subject,Localities
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,X509Subject,OrganizationalUnits
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,X509Subject,Organizations
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,X509Subject,PostalCodes
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,X509Subject,Provinces
+API rule violation: list_type_missing,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,X509Subject,StreetAddresses
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,AllowedRoutes,Kinds
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,CommonRouteSpec,ParentRefs
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,FrontendTLSValidation,CACertificateRefs
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,GRPCBackendRef,Filters
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,GRPCRouteRule,BackendRefs
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,GRPCRouteRule,Filters
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,GRPCRouteRule,Matches
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,GRPCRouteSpec,Hostnames
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,GRPCRouteSpec,Rules
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,GatewaySpec,Addresses
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,GatewayStatus,Addresses
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,GatewayTLSConfig,CertificateRefs
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,HTTPBackendRef,Filters
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,HTTPRouteRetry,Codes
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,HTTPRouteRule,BackendRefs
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,HTTPRouteRule,Filters
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,HTTPRouteRule,Matches
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,HTTPRouteSpec,Hostnames
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,HTTPRouteSpec,Rules
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,ListenerStatus,SupportedKinds
+API rule violation: list_type_missing,sigs.k8s.io/gateway-api/apis/v1,RouteStatus,Parents
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEChallengeSolver,DNS01
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEChallengeSolver,HTTP01
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEChallengeSolverDNS01,DigitalOcean
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEChallengeSolverDNS01,RFC2136
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEChallengeSolverHTTP01IngressPodTemplate,ACMEChallengeSolverHTTP01IngressPodObjectMeta
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEChallengeSolverHTTP01IngressTemplate,ACMEChallengeSolverHTTP01IngressObjectMeta
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEExternalAccountBinding,Key
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuer,PrivateKey
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderAcmeDNS,AccountSecret
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderAkamai,AccessToken
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderAkamai,ClientSecret
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderAkamai,ClientToken
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderAzureDNS,ClientSecret
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderCloudDNS,ServiceAccount
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderCloudflare,APIKey
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderCloudflare,APIToken
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderDigitalOcean,Token
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderRFC2136,TSIGSecret
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderRoute53,SecretAccessKey
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ACMEIssuerDNS01ProviderRoute53,SecretAccessKeyID
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ServiceAccountRef,TokenAudiences
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CertificateKeystores,PKCS12
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,CertificateSpec,URIs
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,OtherName,UTF8Value
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,ServiceAccountRef,TokenAudiences
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,VaultClientCertificateAuth,Path
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,VaultKubernetesAuth,Path
+API rule violation: names_match,k8s.io/api/core/v1,AzureDiskVolumeSource,DataDiskURI
+API rule violation: names_match,k8s.io/api/core/v1,ContainerStatus,LastTerminationState
+API rule violation: names_match,k8s.io/api/core/v1,DaemonEndpoint,Port
+API rule violation: names_match,k8s.io/api/core/v1,Event,ReportingController
+API rule violation: names_match,k8s.io/api/core/v1,FCVolumeSource,WWIDs
+API rule violation: names_match,k8s.io/api/core/v1,GlusterfsPersistentVolumeSource,EndpointsName
+API rule violation: names_match,k8s.io/api/core/v1,GlusterfsVolumeSource,EndpointsName
+API rule violation: names_match,k8s.io/api/core/v1,ISCSIPersistentVolumeSource,DiscoveryCHAPAuth
+API rule violation: names_match,k8s.io/api/core/v1,ISCSIPersistentVolumeSource,SessionCHAPAuth
+API rule violation: names_match,k8s.io/api/core/v1,ISCSIVolumeSource,DiscoveryCHAPAuth
+API rule violation: names_match,k8s.io/api/core/v1,ISCSIVolumeSource,SessionCHAPAuth
+API rule violation: names_match,k8s.io/api/core/v1,NodeSpec,DoNotUseExternalID
+API rule violation: names_match,k8s.io/api/core/v1,PersistentVolumeSource,CephFS
+API rule violation: names_match,k8s.io/api/core/v1,PersistentVolumeSource,StorageOS
+API rule violation: names_match,k8s.io/api/core/v1,PodSpec,DeprecatedServiceAccount
+API rule violation: names_match,k8s.io/api/core/v1,RBDPersistentVolumeSource,CephMonitors
+API rule violation: names_match,k8s.io/api/core/v1,RBDPersistentVolumeSource,RBDImage
+API rule violation: names_match,k8s.io/api/core/v1,RBDPersistentVolumeSource,RBDPool
+API rule violation: names_match,k8s.io/api/core/v1,RBDPersistentVolumeSource,RadosUser
+API rule violation: names_match,k8s.io/api/core/v1,RBDVolumeSource,CephMonitors
+API rule violation: names_match,k8s.io/api/core/v1,RBDVolumeSource,RBDImage
+API rule violation: names_match,k8s.io/api/core/v1,RBDVolumeSource,RBDPool
+API rule violation: names_match,k8s.io/api/core/v1,RBDVolumeSource,RadosUser
+API rule violation: names_match,k8s.io/api/core/v1,VolumeSource,CephFS
+API rule violation: names_match,k8s.io/api/core/v1,VolumeSource,StorageOS
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Ref
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Schema
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XEmbeddedResource
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XIntOrString
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XListMapKeys
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XListType
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XMapType
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XPreserveUnknownFields
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XValidations
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrArray,JSONSchemas
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrArray,Schema
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrBool,Allows
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrBool,Schema
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrStringArray,Property
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrStringArray,Schema
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,Format
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,d
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,i
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,s
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,scale
+API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,value
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Duration,Duration
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Object
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Type
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,MicroTime,Time
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,StatusCause,Type
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Time,Time
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentEncoding
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentType
+API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,IntVal
+API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,StrVal
+API rule violation: names_match,k8s.io/apimachinery/pkg/util/intstr,IntOrString,Type
+API rule violation: streaming_list_type_json_tags,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,ChallengeList,ListMeta
+API rule violation: streaming_list_type_json_tags,github.com/cert-manager/cert-manager/pkg/apis/acme/v1,OrderList,ListMeta
+API rule violation: streaming_list_type_json_tags,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,ClusterIssuerList,ListMeta
+API rule violation: streaming_list_type_json_tags,github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1,IssuerList,ListMeta

internal/generated/openapi/cmd/models-schema/doc.go

@@ -0,0 +1,17 @@
+/*
+Copyright 2025 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main

internal/generated/openapi/cmd/models-schema/main.go

@@ -0,0 +1,92 @@
+/*
+Copyright 2025 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+
+	"k8s.io/kube-openapi/pkg/common"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+
+	"github.com/cert-manager/cert-manager/internal/generated/openapi"
+)
+
+// Outputs openAPI schema JSON containing the schema definitions in zz_generated.openapi.go.
+func main() {
+	err := output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Failed: %v", err)
+		os.Exit(1)
+	}
+}
+
+func output() error {
+	refFunc := func(name string) spec.Ref {
+		return spec.MustCreateRef(fmt.Sprintf("#/definitions/%s", friendlyName(name)))
+	}
+	defs := openapi.GetOpenAPIDefinitions(refFunc)
+	schemaDefs := make(map[string]spec.Schema, len(defs))
+	for k, v := range defs {
+		// Replace top-level schema with v2 if a v2 schema is embedded
+		// so that the output of this program is always in OpenAPI v2.
+		// This is done by looking up an extension that marks the embedded v2
+		// schema, and, if the v2 schema is found, make it the resulting schema for
+		// the type.
+		if schema, ok := v.Schema.Extensions[common.ExtensionV2Schema]; ok {
+			if v2Schema, isOpenAPISchema := schema.(spec.Schema); isOpenAPISchema {
+				schemaDefs[friendlyName(k)] = v2Schema
+				continue
+			}
+		}
+
+		schemaDefs[friendlyName(k)] = v.Schema
+	}
+	data, err := json.Marshal(&spec.Swagger{
+		SwaggerProps: spec.SwaggerProps{
+			Definitions: schemaDefs,
+			Info: &spec.Info{
+				InfoProps: spec.InfoProps{
+					Title:   "cert-manager",
+					Version: "unversioned",
+				},
+			},
+			Swagger: "2.0",
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("error serializing api definitions: %w", err)
+	}
+	os.Stdout.Write(data)
+	return nil
+}
+
+// From k8s.io/apiserver/pkg/endpoints/openapi/openapi.go
+func friendlyName(name string) string {
+	nameParts := strings.Split(name, "/")
+	// Reverse first part. e.g., io.k8s... instead of k8s.io...
+	if len(nameParts) > 0 && strings.Contains(nameParts[0], ".") {
+		parts := strings.Split(nameParts[0], ".")
+		for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
+			parts[i], parts[j] = parts[j], parts[i]
+		}
+		nameParts[0] = strings.Join(parts, ".")
+	}
+	return strings.Join(nameParts, ".")
+}

internal/generated/openapi/doc.go

@@ -0,0 +1,17 @@
+/*
+Copyright 2025 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package openapi

internal/generated/openapi/openapi_test.go

@@ -0,0 +1,69 @@
+/*
+Copyright 2025 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package openapi
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/go-openapi/jsonreference"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"k8s.io/kube-openapi/pkg/common"
+	"k8s.io/kube-openapi/pkg/handler"
+	"k8s.io/kube-openapi/pkg/validation/spec"
+)
+
+func TestOpenAPIRoundtrip(t *testing.T) {
+	dummyRef := func(name string) spec.Ref { return spec.MustCreateRef("#/definitions/dummy") }
+	for name, value := range GetOpenAPIDefinitions(dummyRef) {
+		t.Run(name, func(t *testing.T) {
+			// TODO(kubernetes/gengo#193): We currently round-trip ints to floats.
+			value.Schema = *handler.PruneDefaultsSchema(&value.Schema)
+			data, err := json.Marshal(value.Schema)
+			if err != nil {
+				t.Error(err)
+				return
+			}
+
+			roundTripped := spec.Schema{}
+			if err := json.Unmarshal(data, &roundTripped); err != nil {
+				t.Error(err)
+				return
+			}
+
+			// Remove the embedded v2 schema if it presents.
+			// The v2 schema either become the schema (when serving v2) or get pruned (v3)
+			// and it is never round-tripped.
+			delete(roundTripped.Extensions, common.ExtensionV2Schema)
+			delete(value.Schema.Extensions, common.ExtensionV2Schema)
+
+			opts := []cmp.Option{
+				cmpopts.EquateEmpty(),
+				// jsonreference.Ref contains unexported fields. Compare
+				// by string representation provides a consistent
+				cmp.Comparer(func(x, y jsonreference.Ref) bool {
+					return x.String() == y.String()
+				}),
+			}
+			if !cmp.Equal(value.Schema, roundTripped, opts...) {
+				t.Errorf("unexpected diff (a=expected,b=roundtripped):\n%s", cmp.Diff(value.Schema, roundTripped, opts...))
+				return
+			}
+		})
+	}
+}

pkg/apis/acme/v1/doc.go

@@ -16,5 +16,6 @@ limitations under the License.
 
 // Package v1 is the v1 version of the API.
 // +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
 // +groupName=acme.cert-manager.io
 package v1

pkg/apis/acme/v1/types_challenge.go

@@ -23,7 +23,6 @@ import (
 )
 
 // +genclient
-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:storageversion
 // +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state"

pkg/apis/acme/v1/types_issuer.go

@@ -347,6 +347,8 @@ type ACMEChallengeSolverHTTP01IngressPodSpec struct {
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
 	// If specified, the pod's imagePullSecrets
+	// +patchMergeKey=name
+	// +patchStrategy=merge
 	// +optional
 	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty" patchMergeKey:"name" patchStrategy:"merge"`
 

pkg/apis/acme/v1/types_order.go

@@ -23,7 +23,6 @@ import (
 )
 
 // +genclient
-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:storageversion
 // +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state"

pkg/apis/certmanager/v1/doc.go

@@ -16,6 +16,7 @@ limitations under the License.
 
 // Package v1 is the v1 version of the API.
 // +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
 // +groupName=cert-manager.io
 // +groupGoName=Certmanager
 package v1

pkg/apis/certmanager/v1/types_certificate.go

@@ -25,7 +25,6 @@ import (
 // NOTE: Be mindful of adding OpenAPI validation - see https://github.com/cert-manager/cert-manager/issues/3644
 
 // +genclient
-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:storageversion
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=`.status.conditions[?(@.type == "Ready")].status`

pkg/apis/certmanager/v1/types_certificaterequest.go

@@ -43,7 +43,6 @@ const (
 )
 
 // +genclient
-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:storageversion
 // +kubebuilder:printcolumn:name="Approved",type="string",JSONPath=`.status.conditions[?(@.type == "Approved")].status`
@@ -65,7 +64,6 @@ const (
 //
 // A CertificateRequest is a one-shot resource, meaning it represents a single
 // point in time request for a certificate and cannot be re-used.
-// +k8s:openapi-gen=true
 type CertificateRequest struct {
 	metav1.TypeMeta `json:",inline"`
 	// Standard object's metadata.

pkg/apis/certmanager/v1/types_issuer.go

@@ -25,7 +25,6 @@ import (
 
 // +genclient
 // +genclient:nonNamespaced
-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:storageversion
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=`.status.conditions[?(@.type == "Ready")].status`
@@ -62,7 +61,6 @@ type ClusterIssuerList struct {
 }
 
 // +genclient
-// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:storageversion
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=`.status.conditions[?(@.type == "Ready")].status`

pkg/apis/meta/v1/doc.go

@@ -16,5 +16,6 @@ limitations under the License.
 
 // Package v1 contains meta types for cert-manager APIs
 // +k8s:deepcopy-gen=package
+// +k8s:openapi-gen=true
 // +gencrdrefdocs:force
 package v1

pkg/client/applyconfigurations/acme/v1/challenge.go

@@ -19,8 +19,11 @@ limitations under the License.
 package v1
 
 import (
+	acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
+	internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
 	apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
 	metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
 )
 
@@ -44,6 +47,42 @@ func Challenge(name, namespace string) *ChallengeApplyConfiguration {
 	return b
 }
 
+// ExtractChallenge extracts the applied configuration owned by fieldManager from
+// challenge. If no managedFields are found in challenge for fieldManager, a
+// ChallengeApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// challenge must be a unmodified Challenge API object that was retrieved from the Kubernetes API.
+// ExtractChallenge provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+// Experimental!
+func ExtractChallenge(challenge *acmev1.Challenge, fieldManager string) (*ChallengeApplyConfiguration, error) {
+	return extractChallenge(challenge, fieldManager, "")
+}
+
+// ExtractChallengeStatus is the same as ExtractChallenge except
+// that it extracts the status subresource applied configuration.
+// Experimental!
+func ExtractChallengeStatus(challenge *acmev1.Challenge, fieldManager string) (*ChallengeApplyConfiguration, error) {
+	return extractChallenge(challenge, fieldManager, "status")
+}
+
+func extractChallenge(challenge *acmev1.Challenge, fieldManager string, subresource string) (*ChallengeApplyConfiguration, error) {
+	b := &ChallengeApplyConfiguration{}
+	err := managedfields.ExtractInto(challenge, internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.acme.v1.Challenge"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(challenge.Name)
+	b.WithNamespace(challenge.Namespace)
+
+	b.WithKind("Challenge")
+	b.WithAPIVersion("acme.cert-manager.io/v1")
+	return b, nil
+}
+
 // WithKind sets the Kind field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Kind field is set to the value of the last call.

pkg/client/applyconfigurations/acme/v1/order.go

@@ -19,8 +19,11 @@ limitations under the License.
 package v1
 
 import (
+	acmev1 "github.com/cert-manager/cert-manager/pkg/apis/acme/v1"
+	internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
 	apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
 	metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
 )
 
@@ -44,6 +47,42 @@ func Order(name, namespace string) *OrderApplyConfiguration {
 	return b
 }
 
+// ExtractOrder extracts the applied configuration owned by fieldManager from
+// order. If no managedFields are found in order for fieldManager, a
+// OrderApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// order must be a unmodified Order API object that was retrieved from the Kubernetes API.
+// ExtractOrder provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+// Experimental!
+func ExtractOrder(order *acmev1.Order, fieldManager string) (*OrderApplyConfiguration, error) {
+	return extractOrder(order, fieldManager, "")
+}
+
+// ExtractOrderStatus is the same as ExtractOrder except
+// that it extracts the status subresource applied configuration.
+// Experimental!
+func ExtractOrderStatus(order *acmev1.Order, fieldManager string) (*OrderApplyConfiguration, error) {
+	return extractOrder(order, fieldManager, "status")
+}
+
+func extractOrder(order *acmev1.Order, fieldManager string, subresource string) (*OrderApplyConfiguration, error) {
+	b := &OrderApplyConfiguration{}
+	err := managedfields.ExtractInto(order, internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.acme.v1.Order"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(order.Name)
+	b.WithNamespace(order.Namespace)
+
+	b.WithKind("Order")
+	b.WithAPIVersion("acme.cert-manager.io/v1")
+	return b, nil
+}
+
 // WithKind sets the Kind field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Kind field is set to the value of the last call.

pkg/client/applyconfigurations/certmanager/v1/certificate.go

@@ -19,8 +19,11 @@ limitations under the License.
 package v1
 
 import (
+	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
 	apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
 	metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
 )
 
@@ -44,6 +47,42 @@ func Certificate(name, namespace string) *CertificateApplyConfiguration {
 	return b
 }
 
+// ExtractCertificate extracts the applied configuration owned by fieldManager from
+// certificate. If no managedFields are found in certificate for fieldManager, a
+// CertificateApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// certificate must be a unmodified Certificate API object that was retrieved from the Kubernetes API.
+// ExtractCertificate provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+// Experimental!
+func ExtractCertificate(certificate *certmanagerv1.Certificate, fieldManager string) (*CertificateApplyConfiguration, error) {
+	return extractCertificate(certificate, fieldManager, "")
+}
+
+// ExtractCertificateStatus is the same as ExtractCertificate except
+// that it extracts the status subresource applied configuration.
+// Experimental!
+func ExtractCertificateStatus(certificate *certmanagerv1.Certificate, fieldManager string) (*CertificateApplyConfiguration, error) {
+	return extractCertificate(certificate, fieldManager, "status")
+}
+
+func extractCertificate(certificate *certmanagerv1.Certificate, fieldManager string, subresource string) (*CertificateApplyConfiguration, error) {
+	b := &CertificateApplyConfiguration{}
+	err := managedfields.ExtractInto(certificate, internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.Certificate"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(certificate.Name)
+	b.WithNamespace(certificate.Namespace)
+
+	b.WithKind("Certificate")
+	b.WithAPIVersion("cert-manager.io/v1")
+	return b, nil
+}
+
 // WithKind sets the Kind field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Kind field is set to the value of the last call.

pkg/client/applyconfigurations/certmanager/v1/certificaterequest.go

@@ -19,8 +19,11 @@ limitations under the License.
 package v1
 
 import (
+	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
 	apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
 	metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
 )
 
@@ -44,6 +47,42 @@ func CertificateRequest(name, namespace string) *CertificateRequestApplyConfigur
 	return b
 }
 
+// ExtractCertificateRequest extracts the applied configuration owned by fieldManager from
+// certificateRequest. If no managedFields are found in certificateRequest for fieldManager, a
+// CertificateRequestApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// certificateRequest must be a unmodified CertificateRequest API object that was retrieved from the Kubernetes API.
+// ExtractCertificateRequest provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+// Experimental!
+func ExtractCertificateRequest(certificateRequest *certmanagerv1.CertificateRequest, fieldManager string) (*CertificateRequestApplyConfiguration, error) {
+	return extractCertificateRequest(certificateRequest, fieldManager, "")
+}
+
+// ExtractCertificateRequestStatus is the same as ExtractCertificateRequest except
+// that it extracts the status subresource applied configuration.
+// Experimental!
+func ExtractCertificateRequestStatus(certificateRequest *certmanagerv1.CertificateRequest, fieldManager string) (*CertificateRequestApplyConfiguration, error) {
+	return extractCertificateRequest(certificateRequest, fieldManager, "status")
+}
+
+func extractCertificateRequest(certificateRequest *certmanagerv1.CertificateRequest, fieldManager string, subresource string) (*CertificateRequestApplyConfiguration, error) {
+	b := &CertificateRequestApplyConfiguration{}
+	err := managedfields.ExtractInto(certificateRequest, internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.CertificateRequest"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(certificateRequest.Name)
+	b.WithNamespace(certificateRequest.Namespace)
+
+	b.WithKind("CertificateRequest")
+	b.WithAPIVersion("cert-manager.io/v1")
+	return b, nil
+}
+
 // WithKind sets the Kind field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Kind field is set to the value of the last call.

pkg/client/applyconfigurations/certmanager/v1/clusterissuer.go

@@ -19,8 +19,11 @@ limitations under the License.
 package v1
 
 import (
+	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
 	apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
 	metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
 )
 
@@ -43,6 +46,41 @@ func ClusterIssuer(name string) *ClusterIssuerApplyConfiguration {
 	return b
 }
 
+// ExtractClusterIssuer extracts the applied configuration owned by fieldManager from
+// clusterIssuer. If no managedFields are found in clusterIssuer for fieldManager, a
+// ClusterIssuerApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// clusterIssuer must be a unmodified ClusterIssuer API object that was retrieved from the Kubernetes API.
+// ExtractClusterIssuer provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+// Experimental!
+func ExtractClusterIssuer(clusterIssuer *certmanagerv1.ClusterIssuer, fieldManager string) (*ClusterIssuerApplyConfiguration, error) {
+	return extractClusterIssuer(clusterIssuer, fieldManager, "")
+}
+
+// ExtractClusterIssuerStatus is the same as ExtractClusterIssuer except
+// that it extracts the status subresource applied configuration.
+// Experimental!
+func ExtractClusterIssuerStatus(clusterIssuer *certmanagerv1.ClusterIssuer, fieldManager string) (*ClusterIssuerApplyConfiguration, error) {
+	return extractClusterIssuer(clusterIssuer, fieldManager, "status")
+}
+
+func extractClusterIssuer(clusterIssuer *certmanagerv1.ClusterIssuer, fieldManager string, subresource string) (*ClusterIssuerApplyConfiguration, error) {
+	b := &ClusterIssuerApplyConfiguration{}
+	err := managedfields.ExtractInto(clusterIssuer, internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.ClusterIssuer"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(clusterIssuer.Name)
+
+	b.WithKind("ClusterIssuer")
+	b.WithAPIVersion("cert-manager.io/v1")
+	return b, nil
+}
+
 // WithKind sets the Kind field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Kind field is set to the value of the last call.

pkg/client/applyconfigurations/certmanager/v1/issuer.go

@@ -19,8 +19,11 @@ limitations under the License.
 package v1
 
 import (
+	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	internal "github.com/cert-manager/cert-manager/pkg/client/applyconfigurations/internal"
 	apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
 	metav1 "k8s.io/client-go/applyconfigurations/meta/v1"
 )
 
@@ -44,6 +47,42 @@ func Issuer(name, namespace string) *IssuerApplyConfiguration {
 	return b
 }
 
+// ExtractIssuer extracts the applied configuration owned by fieldManager from
+// issuer. If no managedFields are found in issuer for fieldManager, a
+// IssuerApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// issuer must be a unmodified Issuer API object that was retrieved from the Kubernetes API.
+// ExtractIssuer provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+// Experimental!
+func ExtractIssuer(issuer *certmanagerv1.Issuer, fieldManager string) (*IssuerApplyConfiguration, error) {
+	return extractIssuer(issuer, fieldManager, "")
+}
+
+// ExtractIssuerStatus is the same as ExtractIssuer except
+// that it extracts the status subresource applied configuration.
+// Experimental!
+func ExtractIssuerStatus(issuer *certmanagerv1.Issuer, fieldManager string) (*IssuerApplyConfiguration, error) {
+	return extractIssuer(issuer, fieldManager, "status")
+}
+
+func extractIssuer(issuer *certmanagerv1.Issuer, fieldManager string, subresource string) (*IssuerApplyConfiguration, error) {
+	b := &IssuerApplyConfiguration{}
+	err := managedfields.ExtractInto(issuer, internal.Parser().Type("com.github.cert-manager.cert-manager.pkg.apis.certmanager.v1.Issuer"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(issuer.Name)
+	b.WithNamespace(issuer.Namespace)
+
+	b.WithKind("Issuer")
+	b.WithAPIVersion("cert-manager.io/v1")
+	return b, nil
+}
+
 // WithKind sets the Kind field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Kind field is set to the value of the last call.