134 PRs
347 issues
189.0d avg wait
Showing 0 of 203 unique items, Avg age: 796.4d
Once every quarter, look for stale issues, reprioritize, and de-duplicate.
Quarterly Scrub
203 unique items
Completion ETA:
~2025-11-15
Issues nearing expiration
Features that deserve a follow-up comment
Features that have not been commented on within 90 days
Bugs that deserve a follow-up comment
Bugs that have not been commented on within 60 days
Items that deserve a follow-up comment
Items that have not been commented on within 60 days
cert-manager#2930
Mirror to gcr.io or dockerhub
🌊
cert-manager#7002
Confusing messaging when certificate secret name already exists
🌊
cert-manager#5917
Waiting for DNS-01 challenge propagation: DNS record for mydomain.com not yet propagated
🌊
website#414
Explain cert-manager repo structure
🌊
447
531
cert-manager#7234
Stale/Stuck Challenges should be deleted after a given timeout
🌊
7252
7286
7897
website#1186
Document that/why we don't use Helm's CRD installation mechanism
🌊
website#1262
v1.9 to v1.10 upgrade instructions do not mention container name change
🌊
trust-manager#58
Support injection pem into an existing configmap
🌊
378
395
442
648
nobody
cert-manager#7749
Http and PROXY protocol
cert-manager#7741
Certmanager attempts infinite renewals if the Issuer Certificate read from Vault has expired
cert-manager#7717
After uninstalling cert-manager, ingress resources can still only be accessed via https
cert-manager#7660
cert-manager produces invalid (per RFC5280) certificates when `cert sign` usage is set along with another usage
cert-manager#7659
Challenge and resolver pod/ingress killed too soon
cert-manager#7625
Clean install fails to create Issuer
cert-manager#7594
Cloudflare delegated domains returns Found no Zones for domain _acme-challenge.mydomain.com
cert-manager#7536
Digicert ACME order is failing due to invalid validity_years
cert-manager#7520
ClusterIssuer read caBundle from Secret
7521
cert-manager#7288
Missing UID in webhook challenge request
cert-manager#7275
Allow adding new fields such as unhealthyPodEvictionPolicy to the PDB
7537
7728
cert-manager#7654
Implement fallback for git_version creation in forked environments
cert-manager#7728
Add unhealthyPodEvictionPolicy to supported PDB options
cert-manager#7725
chore: allow additional properties in Helm setup #7668
trust-manager#465
Installing trust-manager just after installing cert-manager makes it FAIL forever
cert-manager#7914
Output tls.crt in CA cert to another secret
cert-manager#7834
Provide race condition mitigation support
cert-manager#7772
Reviewing the use of https://github.com/SSLMate/go-pkcs12
cert-manager#7766
Certificate: Let me specify the concatenation order for CombinedPEM output format
cert-manager#7684
Add support for namespaced deployment
7678
cert-manager#7645
Support cross-signed intermediate CAs issued with Vault
cert-manager#7311
helm schema validation should validate `featureGates`
cert-manager#7184
Helm chart: add ability to add appprotocol to port in service
7652
cert-manager#7510
Key Size for Acme Account Key
7646
cert-manager#6662
support overriding of ttl in cloudflare
cert-manager#6472
Create TLSA records automatically
cert-manager#6754
Schedule certificate renewal outside business hours
7399
8091
8101
8139
cert-manager#6010
Support the ACME Renewal Information (ARI) extension
cert-manager#5540
Changelog annotations to chart
cert-manager#7829
Support to auto delete Certificaterequest
cert-manager#7514
Replace some of the webhook functionality with `ValidatingAdmissionPolicy` & CEL
cert-manager#6470
ingress-shim: allow to impersonate ingress-creator instead of using cert-manager serviceaccount
cert-manager#6210
Flag to write/sync secrets to a namespace other than the namespace where the Certificate object is created
cert-manager#6051
Detecting Gateway hostnames based on attached HTTPRoutes
6124
7839
cert-manager#5904
Support Azure Private DNS Zones for DNS Challenge
cert-manager#3103
Adding probes to the cert-manager pods
cert-manager#2538
cert-manager does not use ingress.class from Ingress annotated with cert-manager.io/cluster-issuer
cert-manager#2525
Better support multi-namespace & single-namespace deployments
4219
cert-manager#2239
Create a CertificatePreset resource type to allow configurable defaulting
1738
2281
3828
5158
cert-manager#2178
Handling 'unregistering' certificates from Venafi TPP
website#155
Add 'unreleased version' & 'old version' warning banner to non-latest versions of docs
trust-manager#588
Add ability to monitor validity period for CAs in bundle
trust-manager#4
Feature: By default, require only self-signed certificates in a bundle
makefile-modules#154
Publish SBOMs
cert-manager#7864
failed to call webhook: certificate has expired or is not yet valid
cert-manager#7768
Stuck in a loop with `multiple challenge solver pods found for challenge`
cert-manager#7649
[GKE][Cert-Manager]Document Might Need Implementation Details Update to GSA/KSA Integration
cert-manager#7476
[Helm Chart] - Wrong handling of image registry and repository
cert-manager#7438
certificate not updated after enabling SSA
cert-manager#6741
ACME account private key and URI are not updated if the path of the ACME server is changed
cert-manager#5048
certificate not renewed for ingress with multiple hosts and http01-edit-in-place
cert-manager#7760
Is the zone responsible for a domain changes, cert-manager will not pick it up
cert-manager#7765
Propagation tests fails when using IPv6 recursive DNS nameservers
cert-manager#3640
Challenge Records Not Always Cleaned Up
5121
5126
7286
cert-manager#7959
Failed to generate serving certificate, retrying..." err="no tls.Certificate available yet, try again later"
cert-manager#6331
CSR not signed by referenced private key
cert-manager#5959
`ImagePullBackoff` on `cm-acme-http-solver` pod, if using private registries
cert-manager#6622
`make update-licenses` is non-deterministic.
7084
7752
cert-manager#5867
Controller can't handle hitting request rate limits of zerossl ACME API
5901
6090
6091
cert-manager#6969
Should upgrade status managed fields from CSA to SSA when ServerSideApply feature gate enabled
cert-manager#8023
ACME issuer fails when CA includes Name Constraints with x509: unhandled critical extension
cert-manager#8082
EOF during self check with Pomerium
cert-manager#7779
RevisionHistoryLimit should follow Kubernetes definition
cert-manager#7755
cert-manager-challenges Error presenting challenge: expected array of Record
cert-manager#7822
Tracking: Kubernetes Gateway API follow up tasks
cert-manager#6820
Ongoing dependency evaluation
cert-manager#6799
ACME challenges stopped working after 1.13/1.14 update
website#1623
Claim about v1beta1/v1alpha2 support for gateway api is misleading
website#1620
Cert Manager allows the creation of Illegal wildcard SANs
website#1609
Azure DNS Documentation Update
website#1608
Renaming Securing NGINX-ingress to ingress-nginx
website#1596
Wrong key for cloudflare secret ref in DNS Validation tutorial page
website#1585
Broken install instructions due wrong cert_manager_latest_version - v1.16.1
website#1549
Brand guideline page
website#1490
GKE tutorial falsely claims it's possible to create LE certificate without domain (only IP)
website#1473
Add ArtifactHub packages to website
website#1625
Configuration issue potentially leading to a memory leak
website#1063
"Securing Ingresses with Venafi" tutorial contains link to missing manifest
1090
website#944
Document how to install cert-manager in a different namespace
website#850
Document available cert-manager Prometheus metrics
website#354
DigitalOcean access-token should not be base64-encoded
website#237
docs for ACMEChallengeSolverHTTP01Ingress doesn't specify what `class` values are available
284
website#232
Document keystored in usage/certificate
website#228
Documentation needs correction for external-account-bindings
301
website#197
Document ACME account mismatch
website#1643
Let's Encrypt Ending Support for Notification Emails
website#130
FAQ: How does cert-manager handle ingresses with valid TLS secrets?
website#76
Upgrading from v0.10 to v0.11 - missing cainjector annotation
website#484
Please add anchor tags to your subheadings
491
istio-csr#413
Panic: runtime error on new installation
istio-csr#431
istio-csr pod healthz check fails for long time in v0.11.0 and v0.12.0
istio-csr#287
Getting Readiness probe failed when using cert-manager-istio-csr
istio-csr#137
Documentation on rotating the root certificate
istio-csr#130
Document best-practices for minimal vault role configuration for istio-csr
istio-csr#113
Integrating with istio helm chart installs
istio-csr#84
csr readiness probe failed, istio ingress pod also failed
istio-csr#501
Error logs not very helpful
istio-csr#176
certificateDuration is not used for the Istio CSR generated certificate requests
453
469
istio-csr#244
Populate Subject Fields in Certificate
approver-policy#667
Cannot create secret cert-manager-approver-policy-tls
approver-policy#638
Approver cannot find applicable policy
approver-policy#466
Document How to Configure Common Scenarios
approver-policy#452
CRDs in the Release files
trust-manager#650
Pod goes out of readiness
trust-manager#629
The crds is not installed automatically when trust-manager is a sub-chart
trust-manager#301
Add support for kubectl installation
trust-manager#560
Support rotated certificate sources
issuer-lib#231
### Question about Configuring Retries in cert-manager
issuer-lib#279
Persisting identifiers for retry calls to Sign()
csi-driver#267
Does cert-manager-csi-driver support AWS EKS with AWS Fargate nodes?
csi-driver#383
[Feature Request] Adding attributes that available in Certificate CRD to CSI Driver
csi-driver#130
JKS support
csi-driver#353
mismatch between the key and the certificate signature algorithm
csi-driver#385
Helm Install of cert-manager-csi-driver Fails on Minikube with /dev/bus/usb Errors
csi-driver#264
Certificate renewal doesn't change file 'modified date'
csi-driver#17
ability to specify pod IP in volume attributes
csi-driver#241
Missing cert-manager.io/revision-history-limit volume attributes for CSI-Driver
openshift-routes#204
Support for creating certificate for wildcard route
openshift-routes#58
certificate cannot be renewed, error message: "key does not match certificate"
openshift-routes#56
Support for destinationCaCertificate / Reencrypt Routes
openshift-routes#174
Standby Replicas without lease use lots of CPU
openshift-routes#116
Release static manifests (no helm) for v0.6.0-alpha.0+
openshift-routes#54
Same certificate in path based Routes
55
cert-manager-olm#46
Cert-manager operator fails to issue certificates
cert-manager-olm#17
Operator prevents passing extraArgs helm value
cert-manager-olm#3
Restrict operator RBAC permissions
1
cert-manager-olm#22
Customize the deployment of cert-manager installed via OLM
csi-lib#40
Optional auto rotating/renewing certificates
csi-lib#74
Consistency issues due to the use of mount binds
sample-external-issuer#63
Is it possible to only create Issuer and remove the ClusterIssuer
sample-external-issuer#62
Limit the controller-manager to access secrets only from specific namespace
cmctl#122
asdf cmctl installer issues
cmctl#83
As cmctl user, I want to use different kubectl context on command line ( --context='kubectl-context-abc' )
testing#594
Document infra image bumps and versioning
testing#690
Clean up Presets
689
testing#693
Set up periodics against 'previous previous' branch
webhook-example#81
How to enable leader election in the webhook?
webhook-example#80
How to deal with K8s timelimit in 30s ?
webhook-example#74
Why cert-manager looks for a CNAME record instead of a TXT record?
webhook-example#72
readyz and healthz api
webhook-example#46
Code reference a pull request to be merged, but the pull request was closed by a robot
webhook-example#38
Set repository to be a GitHub template repository
webhook-example#37
Add logging example
76
77
google-cas-issuer#162
Issue: Broken config when using commonLabels
google-cas-issuer#148
Certificate chain is not split correctly
159
google-cas-issuer#133
Allow to use a custom Service Account
143
google-cas-issuer#102
certificate renewal does not work in due to auth issue to privatecaapi end point
cert-manager#6709
1.14 Release Review
cert-manager#5298
Complete the Migration Away From Jetstack Names
cert-manager#4191
Setting default values for Pod's "resources"?
cert-manager#6160
Helm Chart global repository
7558
8115
cert-manager#4950
General flakiness of our end-to-end suite
4960
5136
5141
5317
5318
5323
5325
website#1194
Confusing paragraph - cert-manager integration.
website#1174
Document the docker images and how to find them
website#1101
Feature request for updating documentation.
website#697
[IRSA] Needs `runAsUser: 1001`
1555
website#401
Bring tutorials up to date
website#234
Backup and Restore Resources
531
website#223
Document wildcard certificate tutorial
website#195
Document keystores
website#174
Add documentation for CRD conversion webhook ca injection
website#320
Document how to install cert-manager using gitops and known issues with particular gitops implementations
1338
istio-csr#153
It is possible to have several CAs within the same cluster.
approver-policy#394
Limit number of SANs by policy
approver-policy#288
Feature: Take control of approval for the whole cluster
approver-policy#216
Simplify configuration by creating RBAC by default
310
628
approver-policy#203
Improve CRD fields for specifying key requirements
approver-policy#169
Webhook Custom CA
trust-manager#645
Unable to pass helm lint due to certificate yaml stripping too much whitespace
trust-manager#242
New version of Bundle API
475
485
495
647
658
trust-manager#205
Allow to select multiple "trust" namespaces
trust-manager#142
expose bundles CRD as release artifact
trust-manager#99
Allow removing Bundles whilst keeping the synced CA certs
89
trust-manager#63
nit: Rename "Bundle" to "ClusterBundle"
485
495
trust-manager#60
overriding trusted namespace
trust-manager#33
Support CRDs as target
trust-manager#245
Split Bundle controller into multiple controllers
648
660
trust-manager#39
Don't sync targets to all namespaces by default
486
issuer-lib#204
clarify SetCAOnCertificateRequest deprecation status
csi-driver#171
E2E Test Cleanup
csi-driver#45
Unable to mount and read only file error
openshift-routes#38
Route with cert-manager annotations is not created
cert-manager-olm#70
OLM deployment with ArgoCD is OutOfSync
csi-lib#60
Support prometheus metrics
73
sample-external-issuer#56
Struggling to get controller running in local KIND cluster
cmctl#264
commands should provide help when called w/o arguments if they require inputs
testing#81
Configuring Peribolos for Github org management
makefile-modules#202
Makefile Modules, Go Versions and Vendoring
makefile-modules#3
Migrating all cert-manager sub-projects to "Makefile modules"
community#35
Post-Graduation Suggestion Tracker
36
webhook-example#3
Make unit testing easier/make examples work
20
31
83
webhook-example#27
failed with: OpenAPI spec does not exist
73
76
77
78
82
86
google-cas-issuer#197
Kubectl One-line Installation Support
cert-manager#3381
Setup separate package for cert-manager API
🌊
csi-lib#33
Create e2e test to validate CertificateRequest garbage collection
🌊
Triage Party v1.4.0