Once every quarter, look for stale issues, reprioritize, and de-duplicate.

Quarterly Scrub

223 unique items

Completion ETA: ~2026-03-11

Assi Issues nearing expiration Features that deserve a follow-up comment Features that have not been commented on within 90 days Bugs that deserve a follow-up comment Bugs that have not been commented on within 60 days Items that deserve a follow-up comment Items that have not been commented on within 60 days

trust-manager#58 Support injection pem into an existing configmap
🌊

community#43 Allow non-Venafi employee maintainers full release capabilities
🌊

cert-manager#2820 Add ability to set `pathlen:0` for CA certs in `X509v3 Basic Constraints`
🌊

cert-manager#7879 Remove no-op certificate metrics controller
🌊

cert-manager#8183 Add helm diff output to cert-manager PRs
🌊

cert-manager#7598 More fine-grained control of powerful RBAC permission granted via Helm chart
🌊

cert-manager#2930 Mirror to gcr.io or dockerhub
🌊

cert-manager#7864 failed to call webhook: certificate has expired or is not yet valid
🌊

cert-manager#7826 If issuer is incorrect, it is still shown as READY
🌊

cert-manager#7234 AWS Route53: Stale/Stuck Challenges should be deleted after a given timeout
🌊

website#1262 v1.9 to v1.10 upgrade instructions does not mention container name change
🌊

website#1186 Document that/why we don't use Helm's CRD installation mechanism
🌊
nobody
cert-manager#8023 ACME issuer fails when CA includes Name Constraints with x509: unhandled critical extension
cert-manager#7914 Output tls.crt in CA cert to another secret
cert-manager#7829 Support to auto delete Certificaterequest
cert-manager#7741 Certmanager attempts infinite renewals if the Issuer Certificate read from Vault has expired
cert-manager#7684 Add support for namespaced deployment
cert-manager#7422 Please provide standalone helm chart for CRDs
cert-manager#6179 CRDs shouldn't be templated in Helm
cert-manager#7906 fix: Venafi call GetRefreshToken only when access token invalid for password/username authentication
cert-manager#7399 Add renew window to restrict when certificate renewal can happen
cert-manager#7662 Fix the issue of webhook routes generating duplicate operation IDs
cert-manager#7289 Design proposal for delayed certificate activation
trust-manager#650 Pod goes out of readiness
trust-manager#645 Unable to pass helm lint due to certificate yaml stripping too much whitespace
trust-manager#629 The crds is not installed automatically when trust-manager is a sub-chart
trust-manager#222 [Feature] - Ability to inject a CA cert into a cert-manager managed secret resource
trust-manager#142 expose bundles CRD as release artifact
trust-manager#33 Support CRDs as target
trust-manager#4 Feature: By default, require only self-signed certificates in a bundle
trust-manager#683 feat: Add a very basic pre-commit configuration
cert-manager#8235 Cert-manager support for Issuer-managed keys
cert-manager#8209 Add revocation at certificate deletion
cert-manager#8121 Support for Creating CertificateRequest from Kubernetes Secret
cert-manager#7868 Metrics for webhook certificate
cert-manager#7817 Support `global.nodeSelector` in the Helm chart
cert-manager#7747 [suggestion] Add Kustomize install documentation
cert-manager#7561 Feature Request RFC: Push notifications from cert-manager to <other service> when certificates are issued
cert-manager#6662 support overriding of ttl in cloudflare
cert-manager#6010 Support the ACME Renewal Information (ARI) extension
trust-manager#742 Add option to disable webhook in Helm chart
cert-manager#8194 Update e2e Documentation - for the make e2e-setup command
cert-manager#7788 Be able to default `acme.cert-manager.io/http01-edit-in-place: "true"` behavior in deployment/chart values
cert-manager#7520 ClusterIssuer read caBundle from Secret
cert-manager#6470 ingress-shim: allow to impersonate ingress-creator instead of using cert-manager serviceaccount
cert-manager#6224 Option to store certificate history in individual secrets
cert-manager#3521 Integration with ExternalDNS
cert-manager#3298 Let's encrypt certificate caching to mitigate rate limits problems
cert-manager#2538 cert-manager does not use ingress.class from Ingress annotated with cert-manager.io/cluster-issuer
cert-manager#2525 Better support multi-namespace & single-namespace deployments
cert-manager#2178 Handling 'unregistering' certificates from Venafi TPP
cert-manager#5566 upload Helm charts to OCI registry and sign them with cosign
cert-manager#6051 Detecting Gateway hostnames based on attached HTTPRoutes
website#155 Add 'unreleased version' & 'old version' warning banner to non-latest versions of docs
makefile-modules#154 Publish SBOMs
cert-manager#8095 DNS-01 Delegated zone is not following CNAME and creating wrong records
cert-manager#8086 ACME ClusterIssuer not recovering after Vault restart
cert-manager#7768 Stuck in a loop with `multiple challenge solver pods found for challenge`
cert-manager#7486 `"Unhandled Error" err="ingress '...' in work queue no longer exists"` should be handled (clean up dangling `Certificate`)
cert-manager#7522 Non standard "cert-manager.io" used in event "Reason"
cert-manager#7438 certificate not updated after enabling SSA
cert-manager#7388 Kid missing in the new order request
cert-manager#6741 ACME account private key and URI are not updated if the path of the ACME server is changed
cert-manager#7862 Requesting a certificate from ZeroSSL sometimes takes more than 10 minutes to complete
cert-manager#5751 Wildcard DNS domains and `cnameStrategy: Follow` don't work nicely together
cert-manager#4749 rfc2136 seems to not work with deep subdomains
cert-manager#4685 Unexpected EOF during watch stream event decoding: unexpected EOF -- possibly due to api server upgrades / restarts
cert-manager#8058 Cert-manager fails to import ECDSA private keys generated by openssl
cert-manager#8102 cert-manager-startupapicheck erroring while installation
cert-manager#8234 Vault Issuer: certmanager spams thousands of CertificateRequest resources if Issuer is configured to use the Vault issue endpoint rather than the sign endpoint
cert-manager#7845 ClusterIssuer.cert-manager.io "letsencrypt" is invalid: spec.acme.privateKeySecretRef: Required value...
cert-manager#7828 Cert-manager created multiple CertificateRequests (over 30k) for a valid certificate
cert-manager#7476 [Helm Chart] - Wrong handling of image registry and repository
cert-manager#6969 Should upgrade status managed fields from CSA to SSA when ServerSideApply feature gate enabled
cert-manager#6716 leader election namespace should default to `.Release.Namespace`, not `kube-system`
cert-manager#6331 CSR not signed by referenced private key
cert-manager#5959 `ImagePullBackoff` on `cm-acme-http-solver` pod, if using private registries
cert-manager#6230 DigitalOcean: cert-manager DDoSes DNS-01 solver - infinite rate limiting
cert-manager#5101 No backoff/delay when failing to create challenge solver pods
cert-manager#5867 Controller can't handle hitting request rate limits of zerossl ACME API
cert-manager#5864 Certmgr allows creating certificates expiring after ca expiration.
cert-manager#8085 Feature Request: Add annotation to disable automatic certificate renewal
cert-manager#8082 EOF during self check with Pomerium
cert-manager#7895 if certificate is already expired, it shown like a True
cert-manager#7531 punycode issue
cert-manager#7492 `UseCertificateRequestBasicConstraints` should probably add `Critical` for `isCA`
cert-manager#6820 Ongoing dependency evaluation
cert-manager#3992 Add non-CRD yaml file
website#1806 Tutorial depends on no longer available image of kuard
website#1802 Invalid certificate
website#1643 Let's Encrypt Ending Support for Notification Emails
website#1625 Configuration issue potentially leading to a memory leak
website#1623 Claim about v1beta1/v1alpha2 support for gateway api is misleading
website#1620 Cert Manager allows the creation of Illegal wilcard SANs
website#1608 Renaming Securing NGINX-ingress to ingress-nginx
website#1596 Wrong key for cloudflare secret ref in DNS Validation tutorial page
website#1585 Broken install instructions due wrong cert_manager_latest_version - v1.16.1
website#1549 Brand guideline page
website#1490 GKE tutorial falsely claims it's possible to create LE certificate without domain (only IP)
website#1473 Add ArtifactHub packages to website
website#1063 "Securing Ingresses with Venafi" tutorial contains link to missing manifest
website#944 Document how to install cert-manager in a different namespace
website#850 Document available cert-manager Prometheus metrics
website#484 Please add anchor tags to your subheadings
website#354 DigitalOcean access-token should not be base64-encoded
website#237 docs for ACMEChallengeSolverHTTP01Ingress doesn't specify what `class` values are available
website#228 Documentation needs correction for external-account-bindings
website#197 Document ACME account mismatch
website#130 FAQ: How does cert-manager handle ingresses with valid TLS secrets?
website#76 Upgrading from v0.10 to v0.11 - missing cainjector annotation
istio-csr#501 Error logs not very helpful
istio-csr#431 istio-csr pod healthz check fails for long time in v0.11.0 and v0.12.0
istio-csr#287 Getting Readiness probe failed when using cert-manager-istio-csr
istio-csr#244 Populate Subject Fields in Certificate
istio-csr#176 certificateDuration is not used for the Istio CSR generated certificate requests
istio-csr#137 Documentation on rotating the root certificate
istio-csr#130 Document best-practices for minimal vault role configuration for istio-csr
istio-csr#113 Integrating with istio helm chart installs
istio-csr#84 csr readiness probe failed, istio ingress pod also failed
approver-policy#667 Cannot create secret cert-manager-approver-policy-tls
approver-policy#638 Approver cannot find applicable policy
approver-policy#466 Document How to Configure Common Scenarios
approver-policy#452 CRDs in the Release files
trust-manager#778 Add option to use a specific issuer in the helm chart
trust-manager#761 Feat: Add a namespaced trust bundle CRD alongside the cluster-scoped Bundle
trust-manager#750 Feat: Emit Events on the controller Pod instead of cluster-scoped Bundle
trust-manager#560 Support rotated certificate sources
trust-manager#465 Installing trust-manager just after installing cert-manager makes it FAIL forever
trust-manager#301 Add support for kubectl installation
csi-driver#521 RFC: Cert-Manager CSI Driver as Secret Store Provider
csi-driver#385 Helm Install of cert-manager-csi-driver Fails on Minikube with /dev/bus/usb Errors
csi-driver#383 [Feature Request] Adding attributes that available in Certificate CRD to CSI Driver
csi-driver#353 mismatch between the key and the certificate signature algorithm
csi-driver#267 Does cert-manager-csi-driver support AWS EKS with AWS Fargate nodes?
csi-driver#264 Certificate renewal doesn't change file 'modified date'
csi-driver#241 Missing cert-manager.io/revision-history-limit volume attributes for CSI-Driver
csi-driver#130 JKS support
csi-driver#17 ability to specify pod IP in volume attributes
openshift-routes#204 Support for creating certificate for wildcard route
openshift-routes#174 Standby Replicas without lease use lots of CPU
openshift-routes#116 Release static manifests (no helm) for v0.6.0-alpha.0+
openshift-routes#58 certificate cannot be renewed, error message: "key does not match certificate"
openshift-routes#56 Support for destinationCaCertificate / Reencrypt Routes
openshift-routes#54 Same certificate in path based Routes
cert-manager-olm#46 Cert-manager operator fails to issue certificates
cert-manager-olm#22 Customize the deployment of cert-manager installed via OLM
cert-manager-olm#17 Operator prevents passing extraArgs helm value
cert-manager-olm#3 Restrict operator RBAC permissions
csi-lib#74 Consistency issues due to the use of mount binds
csi-lib#40 Optional auto rotating/renewing certificates
sample-external-issuer#63 Is it possible to only create Issuer and remove the CluserIssuer
sample-external-issuer#62 Limit the controller-manager to access secrets only from specific namespace
cmctl#122 asdf cmctl installer issues
cmctl#83 As cmctl user, I want to use different kubectl context on command line ( --context='kubectl-context-abc' )
testing#690 Clean up Presets
testing#594 Document infra image bumps and versioning
webhook-example#81 How to enable leader election in the webhook?
webhook-example#80 How to deal with K8s timelimit in 30s ?
webhook-example#74 Why cert-manager looks for a CNAME record instead of a TXT record?
webhook-example#72 readyz and healthz api
webhook-example#38 Set repository to be a GitHub template repository
webhook-example#37 Add logging example
google-cas-issuer#361 [Helm] allow `enabled` as key in values schema
google-cas-issuer#162 Issue: Broken config when using commonLabels
google-cas-issuer#148 Certificate chain is not split correctly
google-cas-issuer#133 Allow to use a custom Service Account
google-cas-issuer#102 certificate renewal does not work in due to auth issue to privatecaapi end point
cert-manager#8201 Timeout contacting Cloudflare API during cert-manager DNS-01 challenge
cert-manager#7822 Tracking: Kubernetes Gateway API follow up tasks
cert-manager#6709 1.14 Release Review
cert-manager#5298 Complete the Migration Away From Jetstack Names
cert-manager#4950 General flakiness of our end-to-end suite
cert-manager#4191 Setting default values for Pod's "resources"?
cert-manager#2334 Add network policy allowance into documentation
website#1546 Self upgrade PRs don't run checks
website#1194 Confusing paragraph - cert-manager integration.
website#697 [IRSA] Needs `runAsUser: 1001`
website#401 Bring tutorials up to date
website#320 Document how to install cert-manager using gitops and known issues with particular gitops implementations
website#223 Document wildcard certificate tutorial
website#195 Document keystores
website#174 Add documentation for CRD conversion webhook ca injection
website#1174 Document the docker images and how to find them
website#1101 Feature request for updating documentation.
website#234 Backup and Restore Resources
istio-csr#153 It is possible to have several CAs within the same cluster.
approver-policy#394 Limit number of SANs by policy
approver-policy#288 Feature: Take control of approval for the whole cluster
approver-policy#216 Simplify configuration by creating RBAC by default
approver-policy#203 Improve CRD fields for specifying key requirements
approver-policy#169 Webhook Custom CA
trust-manager#741 Using an Image Volume to deploy certifiats
trust-manager#592 Feature: ClusterTrustBundle as Sources
trust-manager#591 Feature: ClusterTrustBundle as Target
trust-manager#297 Allow all resources to be namespaced
trust-manager#245 Split Bundle controller into multiple controllers
trust-manager#39 Don't sync targets to all namespaces by default
trust-manager#131 Feature: per namespace trust bundle
trust-manager#99 Allow removing Bundles whilst keeping the synced CA certs
trust-manager#242 New version of Bundle API
trust-manager#63 nit: Rename "Bundle" to "ClusterBundle"
issuer-lib#204 clarify SetCAOnCertificateRequest deprecation status
csi-driver#171 E2E Test Cleanup
csi-driver#45 Unable to mount and read only file error
openshift-routes#38 Route with cert-manager annotations is not created
cert-manager-olm#70 OLM deployment with ArgoCD is OutOfSync
sample-external-issuer#56 Struggling to get controller running in local KIND cluster
cmctl#264 commands should provide help when called w/o arguments if they require inputs
infrastructure#59 Process regarding worrying emails sent to the maintainers mailing list
testing#81 Configuring Peribolos for Github org management
makefile-modules#451 Re-enable testing with specific kubernetes versions in subprojects
makefile-modules#202 Makefile Modules, Go Versions and Vendoring
makefile-modules#3 Migrating all cert-manager projects to "Makefile modules"
community#64 Open Standup: Updating an event didn't send new invitations to already registered people
community#63 CNCF-paid GitHub Actions runners
community#60 Lazy vote: Zoom for standup meetings to be able to add the standups to the LFX calendar
community#35 Post-Graduation Suggestion Tracker
webhook-example#27 failed with: OpenAPI spec does not exist
webhook-example#3 Make unit testing easier/make examples work
google-cas-issuer#197 Kubectl One-line Installation Support

cert-manager#3381 Setup separate package for cert-manager API
🌊

csi-lib#33 Create e2e test to validate CertificateRequest garbage collection
🌊

website#414 Explain cert-manager repo structure
🌊
Triage Party v1.4.0