From 64342e021585d92d522f19c60eebd948aefbeb35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 10 Mar 2026 22:57:30 +0100 Subject: [PATCH 1/2] bump supported releases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- content/docs/releases/README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/docs/releases/README.md b/content/docs/releases/README.md index 8fe0d76fa8..67478f6de5 100644 --- a/content/docs/releases/README.md +++ b/content/docs/releases/README.md @@ -21,14 +21,14 @@ should be stable enough to run. | Release | Release Date | End of Life | [Supported Kubernetes / OpenShift Versions][s] | [Tested Kubernetes Versions][test] | |:--------:|:------------:|:---------------:|:----------------------------------------------:|:----------------------------------:| +| [1.20][] | Mar 10, 2026 | Release of 1.22 | 1.32 → 1.35 / 4.19 → 4.21 | 1.32 → 1.35 | | [1.19][] | Oct 07, 2025 | Release of 1.21 | 1.31 → 1.35 / 4.18 → 4.20 | 1.31 → 1.35 | -| [1.18][] | Jun 10, 2025 | Release of 1.20 | 1.29 → 1.33 / 4.16 → 4.20 | 1.29 → 1.33 | ## Upcoming releases | Release | Release Date | End of Life | [Supported Kubernetes / OpenShift Versions][s] | [Tested Kubernetes Versions][test] | |:--------:|:------------:|:---------------:|:----------------------------------------------:|:----------------------------------:| -| [1.20][] | Feb 24, 2026 | Release of 1.22 | 1.32 → 1.35 / 4.19 → 4.21 | 1.32 → 1.35 | +| 1.21 | Jun 24, 2026 | Release of 1.23 | 1.33 → 1.36 / 4.20 → 4.22 | 1.33 → 1.36 | Dates in the future are not firm commitments and are subject to change. 
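Review bot: the new `| 1.21 | Jun 24, 2026 | ...` row in the "Upcoming releases" table is the only row in either table without a `[1.21][]` reference link, whereas the `[1.20][]` row it replaces carried one. If that is deliberate because no 1.21 release-notes page exists yet, it would be worth a one-line comment in the Markdown (or a follow-up reminder) so the link is added when 1.21 ships; otherwise the row should read `| [1.21][] | Jun 24, 2026 | ...` for consistency. The move of 1.20 into the supported table with "Mar 10, 2026" and the removal of the 1.18 row (EOL "Release of 1.20") are consistent with each other.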
@@ -222,7 +222,7 @@ newer Kubernetes features. The table below lists the major Kubernetes distributions we check. In parentheses next to each release is the EOL for that release. EOL dates often change throughout the lifecycle of a release. -The "Oldest Kubernetes Release" is the oldest release we deemed relevant to the next cert-manager release, as of 2025-11-07 +The "Oldest Kubernetes Release" is the oldest release we deemed relevant to the next cert-manager release, as of 2026-03-10 | Vendor | Oldest K8s Release | Other Kubernetes Releases | |:---------------------:|:-------------------:|---------------------------------------------------------------| @@ -302,6 +302,7 @@ are no longer supported. | Release | Release Date | EOL | Compatible Kubernetes versions | Compatible OpenShift versions | |--------------|:------------:|:------------:|:------------------------------:|:-----------------------------:| +| [1.18][] | Jun 10, 2025 | Mar 10, 2026 | 1.29 → 1.33 | 4.16 → 4.20 | | [1.17][] | Feb 03, 2025 | Oct 07, 2025 | 1.29 → 1.33 | 4.16 → 4.20 | | [1.16][] | Oct 03, 2024 | Jun 10, 2025 | 1.25 → 1.32 | 4.14 → 4.17 | | [1.15][] | Jun 05, 2024 | Feb 03, 2025 | 1.25 → 1.32 | 4.12 → 4.16 | From 90cb77c4d356175895a6e78e7190d31cab0bbf4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Wed, 11 Mar 2026 13:37:34 +0100 Subject: [PATCH 2/2] ran ./scripts/gendocs/generate-new-import-path-docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- content/docs/cli/controller.md | 140 ++++++------ content/docs/cli/webhook.md | 14 +- content/docs/reference/api-docs.md | 214 +++++++++++++++--- scripts/gendocs/generate-new-import-path-docs | 31 +-- 4 files changed, 272 insertions(+), 127 deletions(-) diff --git a/content/docs/cli/controller.md b/content/docs/cli/controller.md index 3ea5406815..06d6ff28cf 100644 --- a/content/docs/cli/controller.md +++ b/content/docs/cli/controller.md 
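Review bot: in the `@@ -222,7 +222,7 @@` hunk only the "as of" stamp changes (`2025-11-07` to `2026-03-10`) while no row of the vendor table that follows is touched in this patch. Since the stamp asserts that the "Oldest Kubernetes Release" column and the per-vendor EOL dates were re-evaluated on that date, please confirm the table was actually re-checked against the vendors' current EOL schedules rather than only the date being bumped; the new 1.21 row in the first hunk raises the oldest supported Kubernetes version to 1.33, which is exactly what this table is meant to justify.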
@@ -14,71 +14,77 @@ Usage: controller [flags] Flags: - --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:canary") - --acme-http01-solver-nameservers strings A list of comma separated dns server endpoints used for ACME HTTP01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53 - --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m") - --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") - --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m") - --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") - --acme-http01-solver-run-as-non-root Defines the ability to run the http01 solver as root for troubleshooting issues (default true) - --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate an ingress is requesting a certificate (default [kubernetes.io/tls-acme]) - --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. 
(default true) - --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system") - --concurrent-workers int The number of concurrent workers for each controller. (default 5) - --config string Path to a file containing a ControllerConfiguration object used to configure the controller - --controllers strings A list of controllers to enable. '--controllers=*' enables all on-by-default controllers, '--controllers=foo' enables just the controller named 'foo', '--controllers=*,-foo' disables the controller named 'foo'. - All controllers: issuers, clusterissuers, certificates-metrics, ingress-shim, gateway-shim, orders, challenges, certificaterequests-issuer-acme, certificaterequests-approver, certificaterequests-issuer-ca, certificaterequests-issuer-selfsigned, certificaterequests-issuer-vault, certificaterequests-issuer-venafi, certificates-trigger, certificates-issuing, certificates-key-manager, certificates-request-manager, certificates-readiness, certificates-revision-manager, certificatesigningrequests-issuer-acme, certificatesigningrequests-issuer-ca, certificatesigningrequests-issuer-selfsigned, certificatesigningrequests-issuer-venafi, certificatesigningrequests-issuer-vault (default [*]) - --copied-annotation-prefixes strings Specify which annotations should/shouldn't be copiedfrom Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes.A prefix starting with a dash(-) specifies an annotation that shouldn't be copied. Example: '*,-kubectl.kubernetes.io/'- all annotationswill be copied apart from the ones where the key is prefixed with 'kubectl.kubernetes.io/'. 
(default [*,-kubectl.kubernetes.io/,-fluxcd.io/,-argocd.argoproj.io/]) - --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io") - --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer") - --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource. - --dns01-check-retry-period duration The duration the controller should wait between a propagation check. Despite the name, this flag is used to configure the wait period for both DNS01 and HTTP01 challenge propagation checks. For DNS01 challenges the propagation check verifies that a TXT record with the challenge token has been created. For HTTP01 challenges the propagation check verifies that the challenge token is served at the challenge URL.This should be a valid duration string, for example 180s or 1h (default 10s) - --dns01-recursive-nameservers : A list of comma separated dns server endpoints used for DNS01 and DNS-over-HTTPS (DoH) check requests. This should be a list containing entries of the following formats: : or `https://`. For example: `8.8.8.8:53,8.8.4.4:53,[2001:4860:4860::8888]:53` or `https://1.1.1.1/dns-query,https://8.8.8.8/dns-query`. To make sure ALL DNS requests happen through DoH, `dns01-recursive-nameservers-only` should also be set to true. - --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. 
- --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. - --enable-gateway-api Whether gateway API integration is enabled within cert-manager. The ExperimentalGatewayAPISupport feature gate must also be enabled (default as of 1.15). - --enable-profiling Enable profiling for controller. - --extra-certificate-annotations strings Extra annotation to be added by the ingress-shim controller to certificate object - --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: - ACMEHTTP01IngressPathTypeExact=true|false (BETA - default=true) - AllAlpha=true|false (ALPHA - default=false) - AllBeta=true|false (BETA - default=false) - DefaultPrivateKeyRotationPolicyAlways=true|false (BETA - default=true) - ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false) - ExperimentalGatewayAPISupport=true|false (BETA - default=true) - LiteralCertificateSubject=true|false (BETA - default=true) - NameConstraints=true|false (BETA - default=true) - OtherNames=true|false (ALPHA - default=false) - SecretsFilteredCaching=true|false (BETA - default=true) - ServerSideApply=true|false (ALPHA - default=false) - StableCertificateRequestName=true|false (BETA - default=true) - UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false) - ValidateCAA=true|false (ALPHA - default=false) - -h, --help help for controller - --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. 
When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. - --kube-api-burst int the maximum burst queries-per-second of requests sent to the Kubernetes apiserver (default 50) - --kube-api-qps float32 indicates the maximum queries-per-second requests to the Kubernetes apiserver (default 20) - --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. - --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true) - --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) - --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") - --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) - --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) - --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) - --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text") - --master string Optional apiserver host address to connect to. 
If not specified, autoconfiguration will be attempted. - --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once. (default 60) - --metrics-dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates - --metrics-dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates - --metrics-dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA - --metrics-dynamic-serving-leaf-duration duration leaf duration of serving certificates (default 168h0m0s) - --metrics-listen-address string The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402") - --metrics-tls-cert-file string path to the file containing the TLS certificate to serve with - --metrics-tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. 
Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA - --metrics-tls-min-version string Minimum TLS version supported. If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 - --metrics-tls-private-key-file string path to the file containing the TLS private key to serve with - --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched - --profiler-address string The host and port that Go profiler should listen on, i.e localhost:6060. Ensure that profiler is not exposed on a public address. Profiler will be served at /debug/pprof. (default "localhost:6060") - -v, --v Level number for the log level verbosity - --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format) + --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. 
You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:canary") + --acme-http01-solver-nameservers strings A list of comma separated dns server endpoints used for ACME HTTP01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53 + --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m") + --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m") + --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") + --acme-http01-solver-run-as-non-root Defines the ability to run the http01 solver as root for troubleshooting issues (default true) + --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate an ingress is requesting a certificate (default [kubernetes.io/tls-acme]) + --certificate-request-minimum-backoff-duration duration Duration of the initial certificate request backoff when a certificate request fails. The backoff duration is exponentially increased based on consecutive failures, up to a maximum of 32 hours. (default 1h0m0s) + --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. 
When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true) + --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system") + --concurrent-workers int The number of concurrent workers for each controller. (default 5) + --config string Path to a file containing a ControllerConfiguration object used to configure the controller + --controllers strings A list of controllers to enable. '--controllers=*' enables all on-by-default controllers, '--controllers=foo' enables just the controller named 'foo', '--controllers=*,-foo' disables the controller named 'foo'. + All controllers: issuers, clusterissuers, certificates-metrics, ingress-shim, gateway-shim, orders, challenges, certificaterequests-issuer-acme, certificaterequests-approver, certificaterequests-issuer-ca, certificaterequests-issuer-selfsigned, certificaterequests-issuer-vault, certificaterequests-issuer-venafi, certificates-trigger, certificates-issuing, certificates-key-manager, certificates-request-manager, certificates-readiness, certificates-revision-manager, certificatesigningrequests-issuer-acme, certificatesigningrequests-issuer-ca, certificatesigningrequests-issuer-selfsigned, certificatesigningrequests-issuer-venafi, certificatesigningrequests-issuer-vault (default [*]) + --copied-annotation-prefixes strings Specify which annotations should/shouldn't be copiedfrom Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes.A prefix starting with a dash(-) specifies an annotation that shouldn't be copied. 
Example: '*,-kubectl.kubernetes.io/'- all annotationswill be copied apart from the ones where the key is prefixed with 'kubectl.kubernetes.io/'. (default [*,-kubectl.kubernetes.io/,-fluxcd.io/,-argocd.argoproj.io/]) + --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io") + --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer") + --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource. + --dns01-check-retry-period duration The duration the controller should wait between a propagation check. Despite the name, this flag is used to configure the wait period for both DNS01 and HTTP01 challenge propagation checks. For DNS01 challenges the propagation check verifies that a TXT record with the challenge token has been created. For HTTP01 challenges the propagation check verifies that the challenge token is served at the challenge URL.This should be a valid duration string, for example 180s or 1h (default 10s) + --dns01-recursive-nameservers : A list of comma separated dns server endpoints used for DNS01 and DNS-over-HTTPS (DoH) check requests. This should be a list containing entries of the following formats: : or `https://`. For example: `8.8.8.8:53,8.8.4.4:53,[2001:4860:4860::8888]:53` or `https://1.1.1.1/dns-query,https://8.8.8.8/dns-query`. To make sure ALL DNS requests happen through DoH, `dns01-recursive-nameservers-only` should also be set to true. + --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. 
Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. + --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. + --enable-gateway-api Whether gateway API integration is enabled within cert-manager. The ExperimentalGatewayAPISupport feature gate must also be enabled (default as of 1.15). + --enable-gateway-api-listenerset Whether ListenerSets support is enabled within cert-manager. The ListenerSet feature gate must also be enabled. + --enable-profiling Enable profiling for controller. + --extra-certificate-annotations strings Extra annotation to be added by the ingress-shim controller to certificate object + --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: + ACMEHTTP01IngressPathTypeExact=true|false (BETA - default=true) + AllAlpha=true|false (ALPHA - default=false) + AllBeta=true|false (BETA - default=false) + ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false) + ExperimentalGatewayAPISupport=true|false (BETA - default=true) + ListenerSets=true|false (ALPHA - default=false) + LiteralCertificateSubject=true|false (BETA - default=true) + NameConstraints=true|false (BETA - default=true) + OtherNames=true|false (BETA - default=true) + SecretsFilteredCaching=true|false (BETA - default=true) + ServerSideApply=true|false (ALPHA - default=false) + StableCertificateRequestName=true|false (BETA - default=true) + UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false) + ValidateCAA=true|false (ALPHA - default=false) + -h, --help help for controller + --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 
'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. + --kube-api-burst int the maximum burst queries-per-second of requests sent to the Kubernetes apiserver (default 50) + --kube-api-qps float32 indicates the maximum queries-per-second requests to the Kubernetes apiserver (default 20) + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. + --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) + --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --logging-format string Sets the log format. 
Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text") + --master string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --max-certificate-bundle-size int Maximum size in bytes for PEM-encoded certificate bundles. (default 330000) + --max-certificate-chain-length int Maximum size in bytes for a PEM-encoded certificate chain. (default 95000) + --max-certificate-size int Maximum size in bytes for a single PEM-encoded certificate. Large certificates with many DNS names may need larger values. (default 36500) + --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once. (default 60) + --max-private-key-size int Maximum size in bytes for a single PEM-encoded private key. (default 13000) + --metrics-dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates + --metrics-dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates + --metrics-dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA + --metrics-dynamic-serving-leaf-duration duration leaf duration of serving certificates (default 168h0m0s) + --metrics-listen-address string The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402") + --metrics-tls-cert-file string path to the file containing the TLS certificate to serve with + --metrics-tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. 
Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --metrics-tls-min-version string Minimum TLS version supported. If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --metrics-tls-private-key-file string path to the file containing the TLS private key to serve with + --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched + --profiler-address string The host and port that Go profiler should listen on, i.e localhost:6060. Ensure that profiler is not exposed on a public address. Profiler will be served at /debug/pprof. (default "localhost:6060") + -v, --v Level number for the log level verbosity + --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format) ``` diff --git a/content/docs/cli/webhook.md b/content/docs/cli/webhook.md index 5c5cfce43e..07ba558e68 100644 --- a/content/docs/cli/webhook.md +++ b/content/docs/cli/webhook.md 
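Review bot: the help text for the new `--max-certificate-chain-length` flag reads "Maximum size in bytes for a PEM-encoded certificate chain", so the flag name (length) and its unit (bytes) disagree; the sibling flags are named `--max-certificate-bundle-size`, `--max-certificate-size` and `--max-private-key-size`, so `--max-certificate-chain-size` would be the consistent name. Because `content/docs/cli/controller.md` is generated by `./scripts/gendocs/generate-new-import-path-docs`, that change and the pre-existing typos in the generated text ("copiedfrom", "annotationswill", "URL.This") have to be made in the cert-manager flag definitions, not in this file. Two further points worth carrying beyond the generated reference: the four new byte limits (defaults 330000, 95000, 36500 and 13000) and `--certificate-request-minimum-backoff-duration` (default 1h0m0s, growing exponentially to 32 hours) change runtime behaviour for operators with large bundles or flapping issuers and should be called out in the 1.20 release or upgrade notes; and the feature-gate list drops `DefaultPrivateKeyRotationPolicyAlways`, moves `OtherNames` from "ALPHA - default=false" to "BETA - default=true" and adds `ListenerSets`, so any docs page that tells users to set those gates explicitly needs updating in the same PR.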
@@ -15,27 +15,21 @@ Usage: Flags: --api-server-host string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. + --client-ca-path string The client cert CA used to verify clients contacting webhooks. + --client-subject-names strings One or more client certificate subject names (CN or DNS SAN) that the apiserver may present when contacting the webhook. Should be a comma-separated list. --config string Path to a file containing a WebhookConfiguration object used to configure the webhook --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA --dynamic-serving-leaf-duration duration leaf duration of serving certificates (default 168h0m0s) + --enable-client-verification Enable client cert authenticate of apiserver to webhooks. --enable-profiling Enable profiling for webhook. --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. 
Options are: - ACMEHTTP01IngressPathTypeExact=true|false (BETA - default=true) AllAlpha=true|false (ALPHA - default=false) AllBeta=true|false (BETA - default=false) - DefaultPrivateKeyRotationPolicyAlways=true|false (BETA - default=true) - ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false) - ExperimentalGatewayAPISupport=true|false (BETA - default=true) LiteralCertificateSubject=true|false (BETA - default=true) NameConstraints=true|false (BETA - default=true) - OtherNames=true|false (ALPHA - default=false) - SecretsFilteredCaching=true|false (BETA - default=true) - ServerSideApply=true|false (ALPHA - default=false) - StableCertificateRequestName=true|false (BETA - default=true) - UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false) - ValidateCAA=true|false (ALPHA - default=false) + OtherNames=true|false (BETA - default=true) --healthz-port int32 port number to listen on for insecure healthz connections (default 6080) -h, --help help for webhook --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used diff --git a/content/docs/reference/api-docs.md b/content/docs/reference/api-docs.md index 90d0f48a36..2daefcd1e3 100644 --- a/content/docs/reference/api-docs.md +++ b/content/docs/reference/api-docs.md @@ -1783,6 +1783,22 @@ description: >-
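Review bot: on the `content/docs/cli/webhook.md` hunk above, the help text for the new `--enable-client-verification` flag, "Enable client cert authenticate of apiserver to webhooks.", is ungrammatical; since this file is generated, the fix belongs in the cert-manager flag definition, for example "Enable client certificate authentication of the apiserver to the webhook." The help for `--client-ca-path` and `--client-subject-names` also does not say whether they are required by, or only consulted when, `--enable-client-verification` is set. A short paragraph in the webhook documentation explaining that the three flags together restrict the webhook to callers presenting a certificate from the given CA with one of the listed subject names would help operators who want to ensure only the API server can reach the webhook. The shrinking of the webhook's feature-gate list to the gates the webhook actually consumes looks correct as generated output.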

Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.

+ + + zoneType +
+ + AzureZoneType + + + + (Optional) +

ZoneType determines which type of Azure DNS zone to use.

+

Valid values are: - AzurePublicZone (default): Use a public Azure DNS zone. - AzurePrivateZone: Use an Azure Private DNS zone.

+

If not specified, AzurePublicZone is used.

+

Support for Azure Private DNS zones is currently experimental and may change in future releases.

+ +

ACMEIssuerDNS01ProviderCloudDNS

@@ -2005,7 +2021,7 @@ description: >- (Optional) -

The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

+

The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall back to using env vars, shared credentials file, or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

@@ -2016,7 +2032,7 @@ description: >- (Optional) -

The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

+

The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall back to using env vars, shared credentials file, or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
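Review bot: the rewording in this hunk only changes "fall-back" to "fall back", but the description still opens with "The SecretAccessKey is used for authentication" while the rest of the same sentence says it will "pull the AWS access key ID from a key within a Kubernetes Secret" and "Cannot be set when AccessKeyID is set"; judging by that text the field is the access-key-ID secret reference, and the leading noun reads like a copy-paste from the secret-access-key field. Since api-docs.md is generated, the fix belongs in the Go doc comment on the source type, after which regeneration will pick it up.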

@@ -2027,7 +2043,7 @@ description: >- (Optional) -

The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

+

The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall back to using env vars, shared credentials file, or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

@@ -2203,7 +2219,7 @@ description: >-

AzureManagedIdentity

(Appears on: ACMEIssuerDNS01ProviderAzureDNS)

-

AzureManagedIdentity contains the configuration for Azure Workload Identity or Azure Managed Service Identity If the AZURE_FEDERATED_TOKEN_FILE environment variable is set, the Azure Workload Identity will be used. Otherwise, we fall-back to using Azure Managed Service Identity.

+

AzureManagedIdentity contains the configuration for Azure Workload Identity or Azure Managed Service Identity If the AZURE_FEDERATED_TOKEN_FILE environment variable is set, the Azure Workload Identity will be used. Otherwise, we fall back to using Azure Managed Service Identity.

@@ -2248,6 +2264,31 @@ description: >-
+

AzureZoneType (string alias)

+

(Appears on: ACMEIssuerDNS01ProviderAzureDNS)

+
+ + + + + + + + + + + + + + + + + +
ValueDescription
+

"AzurePrivateZone"

+
+

"AzurePublicZone"

+

CNAMEStrategy (string alias)

(Appears on: ACMEChallengeSolverDNS01)
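Review bot: the new AzureZoneType value table renders both "AzurePrivateZone" and "AzurePublicZone" with an empty Description cell, even though the zoneType field text earlier in the diff spells out what each does ("Use a public Azure DNS zone" / "Use an Azure Private DNS zone") and that the private variant is experimental. Add doc comments on the two constants upstream so the generator fills the table; as it stands a reader who lands on the alias section sees only the bare strings.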

@@ -4181,7 +4222,7 @@ description: >- (Optional)

RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed.

-

If set to Never, a private key will only be generated if one does not already exist in the target spec.secretName. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is Always. The default was changed from Never to Always in cert-manager >=v1.18.0. The new default can be disabled by setting the --feature-gates=DefaultPrivateKeyRotationPolicyAlways=false option on the controller component.

+

If set to Never, a private key will only be generated if one does not already exist in the target spec.secretName. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is Always. The default was changed from Never to Always in cert-manager >=v1.18.0.

@@ -5195,7 +5236,7 @@ description: >- (Optional) -

Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone.

+

Venafi configures this issuer to sign certificates using a CyberArk Certificate Manager Self-Hosted or SaaS policy zone.

@@ -5786,7 +5827,7 @@ description: >-

"PKCS1"

-

PKCS1 private key encoding. PKCS1 produces a PEM block that contains the private key algorithm in the header and the private key in the body. A key that uses this can be recognised by its BEGIN RSA PRIVATE KEY or BEGIN EC PRIVATE KEY header. NOTE: This encoding is not supported for Ed25519 keys. Attempting to use this encoding with an Ed25519 key will be ignored and default to PKCS8.

+

PKCS1 private key encoding. For RSA keys: produces PEM block with BEGIN RSA PRIVATE KEY header and private key in PKCS#1 format. For EC keys: produces PEM block with BEGIN EC PRIVATE KEY header and private key in SEC 1 format. For Ed25519 keys: option will be ignored and PKCS8 encoding will be used instead.

@@ -5833,7 +5874,7 @@ description: >-

ServiceAccountRef

(Appears on: VaultKubernetesAuth)

-

ServiceAccountRef is a service account used by cert-manager to request a token. Default audience is generated by cert-manager and takes the form vault://namespace-name/issuer-name for an Issuer and vault://issuer-name for a ClusterIssuer. The expiration of the token is also set by cert-manager to 10 minutes.

+

ServiceAccountRef is a service account used by cert-manager to request a token. By default two audiences are included: the address of the Vault server as specified on the issuer, and a generated audience taking the form of vault://namespace-name/issuer-name for an Issuer and vault://issuer-name for a ClusterIssuer. The expiration of the token is also set by cert-manager to 10 minutes.

@@ -5861,7 +5902,7 @@ description: >- @@ -6034,7 +6075,7 @@ description: >-

VaultClientCertificateAuth

(Appears on: VaultAuth)

-

VaultKubernetesAuth is used to authenticate against Vault using a client certificate stored in a Secret.

+

VaultClientCertificateAuth is used to authenticate against Vault using a client certificate stored in a Secret.

(Optional) -

TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token consisting of the issuer’s namespace and name is always included.

+

TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default audiences are always included in the token.

@@ -6255,7 +6296,7 @@ description: >-

VenafiCloud

(Appears on: VenafiIssuer)

-

VenafiCloud defines connection configuration details for Venafi Cloud

+

VenafiCloud defines connection configuration details for CyberArk Certificate Manager SaaS

@@ -6273,7 +6314,7 @@ description: >- @@ -6283,7 +6324,7 @@ description: >- github.com/cert-manager/cert-manager/pkg/apis/meta/v1.SecretKeySelector @@ -6291,7 +6332,7 @@ description: >-

VenafiIssuer

(Appears on: IssuerConfig)

-

Configures an issuer to sign certificates using a Venafi TPP or Cloud policy zone.

+

Configures an issuer to sign certificates using a CyberArk Certificate Manager Self-Hosted or SaaS policy zone.

(Optional) -

URL is the base URL for Venafi Cloud. Defaults to “https://api.venafi.cloud/”.

+

URL is the base URL for CyberArk Certificate Manager SaaS. Defaults to “https://api.venafi.cloud/”.

-

APITokenSecretRef is a secret key selector for the Venafi Cloud API token.

+

APITokenSecretRef is a secret key selector for the CyberArk Certificate Manager SaaS API token.

@@ -6308,7 +6349,7 @@ description: >- string @@ -6321,7 +6362,7 @@ description: >- @@ -6334,7 +6375,7 @@ description: >- @@ -6342,7 +6383,7 @@ description: >-

VenafiTPP

(Appears on: VenafiIssuer)

-

VenafiTPP defines connection configuration details for a Venafi TPP instance

+

VenafiTPP defines connection configuration details for a CyberArk Certificate Manager Self-Hosted instance

-

Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required.

+

Zone is the Certificate Manager Policy Zone to use for this issuer. All requests made to the Certificate Manager platform will be restricted by the named zone policy. This field is required.

(Optional) -

TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.

+

TPP specifies CyberArk Certificate Manager Self-Hosted configuration settings. Only one of CyberArk Certificate Manager may be specified.

(Optional) -

Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified.

+

Cloud specifies the CyberArk Certificate Manager SaaS configuration settings. Only one of CyberArk Certificate Manager may be specified.
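Review bot: the two mutual-exclusion sentences in this hunk lost their alternatives in the rename: "Only one of TPP or Cloud may be specified" became "Only one of CyberArk Certificate Manager may be specified", which no longer names two things. Suggest "Only one of TPP (CyberArk Certificate Manager Self-Hosted) or Cloud (CyberArk Certificate Manager SaaS) may be specified", keeping the actual field names since those are what users write in the manifest. The Zone description also says "Certificate Manager Policy Zone" and "Certificate Manager platform" without the "CyberArk" prefix used everywhere else in the hunk; pick one form and use it consistently.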

@@ -6359,7 +6400,7 @@ description: >- string @@ -6369,7 +6410,7 @@ description: >- github.com/cert-manager/cert-manager/pkg/apis/meta/v1.LocalObjectReference @@ -6380,7 +6421,7 @@ description: >- @@ -6391,7 +6432,7 @@ description: >- @@ -6659,7 +6700,8 @@ description: >- string @@ -6764,6 +6806,16 @@ description: >-

Whether gateway API integration is enabled within cert-manager. The ExperimentalGatewayAPISupport feature gate must also be enabled (default as of 1.15).

+ + + + + + + + + + + +
-

URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: “https://tpp.example.com/vedsdk”.

+

URL is the base URL for the vedsdk endpoint of the CyberArk Certificate Manager Self-Hosted instance, for example: “https://tpp.example.com/vedsdk”.

-

CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. The secret must contain the key ‘access-token’ for the Access Token Authentication, or two keys, ‘username’ and ‘password’ for the API Keys Authentication.

+

CredentialsRef is a reference to a Secret containing the CyberArk Certificate Manager Self-Hosted API credentials. The secret must contain the key ‘access-token’ for the Access Token Authentication, or two keys, ‘username’ and ‘password’ for the API Keys Authentication.

(Optional) -

Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.

+

Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the CyberArk Certificate Manager Self-Hosted server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.

(Optional) -

Reference to a Secret containing a base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.

+

Reference to a Secret containing a base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the CyberArk Certificate Manager Self-Hosted server. Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.

-

apiServerHost is used to override the API server connection address. Deprecated: use kubeConfig instead.

+

apiServerHost is used to override the API server connection address.

+

Deprecated: use kubeConfig instead.

+ enableGatewayAPIListenerSet +
+ bool +
+

Specifies whether the ListenerSet controller should be enabled with-in cert-manager. This along with ListenerSet feature gate enabled allows the user to consume ListenerSet for self-service TLS.

+
copiedAnnotationPrefixes @@ -6870,7 +6922,7 @@ description: >-
- ingressShimConfig + ingressShimConfig,omitzero
IngressShimConfig @@ -6882,7 +6934,7 @@ description: >-
- acmeHTTP01Config + acmeHTTP01Config,omitzero
ACMEHTTP01Config @@ -6894,7 +6946,7 @@ description: >-
- acmeDNS01Config + acmeDNS01Config,omitzero
ACMEDNS01Config @@ -6904,6 +6956,28 @@ description: >-

acmeDNS01Config configures the behaviour of the ACME DNS01 challenge solver

+ pemSizeLimitsConfig,omitzero +
+ + PEMSizeLimitsConfig + +
+

pemSizeLimitsConfig configures the maximum sizes for PEM-encoded data

+
+ certificateRequestMinimumBackoffDuration +
+ github.com/cert-manager/cert-manager/pkg/apis/config/shared/v1alpha1.Duration +
+

CertificateRequestMinimumBackoffDuration configures the initial backoff duration when a certificate request fails. This duration is exponentially increased (up to a maximum of 32 hours) based on the number of consecutive failures.

+

IngressShimConfig
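Review bot: the field-name column leaks the JSON struct-tag option into the documentation: this hunk shows `pemSizeLimitsConfig,omitzero`, and the three preceding hunks turn `ingressShimConfig`, `acmeHTTP01Config` and `acmeDNS01Config` into `ingressShimConfig,omitzero` and so on. Those are not names a user can put in a ControllerConfiguration. Other fields in the same file keep a clean name, so the generator is not stripping the `omitzero` option from the tag the way it strips other options; fix or upgrade gen-crd-api-reference-docs, or post-process the output before committing, rather than shipping the tag option as the documented field name.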

@@ -7002,6 +7076,59 @@ description: >- +

PEMSizeLimitsConfig

+

(Appears on: ControllerConfiguration)

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+ maxCertificateSize +
+ int32 +
+

Maximum size for a single PEM-encoded certificate (in bytes). Defaults to 36500 bytes.

+
+ maxPrivateKeySize +
+ int32 +
+

Maximum size for a single PEM-encoded private key (in bytes). Defaults to 13000 bytes.

+
+ maxChainLength +
+ int32 +
+

Maximum size for a PEM-encoded certificate chain (in bytes). Defaults to 95000 bytes.

+
+ maxBundleSize +
+ int32 +
+

Maximum size for PEM-encoded certificate bundles (in bytes). Defaults to 330000 bytes.

+

webhook.config.cert-manager.io/v1alpha1
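Review bot: the maxChainLength description reads "Maximum size for a PEM-encoded certificate chain (in bytes)", while the name says "length", which in chain context usually means the number of certificates; the other three fields are named *Size and are also in bytes, so either the name or the description should make clear this is a byte limit, not a depth limit. This matters because these four values (36500 / 13000 / 95000 / 330000 bytes by default) are what caps how much PEM the controller will parse, and someone tuning them for a long chain needs to know which unit applies. The doc comment upstream is the place to fix it.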

@@ -7066,7 +7193,8 @@ description: >- string -

apiServerHost is used to override the API server connection address. Deprecated: use kubeConfig instead.

+

apiServerHost is used to override the API server connection address.

+

Deprecated: use kubeConfig instead.

@@ -7133,9 +7261,39 @@ description: >-

metricsTLSConfig is used to configure the metrics server TLS settings.

+ + + enableClientVerification +
+ bool + + +

EnableClientVerification turns on client verification of requests made to the webhook server

+ + + + + clientCAPath +
+ string + + +

ClientCAPath is the CA certificate name which server used to verify remote(client)’s certificate. Defaults to “”, which means server does not verify client’s certificate.

+ + + + + clientCertificateSubjects +
+ []string + + +

ClientCertificateSubjects is a list of acceptable subject names for client certificates used by the apiserver to contact webhooks. Each entry will be matched against the certificate’s CommonName and DNS SubjectAltNames. Multiple values allow zero-downtime rotations.

+ +

- Generated with gen-crd-api-reference-docs on git commit 83820a0. + Generated with gen-crd-api-reference-docs on git commit 0d2f215.
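Review bot: the relationship between enableClientVerification and clientCAPath is left implicit: clientCAPath says the empty default "means server does not verify client's certificate", but enableClientVerification only says it "turns on client verification" and does not say what happens when it is true and clientCAPath is empty (startup error, or silently no verification?). State the precedence in the doc comment, since this is the setting that decides whether the webhook authenticates the apiserver at all. The matching CLI hunk in webhook.md has the same gap plus a grammar slip in the help text ("Enable client cert authenticate of apiserver to webhooks" should read "Enable client certificate authentication of the apiserver to webhooks"); both texts come from the cert-manager source, so fix there and regenerate. The clientCertificateSubjects sentence about multiple values allowing zero-downtime rotation is a useful addition and can stay as is.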

diff --git a/scripts/gendocs/generate-new-import-path-docs b/scripts/gendocs/generate-new-import-path-docs index 503e388435..8b4557eee9 100755 --- a/scripts/gendocs/generate-new-import-path-docs +++ b/scripts/gendocs/generate-new-import-path-docs 
@@ -136,30 +136,17 @@ $output EOF } -# The branches named here exist in the `cert-manager/cert-manager` repo. - -# Note that we cannot generate docs for any version before 1.8 using this script! -# In 1.8 we changed the import path, and gen-crd-api-reference-docs doesn't seem module-aware -# This script is _only_ for generating docs for versions of cert-manager with the -# github.com/cert-manager/cert-manager import path! - -LATEST_VERSION="docs" # to also upgrade a specific version, use v1.13-docs, v1.12-docs, etc. - -#genversionwithcli "release-1.8" "v1.8-docs" -#genversionwithcli "release-1.9" "v1.9-docs" -#genversionwithcli "release-1.10" "v1.10-docs" -#genversionwithcli "release-1.11" "v1.11-docs" -#genversionwithcli "release-1.12" "v1.12-docs" -#genversionwithcli "release-1.13" "v1.13-docs" -#genversionwithcli "release-1.14" "v1.14-docs" -#genversionwithcli "release-1.15" "v1.15-docs" -#genversionwithcli "release-1.16" "v1.16-docs" -#genversionwithcli "release-1.17" "v1.17-docs" -genversionwithcli "release-1.19" "$LATEST_VERSION" +# For final releases such as v1.20.0, DOCS_FOLDER should be `docs` (or a +# versioned docs folder name such as `v1.20-docs`), and CM_BRANCH should be +# the release branch, e.g. `release-1.20`. +CM_BRANCH="release-1.20" +DOCS_FOLDER="docs" + +genversionwithcli "$CM_BRANCH" "$DOCS_FOLDER" # Rather than generate the same docs again for /docs, copy from the latest version -cp -r "${REPO_ROOT}/content/${LATEST_VERSION}/cli" "${REPO_ROOT}/content/docs/" -cp "${REPO_ROOT}/content/${LATEST_VERSION}/reference/api-docs.md" "${REPO_ROOT}/content/docs/reference/" +cp -r "${REPO_ROOT}/content/${DOCS_FOLDER}/cli" "${REPO_ROOT}/content/docs/" +cp "${REPO_ROOT}/content/${DOCS_FOLDER}/reference/api-docs.md" "${REPO_ROOT}/content/docs/reference/" echo "Generated reference documentation for cert-manager versions with the github.com/cert-manager/cert-manager import path"
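Review bot: with DOCS_FOLDER="docs", as set in this hunk, the two `cp` lines at the end copy `content/docs/cli` and `content/docs/reference/api-docs.md` onto themselves, which GNU cp rejects; the comment above them ("Rather than generate the same docs again for /docs, copy from the latest version") only makes sense when DOCS_FOLDER is a versioned folder such as `v1.20-docs`. Guard them, e.g. `if [ "$DOCS_FOLDER" != "docs" ]; then ... fi`, or drop them now that the script generates straight into `docs`. Also, the deleted comment block carried the one documented constraint on this script (it only works for releases using the `github.com/cert-manager/cert-manager` import path, i.e. 1.8 and later); that now survives only in the final echo line, so keep a one-line version of it next to CM_BRANCH.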