feat(helm)!: Update crossplane-genmachine (major)

[pipelines-github-app]

This PR contains the following updates:

Package	Update	Change
crossplane (source)	major	1.20.5 -> 2.2.0
xpkg.upbound.io/crossplane/crossplane	major	v1.20.5 -> v2.2.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

crossplane/crossplane (crossplane)

v2.2.0

Compare Source

The v2.2.0 release is a regular quarterly Crossplane release that is focused on maturing a number of key areas of functionality across the project, as Crossplane continues to become more capable, more reliable, and more performant for your production workloads. This release includes many fixes and reliability improvements, a new alpha feature for debugging (the pipeline inspector), and usability improvements.

ℹ️ Extended support for v1.20

Normally, the release of v2.2 would correspond with the end-of-life for v1.20. However, because v1.20 is the last minor release of the v1 series and major version upgrades require additional planning for users, v1.20 will continue to receive critical fixes. The final EOL date for v1.20 is to be determined.

⚠️ Upgrade from v2.1

It is strongly advised to upgrade to v2.2 from the previous minor version, which is v2.1. Upon upgrade for each minor release, Crossplane performs any necessary migrations of its CRDs to ensure the latest versions are stored in the Kubernetes API server. Therefore, it is important to upgrade sequentially through one minor version at a time as described in the upgrade docs.

🚨 Notable and Breaking Changes

• Input CRDs included in Function packages are no longer installed by the package manager, following the xpkg specification. Unknown or disallowed resources in a package are now ignored instead of causing package installation to fail. See #​6976.
• The on-disk structure of the package cache has changed. This breaks an undocumented behavior via which packages could be side-loaded into Crossplane, which was especially useful for testing. See #​6981 for details on the change and #​7147 for discussion of the test changes necessary to accommodate it.

🎉 Highlights

• ImageConfig can now be used to configure the DeploymentRuntimeConfig used for packages, including those installed as dependencies. Note that a matching ImageConfig takes precedence over the runtimeConfigRef in a package spec if both are present. See #​6382.
• The MRD controller now uses server-side apply to update CRDs, improving reliability. See #​6934.
• The pipeline inspector is now available as an alpha feature (disabled by default). When enabled, the inspector forwards function requests and responses to a user-configured gRPC endpoint for debugging or observability. See #​7025 and #​7031.
• XRDs can now configure x-kubernetes-validations outside of the spec. This allows for validation of metadata such as names and labels. See #​7018.
• Composition and operation functions can now request OpenAPI schemas for any resource kind in the cluster using the RequiredSchemas field in the function response. Crossplane now advertises capabilities (including required schemas) to functions in a new function request field. See #​7022.
• The crossplane beta trace CLI command now supports tracing all resources of a given kind, and supports watching resources. See #​6552 and #​7015.
• New documentation has been added regarding connection details for composite resources and workload identity with Crossplane.

🏅 Release MVP

@​jonasz-lasut is the v2.2 release MVP! Their work driving enhancements, fixing bugs, and maintaining quality across Crossplane and its ecosystem is much appreciated by the Crossplane maintainers. Additionally, @​jonasz-lasut is an active participant on the Crossplane Slack instance, answering questions and providing guidance to many new and experienced members of the community. Thank you for your dedication, @​jonasz-lasut! 🎉

What's Changed

• chore(deps): bump crossplane-runtime to v2.2.0-rc.0 by @​jbw976 in #​6888
• build: add release-2.1 to renovate baseBranches by @​jbw976 in #​6892
• Fix Docker port binding race condition on macOS by using HostPort "0" by @​kaessert in #​6897
• v2.1 release follow ups by @​jbw976 in #​6903
• Fix XR circuit breaker to account for double token consumption by @​negz in #​6911
• chore: add Evaneos to adopters list by @​jbw976 in #​6916
• chore(deps): update docker/login-action digest to 5e57cd1 (main) by @​crossplane-renovate[bot] in #​6890
• chore(deps): update module golang.org/x/crypto to v0.43.0 [security] (main) by @​crossplane-renovate[bot] in #​6921
• chore: add ambev tech as adopter by @​rafaelvilarinho in #​6925
• Update ADOPTERS.md by @​O5ten in #​6900
• Fix claim controller watch startup after transient failures by @​negz in #​6929
• Add option to prevent events from being emitted in default namespace by @​frigaut-orange in #​6733
• Allow configuring custom annotations on Crossplane helm chart secret resources by @​ravilr in #​6917
• Use server-side apply for MRD controller by @​negz in #​6934
• fix: Add TLS as app protocol to function service by @​ezgidemirel in #​6943
• pkg: Allow configuration of DeploymentRuntimeConfig via ImageConfig by @​adamwg in #​6940
• chore(deps): update module github.com/jmattheis/goverter to v1.9.2 (main) by @​crossplane-renovate[bot] in #​6918
• chore(deps): update github/codeql-action digest to d3ced5c (main) by @​crossplane-renovate[bot] in #​6891
• chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (main) by @​crossplane-renovate[bot] in #​6937
• chore(deps): update actions/checkout digest to 34e1148 (main) by @​crossplane-renovate[bot] in #​6954
• add yaml support to render --context-files and --context-values flag by @​u-kai in #​6830
• chore(deps): update github/codeql-action digest to 497990d (main) by @​crossplane-renovate[bot] in #​6955
• Add Netclab to adopters list with usage details by @​mbakalarski in #​6972
• fix(render): propagate root composite identity through nested XR trees by @​jcogilvie in #​6957
• Add Sumo Logic to adopters by @​jcogilvie in #​6958
• Update ADOPTERS.md by @​TheBelgarion in #​6754
• fix(deps): update module google.golang.org/protobuf to v1.36.11 (main) by @​crossplane-renovate[bot] in #​6960
• Disable CodeRabbit issue enrichment beta feature by @​negz in #​6993
• chore: update run function proto comments for v2 connection details by @​jbw976 in #​6992
• pkg: Stop installing function input CRDs and ignore disallowed kinds by @​adamwg in #​6976
• fix broken link by @​cahillsf in #​6995
• chore: Remove ESS leftovers by @​ezgidemirel in #​7001
• tests: add error handling test for printPodsTable by @​intojhanurag in #​6944
• feat: Support list of resources for crossplane beta trace by @​twobiers in #​6552
• Introduce xpkg.Client to consolidate package fetching by @​negz in #​6981
• Bump golangci-lint to v2.6.2 by @​negz in #​7009
• apis: Eliminate imports of internal packages in apis by @​adamwg in #​7002
• Add sidecar container support to Crossplane Helm chart by @​phisco in #​7007
• feat(helm): Set automountServiceAccountToken on service accounts by @​bradyz7 in #​6873
• chore: add adamwg as maintainer, move turkenh to emeritus by @​jbw976 in #​7027
• docs: fix typo in comments by @​NAM-MAN in #​7028
• Pipeline inspector hook one-pager by @​phisco in #​7025
• chore(deps): update module github.com/go-chi/chi/v5 to v5.2.4 [security] (main) by @​crossplane-renovate[bot] in #​7033
• Add Cosign v3 support by @​jonasz-lasut in #​6985
• pkg: Fix upgrading packages with common transitive dependencies by @​adamwg in #​7030
• Add an option to prevent caching of resources in other namespaces by @​frigaut-orange in #​6732
• feat: add defaultCompositionRevisionSelector for v1 and v2 APIs by @​markussiebert in #​7032
• docs(links): update links in crds by @​haarchri in #​7045
• Migrate build system from Earthly to Nix by @​negz in #​6999
• Fix Renovate local preset syntax to use owner/repo//path format by @​negz in #​7055
• Fix Nix config for Renovate post-upgrade tasks by @​negz in #​7058
• Disable Nix build-users-group for Renovate by @​negz in #​7059
• fix(deps): update module github.com/sigstore/cosign/v3 to v3.0.4 [security] (main) by @​crossplane-renovate[bot] in #​7047
• chore(deps): pin dependencies (main) by @​crossplane-renovate[bot] in #​7057
• skip checklist-completed check for comments by @​lsviben in #​7061
• chore(deps): update module github.com/go-chi/chi/v5 to v5.2.4 [security] (main) by @​crossplane-renovate[bot] in #​7046
• chore(deps): update module github.com/theupdateframework/go-tuf/v2 to v2.4.1 [security] (main) by @​crossplane-renovate[bot] in #​7048
• chore(deps): update module github.com/sigstore/rekor to v1.5.0 [security] (main) by @​crossplane-renovate[bot] in #​7034
• fix(deps): update module github.com/sigstore/sigstore to v1.10.4 [security] (main) by @​crossplane-renovate[bot] in #​7035
• chore(deps): update module github.com/quic-go/quic-go to v0.57.0 [security] (main) by @​crossplane-renovate[bot] in #​6977
• fix(fn-cache): prevent caching responses with unfulfilled requirements by @​haarchri in #​6961
• fix: improve errors for malformed xpkg examples by @​majiayu000 in #​6990
• Add Christopher Haar as a maintainer by @​negz in #​7069
• chore(deps): update docker/login-action digest to c94ce9f (main) by @​crossplane-renovate[bot] in #​7070
• chore(deps): update github/codeql-action digest to 439137e (main) by @​crossplane-renovate[bot] in #​7071
• Remove Earthfile and .ko.yaml by @​negz in #​7073
• chore(deps): update module github.com/jmattheis/goverter to v1.9.3 (main) by @​crossplane-renovate[bot] in #​7074
• chore(deps): update actions/checkout action to v4.3.1 (main) by @​crossplane-renovate[bot] in #​7076
• chore(deps): update aquasecurity/trivy-action action to v0.33.1 (main) by @​crossplane-renovate[bot] in #​7077
• fix(deps): update module github.com/sirupsen/logrus to v1.9.4 (main) by @​crossplane-renovate[bot] in #​7075
• chore(deps): update buildpulse/buildpulse-action action to v0.12.0 (main) by @​crossplane-renovate[bot] in #​7078
• fix(deps): update module github.com/alecthomas/kong to v1.13.0 (main) by @​crossplane-renovate[bot] in #​7081
• fix(deps): update module github.com/emicklei/dot to v1.10.0 (main) by @​crossplane-renovate[bot] in #​7083
• fix(deps): update module github.com/go-git/go-billy/v5 to v5.7.0 (main) by @​crossplane-renovate[bot] in #​7087
• Remove unused tools/ dir by @​negz in #​7085
• Use lockFileMaintenance to update flake.lock by @​negz in #​7084
• feat(trace): add watch for trace by @​haarchri in #​7015
• Pipeline inspector implementation by @​phisco in #​7031
• chore(deps): update github/codeql-action digest to 2588666 (main) by @​crossplane-renovate[bot] in #​7092
• fix(deps): update module github.com/go-git/go-git/v5 to v5.16.4 (main) by @​crossplane-renovate[bot] in #​7088
• fix(deps): update module github.com/docker/go-connections to v0.6.0 (main) by @​crossplane-renovate[bot] in #​7082
• chore(deps): update actions/checkout action to v6 (main) by @​crossplane-renovate[bot] in #​7095
• chore(deps): update actions/upload-artifact action to v6 (main) by @​crossplane-renovate[bot] in #​7098
• chore(deps): lock file maintenance (main) by @​crossplane-renovate[bot] in #​7102
• chore(deps): update actions/create-github-app-token action to v2 (main) by @​crossplane-renovate[bot] in #​7096
• chore(deps): update actions/stale action to v10 (main) by @​crossplane-renovate[bot] in #​7097
• chore(deps): update codecov/codecov-action action to v5 (main) by @​crossplane-renovate[bot] in #​7099
• chore(deps): update renovatebot/github-action action to v46 (main) by @​crossplane-renovate[bot] in #​7100
• chore(deps): update zeebe-io/backport-action action to v4 (main) by @​crossplane-renovate[bot] in #​7101
• chore(deps): update dependency ubuntu to v24 (main) by @​crossplane-renovate[bot] in #​7103
• chore(deps): update github/codeql-action action to v4 (main) by @​crossplane-renovate[bot] in #​7104
• fix(deps): update module github.com/in-toto/in-toto-golang to v0.10.0 (main) by @​crossplane-renovate[bot] in #​7093
• build: add args support for hack target, add new unhack target by @​jbw976 in #​7106
• fix: exclude ClusterProviderConfigUsages from CRD to MRD conversion by @​LukeTimeWalker in #​7090
• Handle CronOperation and WatchOperation in alpha render op by @​bobh66 in #​7021
• build: add values file support for hack target by @​phisco in #​7107
• fix(deps): update module github.com/posener/complete to v2 (main) by @​crossplane-renovate[bot] in #​7105
• feat(install.sh): download and unpack the compressed file by @​tampakrap in #​6436
• Add shell script linting and expand lint app to format all code by @​negz in #​7112
• Add CLI argument support to hack Nix app by @​negz in #​7111
• fix: check correct condition in package reconciler by @​tenstad in #​7091
• Add support for composition functions to request OpenAPI schemas by @​negz in #​7022
• Use function-python:v0.4.0 in required schemas E2Es by @​negz in #​7117
• Use --watched-resource flag for WatchOperations by @​negz in #​7113
• chore(deps): update gomod2nix digest to 0629af8 (main) by @​crossplane-renovate[bot] in #​7115
• chore(deps): update gomod2nix digest to 75c2866 (main) by @​crossplane-renovate[bot] in #​7120
• chore(deps): update github/codeql-action digest to 45cbd0c (main) by @​crossplane-renovate[bot] in #​7119
• fix(deps): update module github.com/posener/complete to v2 (main) by @​crossplane-renovate[bot] in #​7116
• Allow XRDs to configure x-kubernetes-validations outside of spec by @​jonasz-lasut in #​7018
• feat(helm): make sidecars, extra volumes, and volume mounts templatable by @​phisco in #​7122
• fix(deps): update module github.com/posener/complete to v2 (main) by @​crossplane-renovate[bot] in #​7121
• fix(deps): update module github.com/alecthomas/kong to v1.14.0 (main) by @​crossplane-renovate[bot] in #​7125
• chore: update steering committee table for 2026 election results by @​jbw976 in #​7127
• chore(deps): update renovatebot/github-action action to v46.0.2 (main) by @​crossplane-renovate[bot] in #​7132
• Bump crossplane-runtime dependency to v2.2.0-rc.1 by @​adamwg in #​7135
• [Backport release-2.2] Use foreground cascading deletion for unneeded composed resources by @​github-actions[bot] in #​7144
• deps: Update crossplane-runtime to v2.2.0 by @​adamwg in #​7150

New Contributors

• @​kaessert made their first contribution in #​6897
• @​rafaelvilarinho made their first contribution in #​6925
• @​O5ten made their first contribution in #​6900
• @​mbakalarski made their first contribution in #​6972
• @​cahillsf made their first contribution in #​6995
• @​intojhanurag made their first contribution in #​6944
• @​bradyz7 made their first contribution in #​6873
• @​NAM-MAN made their first contribution in #​7028
• @​markussiebert made their first contribution in #​7032
• @​majiayu000 made their first contribution in #​6990

Full Changelog: crossplane/crossplane@v2.1.0...v2.2.0

v2.1.4

Compare Source

This release backports #​7030 to the 2.1 branch to fix one of the issues reported in #​3423, where shared transitive dependencies could not be upgraded successfully. It also contains security updates to Crossplane's dependencies.

What's Changed

• chore(deps): update module github.com/quic-go/quic-go to v0.57.0 [security] (release-2.1) by @​crossplane-renovate[bot] in #​6978
• Backport #​7030 to release-2.1 by @​adamwg in #​7054
• [release-2.1] Update sigstore dependencies to fix CVEs by @​negz in #​7064
• chore(deps): update module github.com/theupdateframework/go-tuf/v2 to v2.4.1 [security] (release-2.1) by @​crossplane-renovate[bot] in #​7067
• chore(deps): update module github.com/go-chi/chi/v5 to v5.2.4 [security] (release-2.1) by @​crossplane-renovate[bot] in #​7040
• [Backport release-2.1] fix(render): propagate root composite identity through nested XR trees by @​github-actions[bot] in #​6974

Full Changelog: crossplane/crossplane@v2.1.3...v2.1.4

v2.1.3

Compare Source

This release resolves #​6761 - issues when upgrading providers that manifest with errors like these:

cannot establish control of object: addresses.compute.gcp.upbound.io is already controlled by ProviderRevision provider-gcp-compute-a41e4ba551fc (UID 58db5de-38e7-40f9-9d31-669bb25a688e)

What's Changed

• [Backport release-2.1] Use server-side apply for MRD controller by @​negz in #​6952

Full Changelog: crossplane/crossplane@v2.1.2...v2.1.3

v2.1.2

Compare Source

What's Changed

• chore(deps): update module golang.org/x/crypto to v0.43.0 [security] (release-2.1) by @​crossplane-renovate[bot] in #​6926
• [Backport release-2.1] Fix claim controller watch startup after transient failures by @​github-actions[bot] in #​6933
• [Backport release-2.1] fix: Add TLS as app protocol to function service by @​github-actions[bot] in #​6946
• chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (release-2.1) by @​crossplane-renovate[bot] in #​6941

Full Changelog: crossplane/crossplane@v2.1.1...v2.1.2

v2.1.1

Compare Source

This release backports #​6911, which makes the new XR watch circuit breaker a little more lenient. We noticed sometimes simple XRs were triggering the circuit breaker during initial creation, which usually involves a burst of watch events as resources are created and update to reach a stable state.

What's Changed

• [Backport release-2.1] Fix XR circuit breaker to account for double token consumption by @​github-actions[bot] in #​6912

Full Changelog: crossplane/crossplane@v2.1.0...v2.1.1

v2.1.0

Compare Source

The v2.1.0 release is a regular quarterly Crossplane release that is focused on maturing a number of key areas of functionality across the project, as Crossplane continues to become more capable, more reliable, and more performant for your production workloads. After the major v2.0 release, we spent time focusing on polishing and hardening the experience with the goal of enhancing core reliability.

⚠️ Upgrade from v2.0

It is strongly advised to upgrade to v2.1 from the previous minor version, which is v2.0. Upon upgrade for each minor release, Crossplane performs any necessary migrations of its CRDs to ensure the latest versions are stored in the Kubernetes API server. Therefore, it is important to upgrade sequentially through one minor version at a time as described in the upgrade docs.

🎉 Highlights

• XR circuit breaker: A circuit breaker was added to all Composite Resource (XR) controllers in #​6777 to prevent reconciliation thrashing when controllers fight over composed resource state. This addresses a common cause of excessive resource (CPU) usage.
  • Each circuit breaker monitors reconciliation rates for their XR and opens ("breaks the circuit") when thresholds are exceeded (50 burst, 1 every 2s sustained). While open, it blocks most reconcile requests but allows one through every 30 seconds. The circuit stays open for 5 minutes, then automatically closes and returns to normal operation. If thrashing resumes, the circuit will open again.
• Realtime compositions for namespaced XRs: #​6780 fixes an issue where namespaced XRs were not being reconciled in response to changes in their composed resources.
• crossplane render for remote Docker daemons: #​6799 fixes an issue that prevented crossplane render from establishing a connection to the remote Docker host.
  • crossplane render now allows function annotations to be passed on the command line with -a/--function-annotations flags. Two new function annotations are now supported:
    • render.crossplane.io/runtime-docker-publish-address controls the host address Docker publishes the container port to (defaults to 127.0.0.1 for security)
    • render.crossplane.io/runtime-docker-target controls the address the CLI connects to (defaults to the publish address)
• XRD change detection: In previous versions of Crossplane, XRD spec fields could change without the XR controller being restarted automatically. With #​6806, users no longer need to manually restart the Crossplane deployment for some XRD changes to take effect.

🚨 Warnings and breaking changes

• Crossplane's custom rate limiting implementation as well as client-side rate limiting has been removed in #​6851 as proposed and described in detail in #​6790.
  • Crossplane's reconcilers will rely on a combination of the Kubernetes API Priority and Fairness, the circuit breaker described in the highlights below, and worker pool size configuration to appropriately manage reconciliation load and retries in the control plane.
  • --max-concurrent-reconciles can be set to influence the maximum number of concurrent reconcile operations (worker pool size) that Crossplane will perform.
    • The --max-reconcile-rate flag has been renamed to this new --max-concurrent-reconciles flag to better represent what this flag controls
    • The old --max-reconcile-rate flag is now an alias for the new flag name
  • Providers are unaffected by this change, only core Crossplane reconcilers are affected.

🏅 Release MVP

@​binarycode is the v2.1 release MVP! They discovered a critical issue preventing realtime compositions from functioning correctly for namespaced XRs. Their fix in #​6780 now properly configures an index for each namespaced XR so that events generated from changes in their composed resources correctly result in the XR being enqueued for reconciliation.

Thank you very much to @​binarycode, our latest release MVP! 🙇‍♂️

What's Changed

• chore(deps) bump crossplane-runtime to v2.1.0-rc.0 by @​jbw976 in #​6690
• build: add release-2.0 branch to renovate baseBranches by @​jbw976 in #​6692
• Add alpha render subcommands for XRs and Operations by @​negz in #​6695
• Fuzzy match function capabilities by @​negz in #​6697
• Use FILE level buf breaking change detection by @​negz in #​6698
• chore: bump releases table, remove 1.18 from renovate baseBranches by @​jbw976 in #​6703
• Support function cache XfnCacheMaxTTL CLI option by @​stevendborrelli in #​6710
• chore(deps): update docker/login-action digest to 184bdaa (main) by @​crossplane-renovate[bot] in #​6706
• Fix composed resource names containing invalid characters by @​negz in #​6705
• Fix CRD-to-MRD converter to preserve provider configuration CRDs by @​negz in #​6721
• adds Terradue as adopter by @​fabricebrito in #​6723
• Update Get Started Docs link by @​itsrainingmani in #​6713
• Add Sophotech to adopters list by @​archy-rock3t-cloud in #​6760
• Address some linter/format issues from main by @​negz in #​6775
• fix realtime Compositions for Namespaced XRs by @​binarycode in #​6780
• pkg: Ignore tags that are incomplete semantic versions by @​adamwg in #​6776
• Initial CodeRabbit configuration by @​negz in #​6791
• Rename WebhooksEnabled by EnableWebhooks in init cmd by @​frigaut-orange in #​6793
• Set CodeRabbit to chill mode by @​negz in #​6794
• Disable code rabbit review status messages by @​negz in #​6795
• run the validating webhook remover only if webhooks are enabled by @​frigaut-orange in #​6801
• Isolate buf and code generation tools in separate module by @​negz in #​6796
• Apply consistent error handling pattern in apiextensions reconcilers by @​negz in #​6755
• Include kind logs when running E2Es by @​negz in #​6786
• Update ADOPTERS.md by @​zouldapp in #​6811
• Update ADOPTERS.md by @​zouldapp in #​6816
• chore(deps): update module github.com/go-chi/chi/v5 to v5.2.2 [security] (main) by @​crossplane-renovate[bot] in #​6815
• Update ADOPTERS.md by @​PI-Victor in #​6807
• Separate go mod tidy from code generation to speed development by @​negz in #​6814
• Queue reconciles for packages when ImageConfigs change by @​negz in #​6765
• Support remote Docker daemons in render commands by @​negz in #​6799
• Add MRD and MRAP to package kind linter by @​negz in #​6797
• Fix XRD controller restart to detect all spec changes by @​negz in #​6806
• Add circuit breaker to prevent XR reconciliation thrashing by @​negz in #​6777
• fix(render): propagate XR namespace to composed resources by @​u-kai in #​6812
• Fix circuit breaker tests to match consistent error handling pattern by @​negz in #​6822
• Sort extra resources alphabetically to guarantee stable order by @​twobiers in #​6819
• Move cached function response protos to internal/proto by @​negz in #​6825
• Update adding monday.com to ADOPTERS.md by @​elhayef in #​6828
• README: clarify purpose of SIGs by @​jbw976 in #​6835
• governance: community extension projects list by @​jbw976 in #​6836
• Update Add Baloise to ADOPTERS.md by @​jonasz-lasut in #​6838
• fix: add missing permissions on protection and ops groups by @​phisco in #​6829
• docs: add RELEASE.md and links to crossplane/release for better discoverability of release process by @​jbw976 in #​6843
• One pager for a namespace-restricted option by @​frigaut-orange in #​6419
• fix(deps): update module github.com/go-git/go-billy/v5 to v5.6.2 (main) by @​crossplane-renovate[bot] in #​6568
• fix(deps): update module github.com/google/go-containerregistry to v0.20.6 (main) by @​crossplane-renovate[bot] in #​6642
• chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (main) by @​crossplane-renovate[bot] in #​6740
• chore(deps): update actions/checkout digest to 08eba0b (main) by @​crossplane-renovate[bot] in #​6715
• build: update releases/charts bucket names by @​jbw976 in #​6849
• chore(deps): Update k8s.io modules to latest by @​branden in #​6844
• Remove watch debug message by @​bobh66 in #​6720
• Add XR circuit breaker Prometheus metrics by @​mfkd in #​6854
• Refactor circuit breaker metrics to match Crossplane patterns by @​negz in #​6870
• chore: remove all migrators that are no longer needed by @​jbw976 in #​6869
• feat(crl): remove custom rate limiting by @​haarchri in #​6851
• doc(crank): Remove deprecated subcommands from the convert help message by @​tampakrap in #​6743
• fix: ensure enforcedCompositionRef properly controls composition selection by @​ezgidemirel in #​6881
• fix(deps): update module github.com/docker/docker to v28.3.3+incompatible [security] (main) by @​crossplane-renovate[bot] in #​6845
• chore(deps): update module github.com/quic-go/quic-go to v0.54.1 [security] (main) by @​crossplane-renovate[bot] in #​6846
• Fix XRD controller watch startup after transient failures by @​negz in #​6885
• chore(deps): bump crossplane-runtime to v2.1.0-rc.1 by @​jbw976 in #​6889
• [Backport release-2.1] Fix Docker port binding race condition on macOS by using HostPort "0" by @​github-actions[bot] in #​6901
• chore(deps): bump crossplane-runtime to v2.1.0 by @​jbw976 in #​6902

New Contributors

• @​fabricebrito made their first contribution in #​6723
• @​itsrainingmani made their first contribution in #​6713
• @​archy-rock3t-cloud made their first contribution in #​6760
• @​binarycode made their first contribution in #​6780
• @​frigaut-orange made their first contribution in #​6793
• @​zouldapp made their first contribution in #​6811
• @​PI-Victor made their first contribution in #​6807
• @​u-kai made their first contribution in #​6812
• @​elhayef made their first contribution in #​6828
• @​jonasz-lasut made their first contribution in #​6838
• @​branden made

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[pipelines-github-app]

--- main/crossplane_gitops_manifests_crossplane_genmachine_manifest_main.yaml	2026-03-11 04:31:17.978352612 +0000
+++ pr/crossplane_gitops_manifests_crossplane_genmachine_manifest_pr.yaml	2026-03-11 04:31:17.025352120 +0000
@@ -1,42 +1,44 @@
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: rbac-manager
   namespace: default
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
+automountServiceAccountToken: true
 ---
 # Source: crossplane/charts/crossplane/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: crossplane
   namespace: default
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
+automountServiceAccountToken: true
 ---
 # Source: crossplane/charts/komoplane/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: crossplane-komoplane
   labels:
     helm.sh/chart: komoplane-0.1.6
     app.kubernetes.io/name: komoplane
     app.kubernetes.io/instance: crossplane
@@ -76,46 +78,46 @@
   namespace: default
 type: Opaque
 ---
 # Source: crossplane/charts/crossplane/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 aggregationRule:
   clusterRoleSelectors:
   - matchLabels:
       rbac.crossplane.io/aggregate-to-crossplane: "true"
 ---
 # Source: crossplane/charts/crossplane/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane:system:aggregate-to-crossplane
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
     crossplane.io/scope: "system"
     rbac.crossplane.io/aggregate-to-crossplane: "true"
 rules:
 - apiGroups:
   - ""
   resources:
   - events
   verbs:
   - create
   - update
@@ -142,22 +144,23 @@
   - delete
 - apiGroups:
   - ""
   resources:
   - serviceaccounts
   - services
   verbs:
   - "*"
 - apiGroups:
   - apiextensions.crossplane.io
+  - ops.crossplane.io
   - pkg.crossplane.io
-  - secrets.crossplane.io
+  - protection.crossplane.io
   resources:
   - "*"
   verbs:
   - "*"
 - apiGroups:
   - extensions
   - apps
   resources:
   - deployments
   verbs:
@@ -196,46 +199,46 @@
   - watch
   - delete
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane:allowed-provider-permissions
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 aggregationRule:
   clusterRoleSelectors:
   - matchLabels:
       rbac.crossplane.io/aggregate-to-allowed-provider-permissions: "true"
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane-rbac-manager
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 rules:
 - apiGroups:
   - ""
   resources:
   - events
   verbs:
   - create
   - update
   - patch
   - delete
@@ -356,104 +359,104 @@
   - watch
   - delete
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane-admin
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 aggregationRule:
   clusterRoleSelectors:
   - matchLabels:
       rbac.crossplane.io/aggregate-to-admin: "true"
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane-edit
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 aggregationRule:
   clusterRoleSelectors:
   - matchLabels:
       rbac.crossplane.io/aggregate-to-edit: "true"
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane-view
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 aggregationRule:
   clusterRoleSelectors:
   - matchLabels:
       rbac.crossplane.io/aggregate-to-view: "true"
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane-browse
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 aggregationRule:
   clusterRoleSelectors:
   - matchLabels:
       rbac.crossplane.io/aggregate-to-browse: "true"
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane:aggregate-to-admin
   labels:
     rbac.crossplane.io/aggregate-to-admin: "true"
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 rules:
 # Crossplane administrators have access to view events.
 - apiGroups: [""]
   resources: [events]
   verbs: [get, list, watch]
 # Crossplane administrators must create provider credential secrets, and may
 # need to read or otherwise interact with connection secrets. They may also need
 # to create or annotate namespaces.
 - apiGroups: [""]
   resources: [secrets, namespaces]
@@ -478,36 +481,44 @@
   resources: ["*"]
   verbs: ["*"]
 - apiGroups:
   - secrets.crossplane.io
   resources: ["*"]
   verbs: ["*"]
 # Crossplane administrators have access to view CRDs in order to debug XRDs.
 - apiGroups: [apiextensions.k8s.io]
   resources: [customresourcedefinitions]
   verbs: [get, list, watch]
+- apiGroups:
+    - protection.crossplane.io
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups:
+    - ops.crossplane.io
+  resources: ["*"]
+  verbs: ["*"]
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane:aggregate-to-edit
   labels:
     rbac.crossplane.io/aggregate-to-edit: "true"
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 rules:
 # Crossplane editors have access to view events.
 - apiGroups: [""]
   resources: [events]
   verbs: [get, list, watch]
 # Crossplane editors must create provider credential secrets, and may need to
 # read or otherwise interact with connection secrets.
 - apiGroups: [""]
   resources: [secrets]
   verbs: ["*"]
@@ -521,36 +532,44 @@
   resources: ["*"]
   verbs: ["*"]
 - apiGroups:
   - pkg.crossplane.io
   resources: ["*"]
   verbs: ["*"]
 - apiGroups:
   - secrets.crossplane.io
   resources: ["*"]
   verbs: ["*"]
+- apiGroups:
+    - protection.crossplane.io
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups:
+    - ops.crossplane.io
+  resources: ["*"]
+  verbs: ["*"]
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane:aggregate-to-view
   labels:
     rbac.crossplane.io/aggregate-to-view: "true"
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 rules:
 # Crossplane viewers have access to view events.
 - apiGroups: [""]
   resources: [events]
   verbs: [get, list, watch]
 # Crossplane viewers may see which namespaces exist.
 - apiGroups: [""]
   resources: [namespaces]
   verbs: [get, list, watch]
 # Crossplane viewers have read-only access to built in Crossplane types.
@@ -559,36 +578,44 @@
   resources: ["*"]
   verbs: [get, list, watch]
 - apiGroups:
   - pkg.crossplane.io
   resources: ["*"]
   verbs: [get, list, watch]
 - apiGroups:
   - secrets.crossplane.io
   resources: ["*"]
   verbs: [get, list, watch]
+- apiGroups:
+    - protection.crossplane.io
+  resources: ["*"]
+  verbs: [get, list, watch]
+- apiGroups:
+    - ops.crossplane.io
+  resources: ["*"]
+  verbs: [get, list, watch]
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: crossplane:aggregate-to-browse
   labels:
     rbac.crossplane.io/aggregate-to-browse: "true"
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 rules:
 # Crossplane browsers have access to view events.
 - apiGroups: [""]
   resources: [events]
   verbs: [get, list, watch]
 # Crossplane browsers have read-only access to compositions and XRDs. This
 # allows them to discover and select an appropriate composition when creating a
 # resource claim.
 - apiGroups:
   - apiextensions.crossplane.io
@@ -611,73 +638,73 @@
     resources: ["*"]
     verbs: ["get", "list", "watch"]
 ---
 # Source: crossplane/charts/crossplane/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: crossplane
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: crossplane
 subjects:
 - kind: ServiceAccount
   name: crossplane
   namespace: default
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: crossplane-rbac-manager
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: crossplane-rbac-manager
 subjects:
 - kind: ServiceAccount
   name: rbac-manager
   namespace: default
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: crossplane-admin
   labels:
     app: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: crossplane-admin
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
   name: crossplane:masters
 ---
 # Source: crossplane/charts/komoplane/templates/serviceaccount.yaml
@@ -702,27 +729,27 @@
 ---
 # Source: crossplane/charts/crossplane/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: crossplane-webhooks
   namespace: default
   labels:
     app: crossplane
     release: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
   annotations:
 spec:
   selector:
     app: crossplane
     release: crossplane
   ports:
   - protocol: TCP
     port: 9443
     targetPort: 9443
 ---
@@ -750,57 +777,59 @@
 ---
 # Source: crossplane/charts/crossplane/templates/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: crossplane
   namespace: default
   labels:
     app: crossplane
     release: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 spec:
   replicas: 1
   selector:
     matchLabels:
       app: crossplane
       release: crossplane
   strategy:
     type: RollingUpdate
   template:
     metadata:
       labels:
         app: crossplane
         release: crossplane        
-        helm.sh/chart: crossplane-1.20.5
+        helm.sh/chart: crossplane-2.2.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: cloud-infrastructure-controller
         app.kubernetes.io/part-of: crossplane
         app.kubernetes.io/name: crossplane
         app.kubernetes.io/instance: crossplane
-        app.kubernetes.io/version: "1.20.5"
+        app.kubernetes.io/version: "2.2.0"
     spec:
       serviceAccountName: crossplane
       hostNetwork: false
       initContainers:
-        - image: "xpkg.upbound.io/crossplane/crossplane:v1.20.5"
+        - name: crossplane-init
+          image: "xpkg.upbound.io/crossplane/crossplane:v2.2.0"
+          imagePullPolicy: IfNotPresent
           args:
           - core
           - init
-          imagePullPolicy: IfNotPresent
-          name: crossplane-init
+          - --activation
+          - "*"
           resources:
             limits:
               cpu: 500m
               memory: 1024Mi
             requests:
               cpu: 100m
               memory: 256Mi
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
@@ -835,26 +864,26 @@
                 fieldPath: metadata.namespace
           - name: "WEBHOOK_SERVICE_PORT"
             value: "9443"
           - name: "TLS_CA_SECRET_NAME"
             value: crossplane-root-ca
           - name: "TLS_SERVER_SECRET_NAME"
             value: crossplane-tls-server
           - name: "TLS_CLIENT_SECRET_NAME"
             value: crossplane-tls-client
       containers:
-      - image: "xpkg.upbound.io/crossplane/crossplane:v1.20.5"
+      - name: crossplane
+        image: "xpkg.upbound.io/crossplane/crossplane:v2.2.0"
         args:
         - core
         - start
         imagePullPolicy: IfNotPresent
-        name: crossplane
         resources:
             limits:
               cpu: 500m
               memory: 1024Mi
             requests:
               cpu: 100m
               memory: 256Mi
         startupProbe:
           failureThreshold: 30
           periodSeconds: 2
@@ -928,56 +957,56 @@
 ---
 # Source: crossplane/charts/crossplane/templates/rbac-manager-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: crossplane-rbac-manager
   namespace: default
   labels:
     app: crossplane-rbac-manager
     release: crossplane    
-    helm.sh/chart: crossplane-1.20.5
+    helm.sh/chart: crossplane-2.2.0
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: cloud-infrastructure-controller
     app.kubernetes.io/part-of: crossplane
     app.kubernetes.io/name: crossplane
     app.kubernetes.io/instance: crossplane
-    app.kubernetes.io/version: "1.20.5"
+    app.kubernetes.io/version: "2.2.0"
 spec:
   replicas: 1
   selector:
     matchLabels:
       app: crossplane-rbac-manager
       release: crossplane
   strategy:
     type: RollingUpdate
   template:
     metadata:
       labels:
         app: crossplane-rbac-manager
         release: crossplane        
-        helm.sh/chart: crossplane-1.20.5
+        helm.sh/chart: crossplane-2.2.0
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/component: cloud-infrastructure-controller
         app.kubernetes.io/part-of: crossplane
         app.kubernetes.io/name: crossplane
         app.kubernetes.io/instance: crossplane
-        app.kubernetes.io/version: "1.20.5"
+        app.kubernetes.io/version: "2.2.0"
     spec:
       serviceAccountName: rbac-manager
       initContainers:
-      - image: "xpkg.upbound.io/crossplane/crossplane:v1.20.5"
+      - name: crossplane-init
+        image: "xpkg.upbound.io/crossplane/crossplane:v2.2.0"
         args:
         - rbac
         - init
         imagePullPolicy: IfNotPresent
-        name: crossplane-init
         resources:
             limits:
               cpu: 100m
               memory: 512Mi
             requests:
               cpu: 100m
               memory: 256Mi
         securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
@@ -990,27 +1019,27 @@
                 containerName: crossplane-init
                 resource: limits.cpu
                 divisor: "1"
           - name: GOMEMLIMIT
             valueFrom:
               resourceFieldRef:
                 containerName: crossplane-init
                 resource: limits.memory
                 divisor: "1"
       containers:
-      - image: "xpkg.upbound.io/crossplane/crossplane:v1.20.5"
+      - name: crossplane
+        image: "xpkg.upbound.io/crossplane/crossplane:v2.2.0"
         args:
         - rbac
         - start
         - --provider-clusterrole=crossplane:allowed-provider-permissions
         imagePullPolicy: IfNotPresent
-        name: crossplane
         resources:
             limits:
               cpu: 100m
               memory: 512Mi
             requests:
               cpu: 100m
               memory: 256Mi
         securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true