diff --git a/devel/addon/ingressnginx/install.sh b/devel/addon/ingressnginx/install.sh
index 91c76b25d..c79a17c21 100755
--- a/devel/addon/ingressnginx/install.sh
+++ b/devel/addon/ingressnginx/install.sh
@@ -48,16 +48,21 @@ export PATH="${bindir}/hack/bin/:$PATH"
 # We need to install different versions of Ingress depending on which version of
 # Kubernetes we are running as the NGINX Ingress controller does not have a
 # release where they would support both v1 and v1beta1 versions of networking API.
-# If running the setup script locally against Kubernetes v1.22, make sure to pass K8S_VERSION
-# K8S_VERSION=1.22 ./devel/setup-e2e-deps.sh for this to work.
-# TODO: Remove this once we no longer need to test against Kubernetes below v1.19.
 
 # This allows running ./devel/setup-e2e-deps.sh locally against Kubernetes v1.22
 # without passing the K8S_VERSION env var.
 k8s_version=$(kubectl version -oyaml | yq e '.serverVersion | .major +"."+ .minor' -)
 if [[ $k8s_version =~ 1\.22 ]]; then
+  # Deploy a v1 NGINX-Ingress when on Kubernetes 1.22 (only v1+ NGINX-Ingress versions support networking.k8s.io/v1 API)
   IMAGE_TAG="v1.0.2"
   HELM_CHART="4.0.3"
+  # v1 NGINX-Ingress by default only watches Ingresses with Ingress class
+  # defined. When configuring solver block for ACME HTTTP01 challenge on an ACME
+  # issuer, cert-manager users can currently specify either an Ingress name or a
+  # class. We also e2e test these two ways of creating Ingresses with
+  # ingress-shim. For the ingress controller to watch our Ingresses that don't
+  # have a class, we pass a --watch-ingress-without-class flag
+  # https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml#L64-L67
   INGRESS_WITHOUT_CLASS="true"
 else
   IMAGE_TAG="v0.48.1"
diff --git a/hack/BUILD.bazel b/hack/BUILD.bazel
index 700896463..893dea44d 100644
--- a/hack/BUILD.bazel
+++ b/hack/BUILD.bazel
@@ -165,7 +165,7 @@ sh_binary(
         "@io_k8s_code_generator//cmd/lister-gen",
     ],
     deps = [
-        ":utils",
+        ":utils",  # This is added to ensure that if ./utils.sh changes Bazel knows to re-run this target
         "@bazel_tools//tools/bash/runfiles",
     ],
 )
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
index ac3ce5de5..cefdb323c 100755
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@@ -27,9 +27,20 @@ else
   exit 0
 fi
 
-# This has been copied from https://github.com/bazelbuild/bazel/blob/master/tools/bash/runfiles/runfiles.bash
-# It exports rlocation function that can be used to access other bash scripts in this codebase.
-# set -e pipefail needs to happen after sourcing runfiles.bash, see https://github.com/bazelbuild/bazel/blob/master/tools/bash/runfiles/runfiles.bash#L21
+# Source runfiles.bash to to be able to use the rlocation function that is
+# defined in the above linked script. This function finds runtime location of
+# scripts thus allowing us to source other bash scripts when this script is run
+# by Bazel.
+# https://github.com/bazelbuild/bazel/blob/master/tools/bash/runfiles/runfiles.bash .
+
+# The runfiles.bash is added as a dep of the update-codegen target that is
+# used to run this script. Bazel places deps of sh_binary targets in runfiles
+# https://docs.bazel.build/versions/main/be/shell.html#sh_binary_args and the
+# following lines attempt to source this script from one of the known runfile
+# location for runfiles for this target.
+
+# set -e pipefail needs to happen after sourcing runfiles.bash, see
+# https://github.com/bazelbuild/bazel/blob/master/tools/bash/runfiles/runfiles.bash#L21
 
 # --- begin runfiles.bash initialization v2 ---
 # Copy-pasted from the Bazel Bash runfiles library v2.
diff --git a/test/integration/framework/apiserver.go b/test/integration/framework/apiserver.go
index b7f89cd72..aabacf931 100644
--- a/test/integration/framework/apiserver.go
+++ b/test/integration/framework/apiserver.go
@@ -28,7 +28,6 @@ import (
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	apiextensionsinstall "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/install"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	jsonserializer "k8s.io/apimachinery/pkg/runtime/serializer/json"
@@ -57,7 +56,7 @@ func RunControlPlane(t *testing.T, ctx context.Context) (*rest.Config, StopFunc)
 	for _, crd := range crds {
 		t.Logf("Found CRD with name %q", crd.Name)
 	}
-	crds = patchCRDConversion(crds, webhookOpts.URL, webhookOpts.CAPEM)
+	patchCRDConversion(crds, webhookOpts.URL, webhookOpts.CAPEM)
 
 	if _, err := envtest.InstallCRDs(config, envtest.CRDInstallOptions{
 		CRDs: crds,
@@ -97,26 +96,21 @@ func init() {
 	apiextensionsinstall.Install(internalScheme)
 }
 
-func patchCRDConversion(crds []apiextensionsv1.CustomResourceDefinition, url string, caPEM []byte) []apiextensionsv1.CustomResourceDefinition {
-	out := []apiextensionsv1.CustomResourceDefinition{}
+func patchCRDConversion(crds []apiextensionsv1.CustomResourceDefinition, url string, caPEM []byte) {
 	for _, crd := range crds {
 		for i := range crd.Spec.Versions {
 			crd.Spec.Versions[i].Served = true
 		}
 		if crd.Spec.Conversion == nil {
-			out = append(out, crd)
 			continue
 		}
 		if crd.Spec.Conversion.Webhook == nil {
-			out = append(out, crd)
 			continue
 		}
 		if crd.Spec.Conversion.Webhook.ClientConfig == nil {
-			out = append(out, crd)
 			continue
 		}
 		if crd.Spec.Conversion.Webhook.ClientConfig.Service == nil {
-			out = append(out, crd)
 			continue
 		}
 		path := ""
@@ -127,9 +121,7 @@ func patchCRDConversion(crds []apiextensionsv1.CustomResourceDefinition, url str
 		crd.Spec.Conversion.Webhook.ClientConfig.URL = &url
 		crd.Spec.Conversion.Webhook.ClientConfig.CABundle = caPEM
 		crd.Spec.Conversion.Webhook.ClientConfig.Service = nil
-		out = append(out, crd)
 	}
-	return out
 }
 
 func readCustomResourcesAtPath(t *testing.T, path string) []apiextensionsv1.CustomResourceDefinition {
@@ -263,16 +255,3 @@ func getMutatingWebhookConfig(url string, caPEM []byte) client.Object {
 
 	return &webhook
 }
-
-// patchCRDServed ensures that even the API versions which are not served are
-// available in the integration tests.
-// This workaround allows the conversion tests and the ctl convert tests to run.
-// TODO: Remove this workaround in cert-manager 1.7 when all the legacy API
-// versions will finally be removed.
-func patchCRDServed(crds []*v1.CustomResourceDefinition) {
-	for _, crd := range crds {
-		for i := range crd.Spec.Versions {
-			crd.Spec.Versions[i].Served = true
-		}
-	}
-}
diff --git a/workspace.bzl b/workspace.bzl
index deafebde6..1046365c8 100644
--- a/workspace.bzl
+++ b/workspace.bzl
@@ -33,6 +33,8 @@ def _parse_bazel_version(bazel_version):
 # Check that a minimum version of bazel is being used.
 def check_min_bazel_version(bazel_version):
     if "bazel_version" in dir(native) and native.bazel_version:
+        # native is a built-in Bazel module https://docs.bazel.build/versions/main/skylark/lib/native.html#modules.native
+        # native.bazel_version is only available in WORKSPACE, so this def can only ever be used in WORKSPACE
         current_bazel_version = _parse_bazel_version(native.bazel_version)
         minimum_bazel_version = _parse_bazel_version(bazel_version)
         if minimum_bazel_version > current_bazel_version: