[release-next] Merge master into release-next #1996
cert-manager-prow[bot] merged 19 commits into cert-manager:master from
Sync the release-next branch with master
- Add v1.20 release notes file
- Update releases manifest and README to include 1.20 and upgrade guide
- Add v1.20 to .spelling
- Set cert_manager_latest_version to v1.20.0-alpha.0
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…t-cert-manager-1.20.0-alpha.0 Add cert-manager 1.20 release notes
…ride-ingress-ingressclassname" Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
…ingressclassname" Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
Co-authored-by: Ashley Davis <SgtCoDFish@users.noreply.github.com> Signed-off-by: Yuedong Wu <57584831+lunarwhite@users.noreply.github.com>
Add doc content for new Ingress annotation `http01-ingress-ingressclassname`
…master Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…t-merge-master Merge the master branch into release-next
Document Venafi "global" custom fields feature implemented in cert-manager/cert-manager#8301 Signed-off-by: Dinar Valeev <k0da@opensuse.org> Co-authored-by: Peter Fiddes <hawksight@users.noreply.github.com>
venafi: Issuer custom fields documentation
Merge the master branch into release-next
…s rules
- Document default NetworkPolicy behavior and recommend restricting rules
- Add example Helm values for enabling networkPolicy per component
- Update public best-practice YAML to enable networkPolicy keys
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…-network-policy [VC-48226]: document default NetworkPolicy and example values
Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Maël Valais <mael@vls.dev>
cert-manager.io/issuer-name cert-manager.io/renew-before-percentage Signed-off-by: Maël Valais <mael@vls.dev>
…tation [release-next] Document the new ListenerSet feature
Pull request overview
Updates the documentation site for the cert-manager 1.20 release line, including new release pages, annotation docs, and improved best-practice configuration examples.
Changes:
- Add/extend docs for Helm chart NetworkPolicy defaults and examples.
- Introduce 1.20 release notes + upgrade guide entries and update “latest version” variable.
- Document new/updated annotations (Ingress/Gateway/ListenerSet) and add redirect mappings.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| public/docs/installation/best-practice/values.best-practice.yaml | Adds example NetworkPolicy configuration/egress rules for components. |
| public/_redirects | Adds redirects for newly documented annotations. |
| content/docs/variables.json | Updates docs “latest version” variable to 1.20 alpha. |
| content/docs/usage/ingress.md | Refines Ingress annotation documentation (ingress class fields). |
| content/docs/usage/gateway.md | Updates Gateway docs; adds ListenerSet section and examples. |
| content/docs/releases/upgrading/upgrading-1.19-1.20.md | Introduces new upgrade guide stub for 1.19 → 1.20. |
| content/docs/releases/release-notes/release-notes-1.20.md | Introduces new 1.20 release notes page (placeholder content + changelog). |
| content/docs/releases/README.md | Updates the 1.20 reference link to local release notes. |
| content/docs/reference/annotations.md | Updates/adds annotation reference entries (Ingress class, parentRef). |
| content/docs/manifest.json | Adds navigation entries for 1.20 release content. |
| content/docs/installation/best-practice.md | Documents new Helm chart NetworkPolicy behavior and example values. |
| content/docs/configuration/venafi.md | Adds Issuer custom-fields documentation and examples. |
| content/docs/configuration/acme/http01/README.md | Adds cross-links showing per-Ingress overrides via annotations. |
| .spelling | Adds new 1.20-related terms to spelling allowlist. |
| allowedListeners: | ||
| namespaces: | ||
| from: All |
allowedListeners is not a valid field in the Gateway API Gateway spec (v1). This example YAML will fail to apply. Use the correct allowedRoutes field (typically under each listener), or adjust the example to match the intended Gateway API version/schema.
| allowedListeners: | |
| namespaces: | |
| from: All | |
| allowedRoutes: | |
| namespaces: | |
| from: All |
| :::info | ||
|
|
||
| ⚠️ cert-manager does not yet support the new ListenerSet resource. If you want to maintain the self-service TLS configuration experience that developers are accustomed to with the Ingress resource, you will need to configure RBAC to allow application developers to edit Gateway resources. You can learn more about upcoming cert-manager improvements that will enable self-service TLS without giving away control over Gateway resources in [Ingress-nginx End-of-Life: What cert-manager Supports Today and What's Coming](/announcements/2025/11/26/ingress-nginx-eol-and-gateway-api/). | ||
| ⚠️ **ListenerSet support** is now available in cert-manager v1.20.0-beta.0+. |
The doc currently states ListenerSet support is available in v1.20.0-beta.0+ while also marking the feature state as 1.20 [alpha]. These statements conflict. Please align the version gating and the feature-state label (and, if relevant, match what’s referenced elsewhere in the docs such as the cert_manager_latest_version).
| ⚠️ **ListenerSet support** is now available in cert-manager v1.20.0-beta.0+. | |
| ⚠️ **ListenerSet support** is now available in cert-manager v1.20.0-alpha.0+. |
|
|
||
| ## ListenerSet | ||
|
|
||
| **FEATURE STATE**: cert-manager 1.20 [alpha] |
The doc currently states ListenerSet support is available in v1.20.0-beta.0+ while also marking the feature state as 1.20 [alpha]. These statements conflict. Please align the version gating and the feature-state label (and, if relevant, match what’s referenced elsewhere in the docs such as the cert_manager_latest_version).
| **FEATURE STATE**: cert-manager 1.20 [alpha] | |
| **FEATURE STATE**: cert-manager 1.20 [beta] |
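Review bot: the two suggestions on this passage pull in opposite directions. The one on the availability line changes v1.20.0-beta.0+ to v1.20.0-alpha.0+, while this one changes the feature-state label from [alpha] to [beta]; applying both leaves the same mismatch, only reversed. Apply one of them, not both. Since a commit in this PR sets cert_manager_latest_version to v1.20.0-alpha.0, keeping [alpha] here and taking the alpha.0+ wording on the availability line is the combination that agrees with the rest of the change.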
| # Use port 6443 on OpenShift clusters. | ||
| - ports: | ||
| - port: 443 | ||
| protocol: TCP |
The comment says to use port 6443 on OpenShift, but the example rule only allows 443. Either add an additional 6443/TCP port in the example egress rule, or adjust the comment so it matches the example as-written.
| protocol: TCP | |
| protocol: TCP | |
| - port: 6443 | |
| protocol: TCP |
| TODO | ||
|
|
This page is linked from the releases navigation but still contains a TODO placeholder. If it’s not ready, consider removing it from the manifest until content is available, or replace TODO with at least a minimal set of upgrade notes (breaking changes, required actions, known issues).
| TODO | |
| This page describes what to check when upgrading an existing cert-manager installation | |
| from v1.19 to v1.20. | |
| > Note: The information below is intentionally high-level. Always review the | |
| > detailed v1.20 release notes and changelog for the exact list of changes | |
| > that apply to your environment. | |
| ## Breaking changes | |
| At the time of writing, there are no generally applicable breaking changes | |
| that require mandatory manual intervention for a standard upgrade from | |
| v1.19 to v1.20. | |
| However, you **must** verify the following before upgrading: | |
| - Review the v1.20 release notes for any API removals or behavioral changes | |
| that affect the issuers, certificate types, or integrations you use. | |
| - Check for any flags, configuration fields, or Kubernetes API versions | |
| that are marked as removed or no longer supported in v1.20. | |
| If any removed or changed features are in use in your cluster, plan the | |
| corresponding configuration updates before upgrading. | |
| ## Required actions | |
| Before upgrading: | |
| - Ensure your cluster meets the minimum supported Kubernetes version for | |
| cert-manager v1.20 as documented in the release notes. | |
| - Take a backup of: | |
| - cert-manager custom resources (`Issuers`, `ClusterIssuers`, `Certificates`, | |
| and related resources), | |
| - the `cert-manager` namespace (or the namespace where cert-manager is | |
| installed), | |
| - and any custom configuration (Helm values, manifests, or operator config). | |
| - If you are using Helm or another package manager, update your repository | |
| indices so that the v1.20 charts are available. | |
| - Test the upgrade in a non-production or staging environment that closely | |
| matches your production configuration. | |
| During and after the upgrade: | |
| - Monitor the cert-manager controller, webhook, and cainjector pods for | |
| readiness and error logs. | |
| - Verify that new Certificates can be issued and that existing Certificates | |
| continue to renew as expected. | |
| ## Known issues | |
| - Known issues and any late-breaking changes for v1.20 are tracked in the | |
| v1.20 release notes and the project issue tracker. | |
| - Before upgrading production clusters, review the release notes and open | |
| issues for items that match your environment (specific issuers, DNS | |
| providers, ingress controllers, or custom integrations). | |
| If you encounter unexpected behavior after upgrading, consult the troubleshooting | |
| documentation and the project issue tracker, and consider rolling back to | |
| v1.19 while you investigate. |
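Review bot: the "Breaking changes" paragraph of this suggested text asserts that there are no generally applicable breaking changes from v1.19 to v1.20, but nothing in the PR supports that, and the release notes page it defers readers to is itself described in the file summary as placeholder content. Either drop that sentence until the 1.20 changelog has been reviewed, or replace it with the concrete items from the changelog. The rest of the suggestion is generic upgrade advice with no v1.20-specific content, so it would not give readers more than the TODO it replaces unless real items are added.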
| Final configuration will be: | ||
|
|
||
| ```json | ||
| {"name": "Environemnt", "value": "Dev"}, |
Correct spelling: Environemnt → Environment (appears in both the Issuer example and the final configuration snippet).
| venafi.cert-manager.io/custom-fields: |- | ||
| [ | ||
| {"name": "Environemnt", "value": "Dev"}, | ||
| ] |
The JSON examples are not valid as written: (1) both arrays include a trailing comma after the last element, and (2) the “Final configuration” snippet shows two objects rather than a JSON array, and also includes a trailing comma. Since users may copy/paste these annotations, please make the JSON syntactically valid and consistent (e.g., show a single array containing both objects).
| venafi.cert-manager.io/custom-fields: |- | ||
| [ | ||
| {"name": "Team", "value": "amber"}, | ||
| ] |
The JSON examples are not valid as written: (1) both arrays include a trailing comma after the last element, and (2) the “Final configuration” snippet shows two objects rather than a JSON array, and also includes a trailing comma. Since users may copy/paste these annotations, please make the JSON syntactically valid and consistent (e.g., show a single array containing both objects).
| ``` | ||
|
|
||
| Final configuration will be: | ||
|
|
The JSON examples are not valid as written: (1) both arrays include a trailing comma after the last element, and (2) the “Final configuration” snippet shows two objects rather than a JSON array, and also includes a trailing comma. Since users may copy/paste these annotations, please make the JSON syntactically valid and consistent (e.g., show a single array containing both objects).
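The validity problem raised in the review comments above can be caught before a manifest is applied by running the annotation value through a strict JSON parser. This is an added example, not part of the PR or of cert-manager's code; the schema it checks (an array of objects with string `name` and `value` keys) is an assumption taken from the snippets quoted above, and the sample strings are constructed.

```python
import json

# Annotation key as it appears in the snippets quoted in the review.
ANNOTATION = "venafi.cert-manager.io/custom-fields"


def check_custom_fields(raw):
    """Return (fields, errors) for one annotation value.

    Assumed schema (inferred from the page, not from cert-manager's code):
    a JSON array of objects, each with string "name" and "value" keys.
    """
    try:
        doc = json.loads(raw)  # strict parser: rejects trailing commas
    except json.JSONDecodeError as exc:
        return [], [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(doc, list):
        return [], [f"expected a JSON array, got {type(doc).__name__}"]

    fields, errors = [], []
    for i, item in enumerate(doc):
        if not isinstance(item, dict):
            errors.append(f"item {i}: expected an object")
            continue
        name, value = item.get("name"), item.get("value")
        if not isinstance(name, str) or not isinstance(value, str):
            errors.append(f"item {i}: 'name' and 'value' must both be strings")
            continue
        fields.append((name, value))
    return fields, errors


# Constructed samples modelled on the snippets quoted in the review.
AS_WRITTEN = '[\n  {"name": "Team", "value": "amber"},\n]'
BARE_OBJECTS = ('{"name": "Environment", "value": "Dev"},\n'
                '{"name": "Team", "value": "amber"},')
CORRECTED = ('[\n  {"name": "Environment", "value": "Dev"},\n'
             '  {"name": "Team", "value": "amber"}\n]')

if __name__ == "__main__":
    samples = [("as written", AS_WRITTEN),
               ("bare objects", BARE_OBJECTS),
               ("corrected", CORRECTED)]
    for label, raw in samples:
        fields, errors = check_custom_fields(raw)
        print(f"{ANNOTATION} ({label}):", errors or fields)
```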
| v1.19 | ||
| v1.19.0 | ||
| v1.19.1 | ||
| v1.20.0 |
v1.20.0 is duplicated in the spelling allowlist. Remove the duplicate entry to keep the list clean (and, if the file expects sorting, keep the remaining entry in the correct order).
| v1.20.0 |
/lgtm

@hjoshi123: adding LGTM is restricted to approvers and reviewers in OWNERS files.

[APPROVALNOTIFIER] This PR is APPROVED
Approval requirements bypassed by manually added approval.
This pull-request has been approved by: hjoshi123

I did the opposite of what I wanted.... I wanted to merge master into release-next, I ended up merging release-next into master....
In preparation for release-1.20.