[master] (release 1.20) Freeze 1.19 #2006
cert-manager-prow[bot] merged 1 commit into cert-manager:master from
Signed-off-by: Maël Valais <mael@vls.dev>
✅ Deploy Preview for cert-manager ready! Built without sensitive environment variables
Pull request overview
Adds/finalizes the cert-manager v1.19 documentation snapshot so v1.20 docs can be released, including new tutorials, reference pages, installation guidance, and troubleshooting content.
Changes:
- Adds multiple ACME tutorials (HTTP01/DNS01, Pomerium ingress, kube-lego migration) plus accompanying example YAML manifests.
- Adds/updates core docs sections for installation, policy, trust/trust-manager, concepts, CLI reference, troubleshooting, and reference material.
- Introduces additional configuration/provider docs (e.g., DNS01 providers) and devops tips pages.
Reviewed changes
Copilot reviewed 90 out of 121 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| content/v1.19-docs/tutorials/acme/pomerium-ingress.md | Adds Pomerium ingress + cert-manager ACME tutorial |
| content/v1.19-docs/tutorials/acme/migrating-from-kube-lego.md | Adds kube-lego migration guide |
| content/v1.19-docs/tutorials/acme/http-validation.md | Adds HTTP01 validation tutorial |
| content/v1.19-docs/tutorials/acme/dns-validation.md | Adds DNS01 validation tutorial |
| content/v1.19-docs/tutorials/acme/example/staging-issuer.yaml | Adds staging Issuer example |
| content/v1.19-docs/tutorials/acme/example/production-issuer.yaml | Adds production Issuer example |
| content/v1.19-docs/tutorials/acme/example/deployment.yaml | Adds kuard Deployment example |
| content/v1.19-docs/tutorials/acme/example/service.yaml | Adds kuard Service example |
| content/v1.19-docs/tutorials/acme/example/ingress.yaml | Adds non-TLS Ingress example |
| content/v1.19-docs/tutorials/acme/example/ingress-tls.yaml | Adds TLS Ingress example |
| content/v1.19-docs/tutorials/acme/example/ingress-tls-final.yaml | Adds “final” prod Issuer TLS Ingress example |
| content/v1.19-docs/tutorials/acme/example/pomerium-values.yaml | Adds Helm values example for Pomerium + cert-manager |
| content/v1.19-docs/tutorials/acme/example/pomerium-staging-issuer.yaml | Adds Pomerium namespace staging Issuer example |
| content/v1.19-docs/tutorials/acme/example/pomerium-production-issuer.yaml | Adds Pomerium namespace production Issuer example |
| content/v1.19-docs/tutorials/acme/example/pomerium-certificates.yaml | Adds Pomerium internal Certificate examples |
| content/v1.19-docs/tutorials/README.md | Adds tutorials index page for v1.19 docs |
| content/v1.19-docs/trust/trust-manager/installation.md | Adds trust-manager install guide |
| content/v1.19-docs/trust/README.md | Adds “Trusting certificates” overview |
| content/v1.19-docs/troubleshooting/README.md | Adds troubleshooting index page |
| content/v1.19-docs/troubleshooting/acme.md | Adds ACME-focused troubleshooting guide |
| content/v1.19-docs/reference/README.md | Adds reference index page |
| content/v1.19-docs/reference/tls-terminology.md | Adds TLS terminology reference page |
| content/v1.19-docs/policy/README.md | Adds policy section index page |
| content/v1.19-docs/policy/defaulting.md | Adds defaulting policy doc |
| content/v1.19-docs/policy/issuing.md | Adds issuing policy doc |
| content/v1.19-docs/policy/approval/README.md | Adds approvals policy overview |
| content/v1.19-docs/policy/approval/approver-policy/installation.md | Adds approver-policy installation guide |
| content/v1.19-docs/installation/README.md | Adds installation section landing page |
| content/v1.19-docs/installation/helm.md | Adds Helm installation guide |
| content/v1.19-docs/installation/kubectl.md | Adds static-manifest (kubectl apply) installation guide |
| content/v1.19-docs/installation/upgrade.md | Adds upgrade guide |
| content/v1.19-docs/installation/uninstall.md | Adds uninstall overview |
| content/v1.19-docs/installation/reinstall.md | Adds reinstall guidance |
| content/v1.19-docs/installation/compatibility.md | Adds platform compatibility guidance |
| content/v1.19-docs/installation/configuring-components.md | Adds component configuration guide |
| content/v1.19-docs/installation/continuous-deployment-and-gitops.md | Adds GitOps/continuous deployment guide |
| content/v1.19-docs/installation/code-signing.md | Adds signature verification / supply-chain guidance |
| content/v1.19-docs/getting-started/README.md | Adds getting-started page |
| content/v1.19-docs/faq/README.md | Adds FAQ page |
| content/v1.19-docs/devops-tips/backup.md | Adds backup/restore guide |
| content/v1.19-docs/devops-tips/prometheus-metrics.md | Adds metrics scraping/Prometheus guide |
| content/v1.19-docs/devops-tips/scaling-cert-manager.md | Adds scaling / performance tuning guide |
| content/v1.19-docs/devops-tips/syncing-secrets-across-namespaces.md | Adds secrets syncing guide |
| content/v1.19-docs/configuration/README.md | Adds issuer configuration landing page |
| content/v1.19-docs/configuration/venafi.md | Adds CyberArk/Venafi issuer doc |
| content/v1.19-docs/configuration/selfsigned.md | Adds SelfSigned issuer doc |
| content/v1.19-docs/configuration/acme/http01/externalloadbalancer.md | Adds HTTP01 external load balancer guidance |
| content/v1.19-docs/configuration/acme/dns01/README.md | Adds DNS01 overview |
| content/v1.19-docs/configuration/acme/dns01/webhook.md | Adds DNS01 webhook solver guidance |
| content/v1.19-docs/configuration/acme/dns01/rfc2136.md | Adds RFC2136 DNS01 provider doc |
| content/v1.19-docs/configuration/acme/dns01/google.md | Adds Google CloudDNS provider doc |
| content/v1.19-docs/configuration/acme/dns01/digitalocean.md | Adds DigitalOcean DNS provider doc |
| content/v1.19-docs/configuration/acme/dns01/cloudflare.md | Adds Cloudflare DNS provider doc |
| content/v1.19-docs/configuration/acme/dns01/akamai.md | Adds Akamai DNS provider doc |
| content/v1.19-docs/configuration/acme/dns01/acme-dns.md | Adds acme-dns provider doc |
| content/v1.19-docs/concepts/README.md | Adds concepts landing page |
| content/v1.19-docs/concepts/issuer.md | Adds issuer concept doc |
| content/v1.19-docs/concepts/webhook.md | Adds webhook concept doc |
| content/v1.19-docs/concepts/ca-injector.md | Adds cainjector concept doc |
| content/v1.19-docs/concepts/acme-orders-challenges.md | Adds ACME orders/challenges concept doc |
| content/v1.19-docs/cli/README.md | Adds CLI reference landing page |
| content/v1.19-docs/cli/controller.md | Adds controller CLI reference |
| content/v1.19-docs/cli/webhook.md | Adds webhook CLI reference |
| content/v1.19-docs/cli/cainjector.md | Adds cainjector CLI reference |
| content/v1.19-docs/cli/acmesolver.md | Adds acmesolver CLI reference |
| content/v1.19-docs/cli/startupapicheck.md | Adds startupapicheck CLI reference |
| content/v1.19-docs/cli/cmctl.md | Adds cmctl CLI reference |
| content/v1.19-docs/README.md | Adds v1.19 docs landing page |
| @@ -0,0 +1,169 @@ | |||
| --- | |||
| title: DNS Validation | |||
| description: 'cert-manager turorials: Issuing an ACME certificate using DNS validation' | |||
Typo in the frontmatter description: 'turorials' should be 'tutorials' to keep metadata consistent across pages.
| description: 'cert-manager turorials: Issuing an ACME certificate using DNS validation' | |
| description: 'cert-manager tutorials: Issuing an ACME certificate using DNS validation' |
| # - pomerium/pomerium-proxy-tls | ||
| ``` | ||
|
|
||
| Replace `${YOUR_IdP}` with your identity provider. Apply with `kubectl -f`. |
These commands are invalid as written (kubectl -f is missing the verb). Update both to the intended kubectl apply -f <file> (or kubectl create -f <file> depending on the desired behavior).
| secretName: pomerium-proxy-tls | ||
| ``` | ||
|
|
||
| Adjust the `dnsNames` value to match your domain space. The subdomain (`authenticate` in our example) must match the domain used for the callback URL in your IdP configuration. Add the certificate with `kubectl -f`. |
These commands are invalid as written (kubectl -f is missing the verb). Update both to the intended kubectl apply -f <file> (or kubectl create -f <file> depending on the desired behavior).
| Adjust the `dnsNames` value to match your domain space. The subdomain (`authenticate` in our example) must match the domain used for the callback URL in your IdP configuration. Add the certificate with `kubectl -f`. | |
| Adjust the `dnsNames` value to match your domain space. The subdomain (`authenticate` in our example) must match the domain used for the callback URL in your IdP configuration. Add the certificate with `kubectl apply -f`. |
| | Feature | kube-lego | cert-manager | | ||
| |-------------------------------------------|----------------------------------|------------------------| | ||
| | Configuration | Annotations on Ingress resources | CRDs | |
This table uses || at the start of each row, which creates an extra empty column in Markdown renderers. Use a single leading | per row so the table renders with the intended 3 columns.
| $ kubectl get secret kube-lego-account -o yaml \ | ||
| --namespace kube-lego \ | ||
| --export > kube-lego-account.yaml |
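Review bot: the redirect to `kube-lego-account.yaml` in the last line leaves the contents of the `kube-lego-account` Secret in a plain file in the working directory, where `-o yaml` output is only base64-encoded, and nothing in the step tells the reader to protect or remove that file. Suggest adding a sentence to set a restrictive umask (for example `umask 077`) before running the command and to delete the file once it is no longer needed.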
kubectl get ... --export was deprecated and removed from kubectl, so this command will fail on supported kubectl versions. Remove --export and (if needed) document which metadata fields to delete before re-applying (e.g., metadata.resourceVersion, metadata.uid).
| One of the more important configuration options you might need to consider at install time is which "trust namespace" to use, | ||
| which can be set via the Helm value `app.trust.namespace`. | ||
|
|
||
| By default, the trust namespace is the only namespace where`Secret`s will be read. This restriction is in place |
Missing spaces around inline code spans reduce readability: add a space before backticked useDefaultCAs and before backticked Secrets.
| data: | ||
| # insert your DO access token here | ||
| access-token: "base64 encoded access-token here" | ||
| ``` |
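Review bot: the `access-token` value under `data:` has to be base64-encoded by the reader, and the placeholder gives no command for doing so, so a trailing newline from a plain `echo` can end up inside the stored token. Suggest either switching the example to `stringData:` with the raw token, or showing the exact encoding command (for example `echo -n 'token' | base64`).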
The closing triple-backtick fence is indented, which can prevent Markdown from closing the code block properly in many renderers. Align the closing fence (```) to the start of the line.
| ``` |
| ``` | ||
|
|
||
| Here we can see that cert-manager has created two Challenge resources to verify we control specific domains, | ||
| a requirements of the ACME order to obtain a signed certificate. |
Grammar fixes: 'a requirements' should be 'a requirement', and 'it's lifecycle' should be 'its lifecycle' (possessive, not contraction).
| a requirements of the ACME order to obtain a signed certificate. | |
| a requirement of the ACME order to obtain a signed certificate. |
| This shows that the challenge has been presented using the DNS01 solver | ||
| successfully and now cert-manager is waiting for the 'self check' to pass. | ||
|
|
||
| You can get more information about the challenge and it's lifecycle by using `kubectl describe`: |
Grammar fixes: 'a requirements' should be 'a requirement', and 'it's lifecycle' should be 'its lifecycle' (possessive, not contraction).
| You can get more information about the challenge and it's lifecycle by using `kubectl describe`: | |
| You can get more information about the challenge and its lifecycle by using `kubectl describe`: |
| Issuer Ref: | ||
| Group: cert-manager.io | ||
| Kind: ClusterIssuer | ||
| Name: letencrypt-production |
The example issuer name is misspelled as letencrypt-production; it should be letsencrypt-production to match standard naming used elsewhere in the docs.
| Name: letencrypt-production | |
| Name: letsencrypt-production |
wallrj-cyberark left a comment:
Thanks. Please merge after updating the PR description with a link to the release thread in Slack and a link to the release docs you were following when creating this PR.
Also paste in the commands you used to create the changes... they're all generated, right? Which means we can ignore the Copilot reported problems because those exist in the main docs too.
This is an automated script that moves around code. I don't think Copilot review makes sense here.
Done. Good point.
Good point too. Done. FWIW, I've opened a PR to update the release process: #2008.
You are right, everything is generated. I've looked around and there doesn't seem to exist a way to disable the automatic Copilot review on a specific PR like this one 😔
/approve
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj, wallrj-cyberark
This is part of the "release 1.20" series of PRs, see Slack thread. Here is the series of PRs for this release:
What I've done
I've used an edited version of the instructions from https://cert-manager.io/docs/contributing/release-process/ (section "Prepare the Website "Bump Versions" PR.). Here is the edited version of the release process I used (I've opened #2008 with these updated instructions):
All of the files are generated from the `./scripts/freeze-docs 1.19` command I ran. The Copilot review is useless. I've looked around and there doesn't seem to exist a way to disable the automatic Copilot review on a specific PR like this one.