[master] (release 1.20) Merge release-next into master #2001
cert-manager-prow[bot] merged 26 commits into master
Sync the release-next branch with master
- Add v1.20 release notes file
- Update releases manifest and README to include 1.20 and upgrade guide
- Add v1.20 to .spelling
- Set cert_manager_latest_version to v1.20.0-alpha.0
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
…er-1.20.0-alpha.0 Add cert-manager 1.20 release notes
…ride-ingress-ingressclassname" Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
…ingressclassname" Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
Co-authored-by: Ashley Davis <SgtCoDFish@users.noreply.github.com> Signed-off-by: Yuedong Wu <57584831+lunarwhite@users.noreply.github.com>
Add doc content for new Ingress annotation `http01-ingress-ingressclassname`
…master Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Merge the master branch into release-next
Document Venafi "global" custom fields feature implemented in cert-manager/cert-manager#8301
Signed-off-by: Dinar Valeev <k0da@opensuse.org>
Co-authored-by: Peter Fiddes <hawksight@users.noreply.github.com>
venafi: Issuer custom fields documentation
Merge the master branch into release-next
…s rules
- Document default NetworkPolicy behavior and recommend restricting rules
- Add example Helm values for enabling networkPolicy per component
- Update public best-practice YAML to enable networkPolicy keys
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
[VC-48226]: document default NetworkPolicy and example values
Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Maël Valais <mael@vls.dev>
cert-manager.io/issuer-name cert-manager.io/renew-before-percentage Signed-off-by: Maël Valais <mael@vls.dev>
[release-next] Document the new ListenerSet feature
I found that 40% of the resource names like Certificate were backticked, but 60% weren't. Let's go with non-backticked as that is how the Kubernetes documentation does it.
Signed-off-by: Maël Valais <mael@vls.dev>
[release-next] Remove the use of backticks around resources (Pod, Certificate...)
@maelvls: Overrode contexts on behalf of maelvls: dco
Signed-off-by: Maël Valais <mael@vls.dev>
[release-next] Release Notes for cert-manager v1.20.0
| --set config.apiVersion="controller.config.cert-manager.io/v1alpha1" \ | ||
| --set config.kind="ControllerConfiguration" \ |
You don't need to specify this - it is automatically set
ah, thanks, will update the docs in another PR (this one is just a plain merge)
| apiVersion: controller.config.cert-manager.io/v1alpha1 | ||
| kind: ControllerConfiguration |
You don't need to specify this - it is automatically set
Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Maël Valais <mael@vls.dev>
[release-next] (release 1.20) Version Bumps
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: wallrj
Pull request overview
This PR merges the release-next branch into master as part of the cert-manager website “release 1.20” process, updating versioned docs, release notes, redirects, and generated reference content to reflect cert-manager v1.20.0.
Changes:
- Bump “latest version” to v1.20.0 and add 1.20 release notes + upgrade guide.
- Update docs for new/changed features (ListenerSet docs, HTTP-01 annotations, NetworkPolicy best-practice values) and add redirects for new annotation anchors.
- Refresh generated reference docs/CLI docs and adjust the docs-generation helper script.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| scripts/gendocs/generate-new-import-path-docs | Updates docs generation inputs for the 1.20 release branch. |
| public/docs/installation/best-practice/values.best-practice.yaml | Adds NetworkPolicy example values for controller/webhook/cainjector. |
| public/_redirects | Adds redirects for new annotation pages/anchors. |
| content/docs/variables.json | Bumps cert_manager_latest_version to v1.20.0. |
| content/docs/usage/ingress.md | Documents new HTTP-01 ingress class override annotation. |
| content/docs/usage/gateway.md | Updates Gateway docs and adds a ListenerSet section. |
| content/docs/releases/upgrading/upgrading-1.19-1.20.md | Adds the v1.19 → v1.20 upgrade page. |
| content/docs/releases/release-notes/release-notes-1.20.md | Adds release notes for 1.20. |
| content/docs/releases/README.md | Updates supported/upcoming releases table and 1.20 link. |
| content/docs/reference/api-docs.md | Updates generated API reference docs for new fields/wording. |
| content/docs/reference/annotations.md | Updates annotation reference pages (new HTTP-01 override + parentRef annotations). |
| content/docs/manifest.json | Adds navigation entries for 1.20 release notes and upgrade guide. |
| content/docs/installation/best-practice.md | Documents new Helm chart NetworkPolicy behavior and example values. |
| content/docs/configuration/venafi.md | Adds Issuer/ClusterIssuer custom fields documentation. |
| content/docs/configuration/acme/http01/README.md | Adds notes about per-Ingress overrides for class/ingressClassName. |
| content/docs/cli/webhook.md | Updates webhook CLI reference output. |
| content/docs/cli/controller.md | Updates controller CLI reference output. |
| .spelling | Adds new version strings/terms to the spelling allowlist. |
Comments suppressed due to low confidence (1)
content/docs/reference/api-docs.md:6942
- The generated field names include the suffix ",omitzero" (e.g. "ingressShimConfig,omitzero"), which looks like a struct tag leaking into the docs and is confusing for users. The docs should render the field name without tag options; consider updating the generator/postprocess step to strip ",omitzero" from displayed field names.
<td>
<code>ingressShimConfig,omitzero</code>
<br />
<em>
<a href="#controller.config.cert-manager.io/v1alpha1.IngressShimConfig">IngressShimConfig</a>
</em>
</td>
<td>
<p>ingressShimConfig configures the behaviour of the ingress-shim controller</p>
</td>
</tr>
<tr>
<td>
<code>acmeHTTP01Config,omitzero</code>
<br />
<em>
<a href="#controller.config.cert-manager.io/v1alpha1.ACMEHTTP01Config">ACMEHTTP01Config</a>
</em>
</td>
| CM_BRANCH="release-1.20" | ||
| DOCS_FOLDER="docs" | ||
|
|
||
| genversionwithcli "$CM_BRANCH" "$DOCS_FOLDER" | ||
|
|
||
| # Rather than generate the same docs again for /docs, copy from the latest version | ||
|
|
||
| cp -r "${REPO_ROOT}/content/${LATEST_VERSION}/cli" "${REPO_ROOT}/content/docs/" | ||
| cp "${REPO_ROOT}/content/${LATEST_VERSION}/reference/api-docs.md" "${REPO_ROOT}/content/docs/reference/" | ||
| cp -r "${REPO_ROOT}/content/${DOCS_FOLDER}/cli" "${REPO_ROOT}/content/docs/" | ||
| cp "${REPO_ROOT}/content/${DOCS_FOLDER}/reference/api-docs.md" "${REPO_ROOT}/content/docs/reference/" |
The script sets DOCS_FOLDER="docs" and then copies "content/${DOCS_FOLDER}/cli" into "content/docs/", which resolves to copying a directory onto itself (same path) and will fail. Either set DOCS_FOLDER to a versioned folder (e.g. v1.20-docs) and keep the copy step, or guard the copy step so it only runs when DOCS_FOLDER != "docs".
| "title": "Upgrade 1.19 to 1.20", | ||
| "path": "/docs/releases/upgrading/upgrading-1.19-1.20.md" | ||
| }, | ||
| { | ||
| "title": "1.19", | ||
| "path": "/docs/releases/release-notes/release-notes-1.19.md" | ||
| }, |
Indentation in this JSON block is inconsistent with the surrounding entries (these lines are indented further than the other route objects). Please align indentation to match the existing 2-space style used throughout the file to keep diffs stable and readable.
| venafi.cert-manager.io/custom-fields: |- | ||
| [ | ||
| {"name": "Team", "value": "amber"}, | ||
| ] |
This JSON example also has a trailing comma after the last element, which makes the annotation value invalid JSON. Please remove the trailing comma so users can copy/paste the example as-is.
| venafi.cert-manager.io/custom-fields: |- | ||
| [ | ||
| {"name": "Environemnt", "value": "Dev"}, | ||
| ] | ||
| ``` |
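Review bot: The custom field name in the `{"name": "Environemnt", "value": "Dev"}` entry is misspelled and should read "Environment". The example presents this as a field name to copy, so the typo would carry into users' annotations; correct it here and in the other snippets that repeat the same entry.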
These JSON examples contain a trailing comma after the last element, which makes the JSON invalid. Since the docs say the annotation value is a JSON array, the examples should be valid JSON (no trailing commas).
| {"name": "Environemnt", "value": "Dev"}, | ||
| {"name": "Team", "value": "amber"} |
The "Final configuration" JSON snippet is not valid JSON (it’s missing the surrounding array and includes commas as if it were part of a list). Consider showing the merged value as a proper JSON array to match what the annotation expects.
| {"name": "Environemnt", "value": "Dev"}, | |
| {"name": "Team", "value": "amber"} | |
| [ | |
| {"name": "Environemnt", "value": "Dev"}, | |
| {"name": "Team", "value": "amber"} | |
| ] |
| :::info | ||
|
|
||
| ⚠️ cert-manager does not yet support the new ListenerSet resource. If you want to maintain the self-service TLS configuration experience that developers are accustomed to with the Ingress resource, you will need to configure RBAC to allow application developers to edit Gateway resources. You can learn more about upcoming cert-manager improvements that will enable self-service TLS without giving away control over Gateway resources in [Ingress-nginx End-of-Life: What cert-manager Supports Today and What's Coming](/announcements/2025/11/26/ingress-nginx-eol-and-gateway-api/). | ||
| ⚠️ **ListenerSet support** is now available in cert-manager v1.20.0-beta.0+. |
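Review bot: The replacement line keeps the ⚠️ marker inside the `:::info` block even though it now announces availability rather than a limitation, so the warning emoji should be dropped. The earlier wording also told readers they would need RBAC allowing application developers to edit Gateway resources; state whether that guidance still applies for users who have not enabled ListenerSet.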
This line says ListenerSet support is available in "v1.20.0-beta.0+", but this is the v1.20.0 release docs. If ListenerSet support ships in v1.20.0, this should likely read "v1.20.0+" to avoid implying it’s only in beta builds.
| ⚠️ **ListenerSet support** is now available in cert-manager v1.20.0-beta.0+. | |
| ⚠️ **ListenerSet support** is now available in cert-manager v1.20.0+. |
| <em>bool</em> | ||
| </td> | ||
| <td> | ||
| <p>Specifies whether the ListenerSet controller should be enabled with-in cert-manager. This along with ListenerSet feature gate enabled allows the user to consume ListenerSet for self-service TLS.</p> |
Typo in generated API docs: "with-in" should be "within".
| <p>Specifies whether the ListenerSet controller should be enabled with-in cert-manager. This along with ListenerSet feature gate enabled allows the user to consume ListenerSet for self-service TLS.</p> | |
| <p>Specifies whether the ListenerSet controller should be enabled within cert-manager. This along with ListenerSet feature gate enabled allows the user to consume ListenerSet for self-service TLS.</p> |
| of the ingress. If not specified and the `acme-http01-edit-in-place` annotation | ||
| is not set, this defaults to the `http01.ingress.class` defined in the Issuer resource. | ||
|
|
||
| - `acme.cert-manager.io/http01-ingress-ingressclassname`: this annotation allows you to | ||
| configure the `spec.ingressClassName` that will be used to solve challenges | ||
| for this ingress. Customizing this is useful when you are trying to secure internal | ||
| services, and need to solve challenges using a different ingress class to that | ||
| of the ingress. If not specified and the `acme-http01-edit-in-place` annotation |
The text references the acme-http01-edit-in-place annotation, but the supported annotations list uses acme.cert-manager.io/http01-edit-in-place. Please update this reference to the correct annotation key for consistency.
| of the ingress. If not specified and the `acme-http01-edit-in-place` annotation | |
| is not set, this defaults to the `http01.ingress.class` defined in the Issuer resource. | |
| - `acme.cert-manager.io/http01-ingress-ingressclassname`: this annotation allows you to | |
| configure the `spec.ingressClassName` that will be used to solve challenges | |
| for this ingress. Customizing this is useful when you are trying to secure internal | |
| services, and need to solve challenges using a different ingress class to that | |
| of the ingress. If not specified and the `acme-http01-edit-in-place` annotation | |
| of the ingress. If not specified and the `acme.cert-manager.io/http01-edit-in-place` annotation | |
| is not set, this defaults to the `http01.ingress.class` defined in the Issuer resource. | |
| - `acme.cert-manager.io/http01-ingress-ingressclassname`: this annotation allows you to | |
| configure the `spec.ingressClassName` that will be used to solve challenges | |
| for this ingress. Customizing this is useful when you are trying to secure internal | |
| services, and need to solve challenges using a different ingress class to that | |
| of the ingress. If not specified and the `acme.cert-manager.io/http01-edit-in-place` annotation |
| Allows the Ingress's `spec.ingressClassName` to be configured. | ||
| Customizing this is useful when you are trying | ||
| to secure internal services, and need to solve challenges using a different ingress class | ||
| to that of the ingress. If not specified and the `acme-http01-edit-in-place` annotation is | ||
| not set, this defaults to the `http01.ingress.ingressClassName` defined in the Issuer resource. |
This section refers to the acme-http01-edit-in-place annotation, but the correct annotation name is acme.cert-manager.io/http01-edit-in-place. Please update the reference to avoid pointing users at a non-existent key.
| <td> | ||
| <em>(Optional)</em> | ||
| <p>TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified.</p> | ||
| <p>TPP specifies CyberArk Certificate Manager Self-Hosted configuration settings. Only one of CyberArk Certificate Manager may be specified.</p> | ||
| </td> |
This sentence reads incorrectly: "Only one of CyberArk Certificate Manager may be specified." It looks like it should indicate mutual exclusivity between the tpp and cloud fields (e.g. only one of them may be set). Please adjust the wording to clearly state which fields are mutually exclusive.
This is part of the "release 1.20" series of PRs, see Slack thread. Here is the series of PRs for this release:
What I've done
I clicked the link present in the "Merge the 4 Website PRs" section in https://cert-manager.io/docs/contributing/release-process/.
/override dco
Don't mind the "Update branch". The release-next branch is up to date but GitHub thinks it isn't.