Skip to content

Release cert-manager v1.21.0#2202

Merged
cert-manager-prow[bot] merged 39 commits into
masterfrom
release-next
Jul 8, 2026
Merged

Release cert-manager v1.21.0#2202
cert-manager-prow[bot] merged 39 commits into
masterfrom
release-next

Conversation

@wallrj-cyberark

@wallrj-cyberark wallrj-cyberark commented Jul 8, 2026

Copy link
Copy Markdown
Member

Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/releases/release-notes/release-notes-1.21/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/releases/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/releases/upgrading/upgrading-1.20-1.21/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/installation/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/usage/gateway/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/configuration/acme/
Preview: https://deploy-preview-2202--cert-manager.netlify.app/docs/configuration/venafi/

Summary

Merge release-next into master to publish the v1.21.0 documentation.

This brings in all content developed on the release-next branch during the v1.21 cycle:

  • v1.21.0 release notes and upgrading guide (1.20 → 1.21)
  • Updated API reference docs (regenerated from release-1.21)
  • New documentation for ARI, waitInsteadOfSelfCheck, renewal policies, AWS IAM Vault auth, Gateway API improvements, and PANW NGTS Venafi support
  • Updated CLI reference (controller, cainjector)
  • Spelling dictionary updates
  • variables.json version bump to v1.21.0
  • Supported releases page updated (1.21 promoted, 1.19 moved to old releases)
  • generate-new-import-path-docs script updated for release-1.21

Motivation

Final step of the v1.21.0 release process. Merges the release-next branch into master now that the freeze docs PR (#2200) has been merged.

See: Release Process — Merge release-next

Prior art: #2136 (v1.20.0)

hjoshi123 and others added 30 commits April 23, 2026 11:43
Signed-off-by: hjoshi123 <mail@hjoshi.me>
Signed-off-by: hjoshi123 <hemant.joshi@vizio.com>
Signed-off-by: Adam Talbot <adamtalbot93@googlemail.com>

Agent-Logs-Url: https://github.com/cert-manager/website/sessions/da9fb3ce-9f2a-46e3-885e-a42f48313a26

Co-authored-by: ThatsMrTalbot <15379715+ThatsMrTalbot@users.noreply.github.com>
…nstall

Update docs for Gateway API nested config fields
…effallback annotation (#2095)

* docs: update ListenerSet example to use http01-parentreffallback annotation

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* docs: document http01-parentreffallback as alternative ListenerSet pattern

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* docs: remove Alternative from doc heading

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

* chore: add parentrefnamespace and parentreffallback to .spelling file

Signed-off-by: apkatsikas <apkatsikas@gmail.com>

---------

Signed-off-by: apkatsikas <apkatsikas@gmail.com>
Co-authored-by: apkatsikas <apkatsikas@gmail.com>
Signed-off-by: Richard Wall <richard@the-moon.net>
…ster-20260521

Sync the release-next branch with master
Add the boilerplate content for release-1.21 release notes
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Co-authored-by: Mael Valais <mael@vls.dev>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
Co-authored-by: Mael Valais <mael@vls.dev>
Reapply #2117 (document 2 new Venafi client metrics)
Signed-off-by: Maël Valais <mael@vls.dev>
Fix wording: NGTS stands for Security, not Services
…t-with-master-20260623

Sync the release-next branch with master
Document the breaking change from cert-manager/cert-manager#8931 which
removes the default tokenrequest Role and RoleBinding from the Helm
chart. Add an upgrading note with migration guidance and a release note
entry under Major Themes with the ⚠️ Breaking change callout.

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…uest-rbac-docs

Add upgrade note for tokenrequest RBAC removal in 1.21
Add documentation for the waitInsteadOfSelfCheck solver option for
ACME HTTP01 and DNS01 challenges, introduced in cert-manager v1.21.

- ACME configuration page: new section explaining the feature, when to
  use it, behaviour with zero and negative durations, and an example
  Issuer/ClusterIssuer configuration
- Troubleshooting page: new section linking waitInsteadOfSelfCheck as a
  workaround for environments where the self-check cannot succeed
- Release notes: major theme entry and changelog feature entry
- .spelling: add waitInsteadOfSelfCheck

Part of cert-manager/cert-manager#1292.
Cross-reference: cert-manager/cert-manager#8858.

Signed-off-by: Richard Wall <richard@the-moon.net>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Document ACME delayed challenge acceptance
Add a Major Themes entry to the 1.21 release notes explaining the
webhook serving certificate renewal fix for system suspend and VM live
migration (cert-manager/cert-manager#8464).

Add a note to the webhook concepts page about the renewal resilience
improvement in 1.21.

Expand the troubleshooting section for "x509: certificate has expired"
with the system suspend root cause and the upgrade path.

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Document webhook certificate renewal after system suspend
Merge the master branch into release-next
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…c-docs

Document ACME Challenge and Order RBAC restriction for v1.21
Add release notes and upgrade notes for the removal of
prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path,
and prometheus.podmonitor.path Helm values, and the controller Service
metrics port rename from tcp-prometheus-servicemonitor to http-metrics.

Relates: cert-manager/cert-manager#8952

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Document Helm metrics cleanup breaking change for 1.21
- Add Major Themes section for the new --certificate-request-maximum-backoff-duration
  controller flag, with links to the CLI reference, ControllerConfiguration API,
  and FAQ retry section.
- Add Feature changelog entry for cert-manager/cert-manager#8893.
- Update FAQ to mention both backoff flags are now configurable.

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…x-backoff-release-notes

Document configurable CertificateRequest max backoff duration for v1.21
Populate the contributors, maintainers, steering committee, and v1.21.0
changelog sections using the release-notes generator tool
(scripts/release-notes).

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
wallrj-cyberark and others added 9 commits July 1, 2026 08:02
- Update gendocs script to pull from release-1.21 branch
- Regenerate content/docs/reference/api-docs.md from release-1.21
- Regenerate content/docs/cli/{cainjector,controller}.md from release-1.21

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
- Rewrote the intro summary to list all new features alongside breaking changes
- Added major theme sections for: ARI (RFC 9773), AWS IAM auth for Vault,
  Modern2026 PKCS#12 profile, certificate renewal policies, Gateway API
  improvements (ListenerSet parentRef fallback, ignore-tls-listeners,
  additional protocols, enableGatewayAPI restructure), cainjector improvements
  (CAInjectorMerging GA, SSA unconditional, --ignore-namespaces flag),
  Venafi integration updates (OAuth observability, PANW NGTS support),
  ACME security hardening (GHSA-8rvj-mm4h-c258, transient error retry),
  and a Notable Bug Fixes subsection covering integer overflow, infinite
  re-issuance loop, DNS issuer validation, Vault path traversal, and DoH OOM
- Added new GitHub handles and terms to .spelling allowlist

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
[release-1.21] Release cert-manager v1.21.0-beta.0
- Remove draft warning admonition
- Remove all references to reverted PR #8948 (ACME Challenge/Order
  immutability hardening); the RBAC restriction (#8958) is sufficient
- Add changelog entry for #8976 (acmesolver.runtimeClassName)
- Replace bullet-list introduction with a short prose paragraph
- Consolidate 11 individual feature headings into 3 themed sections
  matching the v1.18/v1.19 format
- Trim breaking change sections and bug fix entries for brevity

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…1.21-final

Finalise v1.21.0 release notes
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…se-next

Merge origin/master into release-next
@cert-manager-prow cert-manager-prow Bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 8, 2026
@wallrj-cyberark wallrj-cyberark requested a review from Copilot July 8, 2026 22:39
@netlify

netlify Bot commented Jul 8, 2026

Copy link
Copy Markdown

Deploy Preview for cert-manager ready!

Name Link
🔨 Latest commit 1068186
🔍 Latest deploy log https://app.netlify.com/projects/cert-manager/deploys/6a4ed19afd0b17000861f201
😎 Deploy Preview https://deploy-preview-2202--cert-manager.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the website documentation to reflect the cert-manager v1.21.0 release, including version bumps, new release/upgrade pages, and documentation updates for newly added/changed features and configuration keys.

Changes:

  • Bump “latest cert-manager version” references and release-branch tooling to v1.21.0 / release-1.21.
  • Add v1.21 release notes and an upgrade guide (1.20 → 1.21), and wire them into the docs manifest/navigation.
  • Update multiple docs pages to match v1.21 behavior and configuration (e.g., Gateway API Helm values restructure, ACME self-check escape hatch, webhook suspend behavior, new flags/metrics).

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
scripts/gendocs/generate-new-import-path-docs Update docs-generation script to point at the release-1.21 branch.
content/docs/variables.json Update “latest version” to v1.21.0.
content/docs/usage/gateway.md Update Gateway API Helm values structure and add ListenerSet HTTP01 parentRef fallback docs + example.
content/docs/usage/certificate.md Add documentation for certificate renewal windows/policies.
content/docs/troubleshooting/webhook.md Document known webhook cert expiry cause related to suspend/migration pre-1.21 and recommend upgrade.
content/docs/troubleshooting/acme.md Add guidance for environments where self-check fails but ACME validation can succeed; point to waitInsteadOfSelfCheck.
content/docs/releases/upgrading/upgrading-1.20-1.21.md New upgrade guide capturing v1.21 breaking changes.
content/docs/releases/release-notes/release-notes-1.21.md New v1.21 release notes page.
content/docs/releases/README.md Add 1.21 to supported releases, update upcoming releases, and adjust EOL tables/links.
content/docs/reference/api-docs.md Regenerated API reference docs to include v1.21 API/flag updates.
content/docs/manifest.json Add navigation entries for v1.21 release notes and upgrade guide.
content/docs/installation/configuring-components.md Update config example to new gatewayAPI.enabled structure.
content/docs/faq/README.md Update backoff documentation to mention configurable min/max flags/values.
content/docs/devops-tips/prometheus-metrics.md Add documentation for Venafi OAuth token Prometheus metrics.
content/docs/configuration/venafi.md Expand issuer docs to include Palo Alto Networks NGTS setup and reference.
content/docs/configuration/acme/README.md Document waitInsteadOfSelfCheck behavior and usage.
content/docs/configuration/acme/http01/README.md Update Helm values example/command to new gatewayAPI.enabled structure.
content/docs/concepts/webhook.md Note webhook serving-cert renewal resilience to suspend/migration since 1.21.
content/docs/cli/controller.md Document new controller flags/feature gates (ACMEUseARI, backoff max, runtime class name, extra labels, etc.).
content/docs/cli/cainjector.md Update cainjector flags to include --ignore-namespaces and remove the now-GA CAInjectorMerging feature gate flag.
.spelling Add new domain terms and contributor names to the spelling whitelist.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

- **ACME Renewal Information (ARI)**: experimental support for [RFC 9773](https://www.rfc-editor.org/rfc/rfc9773) behind the `ACMEUseARI` feature gate. When enabled, cert-manager queries the ACME server's `renewalInfo` endpoint for the recommended renewal window, allowing servers like Let's Encrypt to proactively prompt renewal during mass revocations or CA key rollovers. ([#8798](https://github.com/cert-manager/cert-manager/pull/8798))
- **`waitInsteadOfSelfCheck` solver option**: skip cert-manager's own self-check and instead wait a configured duration before asking the ACME server to validate. An escape hatch for split-horizon DNS and NAT hairpin environments. See [configuration details](../../configuration/acme/README.md#skip-the-self-check-with-waitinsteadofselfcheck). ([#8858](https://github.com/cert-manager/cert-manager/pull/8858))
- **AWS IAM authentication for Vault**: the Vault issuer now supports IRSA, EKS Pod Identity, and ambient EC2/ECS credentials, removing the need for long-lived AWS Secrets. ([#8422](https://github.com/cert-manager/cert-manager/pull/8422))
- **Certificate renewal policies**: a new `renewalPolicies` field on the Certificate API provides more expressive control over renewal scheduling, complementing `renewBefore` and `renewBeforePercentage`. ([#8258](https://github.com/cert-manager/cert-manager/pull/8258))
minute (0-59)
```
For example:
- `0 0 * * *` - everyday at `00:00`.
Comment on lines +408 to +412
> Care should be taken to ensure that there is at least one valid renewal window between the
> calculated renewal time and the certificate's expiry. If no valid window exists, cert-manager
> cannot calculate a renewal time and the Certificate status will report an error. However, the renewal
> will still happen at the calculated `desiredRenewalTime` using the `spec.renewBefore`/ `spec.renewBeforePercentage` fields.
> This behavior is intentional and is done to avoid certificates from expiring due to window misconfiguration.
Comment on lines +739 to +745
listeners:
- name: http
protocol: HTTP
port: 80
allowedListeners:
namespaces:
from: All
@wallrj-cyberark

Copy link
Copy Markdown
Member Author

self merging. I'll address those copilot comments in followup PRs.

@wallrj-cyberark wallrj-cyberark added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. labels Jul 8, 2026
@cert-manager-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow Bot merged commit b77ea65 into master Jul 8, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. lgtm Indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants