Bump Cert Manager to 1.9.1

tests/integration/update_cluster/aws-lb-controller/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -41,7 +41,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: certmanager.io/k8s-1.16.yaml
-    manifestHash: fa3e4adb14fc2f64a688763b14c13aa599f17a03db832ce9e404983cfec43a97
+    manifestHash: 79bc70f8f9b7a91e97830ecaa8968a51e0c5b78318444cb5a44935e8f9f73aa1
     name: certmanager.io
     selector: null
     version: 9.99.0

tests/integration/update_cluster/aws-lb-controller/data/aws_s3_object_minimal.example.com-addons-certmanager.io-k8s-1.16_content

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificaterequests.cert-manager.io
 spec:
   conversion:
@@ -152,7 +152,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -279,7 +279,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificates.cert-manager.io
 spec:
   conversion:
@@ -511,6 +511,17 @@ spec:
                     - passwordSecretRef
                     type: object
                 type: object
+              literalSubject:
+                description: LiteralSubject is an LDAP formatted string that represents
+                  the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6).
+                  Use this *instead* of the Subject field if you need to ensure the
+                  correct ordering of the RDN sequence, such as when issuing certs
+                  for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203,
+                  https://github.com/cert-manager/cert-manager/issues/4424. This field
+                  is alpha level and is only supported by cert-manager installations
+                  where LiteralCertificateSubject feature gate is enabled on both
+                  cert-manager controller and webhook.
+                type: string
               privateKey:
                 description: Options to control private keys used for the Certificate.
                 properties:
@@ -658,7 +669,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -816,7 +827,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: challenges.acme.cert-manager.io
 spec:
   conversion:
@@ -1233,9 +1244,29 @@ spec:
                         properties:
                           accessKeyID:
                             description: 'The AccessKeyID is used for authentication.
-                              If not set we fall-back to using env vars, shared credentials
-                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              Cannot be set when SecretAccessKeyID is set. If neither
+                              the Access Key nor Key ID are set, we fall-back to using
+                              env vars, shared credentials file or AWS Instance metadata,
+                              see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                             type: string
+                          accessKeyIDSecretRef:
+                            description: 'The SecretAccessKey is used for authentication.
+                              If neither the Access Key nor Key ID are set, we fall-back
+                              to using env vars, shared credentials file or AWS Instance
+                              metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
                           hostedZoneID:
                             description: If set, the provider will manage only this
                               zone in Route53 and will not do an lookup using the
@@ -1868,10 +1899,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -1949,7 +1977,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2084,9 +2112,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2157,7 +2182,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2295,10 +2320,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -2376,7 +2398,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2511,9 +2533,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2584,7 +2603,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2802,7 +2821,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: clusterissuers.cert-manager.io
 spec:
   conversion:
@@ -4045,11 +4064,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4144,7 +4159,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4299,10 +4314,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4384,7 +4396,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -4546,11 +4558,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4645,7 +4653,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4800,10 +4808,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4885,7 +4890,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -5359,8 +5364,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -5368,7 +5371,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: issuers.cert-manager.io
 spec:
   conversion:
@@ -5884,10 +5887,33 @@ spec:
                               properties:
                                 accessKeyID:
                                   description: 'The AccessKeyID is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata see:
-                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    Cannot be set when SecretAccessKeyID is set. If
+                                    neither the Access Key nor Key ID are set, we
+                                    fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   type: string
+                                accessKeyIDSecretRef:
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If set, pull the AWS access key ID from a key
+                                    within a Kubernetes Secret. Cannot be set when
+                                    AccessKeyID is set. If neither the Access Key
+                                    nor Key ID are set, we fall-back to using env
+                                    vars, shared credentials file or AWS Instance
+                                    metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
                                 hostedZoneID:
                                   description: If set, the provider will manage only
                                     this zone in Route53 and will not do an lookup
@@ -5905,9 +5931,10 @@ spec:
                                     shared credentials file or AWS Instance metadata
                                   type: string
                                 secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If neither the Access Key nor Key ID are set,
+                                    we fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   properties:
                                     key:
                                       description: The key of the entry in the Secret
@@ -6610,11 +6637,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -6709,7 +6732,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -6864,10 +6887,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -6949,7 +6969,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7111,11 +7131,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -7210,7 +7226,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -7365,10 +7381,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -7450,7 +7463,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7924,8 +7937,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -7933,7 +7944,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: orders.acme.cert-manager.io
 spec:
   conversion:
@@ -8194,7 +8205,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 
@@ -8212,7 +8223,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 
@@ -8230,7 +8241,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 
@@ -8264,7 +8275,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 rules:
 - apiGroups:
@@ -8334,7 +8345,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 rules:
 - apiGroups:
@@ -8385,7 +8396,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 rules:
 - apiGroups:
@@ -8436,7 +8447,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 rules:
 - apiGroups:
@@ -8510,7 +8521,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 rules:
 - apiGroups:
@@ -8581,7 +8592,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 rules:
 - apiGroups:
@@ -8691,7 +8702,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 rules:
 - apiGroups:
@@ -8765,7 +8776,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -8804,7 +8815,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cert-manager-edit
@@ -8852,7 +8863,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 rules:
 - apiGroups:
@@ -8878,7 +8889,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 rules:
 - apiGroups:
@@ -8926,7 +8937,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 rules:
 - apiGroups:
@@ -8949,7 +8960,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8973,7 +8984,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8997,7 +9008,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9021,7 +9032,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9045,7 +9056,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9069,7 +9080,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9093,7 +9104,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9117,7 +9128,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9141,7 +9152,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9165,7 +9176,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9190,7 +9201,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 rules:
@@ -9225,7 +9236,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 rules:
@@ -9259,7 +9270,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 rules:
@@ -9294,7 +9305,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 roleRef:
@@ -9319,7 +9330,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 roleRef:
@@ -9345,7 +9356,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 roleRef:
@@ -9371,7 +9382,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9399,7 +9410,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9427,7 +9438,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 spec:
@@ -9445,7 +9456,7 @@ spec:
         app.kubernetes.io/component: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cainjector
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9467,7 +9478,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.8.0
+        image: quay.io/jetstack/cert-manager-cainjector:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         securityContext:
@@ -9496,7 +9507,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9518,7 +9529,7 @@ spec:
         app.kubernetes.io/component: controller
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9542,7 +9553,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.8.0
+        image: quay.io/jetstack/cert-manager-controller:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         ports:
@@ -9576,7 +9587,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9594,7 +9605,7 @@ spec:
         app.kubernetes.io/component: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: webhook
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9619,7 +9630,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.8.0
+        image: quay.io/jetstack/cert-manager-webhook:v1.9.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -9674,7 +9685,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:
@@ -9716,7 +9727,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:

tests/integration/update_cluster/irsa/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -41,7 +41,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: certmanager.io/k8s-1.16.yaml
-    manifestHash: fa3e4adb14fc2f64a688763b14c13aa599f17a03db832ce9e404983cfec43a97
+    manifestHash: 79bc70f8f9b7a91e97830ecaa8968a51e0c5b78318444cb5a44935e8f9f73aa1
     name: certmanager.io
     selector: null
     version: 9.99.0

tests/integration/update_cluster/irsa/data/aws_s3_object_minimal.example.com-addons-certmanager.io-k8s-1.16_content

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificaterequests.cert-manager.io
 spec:
   conversion:
@@ -152,7 +152,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -279,7 +279,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificates.cert-manager.io
 spec:
   conversion:
@@ -511,6 +511,17 @@ spec:
                     - passwordSecretRef
                     type: object
                 type: object
+              literalSubject:
+                description: LiteralSubject is an LDAP formatted string that represents
+                  the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6).
+                  Use this *instead* of the Subject field if you need to ensure the
+                  correct ordering of the RDN sequence, such as when issuing certs
+                  for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203,
+                  https://github.com/cert-manager/cert-manager/issues/4424. This field
+                  is alpha level and is only supported by cert-manager installations
+                  where LiteralCertificateSubject feature gate is enabled on both
+                  cert-manager controller and webhook.
+                type: string
               privateKey:
                 description: Options to control private keys used for the Certificate.
                 properties:
@@ -658,7 +669,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -816,7 +827,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: challenges.acme.cert-manager.io
 spec:
   conversion:
@@ -1233,9 +1244,29 @@ spec:
                         properties:
                           accessKeyID:
                             description: 'The AccessKeyID is used for authentication.
-                              If not set we fall-back to using env vars, shared credentials
-                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              Cannot be set when SecretAccessKeyID is set. If neither
+                              the Access Key nor Key ID are set, we fall-back to using
+                              env vars, shared credentials file or AWS Instance metadata,
+                              see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                             type: string
+                          accessKeyIDSecretRef:
+                            description: 'The SecretAccessKey is used for authentication.
+                              If neither the Access Key nor Key ID are set, we fall-back
+                              to using env vars, shared credentials file or AWS Instance
+                              metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
                           hostedZoneID:
                             description: If set, the provider will manage only this
                               zone in Route53 and will not do an lookup using the
@@ -1868,10 +1899,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -1949,7 +1977,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2084,9 +2112,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2157,7 +2182,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2295,10 +2320,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -2376,7 +2398,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2511,9 +2533,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2584,7 +2603,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2802,7 +2821,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: clusterissuers.cert-manager.io
 spec:
   conversion:
@@ -4045,11 +4064,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4144,7 +4159,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4299,10 +4314,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4384,7 +4396,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -4546,11 +4558,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4645,7 +4653,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4800,10 +4808,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4885,7 +4890,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -5359,8 +5364,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -5368,7 +5371,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: issuers.cert-manager.io
 spec:
   conversion:
@@ -5884,10 +5887,33 @@ spec:
                               properties:
                                 accessKeyID:
                                   description: 'The AccessKeyID is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata see:
-                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    Cannot be set when SecretAccessKeyID is set. If
+                                    neither the Access Key nor Key ID are set, we
+                                    fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   type: string
+                                accessKeyIDSecretRef:
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If set, pull the AWS access key ID from a key
+                                    within a Kubernetes Secret. Cannot be set when
+                                    AccessKeyID is set. If neither the Access Key
+                                    nor Key ID are set, we fall-back to using env
+                                    vars, shared credentials file or AWS Instance
+                                    metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
                                 hostedZoneID:
                                   description: If set, the provider will manage only
                                     this zone in Route53 and will not do an lookup
@@ -5905,9 +5931,10 @@ spec:
                                     shared credentials file or AWS Instance metadata
                                   type: string
                                 secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If neither the Access Key nor Key ID are set,
+                                    we fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   properties:
                                     key:
                                       description: The key of the entry in the Secret
@@ -6610,11 +6637,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -6709,7 +6732,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -6864,10 +6887,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -6949,7 +6969,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7111,11 +7131,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -7210,7 +7226,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -7365,10 +7381,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -7450,7 +7463,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7924,8 +7937,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -7933,7 +7944,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: orders.acme.cert-manager.io
 spec:
   conversion:
@@ -8194,7 +8205,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 
@@ -8212,7 +8223,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 
@@ -8230,7 +8241,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 
@@ -8264,7 +8275,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 rules:
 - apiGroups:
@@ -8334,7 +8345,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 rules:
 - apiGroups:
@@ -8385,7 +8396,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 rules:
 - apiGroups:
@@ -8436,7 +8447,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 rules:
 - apiGroups:
@@ -8510,7 +8521,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 rules:
 - apiGroups:
@@ -8581,7 +8592,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 rules:
 - apiGroups:
@@ -8691,7 +8702,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 rules:
 - apiGroups:
@@ -8765,7 +8776,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -8804,7 +8815,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cert-manager-edit
@@ -8852,7 +8863,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 rules:
 - apiGroups:
@@ -8878,7 +8889,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 rules:
 - apiGroups:
@@ -8926,7 +8937,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 rules:
 - apiGroups:
@@ -8949,7 +8960,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8973,7 +8984,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8997,7 +9008,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9021,7 +9032,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9045,7 +9056,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9069,7 +9080,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9093,7 +9104,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9117,7 +9128,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9141,7 +9152,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9165,7 +9176,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9190,7 +9201,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 rules:
@@ -9225,7 +9236,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 rules:
@@ -9259,7 +9270,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 rules:
@@ -9294,7 +9305,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 roleRef:
@@ -9319,7 +9330,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 roleRef:
@@ -9345,7 +9356,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 roleRef:
@@ -9371,7 +9382,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9399,7 +9410,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9427,7 +9438,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 spec:
@@ -9445,7 +9456,7 @@ spec:
         app.kubernetes.io/component: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cainjector
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9467,7 +9478,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.8.0
+        image: quay.io/jetstack/cert-manager-cainjector:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         securityContext:
@@ -9496,7 +9507,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9518,7 +9529,7 @@ spec:
         app.kubernetes.io/component: controller
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9542,7 +9553,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.8.0
+        image: quay.io/jetstack/cert-manager-controller:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         ports:
@@ -9576,7 +9587,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9594,7 +9605,7 @@ spec:
         app.kubernetes.io/component: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: webhook
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9619,7 +9630,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.8.0
+        image: quay.io/jetstack/cert-manager-webhook:v1.9.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -9674,7 +9685,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:
@@ -9716,7 +9727,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:

tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -48,7 +48,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: certmanager.io/k8s-1.16.yaml
-    manifestHash: fa3e4adb14fc2f64a688763b14c13aa599f17a03db832ce9e404983cfec43a97
+    manifestHash: 79bc70f8f9b7a91e97830ecaa8968a51e0c5b78318444cb5a44935e8f9f73aa1
     name: certmanager.io
     selector: null
     version: 9.99.0

tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-certmanager.io-k8s-1.16_content

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificaterequests.cert-manager.io
 spec:
   conversion:
@@ -152,7 +152,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -279,7 +279,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificates.cert-manager.io
 spec:
   conversion:
@@ -511,6 +511,17 @@ spec:
                     - passwordSecretRef
                     type: object
                 type: object
+              literalSubject:
+                description: LiteralSubject is an LDAP formatted string that represents
+                  the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6).
+                  Use this *instead* of the Subject field if you need to ensure the
+                  correct ordering of the RDN sequence, such as when issuing certs
+                  for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203,
+                  https://github.com/cert-manager/cert-manager/issues/4424. This field
+                  is alpha level and is only supported by cert-manager installations
+                  where LiteralCertificateSubject feature gate is enabled on both
+                  cert-manager controller and webhook.
+                type: string
               privateKey:
                 description: Options to control private keys used for the Certificate.
                 properties:
@@ -658,7 +669,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -816,7 +827,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: challenges.acme.cert-manager.io
 spec:
   conversion:
@@ -1233,9 +1244,29 @@ spec:
                         properties:
                           accessKeyID:
                             description: 'The AccessKeyID is used for authentication.
-                              If not set we fall-back to using env vars, shared credentials
-                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              Cannot be set when SecretAccessKeyID is set. If neither
+                              the Access Key nor Key ID are set, we fall-back to using
+                              env vars, shared credentials file or AWS Instance metadata,
+                              see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                             type: string
+                          accessKeyIDSecretRef:
+                            description: 'The SecretAccessKey is used for authentication.
+                              If neither the Access Key nor Key ID are set, we fall-back
+                              to using env vars, shared credentials file or AWS Instance
+                              metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
                           hostedZoneID:
                             description: If set, the provider will manage only this
                               zone in Route53 and will not do an lookup using the
@@ -1868,10 +1899,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -1949,7 +1977,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2084,9 +2112,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2157,7 +2182,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2295,10 +2320,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -2376,7 +2398,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2511,9 +2533,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2584,7 +2603,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2802,7 +2821,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: clusterissuers.cert-manager.io
 spec:
   conversion:
@@ -4045,11 +4064,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4144,7 +4159,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4299,10 +4314,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4384,7 +4396,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -4546,11 +4558,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4645,7 +4653,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4800,10 +4808,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4885,7 +4890,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -5359,8 +5364,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -5368,7 +5371,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: issuers.cert-manager.io
 spec:
   conversion:
@@ -5884,10 +5887,33 @@ spec:
                               properties:
                                 accessKeyID:
                                   description: 'The AccessKeyID is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata see:
-                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    Cannot be set when SecretAccessKeyID is set. If
+                                    neither the Access Key nor Key ID are set, we
+                                    fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   type: string
+                                accessKeyIDSecretRef:
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If set, pull the AWS access key ID from a key
+                                    within a Kubernetes Secret. Cannot be set when
+                                    AccessKeyID is set. If neither the Access Key
+                                    nor Key ID are set, we fall-back to using env
+                                    vars, shared credentials file or AWS Instance
+                                    metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
                                 hostedZoneID:
                                   description: If set, the provider will manage only
                                     this zone in Route53 and will not do an lookup
@@ -5905,9 +5931,10 @@ spec:
                                     shared credentials file or AWS Instance metadata
                                   type: string
                                 secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If neither the Access Key nor Key ID are set,
+                                    we fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   properties:
                                     key:
                                       description: The key of the entry in the Secret
@@ -6610,11 +6637,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -6709,7 +6732,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -6864,10 +6887,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -6949,7 +6969,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7111,11 +7131,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -7210,7 +7226,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -7365,10 +7381,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -7450,7 +7463,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7924,8 +7937,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -7933,7 +7944,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: orders.acme.cert-manager.io
 spec:
   conversion:
@@ -8194,7 +8205,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 
@@ -8212,7 +8223,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 
@@ -8230,7 +8241,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 
@@ -8264,7 +8275,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 rules:
 - apiGroups:
@@ -8334,7 +8345,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 rules:
 - apiGroups:
@@ -8385,7 +8396,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 rules:
 - apiGroups:
@@ -8436,7 +8447,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 rules:
 - apiGroups:
@@ -8510,7 +8521,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 rules:
 - apiGroups:
@@ -8581,7 +8592,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 rules:
 - apiGroups:
@@ -8691,7 +8702,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 rules:
 - apiGroups:
@@ -8765,7 +8776,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -8804,7 +8815,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cert-manager-edit
@@ -8852,7 +8863,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 rules:
 - apiGroups:
@@ -8878,7 +8889,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 rules:
 - apiGroups:
@@ -8926,7 +8937,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 rules:
 - apiGroups:
@@ -8949,7 +8960,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8973,7 +8984,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8997,7 +9008,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9021,7 +9032,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9045,7 +9056,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9069,7 +9080,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9093,7 +9104,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9117,7 +9128,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9141,7 +9152,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9165,7 +9176,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9190,7 +9201,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 rules:
@@ -9225,7 +9236,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 rules:
@@ -9259,7 +9270,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 rules:
@@ -9294,7 +9305,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 roleRef:
@@ -9319,7 +9330,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 roleRef:
@@ -9345,7 +9356,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 roleRef:
@@ -9371,7 +9382,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9399,7 +9410,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9427,7 +9438,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 spec:
@@ -9445,7 +9456,7 @@ spec:
         app.kubernetes.io/component: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cainjector
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9467,7 +9478,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.8.0
+        image: quay.io/jetstack/cert-manager-cainjector:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         securityContext:
@@ -9496,7 +9507,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9518,7 +9529,7 @@ spec:
         app.kubernetes.io/component: controller
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9542,7 +9553,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.8.0
+        image: quay.io/jetstack/cert-manager-controller:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         ports:
@@ -9576,7 +9587,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9594,7 +9605,7 @@ spec:
         app.kubernetes.io/component: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: webhook
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9619,7 +9630,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.8.0
+        image: quay.io/jetstack/cert-manager-webhook:v1.9.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -9674,7 +9685,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:
@@ -9716,7 +9727,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:

tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -55,7 +55,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: certmanager.io/k8s-1.16.yaml
-    manifestHash: fa3e4adb14fc2f64a688763b14c13aa599f17a03db832ce9e404983cfec43a97
+    manifestHash: 79bc70f8f9b7a91e97830ecaa8968a51e0c5b78318444cb5a44935e8f9f73aa1
     name: certmanager.io
     selector: null
     version: 9.99.0

tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-certmanager.io-k8s-1.16_content

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificaterequests.cert-manager.io
 spec:
   conversion:
@@ -152,7 +152,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -279,7 +279,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificates.cert-manager.io
 spec:
   conversion:
@@ -511,6 +511,17 @@ spec:
                     - passwordSecretRef
                     type: object
                 type: object
+              literalSubject:
+                description: LiteralSubject is an LDAP formatted string that represents
+                  the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6).
+                  Use this *instead* of the Subject field if you need to ensure the
+                  correct ordering of the RDN sequence, such as when issuing certs
+                  for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203,
+                  https://github.com/cert-manager/cert-manager/issues/4424. This field
+                  is alpha level and is only supported by cert-manager installations
+                  where LiteralCertificateSubject feature gate is enabled on both
+                  cert-manager controller and webhook.
+                type: string
               privateKey:
                 description: Options to control private keys used for the Certificate.
                 properties:
@@ -658,7 +669,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -816,7 +827,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: challenges.acme.cert-manager.io
 spec:
   conversion:
@@ -1233,9 +1244,29 @@ spec:
                         properties:
                           accessKeyID:
                             description: 'The AccessKeyID is used for authentication.
-                              If not set we fall-back to using env vars, shared credentials
-                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              Cannot be set when SecretAccessKeyID is set. If neither
+                              the Access Key nor Key ID are set, we fall-back to using
+                              env vars, shared credentials file or AWS Instance metadata,
+                              see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                             type: string
+                          accessKeyIDSecretRef:
+                            description: 'The SecretAccessKey is used for authentication.
+                              If neither the Access Key nor Key ID are set, we fall-back
+                              to using env vars, shared credentials file or AWS Instance
+                              metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
                           hostedZoneID:
                             description: If set, the provider will manage only this
                               zone in Route53 and will not do an lookup using the
@@ -1868,10 +1899,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -1949,7 +1977,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2084,9 +2112,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2157,7 +2182,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2295,10 +2320,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -2376,7 +2398,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2511,9 +2533,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2584,7 +2603,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2802,7 +2821,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: clusterissuers.cert-manager.io
 spec:
   conversion:
@@ -4045,11 +4064,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4144,7 +4159,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4299,10 +4314,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4384,7 +4396,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -4546,11 +4558,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4645,7 +4653,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4800,10 +4808,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4885,7 +4890,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -5359,8 +5364,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -5368,7 +5371,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: issuers.cert-manager.io
 spec:
   conversion:
@@ -5884,10 +5887,33 @@ spec:
                               properties:
                                 accessKeyID:
                                   description: 'The AccessKeyID is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata see:
-                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    Cannot be set when SecretAccessKeyID is set. If
+                                    neither the Access Key nor Key ID are set, we
+                                    fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   type: string
+                                accessKeyIDSecretRef:
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If set, pull the AWS access key ID from a key
+                                    within a Kubernetes Secret. Cannot be set when
+                                    AccessKeyID is set. If neither the Access Key
+                                    nor Key ID are set, we fall-back to using env
+                                    vars, shared credentials file or AWS Instance
+                                    metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
                                 hostedZoneID:
                                   description: If set, the provider will manage only
                                     this zone in Route53 and will not do an lookup
@@ -5905,9 +5931,10 @@ spec:
                                     shared credentials file or AWS Instance metadata
                                   type: string
                                 secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If neither the Access Key nor Key ID are set,
+                                    we fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   properties:
                                     key:
                                       description: The key of the entry in the Secret
@@ -6610,11 +6637,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -6709,7 +6732,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -6864,10 +6887,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -6949,7 +6969,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7111,11 +7131,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -7210,7 +7226,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -7365,10 +7381,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -7450,7 +7463,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7924,8 +7937,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -7933,7 +7944,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: orders.acme.cert-manager.io
 spec:
   conversion:
@@ -8194,7 +8205,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 
@@ -8212,7 +8223,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 
@@ -8230,7 +8241,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 
@@ -8264,7 +8275,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 rules:
 - apiGroups:
@@ -8334,7 +8345,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 rules:
 - apiGroups:
@@ -8385,7 +8396,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 rules:
 - apiGroups:
@@ -8436,7 +8447,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 rules:
 - apiGroups:
@@ -8510,7 +8521,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 rules:
 - apiGroups:
@@ -8581,7 +8592,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 rules:
 - apiGroups:
@@ -8691,7 +8702,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 rules:
 - apiGroups:
@@ -8765,7 +8776,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -8804,7 +8815,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cert-manager-edit
@@ -8852,7 +8863,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 rules:
 - apiGroups:
@@ -8878,7 +8889,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 rules:
 - apiGroups:
@@ -8926,7 +8937,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 rules:
 - apiGroups:
@@ -8949,7 +8960,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8973,7 +8984,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8997,7 +9008,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9021,7 +9032,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9045,7 +9056,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9069,7 +9080,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9093,7 +9104,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9117,7 +9128,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9141,7 +9152,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9165,7 +9176,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9190,7 +9201,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 rules:
@@ -9225,7 +9236,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 rules:
@@ -9259,7 +9270,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 rules:
@@ -9294,7 +9305,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 roleRef:
@@ -9319,7 +9330,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 roleRef:
@@ -9345,7 +9356,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 roleRef:
@@ -9371,7 +9382,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9399,7 +9410,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9427,7 +9438,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 spec:
@@ -9445,7 +9456,7 @@ spec:
         app.kubernetes.io/component: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cainjector
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9467,7 +9478,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.8.0
+        image: quay.io/jetstack/cert-manager-cainjector:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         securityContext:
@@ -9496,7 +9507,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9518,7 +9529,7 @@ spec:
         app.kubernetes.io/component: controller
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9542,7 +9553,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.8.0
+        image: quay.io/jetstack/cert-manager-controller:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         ports:
@@ -9576,7 +9587,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9594,7 +9605,7 @@ spec:
         app.kubernetes.io/component: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: webhook
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9619,7 +9630,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.8.0
+        image: quay.io/jetstack/cert-manager-webhook:v1.9.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -9674,7 +9685,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:
@@ -9716,7 +9727,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:

tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -55,7 +55,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: certmanager.io/k8s-1.16.yaml
-    manifestHash: fa3e4adb14fc2f64a688763b14c13aa599f17a03db832ce9e404983cfec43a97
+    manifestHash: 79bc70f8f9b7a91e97830ecaa8968a51e0c5b78318444cb5a44935e8f9f73aa1
     name: certmanager.io
     selector: null
     version: 9.99.0

tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-certmanager.io-k8s-1.16_content

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificaterequests.cert-manager.io
 spec:
   conversion:
@@ -152,7 +152,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -279,7 +279,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificates.cert-manager.io
 spec:
   conversion:
@@ -511,6 +511,17 @@ spec:
                     - passwordSecretRef
                     type: object
                 type: object
+              literalSubject:
+                description: LiteralSubject is an LDAP formatted string that represents
+                  the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6).
+                  Use this *instead* of the Subject field if you need to ensure the
+                  correct ordering of the RDN sequence, such as when issuing certs
+                  for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203,
+                  https://github.com/cert-manager/cert-manager/issues/4424. This field
+                  is alpha level and is only supported by cert-manager installations
+                  where LiteralCertificateSubject feature gate is enabled on both
+                  cert-manager controller and webhook.
+                type: string
               privateKey:
                 description: Options to control private keys used for the Certificate.
                 properties:
@@ -658,7 +669,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -816,7 +827,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: challenges.acme.cert-manager.io
 spec:
   conversion:
@@ -1233,9 +1244,29 @@ spec:
                         properties:
                           accessKeyID:
                             description: 'The AccessKeyID is used for authentication.
-                              If not set we fall-back to using env vars, shared credentials
-                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              Cannot be set when SecretAccessKeyID is set. If neither
+                              the Access Key nor Key ID are set, we fall-back to using
+                              env vars, shared credentials file or AWS Instance metadata,
+                              see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                             type: string
+                          accessKeyIDSecretRef:
+                            description: 'The SecretAccessKey is used for authentication.
+                              If neither the Access Key nor Key ID are set, we fall-back
+                              to using env vars, shared credentials file or AWS Instance
+                              metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
                           hostedZoneID:
                             description: If set, the provider will manage only this
                               zone in Route53 and will not do an lookup using the
@@ -1868,10 +1899,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -1949,7 +1977,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2084,9 +2112,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2157,7 +2182,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2295,10 +2320,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -2376,7 +2398,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2511,9 +2533,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2584,7 +2603,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2802,7 +2821,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: clusterissuers.cert-manager.io
 spec:
   conversion:
@@ -4045,11 +4064,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4144,7 +4159,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4299,10 +4314,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4384,7 +4396,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -4546,11 +4558,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4645,7 +4653,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4800,10 +4808,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4885,7 +4890,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -5359,8 +5364,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -5368,7 +5371,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: issuers.cert-manager.io
 spec:
   conversion:
@@ -5884,10 +5887,33 @@ spec:
                               properties:
                                 accessKeyID:
                                   description: 'The AccessKeyID is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata see:
-                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    Cannot be set when SecretAccessKeyID is set. If
+                                    neither the Access Key nor Key ID are set, we
+                                    fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   type: string
+                                accessKeyIDSecretRef:
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If set, pull the AWS access key ID from a key
+                                    within a Kubernetes Secret. Cannot be set when
+                                    AccessKeyID is set. If neither the Access Key
+                                    nor Key ID are set, we fall-back to using env
+                                    vars, shared credentials file or AWS Instance
+                                    metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
                                 hostedZoneID:
                                   description: If set, the provider will manage only
                                     this zone in Route53 and will not do an lookup
@@ -5905,9 +5931,10 @@ spec:
                                     shared credentials file or AWS Instance metadata
                                   type: string
                                 secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If neither the Access Key nor Key ID are set,
+                                    we fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   properties:
                                     key:
                                       description: The key of the entry in the Secret
@@ -6610,11 +6637,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -6709,7 +6732,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -6864,10 +6887,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -6949,7 +6969,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7111,11 +7131,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -7210,7 +7226,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -7365,10 +7381,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -7450,7 +7463,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7924,8 +7937,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -7933,7 +7944,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: orders.acme.cert-manager.io
 spec:
   conversion:
@@ -8194,7 +8205,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 
@@ -8212,7 +8223,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 
@@ -8230,7 +8241,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 
@@ -8264,7 +8275,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 rules:
 - apiGroups:
@@ -8334,7 +8345,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 rules:
 - apiGroups:
@@ -8385,7 +8396,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 rules:
 - apiGroups:
@@ -8436,7 +8447,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 rules:
 - apiGroups:
@@ -8510,7 +8521,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 rules:
 - apiGroups:
@@ -8581,7 +8592,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 rules:
 - apiGroups:
@@ -8691,7 +8702,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 rules:
 - apiGroups:
@@ -8765,7 +8776,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -8804,7 +8815,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cert-manager-edit
@@ -8852,7 +8863,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 rules:
 - apiGroups:
@@ -8878,7 +8889,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 rules:
 - apiGroups:
@@ -8926,7 +8937,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 rules:
 - apiGroups:
@@ -8949,7 +8960,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8973,7 +8984,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8997,7 +9008,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9021,7 +9032,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9045,7 +9056,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9069,7 +9080,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9093,7 +9104,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9117,7 +9128,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9141,7 +9152,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9165,7 +9176,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9190,7 +9201,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 rules:
@@ -9225,7 +9236,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 rules:
@@ -9259,7 +9270,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 rules:
@@ -9294,7 +9305,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 roleRef:
@@ -9319,7 +9330,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 roleRef:
@@ -9345,7 +9356,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 roleRef:
@@ -9371,7 +9382,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9399,7 +9410,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9427,7 +9438,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 spec:
@@ -9445,7 +9456,7 @@ spec:
         app.kubernetes.io/component: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cainjector
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9467,7 +9478,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.8.0
+        image: quay.io/jetstack/cert-manager-cainjector:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         securityContext:
@@ -9496,7 +9507,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9518,7 +9529,7 @@ spec:
         app.kubernetes.io/component: controller
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9542,7 +9553,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.8.0
+        image: quay.io/jetstack/cert-manager-controller:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         ports:
@@ -9576,7 +9587,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9594,7 +9605,7 @@ spec:
         app.kubernetes.io/component: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: webhook
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9619,7 +9630,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.8.0
+        image: quay.io/jetstack/cert-manager-webhook:v1.9.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -9674,7 +9685,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:
@@ -9716,7 +9727,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:

tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -55,7 +55,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: certmanager.io/k8s-1.16.yaml
-    manifestHash: fa3e4adb14fc2f64a688763b14c13aa599f17a03db832ce9e404983cfec43a97
+    manifestHash: 79bc70f8f9b7a91e97830ecaa8968a51e0c5b78318444cb5a44935e8f9f73aa1
     name: certmanager.io
     selector: null
     version: 9.99.0

tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-certmanager.io-k8s-1.16_content

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificaterequests.cert-manager.io
 spec:
   conversion:
@@ -152,7 +152,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -279,7 +279,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificates.cert-manager.io
 spec:
   conversion:
@@ -511,6 +511,17 @@ spec:
                     - passwordSecretRef
                     type: object
                 type: object
+              literalSubject:
+                description: LiteralSubject is an LDAP formatted string that represents
+                  the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6).
+                  Use this *instead* of the Subject field if you need to ensure the
+                  correct ordering of the RDN sequence, such as when issuing certs
+                  for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203,
+                  https://github.com/cert-manager/cert-manager/issues/4424. This field
+                  is alpha level and is only supported by cert-manager installations
+                  where LiteralCertificateSubject feature gate is enabled on both
+                  cert-manager controller and webhook.
+                type: string
               privateKey:
                 description: Options to control private keys used for the Certificate.
                 properties:
@@ -658,7 +669,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -816,7 +827,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: challenges.acme.cert-manager.io
 spec:
   conversion:
@@ -1233,9 +1244,29 @@ spec:
                         properties:
                           accessKeyID:
                             description: 'The AccessKeyID is used for authentication.
-                              If not set we fall-back to using env vars, shared credentials
-                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              Cannot be set when SecretAccessKeyID is set. If neither
+                              the Access Key nor Key ID are set, we fall-back to using
+                              env vars, shared credentials file or AWS Instance metadata,
+                              see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                             type: string
+                          accessKeyIDSecretRef:
+                            description: 'The SecretAccessKey is used for authentication.
+                              If neither the Access Key nor Key ID are set, we fall-back
+                              to using env vars, shared credentials file or AWS Instance
+                              metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
                           hostedZoneID:
                             description: If set, the provider will manage only this
                               zone in Route53 and will not do an lookup using the
@@ -1868,10 +1899,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -1949,7 +1977,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2084,9 +2112,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2157,7 +2182,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2295,10 +2320,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -2376,7 +2398,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2511,9 +2533,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2584,7 +2603,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2802,7 +2821,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: clusterissuers.cert-manager.io
 spec:
   conversion:
@@ -4045,11 +4064,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4144,7 +4159,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4299,10 +4314,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4384,7 +4396,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -4546,11 +4558,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4645,7 +4653,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4800,10 +4808,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4885,7 +4890,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -5359,8 +5364,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -5368,7 +5371,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: issuers.cert-manager.io
 spec:
   conversion:
@@ -5884,10 +5887,33 @@ spec:
                               properties:
                                 accessKeyID:
                                   description: 'The AccessKeyID is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata see:
-                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    Cannot be set when SecretAccessKeyID is set. If
+                                    neither the Access Key nor Key ID are set, we
+                                    fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   type: string
+                                accessKeyIDSecretRef:
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If set, pull the AWS access key ID from a key
+                                    within a Kubernetes Secret. Cannot be set when
+                                    AccessKeyID is set. If neither the Access Key
+                                    nor Key ID are set, we fall-back to using env
+                                    vars, shared credentials file or AWS Instance
+                                    metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
                                 hostedZoneID:
                                   description: If set, the provider will manage only
                                     this zone in Route53 and will not do an lookup
@@ -5905,9 +5931,10 @@ spec:
                                     shared credentials file or AWS Instance metadata
                                   type: string
                                 secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If neither the Access Key nor Key ID are set,
+                                    we fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   properties:
                                     key:
                                       description: The key of the entry in the Secret
@@ -6610,11 +6637,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -6709,7 +6732,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -6864,10 +6887,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -6949,7 +6969,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7111,11 +7131,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -7210,7 +7226,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -7365,10 +7381,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -7450,7 +7463,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7924,8 +7937,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -7933,7 +7944,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: orders.acme.cert-manager.io
 spec:
   conversion:
@@ -8194,7 +8205,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 
@@ -8212,7 +8223,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 
@@ -8230,7 +8241,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 
@@ -8264,7 +8275,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 rules:
 - apiGroups:
@@ -8334,7 +8345,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 rules:
 - apiGroups:
@@ -8385,7 +8396,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 rules:
 - apiGroups:
@@ -8436,7 +8447,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 rules:
 - apiGroups:
@@ -8510,7 +8521,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 rules:
 - apiGroups:
@@ -8581,7 +8592,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 rules:
 - apiGroups:
@@ -8691,7 +8702,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 rules:
 - apiGroups:
@@ -8765,7 +8776,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -8804,7 +8815,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cert-manager-edit
@@ -8852,7 +8863,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 rules:
 - apiGroups:
@@ -8878,7 +8889,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 rules:
 - apiGroups:
@@ -8926,7 +8937,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 rules:
 - apiGroups:
@@ -8949,7 +8960,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8973,7 +8984,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8997,7 +9008,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9021,7 +9032,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9045,7 +9056,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9069,7 +9080,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9093,7 +9104,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9117,7 +9128,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9141,7 +9152,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9165,7 +9176,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9190,7 +9201,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 rules:
@@ -9225,7 +9236,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 rules:
@@ -9259,7 +9270,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 rules:
@@ -9294,7 +9305,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 roleRef:
@@ -9319,7 +9330,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 roleRef:
@@ -9345,7 +9356,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 roleRef:
@@ -9371,7 +9382,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9399,7 +9410,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9427,7 +9438,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 spec:
@@ -9445,7 +9456,7 @@ spec:
         app.kubernetes.io/component: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cainjector
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9467,7 +9478,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.8.0
+        image: quay.io/jetstack/cert-manager-cainjector:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         securityContext:
@@ -9496,7 +9507,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9518,7 +9529,7 @@ spec:
         app.kubernetes.io/component: controller
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9542,7 +9553,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.8.0
+        image: quay.io/jetstack/cert-manager-controller:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         ports:
@@ -9576,7 +9587,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9594,7 +9605,7 @@ spec:
         app.kubernetes.io/component: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: webhook
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9619,7 +9630,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.8.0
+        image: quay.io/jetstack/cert-manager-webhook:v1.9.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -9674,7 +9685,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:
@@ -9716,7 +9727,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:

tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -48,7 +48,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: certmanager.io/k8s-1.16.yaml
-    manifestHash: fa3e4adb14fc2f64a688763b14c13aa599f17a03db832ce9e404983cfec43a97
+    manifestHash: 79bc70f8f9b7a91e97830ecaa8968a51e0c5b78318444cb5a44935e8f9f73aa1
     name: certmanager.io
     selector: null
     version: 9.99.0

tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-certmanager.io-k8s-1.16_content

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificaterequests.cert-manager.io
 spec:
   conversion:
@@ -152,7 +152,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -279,7 +279,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificates.cert-manager.io
 spec:
   conversion:
@@ -511,6 +511,17 @@ spec:
                     - passwordSecretRef
                     type: object
                 type: object
+              literalSubject:
+                description: LiteralSubject is an LDAP formatted string that represents
+                  the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6).
+                  Use this *instead* of the Subject field if you need to ensure the
+                  correct ordering of the RDN sequence, such as when issuing certs
+                  for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203,
+                  https://github.com/cert-manager/cert-manager/issues/4424. This field
+                  is alpha level and is only supported by cert-manager installations
+                  where LiteralCertificateSubject feature gate is enabled on both
+                  cert-manager controller and webhook.
+                type: string
               privateKey:
                 description: Options to control private keys used for the Certificate.
                 properties:
@@ -658,7 +669,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -816,7 +827,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: challenges.acme.cert-manager.io
 spec:
   conversion:
@@ -1233,9 +1244,29 @@ spec:
                         properties:
                           accessKeyID:
                             description: 'The AccessKeyID is used for authentication.
-                              If not set we fall-back to using env vars, shared credentials
-                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              Cannot be set when SecretAccessKeyID is set. If neither
+                              the Access Key nor Key ID are set, we fall-back to using
+                              env vars, shared credentials file or AWS Instance metadata,
+                              see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                             type: string
+                          accessKeyIDSecretRef:
+                            description: 'The SecretAccessKey is used for authentication.
+                              If neither the Access Key nor Key ID are set, we fall-back
+                              to using env vars, shared credentials file or AWS Instance
+                              metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
                           hostedZoneID:
                             description: If set, the provider will manage only this
                               zone in Route53 and will not do an lookup using the
@@ -1868,10 +1899,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -1949,7 +1977,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2084,9 +2112,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2157,7 +2182,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2295,10 +2320,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -2376,7 +2398,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2511,9 +2533,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2584,7 +2603,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2802,7 +2821,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: clusterissuers.cert-manager.io
 spec:
   conversion:
@@ -4045,11 +4064,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4144,7 +4159,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4299,10 +4314,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4384,7 +4396,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -4546,11 +4558,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4645,7 +4653,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4800,10 +4808,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4885,7 +4890,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -5359,8 +5364,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -5368,7 +5371,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: issuers.cert-manager.io
 spec:
   conversion:
@@ -5884,10 +5887,33 @@ spec:
                               properties:
                                 accessKeyID:
                                   description: 'The AccessKeyID is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata see:
-                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    Cannot be set when SecretAccessKeyID is set. If
+                                    neither the Access Key nor Key ID are set, we
+                                    fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   type: string
+                                accessKeyIDSecretRef:
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If set, pull the AWS access key ID from a key
+                                    within a Kubernetes Secret. Cannot be set when
+                                    AccessKeyID is set. If neither the Access Key
+                                    nor Key ID are set, we fall-back to using env
+                                    vars, shared credentials file or AWS Instance
+                                    metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
                                 hostedZoneID:
                                   description: If set, the provider will manage only
                                     this zone in Route53 and will not do an lookup
@@ -5905,9 +5931,10 @@ spec:
                                     shared credentials file or AWS Instance metadata
                                   type: string
                                 secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If neither the Access Key nor Key ID are set,
+                                    we fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   properties:
                                     key:
                                       description: The key of the entry in the Secret
@@ -6610,11 +6637,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -6709,7 +6732,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -6864,10 +6887,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -6949,7 +6969,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7111,11 +7131,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -7210,7 +7226,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -7365,10 +7381,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -7450,7 +7463,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7924,8 +7937,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -7933,7 +7944,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: orders.acme.cert-manager.io
 spec:
   conversion:
@@ -8194,7 +8205,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 
@@ -8212,7 +8223,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 
@@ -8230,7 +8241,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 
@@ -8264,7 +8275,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 rules:
 - apiGroups:
@@ -8334,7 +8345,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 rules:
 - apiGroups:
@@ -8385,7 +8396,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 rules:
 - apiGroups:
@@ -8436,7 +8447,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 rules:
 - apiGroups:
@@ -8510,7 +8521,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 rules:
 - apiGroups:
@@ -8581,7 +8592,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 rules:
 - apiGroups:
@@ -8691,7 +8702,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 rules:
 - apiGroups:
@@ -8765,7 +8776,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -8804,7 +8815,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cert-manager-edit
@@ -8852,7 +8863,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 rules:
 - apiGroups:
@@ -8878,7 +8889,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 rules:
 - apiGroups:
@@ -8926,7 +8937,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 rules:
 - apiGroups:
@@ -8949,7 +8960,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8973,7 +8984,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8997,7 +9008,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9021,7 +9032,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9045,7 +9056,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9069,7 +9080,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9093,7 +9104,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9117,7 +9128,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9141,7 +9152,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9165,7 +9176,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9190,7 +9201,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 rules:
@@ -9225,7 +9236,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 rules:
@@ -9259,7 +9270,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 rules:
@@ -9294,7 +9305,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 roleRef:
@@ -9319,7 +9330,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 roleRef:
@@ -9345,7 +9356,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 roleRef:
@@ -9371,7 +9382,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9399,7 +9410,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9427,7 +9438,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 spec:
@@ -9445,7 +9456,7 @@ spec:
         app.kubernetes.io/component: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cainjector
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9467,7 +9478,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.8.0
+        image: quay.io/jetstack/cert-manager-cainjector:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         securityContext:
@@ -9496,7 +9507,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9518,7 +9529,7 @@ spec:
         app.kubernetes.io/component: controller
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9542,7 +9553,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.8.0
+        image: quay.io/jetstack/cert-manager-controller:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         ports:
@@ -9576,7 +9587,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9594,7 +9605,7 @@ spec:
         app.kubernetes.io/component: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: webhook
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9619,7 +9630,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.8.0
+        image: quay.io/jetstack/cert-manager-webhook:v1.9.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -9674,7 +9685,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:
@@ -9716,7 +9727,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:

tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -48,7 +48,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: certmanager.io/k8s-1.16.yaml
-    manifestHash: fa3e4adb14fc2f64a688763b14c13aa599f17a03db832ce9e404983cfec43a97
+    manifestHash: 79bc70f8f9b7a91e97830ecaa8968a51e0c5b78318444cb5a44935e8f9f73aa1
     name: certmanager.io
     selector: null
     version: 9.99.0

tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-certmanager.io-k8s-1.16_content

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificaterequests.cert-manager.io
 spec:
   conversion:
@@ -152,7 +152,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -279,7 +279,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificates.cert-manager.io
 spec:
   conversion:
@@ -511,6 +511,17 @@ spec:
                     - passwordSecretRef
                     type: object
                 type: object
+              literalSubject:
+                description: LiteralSubject is an LDAP formatted string that represents
+                  the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6).
+                  Use this *instead* of the Subject field if you need to ensure the
+                  correct ordering of the RDN sequence, such as when issuing certs
+                  for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203,
+                  https://github.com/cert-manager/cert-manager/issues/4424. This field
+                  is alpha level and is only supported by cert-manager installations
+                  where LiteralCertificateSubject feature gate is enabled on both
+                  cert-manager controller and webhook.
+                type: string
               privateKey:
                 description: Options to control private keys used for the Certificate.
                 properties:
@@ -658,7 +669,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -816,7 +827,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: challenges.acme.cert-manager.io
 spec:
   conversion:
@@ -1233,9 +1244,29 @@ spec:
                         properties:
                           accessKeyID:
                             description: 'The AccessKeyID is used for authentication.
-                              If not set we fall-back to using env vars, shared credentials
-                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              Cannot be set when SecretAccessKeyID is set. If neither
+                              the Access Key nor Key ID are set, we fall-back to using
+                              env vars, shared credentials file or AWS Instance metadata,
+                              see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                             type: string
+                          accessKeyIDSecretRef:
+                            description: 'The SecretAccessKey is used for authentication.
+                              If neither the Access Key nor Key ID are set, we fall-back
+                              to using env vars, shared credentials file or AWS Instance
+                              metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
                           hostedZoneID:
                             description: If set, the provider will manage only this
                               zone in Route53 and will not do an lookup using the
@@ -1868,10 +1899,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -1949,7 +1977,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2084,9 +2112,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2157,7 +2182,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2295,10 +2320,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -2376,7 +2398,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2511,9 +2533,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2584,7 +2603,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2802,7 +2821,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: clusterissuers.cert-manager.io
 spec:
   conversion:
@@ -4045,11 +4064,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4144,7 +4159,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4299,10 +4314,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4384,7 +4396,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -4546,11 +4558,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4645,7 +4653,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4800,10 +4808,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4885,7 +4890,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -5359,8 +5364,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -5368,7 +5371,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: issuers.cert-manager.io
 spec:
   conversion:
@@ -5884,10 +5887,33 @@ spec:
                               properties:
                                 accessKeyID:
                                   description: 'The AccessKeyID is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata see:
-                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    Cannot be set when SecretAccessKeyID is set. If
+                                    neither the Access Key nor Key ID are set, we
+                                    fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   type: string
+                                accessKeyIDSecretRef:
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If set, pull the AWS access key ID from a key
+                                    within a Kubernetes Secret. Cannot be set when
+                                    AccessKeyID is set. If neither the Access Key
+                                    nor Key ID are set, we fall-back to using env
+                                    vars, shared credentials file or AWS Instance
+                                    metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
                                 hostedZoneID:
                                   description: If set, the provider will manage only
                                     this zone in Route53 and will not do an lookup
@@ -5905,9 +5931,10 @@ spec:
                                     shared credentials file or AWS Instance metadata
                                   type: string
                                 secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If neither the Access Key nor Key ID are set,
+                                    we fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   properties:
                                     key:
                                       description: The key of the entry in the Secret
@@ -6610,11 +6637,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -6709,7 +6732,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -6864,10 +6887,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -6949,7 +6969,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7111,11 +7131,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -7210,7 +7226,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -7365,10 +7381,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -7450,7 +7463,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7924,8 +7937,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -7933,7 +7944,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: orders.acme.cert-manager.io
 spec:
   conversion:
@@ -8194,7 +8205,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 
@@ -8212,7 +8223,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 
@@ -8230,7 +8241,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 
@@ -8264,7 +8275,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 rules:
 - apiGroups:
@@ -8334,7 +8345,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 rules:
 - apiGroups:
@@ -8385,7 +8396,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 rules:
 - apiGroups:
@@ -8436,7 +8447,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 rules:
 - apiGroups:
@@ -8510,7 +8521,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 rules:
 - apiGroups:
@@ -8581,7 +8592,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 rules:
 - apiGroups:
@@ -8691,7 +8702,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 rules:
 - apiGroups:
@@ -8765,7 +8776,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -8804,7 +8815,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cert-manager-edit
@@ -8852,7 +8863,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 rules:
 - apiGroups:
@@ -8878,7 +8889,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 rules:
 - apiGroups:
@@ -8926,7 +8937,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 rules:
 - apiGroups:
@@ -8949,7 +8960,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8973,7 +8984,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8997,7 +9008,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9021,7 +9032,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9045,7 +9056,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9069,7 +9080,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9093,7 +9104,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9117,7 +9128,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9141,7 +9152,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9165,7 +9176,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9190,7 +9201,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 rules:
@@ -9225,7 +9236,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 rules:
@@ -9259,7 +9270,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 rules:
@@ -9294,7 +9305,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 roleRef:
@@ -9319,7 +9330,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 roleRef:
@@ -9345,7 +9356,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 roleRef:
@@ -9371,7 +9382,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9399,7 +9410,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9427,7 +9438,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 spec:
@@ -9445,7 +9456,7 @@ spec:
         app.kubernetes.io/component: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cainjector
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9467,7 +9478,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.8.0
+        image: quay.io/jetstack/cert-manager-cainjector:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         securityContext:
@@ -9496,7 +9507,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9518,7 +9529,7 @@ spec:
         app.kubernetes.io/component: controller
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9542,7 +9553,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.8.0
+        image: quay.io/jetstack/cert-manager-controller:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         ports:
@@ -9576,7 +9587,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9594,7 +9605,7 @@ spec:
         app.kubernetes.io/component: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: webhook
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9619,7 +9630,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.8.0
+        image: quay.io/jetstack/cert-manager-webhook:v1.9.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -9674,7 +9685,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:
@@ -9716,7 +9727,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:

tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -48,7 +48,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: certmanager.io/k8s-1.16.yaml
-    manifestHash: fa3e4adb14fc2f64a688763b14c13aa599f17a03db832ce9e404983cfec43a97
+    manifestHash: 79bc70f8f9b7a91e97830ecaa8968a51e0c5b78318444cb5a44935e8f9f73aa1
     name: certmanager.io
     selector: null
     version: 9.99.0

tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-certmanager.io-k8s-1.16_content

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificaterequests.cert-manager.io
 spec:
   conversion:
@@ -152,7 +152,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -279,7 +279,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificates.cert-manager.io
 spec:
   conversion:
@@ -511,6 +511,17 @@ spec:
                     - passwordSecretRef
                     type: object
                 type: object
+              literalSubject:
+                description: LiteralSubject is an LDAP formatted string that represents
+                  the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6).
+                  Use this *instead* of the Subject field if you need to ensure the
+                  correct ordering of the RDN sequence, such as when issuing certs
+                  for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203,
+                  https://github.com/cert-manager/cert-manager/issues/4424. This field
+                  is alpha level and is only supported by cert-manager installations
+                  where LiteralCertificateSubject feature gate is enabled on both
+                  cert-manager controller and webhook.
+                type: string
               privateKey:
                 description: Options to control private keys used for the Certificate.
                 properties:
@@ -658,7 +669,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -816,7 +827,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: challenges.acme.cert-manager.io
 spec:
   conversion:
@@ -1233,9 +1244,29 @@ spec:
                         properties:
                           accessKeyID:
                             description: 'The AccessKeyID is used for authentication.
-                              If not set we fall-back to using env vars, shared credentials
-                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              Cannot be set when SecretAccessKeyID is set. If neither
+                              the Access Key nor Key ID are set, we fall-back to using
+                              env vars, shared credentials file or AWS Instance metadata,
+                              see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                             type: string
+                          accessKeyIDSecretRef:
+                            description: 'The SecretAccessKey is used for authentication.
+                              If neither the Access Key nor Key ID are set, we fall-back
+                              to using env vars, shared credentials file or AWS Instance
+                              metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
                           hostedZoneID:
                             description: If set, the provider will manage only this
                               zone in Route53 and will not do an lookup using the
@@ -1868,10 +1899,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -1949,7 +1977,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2084,9 +2112,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2157,7 +2182,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2295,10 +2320,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -2376,7 +2398,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2511,9 +2533,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2584,7 +2603,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2802,7 +2821,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: clusterissuers.cert-manager.io
 spec:
   conversion:
@@ -4045,11 +4064,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4144,7 +4159,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4299,10 +4314,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4384,7 +4396,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -4546,11 +4558,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4645,7 +4653,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4800,10 +4808,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4885,7 +4890,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -5359,8 +5364,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -5368,7 +5371,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: issuers.cert-manager.io
 spec:
   conversion:
@@ -5884,10 +5887,33 @@ spec:
                               properties:
                                 accessKeyID:
                                   description: 'The AccessKeyID is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata see:
-                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    Cannot be set when SecretAccessKeyID is set. If
+                                    neither the Access Key nor Key ID are set, we
+                                    fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   type: string
+                                accessKeyIDSecretRef:
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If set, pull the AWS access key ID from a key
+                                    within a Kubernetes Secret. Cannot be set when
+                                    AccessKeyID is set. If neither the Access Key
+                                    nor Key ID are set, we fall-back to using env
+                                    vars, shared credentials file or AWS Instance
+                                    metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
                                 hostedZoneID:
                                   description: If set, the provider will manage only
                                     this zone in Route53 and will not do an lookup
@@ -5905,9 +5931,10 @@ spec:
                                     shared credentials file or AWS Instance metadata
                                   type: string
                                 secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If neither the Access Key nor Key ID are set,
+                                    we fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   properties:
                                     key:
                                       description: The key of the entry in the Secret
@@ -6610,11 +6637,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -6709,7 +6732,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -6864,10 +6887,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -6949,7 +6969,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7111,11 +7131,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -7210,7 +7226,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -7365,10 +7381,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -7450,7 +7463,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7924,8 +7937,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -7933,7 +7944,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: orders.acme.cert-manager.io
 spec:
   conversion:
@@ -8194,7 +8205,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 
@@ -8212,7 +8223,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 
@@ -8230,7 +8241,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 
@@ -8264,7 +8275,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 rules:
 - apiGroups:
@@ -8334,7 +8345,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 rules:
 - apiGroups:
@@ -8385,7 +8396,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 rules:
 - apiGroups:
@@ -8436,7 +8447,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 rules:
 - apiGroups:
@@ -8510,7 +8521,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 rules:
 - apiGroups:
@@ -8581,7 +8592,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 rules:
 - apiGroups:
@@ -8691,7 +8702,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 rules:
 - apiGroups:
@@ -8765,7 +8776,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -8804,7 +8815,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cert-manager-edit
@@ -8852,7 +8863,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 rules:
 - apiGroups:
@@ -8878,7 +8889,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 rules:
 - apiGroups:
@@ -8926,7 +8937,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 rules:
 - apiGroups:
@@ -8949,7 +8960,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8973,7 +8984,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8997,7 +9008,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9021,7 +9032,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9045,7 +9056,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9069,7 +9080,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9093,7 +9104,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9117,7 +9128,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9141,7 +9152,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9165,7 +9176,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9190,7 +9201,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 rules:
@@ -9225,7 +9236,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 rules:
@@ -9259,7 +9270,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 rules:
@@ -9294,7 +9305,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 roleRef:
@@ -9319,7 +9330,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 roleRef:
@@ -9345,7 +9356,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 roleRef:
@@ -9371,7 +9382,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9399,7 +9410,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9427,7 +9438,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 spec:
@@ -9445,7 +9456,7 @@ spec:
         app.kubernetes.io/component: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cainjector
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9467,7 +9478,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.8.0
+        image: quay.io/jetstack/cert-manager-cainjector:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         securityContext:
@@ -9496,7 +9507,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9518,7 +9529,7 @@ spec:
         app.kubernetes.io/component: controller
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9542,7 +9553,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.8.0
+        image: quay.io/jetstack/cert-manager-controller:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         ports:
@@ -9576,7 +9587,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9594,7 +9605,7 @@ spec:
         app.kubernetes.io/component: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: webhook
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9619,7 +9630,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.8.0
+        image: quay.io/jetstack/cert-manager-webhook:v1.9.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -9674,7 +9685,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:
@@ -9716,7 +9727,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:

tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content

@@ -48,7 +48,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: certmanager.io/k8s-1.16.yaml
-    manifestHash: fa3e4adb14fc2f64a688763b14c13aa599f17a03db832ce9e404983cfec43a97
+    manifestHash: 79bc70f8f9b7a91e97830ecaa8968a51e0c5b78318444cb5a44935e8f9f73aa1
     name: certmanager.io
     selector: null
     version: 9.99.0

tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-certmanager.io-k8s-1.16_content

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificaterequests.cert-manager.io
 spec:
   conversion:
@@ -152,7 +152,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -279,7 +279,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: certificates.cert-manager.io
 spec:
   conversion:
@@ -511,6 +511,17 @@ spec:
                     - passwordSecretRef
                     type: object
                 type: object
+              literalSubject:
+                description: LiteralSubject is an LDAP formatted string that represents
+                  the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6).
+                  Use this *instead* of the Subject field if you need to ensure the
+                  correct ordering of the RDN sequence, such as when issuing certs
+                  for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203,
+                  https://github.com/cert-manager/cert-manager/issues/4424. This field
+                  is alpha level and is only supported by cert-manager installations
+                  where LiteralCertificateSubject feature gate is enabled on both
+                  cert-manager controller and webhook.
+                type: string
               privateKey:
                 description: Options to control private keys used for the Certificate.
                 properties:
@@ -658,7 +669,7 @@ spec:
                   if not specified.
                 items:
                   description: 'KeyUsage specifies valid usage contexts for keys.
-                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+                    See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12
                     Valid KeyUsage values are as follows: "signing", "digital signature",
                     "content commitment", "key encipherment", "key agreement", "data
                     encipherment", "cert sign", "crl sign", "encipher only", "decipher
@@ -816,7 +827,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: challenges.acme.cert-manager.io
 spec:
   conversion:
@@ -1233,9 +1244,29 @@ spec:
                         properties:
                           accessKeyID:
                             description: 'The AccessKeyID is used for authentication.
-                              If not set we fall-back to using env vars, shared credentials
-                              file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              Cannot be set when SecretAccessKeyID is set. If neither
+                              the Access Key nor Key ID are set, we fall-back to using
+                              env vars, shared credentials file or AWS Instance metadata,
+                              see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                             type: string
+                          accessKeyIDSecretRef:
+                            description: 'The SecretAccessKey is used for authentication.
+                              If neither the Access Key nor Key ID are set, we fall-back
+                              to using env vars, shared credentials file or AWS Instance
+                              metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: 'Name of the resource being referred
+                                  to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                type: string
+                            required:
+                            - name
+                            type: object
                           hostedZoneID:
                             description: If set, the provider will manage only this
                               zone in Route53 and will not do an lookup using the
@@ -1868,10 +1899,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -1949,7 +1977,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2084,9 +2112,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2157,7 +2182,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2295,10 +2320,7 @@ spec:
                                                         namespaces list means "this
                                                         pod's namespace". An empty
                                                         selector ({}) matches all
-                                                        namespaces. This field is
-                                                        beta-level and is only honored
-                                                        when PodAffinityNamespaceSelector
-                                                        feature is enabled.
+                                                        namespaces.
                                                       properties:
                                                         matchExpressions:
                                                           description: matchExpressions
@@ -2376,7 +2398,7 @@ spec:
                                                         ones selected by namespaceSelector.
                                                         null or empty namespaces list
                                                         and null namespaceSelector
-                                                        means "this pod's namespace"
+                                                        means "this pod's namespace".
                                                       items:
                                                         type: string
                                                       type: array
@@ -2511,9 +2533,6 @@ spec:
                                                     or empty namespaces list means
                                                     "this pod's namespace". An empty
                                                     selector ({}) matches all namespaces.
-                                                    This field is beta-level and is
-                                                    only honored when PodAffinityNamespaceSelector
-                                                    feature is enabled.
                                                   properties:
                                                     matchExpressions:
                                                       description: matchExpressions
@@ -2584,7 +2603,7 @@ spec:
                                                     field and the ones selected by
                                                     namespaceSelector. null or empty
                                                     namespaces list and null namespaceSelector
-                                                    means "this pod's namespace"
+                                                    means "this pod's namespace".
                                                   items:
                                                     type: string
                                                   type: array
@@ -2802,7 +2821,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: clusterissuers.cert-manager.io
 spec:
   conversion:
@@ -4045,11 +4064,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4144,7 +4159,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4299,10 +4314,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4384,7 +4396,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -4546,11 +4558,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -4645,7 +4653,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -4800,10 +4808,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -4885,7 +4890,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -5359,8 +5364,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -5368,7 +5371,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: issuers.cert-manager.io
 spec:
   conversion:
@@ -5884,10 +5887,33 @@ spec:
                               properties:
                                 accessKeyID:
                                   description: 'The AccessKeyID is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata see:
-                                    https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    Cannot be set when SecretAccessKeyID is set. If
+                                    neither the Access Key nor Key ID are set, we
+                                    fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   type: string
+                                accessKeyIDSecretRef:
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If set, pull the AWS access key ID from a key
+                                    within a Kubernetes Secret. Cannot be set when
+                                    AccessKeyID is set. If neither the Access Key
+                                    nor Key ID are set, we fall-back to using env
+                                    vars, shared credentials file or AWS Instance
+                                    metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret
+                                        resource's `data` field to be used. Some instances
+                                        of this field may be defaulted, in others
+                                        it may be required.
+                                      type: string
+                                    name:
+                                      description: 'Name of the resource being referred
+                                        to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
                                 hostedZoneID:
                                   description: If set, the provider will manage only
                                     this zone in Route53 and will not do an lookup
@@ -5905,9 +5931,10 @@ spec:
                                     shared credentials file or AWS Instance metadata
                                   type: string
                                 secretAccessKeySecretRef:
-                                  description: The SecretAccessKey is used for authentication.
-                                    If not set we fall-back to using env vars, shared
-                                    credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                  description: 'The SecretAccessKey is used for authentication.
+                                    If neither the Access Key nor Key ID are set,
+                                    we fall-back to using env vars, shared credentials
+                                    file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                   properties:
                                     key:
                                       description: The key of the entry in the Secret
@@ -6610,11 +6637,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -6709,7 +6732,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -6864,10 +6887,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -6949,7 +6969,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7111,11 +7131,7 @@ spec:
                                                               list means "this pod's
                                                               namespace". An empty
                                                               selector ({}) matches
-                                                              all namespaces. This
-                                                              field is beta-level
-                                                              and is only honored
-                                                              when PodAffinityNamespaceSelector
-                                                              feature is enabled.
+                                                              all namespaces.
                                                             properties:
                                                               matchExpressions:
                                                                 description: matchExpressions
@@ -7210,7 +7226,7 @@ spec:
                                                               selected by namespaceSelector.
                                                               null or empty namespaces
                                                               list and null namespaceSelector
-                                                              means "this pod's namespace"
+                                                              means "this pod's namespace".
                                                             items:
                                                               type: string
                                                             type: array
@@ -7365,10 +7381,7 @@ spec:
                                                           null or empty namespaces
                                                           list means "this pod's namespace".
                                                           An empty selector ({}) matches
-                                                          all namespaces. This field
-                                                          is beta-level and is only
-                                                          honored when PodAffinityNamespaceSelector
-                                                          feature is enabled.
+                                                          all namespaces.
                                                         properties:
                                                           matchExpressions:
                                                             description: matchExpressions
@@ -7450,7 +7463,7 @@ spec:
                                                           the ones selected by namespaceSelector.
                                                           null or empty namespaces
                                                           list and null namespaceSelector
-                                                          means "this pod's namespace"
+                                                          means "this pod's namespace".
                                                         items:
                                                           type: string
                                                         type: array
@@ -7924,8 +7937,6 @@ spec:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    cert-manager.io/inject-ca-from-secret: kube-system/cert-manager-webhook-ca
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: certmanager.io
@@ -7933,7 +7944,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: orders.acme.cert-manager.io
 spec:
   conversion:
@@ -8194,7 +8205,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 
@@ -8212,7 +8223,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 
@@ -8230,7 +8241,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 
@@ -8264,7 +8275,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 rules:
 - apiGroups:
@@ -8334,7 +8345,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 rules:
 - apiGroups:
@@ -8385,7 +8396,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 rules:
 - apiGroups:
@@ -8436,7 +8447,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 rules:
 - apiGroups:
@@ -8510,7 +8521,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 rules:
 - apiGroups:
@@ -8581,7 +8592,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 rules:
 - apiGroups:
@@ -8691,7 +8702,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 rules:
 - apiGroups:
@@ -8765,7 +8776,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
@@ -8804,7 +8815,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cert-manager-edit
@@ -8852,7 +8863,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 rules:
 - apiGroups:
@@ -8878,7 +8889,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 rules:
 - apiGroups:
@@ -8926,7 +8937,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 rules:
 - apiGroups:
@@ -8949,7 +8960,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8973,7 +8984,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-issuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -8997,7 +9008,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-clusterissuers
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9021,7 +9032,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificates
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9045,7 +9056,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-orders
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9069,7 +9080,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-challenges
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9093,7 +9104,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-ingress-shim
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9117,7 +9128,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-approve:cert-manager-io
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9141,7 +9152,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-controller-certificatesigningrequests
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9165,7 +9176,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:subjectaccessreviews
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -9190,7 +9201,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 rules:
@@ -9225,7 +9236,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 rules:
@@ -9259,7 +9270,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 rules:
@@ -9294,7 +9305,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector:leaderelection
   namespace: kube-system
 roleRef:
@@ -9319,7 +9330,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager:leaderelection
   namespace: kube-system
 roleRef:
@@ -9345,7 +9356,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook:dynamic-serving
   namespace: kube-system
 roleRef:
@@ -9371,7 +9382,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9399,7 +9410,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9427,7 +9438,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cainjector
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-cainjector
   namespace: kube-system
 spec:
@@ -9445,7 +9456,7 @@ spec:
         app.kubernetes.io/component: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cainjector
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9467,7 +9478,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-cainjector:v1.8.0
+        image: quay.io/jetstack/cert-manager-cainjector:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         securityContext:
@@ -9496,7 +9507,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: cert-manager
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager
   namespace: kube-system
 spec:
@@ -9518,7 +9529,7 @@ spec:
         app.kubernetes.io/component: controller
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: cert-manager
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9542,7 +9553,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-controller:v1.8.0
+        image: quay.io/jetstack/cert-manager-controller:v1.9.1
         imagePullPolicy: IfNotPresent
         name: cert-manager
         ports:
@@ -9576,7 +9587,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
   namespace: kube-system
 spec:
@@ -9594,7 +9605,7 @@ spec:
         app.kubernetes.io/component: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/name: webhook
-        app.kubernetes.io/version: v1.8.0
+        app.kubernetes.io/version: v1.9.1
         kops.k8s.io/managed-by: kops
     spec:
       affinity:
@@ -9619,7 +9630,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/jetstack/cert-manager-webhook:v1.8.0
+        image: quay.io/jetstack/cert-manager-webhook:v1.9.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3
@@ -9674,7 +9685,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:
@@ -9716,7 +9727,7 @@ metadata:
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: webhook
-    app.kubernetes.io/version: v1.8.0
+    app.kubernetes.io/version: v1.9.1
   name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:

upup/models/cloudup/resources/addons/certmanager.io/k8s-1.16.yaml.template

@@ -23,7 +23,7 @@ metadata:
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: 'cert-manager'
     # Generated labels
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 spec:
   conversion:
     strategy: Webhook
@@ -144,7 +144,7 @@ spec:
                   description: Usages is the set of x509 usages that are requested for the certificate. If usages are set they SHOULD be encoded inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified.
                   type: array
                   items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
+                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
                     type: string
                     enum:
                       - signing
@@ -235,7 +235,7 @@ metadata:
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: 'cert-manager'
     # Generated labels
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 spec:
   conversion:
     strategy: Webhook
@@ -411,6 +411,9 @@ spec:
                             name:
                               description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                               type: string
+                literalSubject:
+                  description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook.
+                  type: string
                 privateKey:
                   description: Options to control private keys used for the Certificate.
                   type: object
@@ -512,7 +515,7 @@ spec:
                   description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified.
                   type: array
                   items:
-                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3      https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
+                    description: 'KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 Valid KeyUsage values are as follows: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"'
                     type: string
                     enum:
                       - signing
@@ -617,7 +620,7 @@ metadata:
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: 'cert-manager'
     # Generated labels
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 spec:
   conversion:
     strategy: Webhook
@@ -950,8 +953,20 @@ spec:
                             - region
                           properties:
                             accessKeyID:
-                              description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                               type: string
+                            accessKeyIDSecretRef:
+                              description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                              type: object
+                              required:
+                                - name
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                  type: string
                             hostedZoneID:
                               description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
                               type: string
@@ -1268,7 +1283,7 @@ spec:
                                                             additionalProperties:
                                                               type: string
                                                       namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                         type: object
                                                         properties:
                                                           matchExpressions:
@@ -1298,7 +1313,7 @@ spec:
                                                             additionalProperties:
                                                               type: string
                                                       namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                         type: array
                                                         items:
                                                           type: string
@@ -1349,7 +1364,7 @@ spec:
                                                         additionalProperties:
                                                           type: string
                                                   namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                     type: object
                                                     properties:
                                                       matchExpressions:
@@ -1379,7 +1394,7 @@ spec:
                                                         additionalProperties:
                                                           type: string
                                                   namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                     type: array
                                                     items:
                                                       type: string
@@ -1437,7 +1452,7 @@ spec:
                                                             additionalProperties:
                                                               type: string
                                                       namespaceSelector:
-                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                        description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                         type: object
                                                         properties:
                                                           matchExpressions:
@@ -1467,7 +1482,7 @@ spec:
                                                             additionalProperties:
                                                               type: string
                                                       namespaces:
-                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                        description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                         type: array
                                                         items:
                                                           type: string
@@ -1518,7 +1533,7 @@ spec:
                                                         additionalProperties:
                                                           type: string
                                                   namespaceSelector:
-                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                    description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                     type: object
                                                     properties:
                                                       matchExpressions:
@@ -1548,7 +1563,7 @@ spec:
                                                         additionalProperties:
                                                           type: string
                                                   namespaces:
-                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                    description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                     type: array
                                                     items:
                                                       type: string
@@ -1664,7 +1679,7 @@ metadata:
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: 'cert-manager'
     # Generated labels
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 spec:
   conversion:
     strategy: Webhook
@@ -2350,7 +2365,7 @@ spec:
                                                                   additionalProperties:
                                                                     type: string
                                                             namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                               type: object
                                                               properties:
                                                                 matchExpressions:
@@ -2380,7 +2395,7 @@ spec:
                                                                   additionalProperties:
                                                                     type: string
                                                             namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                               type: array
                                                               items:
                                                                 type: string
@@ -2431,7 +2446,7 @@ spec:
                                                               additionalProperties:
                                                                 type: string
                                                         namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                           type: object
                                                           properties:
                                                             matchExpressions:
@@ -2461,7 +2476,7 @@ spec:
                                                               additionalProperties:
                                                                 type: string
                                                         namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                           type: array
                                                           items:
                                                             type: string
@@ -2519,7 +2534,7 @@ spec:
                                                                   additionalProperties:
                                                                     type: string
                                                             namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                               type: object
                                                               properties:
                                                                 matchExpressions:
@@ -2549,7 +2564,7 @@ spec:
                                                                   additionalProperties:
                                                                     type: string
                                                             namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                               type: array
                                                               items:
                                                                 type: string
@@ -2600,7 +2615,7 @@ spec:
                                                               additionalProperties:
                                                                 type: string
                                                         namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                           type: object
                                                           properties:
                                                             matchExpressions:
@@ -2630,7 +2645,7 @@ spec:
                                                               additionalProperties:
                                                                 type: string
                                                         namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                           type: array
                                                           items:
                                                             type: string
@@ -2921,14 +2936,12 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: issuers.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca'
   labels:
     app: 'cert-manager'
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: 'cert-manager'
     # Generated labels
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 spec:
   conversion:
     strategy: Webhook
@@ -3296,8 +3309,20 @@ spec:
                                   - region
                                 properties:
                                   accessKeyID:
-                                    description: 'The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                     type: string
+                                  accessKeyIDSecretRef:
+                                    description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                                    type: object
+                                    required:
+                                      - name
+                                    properties:
+                                      key:
+                                        description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                        type: string
+                                      name:
+                                        description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                                        type: string
                                   hostedZoneID:
                                     description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
                                     type: string
@@ -3308,7 +3333,7 @@ spec:
                                     description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
                                     type: string
                                   secretAccessKeySecretRef:
-                                    description: The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+                                    description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                                     type: object
                                     required:
                                       - name
@@ -3614,7 +3639,7 @@ spec:
                                                                   additionalProperties:
                                                                     type: string
                                                             namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                               type: object
                                                               properties:
                                                                 matchExpressions:
@@ -3644,7 +3669,7 @@ spec:
                                                                   additionalProperties:
                                                                     type: string
                                                             namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                               type: array
                                                               items:
                                                                 type: string
@@ -3695,7 +3720,7 @@ spec:
                                                               additionalProperties:
                                                                 type: string
                                                         namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                           type: object
                                                           properties:
                                                             matchExpressions:
@@ -3725,7 +3750,7 @@ spec:
                                                               additionalProperties:
                                                                 type: string
                                                         namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                           type: array
                                                           items:
                                                             type: string
@@ -3783,7 +3808,7 @@ spec:
                                                                   additionalProperties:
                                                                     type: string
                                                             namespaceSelector:
-                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                              description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                               type: object
                                                               properties:
                                                                 matchExpressions:
@@ -3813,7 +3838,7 @@ spec:
                                                                   additionalProperties:
                                                                     type: string
                                                             namespaces:
-                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                              description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                               type: array
                                                               items:
                                                                 type: string
@@ -3864,7 +3889,7 @@ spec:
                                                               additionalProperties:
                                                                 type: string
                                                         namespaceSelector:
-                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is beta-level and is only honored when PodAffinityNamespaceSelector feature is enabled.
+                                                          description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
                                                           type: object
                                                           properties:
                                                             matchExpressions:
@@ -3894,7 +3919,7 @@ spec:
                                                               additionalProperties:
                                                                 type: string
                                                         namespaces:
-                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"
+                                                          description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
                                                           type: array
                                                           items:
                                                             type: string
@@ -4185,14 +4210,12 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: orders.acme.cert-manager.io
-  annotations:
-    cert-manager.io/inject-ca-from-secret: 'kube-system/cert-manager-webhook-ca'
   labels:
     app: 'cert-manager'
     app.kubernetes.io/name: 'cert-manager'
     app.kubernetes.io/instance: 'cert-manager'
     # Generated labels
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 spec:
   conversion:
     strategy: Webhook
@@ -4388,7 +4411,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 ---
 # Source: cert-manager/templates/serviceaccount.yaml
 apiVersion: v1
@@ -4402,7 +4425,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 ---
 # Source: cert-manager/templates/webhook-serviceaccount.yaml
 apiVersion: v1
@@ -4416,7 +4439,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 ---
 # Source: cert-manager/templates/webhook-config.yaml
 apiVersion: v1
@@ -4441,7 +4464,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates"]
@@ -4473,7 +4496,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["issuers", "issuers/status"]
@@ -4499,7 +4522,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["clusterissuers", "clusterissuers/status"]
@@ -4525,7 +4548,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
@@ -4560,7 +4583,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
   - apiGroups: ["acme.cert-manager.io"]
     resources: ["orders", "orders/status"]
@@ -4598,7 +4621,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
   # Use to update challenge resource status
   - apiGroups: ["acme.cert-manager.io"]
@@ -4658,7 +4681,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates", "certificaterequests"]
@@ -4695,7 +4718,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
@@ -4717,7 +4740,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
@@ -4742,7 +4765,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["signers"]
@@ -4762,7 +4785,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
   - apiGroups: ["certificates.k8s.io"]
     resources: ["certificatesigningrequests"]
@@ -4788,7 +4811,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]
@@ -4804,7 +4827,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4824,7 +4847,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4844,7 +4867,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4864,7 +4887,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4884,7 +4907,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4904,7 +4927,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4924,7 +4947,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4944,7 +4967,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4964,7 +4987,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cert-manager"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -4984,7 +5007,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -5007,7 +5030,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
   # Used for leader election by the controller
   # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
@@ -5033,7 +5056,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
@@ -5054,7 +5077,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 rules:
 - apiGroups: [""]
   resources: ["secrets"]
@@ -5079,7 +5102,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -5102,7 +5125,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -5124,7 +5147,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -5146,7 +5169,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 spec:
   type: ClusterIP
   ports:
@@ -5170,7 +5193,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 spec:
   type: ClusterIP
   ports:
@@ -5194,7 +5217,7 @@ metadata:
     app.kubernetes.io/name: cainjector
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "cainjector"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 spec:
   replicas: 1
   selector:
@@ -5209,7 +5232,7 @@ spec:
         app.kubernetes.io/name: cainjector
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/component: "cainjector"
-        app.kubernetes.io/version: "v1.8.0"
+        app.kubernetes.io/version: "v1.9.1"
     spec:
       nodeSelector: null
       affinity:
@@ -5233,7 +5256,7 @@ spec:
         operator: Exists
       containers:
         - name: cert-manager
-          image: "quay.io/jetstack/cert-manager-cainjector:v1.8.0"
+          image: "quay.io/jetstack/cert-manager-cainjector:v1.9.1"
           imagePullPolicy: IfNotPresent
           args:
           - --v=2
@@ -5257,7 +5280,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "controller"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 spec:
   replicas: 1
   selector:
@@ -5272,7 +5295,7 @@ spec:
         app.kubernetes.io/name: cert-manager
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/component: "controller"
-        app.kubernetes.io/version: "v1.8.0"
+        app.kubernetes.io/version: "v1.9.1"
       annotations:
         prometheus.io/path: "/metrics"
         prometheus.io/scrape: 'true'
@@ -5308,7 +5331,7 @@ spec:
         operator: Exists
       containers:
         - name: cert-manager
-          image: "quay.io/jetstack/cert-manager-controller:v1.8.0"
+          image: "quay.io/jetstack/cert-manager-controller:v1.9.1"
           imagePullPolicy: IfNotPresent
           args:
           - --v=2
@@ -5345,7 +5368,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
 spec:
   replicas: 1
   selector:
@@ -5360,7 +5383,7 @@ spec:
         app.kubernetes.io/name: webhook
         app.kubernetes.io/instance: cert-manager
         app.kubernetes.io/component: "webhook"
-        app.kubernetes.io/version: "v1.8.0"
+        app.kubernetes.io/version: "v1.9.1"
     spec:
       nodeSelector: null
       affinity:
@@ -5384,7 +5407,7 @@ spec:
         operator: Exists
       containers:
         - name: cert-manager
-          image: "quay.io/jetstack/cert-manager-webhook:v1.8.0"
+          image: "quay.io/jetstack/cert-manager-webhook:v1.9.1"
           imagePullPolicy: IfNotPresent
           args:
           - --v=2
@@ -5434,7 +5457,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
   annotations:
     cert-manager.io/inject-ca-from-secret: "kube-system/cert-manager-webhook-ca"
 webhooks:
@@ -5475,7 +5498,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/instance: cert-manager
     app.kubernetes.io/component: "webhook"
-    app.kubernetes.io/version: "v1.8.0"
+    app.kubernetes.io/version: "v1.9.1"
   annotations:
     cert-manager.io/inject-ca-from-secret: "kube-system/cert-manager-webhook-ca"
 webhooks:

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml

@@ -49,7 +49,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: certmanager.io/k8s-1.16.yaml
-    manifestHash: fa3e4adb14fc2f64a688763b14c13aa599f17a03db832ce9e404983cfec43a97
+    manifestHash: 79bc70f8f9b7a91e97830ecaa8968a51e0c5b78318444cb5a44935e8f9f73aa1
     name: certmanager.io
     selector: null
     version: 9.99.0