helm: add cert-manager wrapper chart #3470

Draft
danish9039 wants to merge 4 commits into kubeflow:master from danish9039:gsoc/cert-manager-wrapper-chart

@danish9039
Member

Pull Request Template for Kubeflow Manifests

✏️ Summary of Changes

Adds an experimental Helm wrapper chart for cert-manager under experimental/helm/charts/cert-manager.

The chart wraps the upstream Jetstack cert-manager Helm chart at v1.19.4, keeps the cert-manager workloads in the cert-manager namespace, and adds the Kubeflow-specific resources from the current Kustomize overlay:

  • Namespace/cert-manager with the restricted Pod Security label
  • optional ClusterIssuer/kubeflow-self-signing-issuer
  • optional cert-manager NetworkPolicies

The default install renders the cert-manager base only. Kubeflow-specific extras are enabled through the Kubeflow CI values file after cert-manager CRDs are available, because ClusterIssuer cannot be created before the cert-manager CRDs are registered.

This PR also extends the Helm/Kustomize comparison tooling with cert-manager base and kubeflow scenarios. The cert-manager comparison renders Helm with release namespace kubeflow-system, while the cert-manager workloads remain in cert-manager, matching the platform-first install model.

📦 Dependencies

Depends on #3468 for the foundation chart install sequence described in the cert-manager chart README:

  • kubeflow-namespaces
  • kubeflow-platform

The cert-manager render comparison itself is independent and compares against the existing common/cert-manager Kustomize paths.

🐛 Related Issues

Part of the GSoC Project 5 Helm chart work.

✅ Contributor Checklist

  • I have tested these changes with kustomize. See Installation Prerequisites.
  • All commits are signed-off to satisfy the DCO check.
  • I have considered adding my company to the adopters page to support Kubeflow and help the community, since I expect help from the community for my issue (see 1. and 2.).

Validation

Ran locally:

```bash
helm lint experimental/helm/charts/cert-manager
./tests/helm_kustomize_compare.sh cert-manager base
./tests/helm_kustomize_compare.sh cert-manager kubeflow
./tests/helm_kustomize_compare_all.sh
git diff --check
```

Also ran a platform-order kind smoke test:

```bash
helm install kubeflow-namespaces /home/danish/opensource/gsoc/repos/manifests-platform-foundation-charts/experimental/helm/charts/kubeflow-namespaces
helm install kubeflow-platform /home/danish/opensource/gsoc/repos/manifests-platform-foundation-charts/experimental/helm/charts/kubeflow-platform --namespace kubeflow-system
helm install cert-manager experimental/helm/charts/cert-manager --namespace kubeflow-system --wait --timeout 5m
helm upgrade cert-manager experimental/helm/charts/cert-manager --namespace kubeflow-system --values experimental/helm/charts/cert-manager/ci/values-kubeflow.yaml --wait --timeout 5m
```

Observed:

  • kubeflow-platform and cert-manager Helm releases stored in kubeflow-system
  • cert-manager workloads running in cert-manager
  • cert-manager Deployments ready
  • cert-manager CRDs present
  • ClusterIssuer/kubeflow-self-signing-issuer ready
  • cert-manager NetworkPolicies present
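
The cert-manager namespace in this chart carries the restricted Pod Security label, so pods created in it must meet that profile. As an added example (not part of this PR or the Kubeflow comparison tooling), the code below checks parsed manifests against four container-level controls of the restricted profile, assuming the label is applied in `enforce` mode; the sample documents and the names `example-hardened` and `example-loose` are constructed.

```python
ENFORCE = "pod-security.kubernetes.io/enforce"
WORKLOADS = ("Deployment", "DaemonSet", "StatefulSet", "Job")

def restricted_namespaces(docs):
    """Names of rendered Namespaces labelled enforce=restricted."""
    return {d["metadata"]["name"] for d in docs if d.get("kind") == "Namespace"
            and d["metadata"].get("labels", {}).get(ENFORCE) == "restricted"}

def container_problems(pod_spec, c):
    """Restricted-profile fields (a subset) this container fails; pod-level values are inherited."""
    pod_sc = pod_spec.get("securityContext") or {}
    sc = c.get("securityContext") or {}
    problems = []
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be false")
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        problems.append("runAsNonRoot must be true")
    if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
        problems.append("capabilities.drop must include ALL")
    seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return problems

def restricted_violations(docs):
    """(workload, container, problem) for workloads in restricted namespaces."""
    restricted, found = restricted_namespaces(docs), []
    for d in docs:
        if d.get("kind") not in WORKLOADS or d["metadata"].get("namespace") not in restricted:
            continue
        spec = d["spec"]["template"]["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            found += [(f'{d["kind"]}/{d["metadata"]["name"]}', c["name"], p)
                      for p in container_problems(spec, c)]
    return found

def deployment(name, pod_sc, container_sc):  # builds constructed sample input
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": "cert-manager"},
            "spec": {"template": {"spec": {"securityContext": pod_sc, "containers": [
                {"name": "main", "securityContext": container_sc}]}}}}

SAMPLE = [  # constructed documents, not output of the chart in this PR
    {"kind": "Namespace", "metadata": {"name": "cert-manager", "labels": {ENFORCE: "restricted"}}},
    deployment("example-hardened", {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
               {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}),
    deployment("example-loose", {}, {"allowPrivilegeEscalation": False}),
]

if __name__ == "__main__":
    print("\n".join(": ".join(v) for v in restricted_violations(SAMPLE)))
```

The restricted profile also constrains volume types and host-level settings, which this check does not cover.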

Copilot AI review requested due to automatic review settings May 18, 2026 15:01
@google-oss-prow google-oss-prow Bot requested a review from juliusvonkohout May 18, 2026 15:01
@google-oss-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kimwnasptd for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow Bot requested a review from kimwnasptd May 18, 2026 15:02
@github-actions

Welcome to the Kubeflow Manifests Repository

Thanks for opening your first PR. Your contribution means a lot to the Kubeflow community.

Before making more PRs:
Please ensure your PR follows our Contributing Guide.
Please also be aware that many components are synchronized from upstream via the scripts in /scripts.
So in some cases you have to fix the problem in the upstream repositories first, but you can use a PR against kubeflow/manifests to test the platform integration.

Community Resources:

Thanks again for helping to improve Kubeflow.

Contributor

Copilot AI left a comment

Pull request overview

Adds an experimental Helm wrapper chart for cert-manager and wires it into the Helm/Kustomize comparison tooling.

Changes:

  • Introduces the cert-manager wrapper chart, values, templates, lock file, and README.
  • Adds Kubeflow-specific optional resources for the ClusterIssuer and NetworkPolicies.
  • Extends comparison scripts to cover cert-manager base and Kubeflow scenarios.

Reviewed changes

Copilot reviewed 11 out of 13 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .gitignore | Ignores generated Helm dependency archives. |
| experimental/helm/charts/cert-manager/.helmignore | Defines files excluded from chart packaging. |
| experimental/helm/charts/cert-manager/Chart.lock | Locks the Jetstack cert-manager chart dependency. |
| experimental/helm/charts/cert-manager/Chart.yaml | Defines the wrapper chart metadata and dependency. |
| experimental/helm/charts/cert-manager/README.md | Documents install and parity validation flow. |
| experimental/helm/charts/cert-manager/ci/values-base.yaml | Adds base comparison values. |
| experimental/helm/charts/cert-manager/ci/values-kubeflow.yaml | Adds Kubeflow comparison values. |
| experimental/helm/charts/cert-manager/templates/kubeflow-resources.yaml | Adds optional Kubeflow ClusterIssuer and NetworkPolicies. |
| experimental/helm/charts/cert-manager/templates/namespace.yaml | Adds the cert-manager namespace template. |
| experimental/helm/charts/cert-manager/values.yaml | Adds default wrapper chart values. |
| tests/helm_kustomize_compare.py | Allows cert-manager in manifest comparison. |
| tests/helm_kustomize_compare.sh | Adds cert-manager scenarios and rendering logic. |
| tests/helm_kustomize_compare_all.sh | Includes cert-manager in all-scenario comparison runs. |


```bash
helm install kubeflow-namespaces ./experimental/helm/charts/kubeflow-namespaces
helm install kubeflow-platform ./experimental/helm/charts/kubeflow-platform
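
Review bot: `helm install kubeflow-platform ./experimental/helm/charts/kubeflow-platform` has no `--namespace` flag, so the release is recorded in whatever namespace the current kubectl context defaults to, while the smoke test in the PR description installs the same chart with `--namespace kubeflow-system`. Add `--namespace kubeflow-system` to this line so the README matches the sequence that was tested.
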
Member Author

Fixed in the README: kubeflow-platform and cert-manager now use --namespace kubeflow-system.

namespace = sys.argv[5] if len(sys.argv) > 5 and not sys.argv[5].startswith('--') else ""

if component not in ["katib", "hub", "kserve-models-web-app"]:
if component not in ["katib", "hub", "kserve-models-web-app", "cert-manager"]:
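
Review bot: the component allowlist in `if component not in [...]` is an inline literal, so each new chart means editing this condition by hand; move the list to a named module-level constant (a name such as `SUPPORTED_COMPONENTS` is only a suggestion) and test membership against it. On the context line above, `namespace` silently becomes an empty string when the fifth argument is missing or starts with `--`; since the cert-manager scenario uses release namespace kubeflow-system while the workloads stay in cert-manager, a comment stating which of the two this argument carries would help.
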
Member Author

Fixed by preserving the Kubeflow cert-manager overlay labels on the overlay-owned resources during comparison.

@danish9039 danish9039 force-pushed the gsoc/cert-manager-wrapper-chart branch 2 times, most recently from 553f9c5 to 6b1d396 Compare May 19, 2026 19:12
@danish9039 danish9039 force-pushed the gsoc/cert-manager-wrapper-chart branch from 8cf2018 to e1f141d Compare May 25, 2026 16:04
@juliusvonkohout
Copy link
Copy Markdown
Member

Please first update kustomize to the latest available version in a separate PR.

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
@danish9039 danish9039 force-pushed the gsoc/cert-manager-wrapper-chart branch from e1f141d to a945009 Compare May 26, 2026 19:38
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>