Release cert-manager v1.21.0#2202
Conversation
Signed-off-by: hjoshi123 <mail@hjoshi.me> Signed-off-by: hjoshi123 <hemant.joshi@vizio.com>
Signed-off-by: Adam Talbot <adamtalbot93@googlemail.com> Agent-Logs-Url: https://github.com/cert-manager/website/sessions/da9fb3ce-9f2a-46e3-885e-a42f48313a26 Co-authored-by: ThatsMrTalbot <15379715+ThatsMrTalbot@users.noreply.github.com>
…nstall Update docs for Gateway API nested config fields
…effallback annotation (#2095) * docs: update ListenerSet example to use http01-parentreffallback annotation Signed-off-by: apkatsikas <apkatsikas@gmail.com> * docs: document http01-parentreffallback as alternative ListenerSet pattern Signed-off-by: apkatsikas <apkatsikas@gmail.com> * docs: remove Alternative from doc heading Signed-off-by: apkatsikas <apkatsikas@gmail.com> * chore: add parentrefnamespace and parentreffallback to .spelling file Signed-off-by: apkatsikas <apkatsikas@gmail.com> --------- Signed-off-by: apkatsikas <apkatsikas@gmail.com> Co-authored-by: apkatsikas <apkatsikas@gmail.com>
Signed-off-by: Richard Wall <richard@the-moon.net>
…ster-20260521 Sync the release-next branch with master
Add the boilerplate content for release-1.21 release notes
Signed-off-by: felix.phipps <felix.phipps@cyberark.com> Co-authored-by: Mael Valais <mael@vls.dev>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com> Co-authored-by: Mael Valais <mael@vls.dev>
Reapply #2114 (NGTS documentation)
Reapply #2117 (document 2 new Venafi client metrics)
Signed-off-by: Maël Valais <mael@vls.dev>
Fix wording: NGTS stands for Security, not Services
…-next-with-master-20260623
…t-with-master-20260623 Sync the release-next branch with master
Document the breaking change from cert-manager/cert-manager#8931 which removes the default tokenrequest Role and RoleBinding from the Helm chart. Add an upgrading note with migration guidance and a release note entry under Major Themes with the⚠️ Breaking change callout. Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…uest-rbac-docs Add upgrade note for tokenrequest RBAC removal in 1.21
Add documentation for the waitInsteadOfSelfCheck solver option for ACME HTTP01 and DNS01 challenges, introduced in cert-manager v1.21. - ACME configuration page: new section explaining the feature, when to use it, behaviour with zero and negative durations, and an example Issuer/ClusterIssuer configuration - Troubleshooting page: new section linking waitInsteadOfSelfCheck as a workaround for environments where the self-check cannot succeed - Release notes: major theme entry and changelog feature entry - .spelling: add waitInsteadOfSelfCheck Part of cert-manager/cert-manager#1292. Cross-reference: cert-manager/cert-manager#8858. Signed-off-by: Richard Wall <richard@the-moon.net> Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Document ACME delayed challenge acceptance
Add a Major Themes entry to the 1.21 release notes explaining the webhook serving certificate renewal fix for system suspend and VM live migration (cert-manager/cert-manager#8464). Add a note to the webhook concepts page about the renewal resilience improvement in 1.21. Expand the troubleshooting section for "x509: certificate has expired" with the system suspend root cause and the upgrade path. Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Document webhook certificate renewal after system suspend
Merge the master branch into release-next
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…c-docs Document ACME Challenge and Order RBAC restriction for v1.21
Add release notes and upgrade notes for the removal of prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path, and prometheus.podmonitor.path Helm values, and the controller Service metrics port rename from tcp-prometheus-servicemonitor to http-metrics. Relates: cert-manager/cert-manager#8952 Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Document Helm metrics cleanup breaking change for 1.21
- Add Major Themes section for the new --certificate-request-maximum-backoff-duration controller flag, with links to the CLI reference, ControllerConfiguration API, and FAQ retry section. - Add Feature changelog entry for cert-manager/cert-manager#8893. - Update FAQ to mention both backoff flags are now configurable. Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…x-backoff-release-notes Document configurable CertificateRequest max backoff duration for v1.21
Populate the contributors, maintainers, steering committee, and v1.21.0 changelog sections using the release-notes generator tool (scripts/release-notes). Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
- Update gendocs script to pull from release-1.21 branch
- Regenerate content/docs/reference/api-docs.md from release-1.21
- Regenerate content/docs/cli/{cainjector,controller}.md from release-1.21
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
- Rewrote the intro summary to list all new features alongside breaking changes - Added major theme sections for: ARI (RFC 9773), AWS IAM auth for Vault, Modern2026 PKCS#12 profile, certificate renewal policies, Gateway API improvements (ListenerSet parentRef fallback, ignore-tls-listeners, additional protocols, enableGatewayAPI restructure), cainjector improvements (CAInjectorMerging GA, SSA unconditional, --ignore-namespaces flag), Venafi integration updates (OAuth observability, PANW NGTS support), ACME security hardening (GHSA-8rvj-mm4h-c258, transient error retry), and a Notable Bug Fixes subsection covering integer overflow, infinite re-issuance loop, DNS issuer validation, Vault path traversal, and DoH OOM - Added new GitHub handles and terms to .spelling allowlist Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
[release-1.21] Release cert-manager v1.21.0-beta.0
- Remove draft warning admonition - Remove all references to reverted PR #8948 (ACME Challenge/Order immutability hardening); the RBAC restriction (#8958) is sufficient - Add changelog entry for #8976 (acmesolver.runtimeClassName) - Replace bullet-list introduction with a short prose paragraph - Consolidate 11 individual feature headings into 3 themed sections matching the v1.18/v1.19 format - Trim breaking change sections and bug fix entries for brevity Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…1.21-final Finalise v1.21.0 release notes
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…se-next Merge origin/master into release-next
✅ Deploy Preview for cert-manager ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
Pull request overview
This PR updates the website documentation to reflect the cert-manager v1.21.0 release, including version bumps, new release/upgrade pages, and documentation updates for newly added/changed features and configuration keys.
Changes:
- Bump “latest cert-manager version” references and release-branch tooling to v1.21.0 / release-1.21.
- Add v1.21 release notes and an upgrade guide (1.20 → 1.21), and wire them into the docs manifest/navigation.
- Update multiple docs pages to match v1.21 behavior and configuration (e.g., Gateway API Helm values restructure, ACME self-check escape hatch, webhook suspend behavior, new flags/metrics).
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/gendocs/generate-new-import-path-docs | Update docs-generation script to point at the release-1.21 branch. |
| content/docs/variables.json | Update “latest version” to v1.21.0. |
| content/docs/usage/gateway.md | Update Gateway API Helm values structure and add ListenerSet HTTP01 parentRef fallback docs + example. |
| content/docs/usage/certificate.md | Add documentation for certificate renewal windows/policies. |
| content/docs/troubleshooting/webhook.md | Document known webhook cert expiry cause related to suspend/migration pre-1.21 and recommend upgrade. |
| content/docs/troubleshooting/acme.md | Add guidance for environments where self-check fails but ACME validation can succeed; point to waitInsteadOfSelfCheck. |
| content/docs/releases/upgrading/upgrading-1.20-1.21.md | New upgrade guide capturing v1.21 breaking changes. |
| content/docs/releases/release-notes/release-notes-1.21.md | New v1.21 release notes page. |
| content/docs/releases/README.md | Add 1.21 to supported releases, update upcoming releases, and adjust EOL tables/links. |
| content/docs/reference/api-docs.md | Regenerated API reference docs to include v1.21 API/flag updates. |
| content/docs/manifest.json | Add navigation entries for v1.21 release notes and upgrade guide. |
| content/docs/installation/configuring-components.md | Update config example to new gatewayAPI.enabled structure. |
| content/docs/faq/README.md | Update backoff documentation to mention configurable min/max flags/values. |
| content/docs/devops-tips/prometheus-metrics.md | Add documentation for Venafi OAuth token Prometheus metrics. |
| content/docs/configuration/venafi.md | Expand issuer docs to include Palo Alto Networks NGTS setup and reference. |
| content/docs/configuration/acme/README.md | Document waitInsteadOfSelfCheck behavior and usage. |
| content/docs/configuration/acme/http01/README.md | Update Helm values example/command to new gatewayAPI.enabled structure. |
| content/docs/concepts/webhook.md | Note webhook serving-cert renewal resilience to suspend/migration since 1.21. |
| content/docs/cli/controller.md | Document new controller flags/feature gates (ACMEUseARI, backoff max, runtime class name, extra labels, etc.). |
| content/docs/cli/cainjector.md | Update cainjector flags to include --ignore-namespaces and remove the now-GA CAInjectorMerging feature gate flag. |
| .spelling | Add new domain terms and contributor names to the spelling whitelist. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - **ACME Renewal Information (ARI)**: experimental support for [RFC 9773](https://www.rfc-editor.org/rfc/rfc9773) behind the `ACMEUseARI` feature gate. When enabled, cert-manager queries the ACME server's `renewalInfo` endpoint for the recommended renewal window, allowing servers like Let's Encrypt to proactively prompt renewal during mass revocations or CA key rollovers. ([#8798](https://github.com/cert-manager/cert-manager/pull/8798)) | ||
| - **`waitInsteadOfSelfCheck` solver option**: skip cert-manager's own self-check and instead wait a configured duration before asking the ACME server to validate. An escape hatch for split-horizon DNS and NAT hairpin environments. See [configuration details](../../configuration/acme/README.md#skip-the-self-check-with-waitinsteadofselfcheck). ([#8858](https://github.com/cert-manager/cert-manager/pull/8858)) | ||
| - **AWS IAM authentication for Vault**: the Vault issuer now supports IRSA, EKS Pod Identity, and ambient EC2/ECS credentials, removing the need for long-lived AWS Secrets. ([#8422](https://github.com/cert-manager/cert-manager/pull/8422)) | ||
| - **Certificate renewal policies**: a new `renewalPolicies` field on the Certificate API provides more expressive control over renewal scheduling, complementing `renewBefore` and `renewBeforePercentage`. ([#8258](https://github.com/cert-manager/cert-manager/pull/8258)) |
| minute (0-59) | ||
| ``` | ||
| For example: | ||
| - `0 0 * * *` - everyday at `00:00`. |
| > Care should be taken to ensure that there is at least one valid renewal window between the | ||
| > calculated renewal time and the certificate's expiry. If no valid window exists, cert-manager | ||
| > cannot calculate a renewal time and the Certificate status will report an error. However, the renewal | ||
| > will still happen at the calculated `desiredRenewalTime` using the `spec.renewBefore`/ `spec.renewBeforePercentage` fields. | ||
| > This behavior is intentional and is done to avoid certificates from expiring due to window misconfiguration. |
| listeners: | ||
| - name: http | ||
| protocol: HTTP | ||
| port: 80 | ||
| allowedListeners: | ||
| namespaces: | ||
| from: All |
|
self merging. I'll address those copilot comments in followup PRs. |
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/releases/release-notes/release-notes-1.21/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/releases/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/releases/upgrading/upgrading-1.20-1.21/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/installation/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/usage/gateway/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/configuration/acme/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/configuration/venafi/
Summary
Merge
release-nextintomasterto publish the v1.21.0 documentation.This brings in all content developed on the
release-nextbranch during the v1.21 cycle:release-1.21)waitInsteadOfSelfCheck, renewal policies, AWS IAM Vault auth, Gateway API improvements, and PANW NGTS Venafi supportvariables.jsonversion bump tov1.21.0generate-new-import-path-docsscript updated forrelease-1.21Motivation
Final step of the v1.21.0 release process. Merges the
release-nextbranch intomasternow that the freeze docs PR (#2200) has been merged.See: Release Process — Merge
release-nextPrior art: #2136 (v1.20.0)