generic Weekly Triage :: Triage Party

queue to be emptied once a week in a team triage meeting

Weekly Triage

307 unique items

Completion ETA: ~2025-11-15

Assi	Important soon, but no updates in 60 days	Important longterm, but no updates in 120 days	many reactions, low priority	many commenters, low priority	Screaming into the void	Needs information for over 2 weeks	Support request over 30 days old	Issues nearing expiration	Pull requests: Approved and getting old	Pull Requests: Stale	Overdue answers for a question	Updated support requests
nobody	cert-manager#6741 ACME account private key and URI are not updated if the path of the ACME server is changed cert-manager#6709 1.14 Release Review cert-manager#6331 CSR not signed by referenced private key cert-manager#5298 Complete the Migration Away From Jetstack Names cert-manager#5867 Controller can't handle hitting request rate limits of zerossl ACME API 5901 6090 6091 cert-manager#2239 Create a CertificatePreset resource type to allow configurable defaulting 1738 2281 3828 5158 website#955 Document when the vault pki role required setting `require_cn=false` website#174 Add documentation for CRD conversion webhook ca injection website#1425 The `issuer.vault.spec.caBundleSecretRef` docs are missing website#1174 Document the docker images and how to find them website#195 Document keystores website#802 Spelling errors are unclear in pull request CI results and spell checker is unmaintained 806 807 1175 cmctl#127 cmctl version reports only the old CRD version if I upgrade cert-manager without including the CRDs	cert-manager#6969 Should upgrade status managed fields from CSA to SSA when ServerSideApply feature gate enabled cert-manager#6820 Ongoing dependency evaluation cert-manager#5959 `ImagePullBackoff` on `cm-acme-http-solver` pod, if using private registries cert-manager#4191 Setting default values for Pod's "resources"? cert-manager#6754 Schedule certificate renewal outside business hours 7399 8091 8101 8139 cert-manager#3103 Adding probes to the cert-manager pods cert-manager#2525 Better support multi-namespace & single-namespace deployments 4219 cert-manager#2178 Handling 'unregistering' certificates from Venafi TPP cert-manager#4950 General flakiness of our end-to-end suite 4960 5136 5141 5317 5318 5323 5325 website#1194 Confusing paragraph - cert-manager integration. website#223 Document wildcard certificate tutorial website#975 Some pages do not make it clear what the user should read next website#1063 "Securing Ingresses with Venafi" tutorial contains link to missing manifest 1090 website#850 Document available cert-manager Prometheus metrics website#401 Bring tutorials up to date csi-driver-spiffe#129 Increase e2e test timeouts cmctl#83 As cmctl user, I want to use different kubectl context on command line ( --context='kubectl-context-abc' ) webhook-example#38 Set repository to be a GitHub template repository webhook-example#3 Make unit testing easier/make examples work 20 31 83	cert-manager#8095 DNS-01 Delegated zone is not following CNAME and creating wrong records cert-manager#6716 leader election namespace should default to `.Release.Namespace`, not `kube-system` 6766 7764 cert-manager#6179 CRDs shouldn't be templated in Helm cert-manager#5566 upload Helm charts to OCI registry and sign them with cosign 7132 cert-manager#2538 cert-manager does not use ingress.class from Ingress annotated with cert-manager.io/cluster-issuer cert-manager#8010 feat: Add client verification for webhook server cert-manager#7748 Design: "Image Configuration in Helm Chart"	cert-manager#8139 feat(design): adding initial design for certificate renewal cert-manager#8141 fix(helm): Align targetPorts in metrics endpoints for webhook and cainjector services website#1787 Update Slack links to include both invite and direct channel URLs trust-manager#762 Add support for injecting CA from secret for trust manager Webhook	cert-manager#4420 ACME DNS solver error "account credentials not found for domain"	cert-manager#8121 Support for Creating CertificateRequest from Kubernetes Secret cert-manager#7845 ClusterIssuer.cert-manager.io "letsencrypt" is invalid: spec.acme.privateKeySecretRef: Required value... cert-manager#7643 jkspassword.txt file in secret is having default password csi-lib#15 Allow data-root to be an absolute path 71	google-cas-issuer#53 Support crlDistributionPoints & ocspServers google-cas-issuer#28 Certificate revocation from CAS Console	cert-manager#7691 Why is the value of the certificate expiration time captured in blackbox different from the value of the certificate expiration time exposed by certmanager cert-manager#7687 Webhook refusing connection even when Ready cert-manager#7673 Support for acmesolver.tolerations/affinity/nodeSelector cert-manager#7648 Solver selector issue cert-manager#7636 cermanager order in pending state cert-manager#7635 Mirroring bind9 image for e2e tests cert-manager#7688 Feature Request: Vertical Pod Autoscaler Support for cert-manager 7689 cert-manager#7572 Certificate Issuance takes long time up to 50 minutes when attempting to create 40+ certificates cert-manager#6229 Race condition when two identical certificate requests are made from different clusters 6351 cert-manager#7668 Allow custom values in Helm chart schema by relaxing additionalProperties: false 7725 cert-manager#7656 Add multiple DNS provider resolvers to an single webhook not working 7662 cert-manager#3848 Wildcard certificates not being resolved correctly. 8205 8221 cert-manager#7467 fix: ❗dns-01 route53 query change status retry timeout cert-manager#7694 add ability to set metadata of created service cert-manager#7658 7196 order reason not set cert-manager#7665 Add cookie jar to Acme client cert-manager#7064 Adds certificate name key annotation validation in secret as part of post issuance policy chain	cert-manager#7327 add more detailed logging when service certificate is generated cert-manager#7689 Add Vertical Pod Autoscaler	cert-manager#7654 Implement fallback for git_version creation in forked environments cert-manager#7728 Add unhealthyPodEvictionPolicy to supported PDB options cert-manager#7718 Switch to makefile modules completely (part 1) cert-manager#7805 feat: refactor challenge controller to be entirely non blocking cert-manager#7852 adds cli option configure ACME challange authorization timeout cert-manager#7614 Lower the minimum certificate duration from 1 hour to 5 minutes cert-manager#7725 chore: allow additional properties in Helm setup #7668 cert-manager#8187 fix: add case for parsing key with ec parameters cert-manager#7646 Support custom ACME account key type. cert-manager#8115 feat: implements `global.imageRegistry` and fixes #6160 cert-manager#8071 Handle ACME Accept asynchronously cert-manager#7558 feat: add (helm) global.imageRepository cert-manager#7764 Doc: Add leaderElection.namespace recommendation cert-manager#5447 Allow extra DNS-01 propagation time to be configured cert-manager#7236 Route53: Allow STS token to be refreshed by the AWS client if necessary cert-manager#5743 Add MaxPathLen and add EncodeBasicConstraintsInRequest option to Certificate and CertificateRequest resources cert-manager#7286 Only remove the cleanup finalizer if the cleanup succeeds cert-manager#7382 Implement a single package for controlling cert-manager RNG cert-manager#7437 fix: annotate account private key secrets cert-manager#7449 WIP: reconcile issuers using issuer-lib cert-manager#7642 fixes #7506: enable configurable max key/cert sizes, defaulting to original safe values introduced in #7401 cert-manager#7823 Adding read perms for pods and services to DNS01 ClusterRole cert-manager#8043 WIP: feat(controller): adding labels to lease cert-manager#7906 fix: Venafi call GetRefreshToken only when access token invalid for password/username authentication cert-manager#7399 Add renew window to restrict when certificate renewal can happen cert-manager#7886 Improve array field characteristics in API cert-manager#7824 Add Azure Private DNS support to cert-manager cert-manager#7450 Make ACME Authorization Timeout Configurable cert-manager#7662 Fix the issue of webhook routes generating duplicate operation IDs cert-manager#7289 Design proposal for delayed certificate activation cert-manager#7521 ClusterIssuer read caBundle from Secret cert-manager#7733 fixes #5864: cert-manager CA to issue certs after verify with CA Certs Validity cert-manager#7652 Helm chart: add ability to add appprotocol to port in service cert-manager#7439 helm: add checksum/config annotations cert-manager#7583 Support for ACME servers that don't finalize within the ACME client finalizer retry window website#1785 WIP: Add release-notes generator script and update release docs website#1447 Explain how to install cert-manager using ArgoCD website#1640 Update issuer.md website#1602 acme troubleshooting: how to fix errored challenges website#1197 doc about new option default-cleanup-policy website#1724 DRAFT: feat(tutorials): Add Gateway API website#1721 Remove whitespace-nowrap from Toc component website#1569 wip: update cert-manager logo svg website#1672 WIP: docs: Add an wrap-up announcement page website#1364 WIP: Patch release checklist website#1611 Update webhook troubleshooting documentation to including necessary curl command. website#1587 Custom Certificate Support for cert-manager Webhook Endpoint website#1607 Document Log Level settings. Document DNS01 delegation using multiple providers. website#1419 fix: TLSConfig secretName description website#1202 Add section about client cert authentication for vault website#1450 Docker testing and validation website#1213 Draft of tutorial for Google's Public CA website#790 Update route53.md website#1075 Move Issuer / ClusterIssuer and Certificate resource content to a sub-folder of configuration/ website#1259 Fixed Azure Workload identity doc website#859 Move the meetings and slack information to a separate page website#528 Update "Setting Nameservers for DNS01 Self Check" example release#201 Add publish stage for pushing OCI helm chart release#43 No more requirement "be in the release folder" to run cmrel, remove the flag --cloudbuild release#36 Add the "cmrel update-release-branch" command release#200 Bump the all group across 1 directory with 12 updates approver-policy#628 Grant cert-manager RBAC to use all policies by default trust-manager#702 WIP: User-facing migration to ClusterBundle trust-manager#689 Add build process for Debian Trixie trust-manager#683 feat: Add a very basic pre-commit configuration trust-manager#558 feat(helm-chart): add ability to set pod level security context trust-manager#304 Add support for PodMonitor trust-manager#659 WIP: Dedicated controller for cleaning up bundle targets trust-manager#395 WIP: feat: inject bundle data into configmap trust-manager#654 Add design for trust source plugins issuer-lib#186 Remove GetIssuerTypeIdentifier from Issuer API issuer-lib#188 Remove SetCertificateRequestConditionError issuer-lib#324 [VC-35742] Handle canceled context to prevent extra retries csi-driver#502 Draft: demo for csi-lib metrics feature csi-driver#251 PoC: Generate SPIFFE identities in csi-driver csi-driver#129 Add attribute support for certificate subject csi-driver#135 Added options to all containers csi-driver-spiffe#107 Remove csi-driver-spiffe approver openshift-routes#148 limit-namespaces for namespace-scope deployments openshift-routes#117 fill spec.tls.caCertificate in route with intermediate ca certificate… csi-lib#71 Refactor filesystem.go and adapt tests to use a real file system testing#1103 Drop separate licenses check on master testing#1114 Add the 'cybr' label makefile-modules#293 Add Helm chart image baking makefile-modules#310 Add generate-applyconfigurations target to controller-gen module makefile-modules#55 feat: add test module helm-tool#104 Add Chart image baking webhook-example#64 Add imagePullSecrets to template webhook-example#59 cleanup: remove unused NOTES.txt file webhook-example#79 Bump github.com/cert-manager/cert-manager from 1.15.1 to 1.15.4 in the go_modules group across 1 directory org#1 Manage the cert-manager GitHub organisation from this repo boilersuite#4 Add support for custom license templates google-cas-issuer#143 feat: allow creating or reusing an existing sa google-cas-issuer#159 Split certificate chain google-cas-issuer#141 re-adding required clusterrole permission google-cas-issuer#345 chore: add existing securityContext settings to values	cert-manager#8102 cert-manager-startupapicheck erroring while installation cert-manager#8023 ACME issuer fails when CA includes Name Constraints with x509: unhandled critical extension cert-manager#7864 failed to call webhook: certificate has expired or is not yet valid cert-manager#7766 Certificate: Let me specify the concatenation order for CombinedPEM output format cert-manager#7755 cert-manager-challenges Error presenting challenge: expected array of Record cert-manager#7747 [suggestion] Add Kustomize install documentation cert-manager#7649 [GKE][Cert-Manager]Document Might Need Implementation Details Update to GSA/KSA Integration cert-manager#7561 Feature Request RFC: Push notifications from cert-manager to <other service> when certificates are issued cert-manager#7476 [Helm Chart] - Wrong handling of image registry and repository cert-manager#7184 Helm chart: add ability to add appprotocol to port in service 7652 cert-manager#6799 ACME challenges stopped working after 1.13/1.14 update cert-manager#6010 Support the ACME Renewal Information (ARI) extension cert-manager#5048 certificate not renewed for ingress with multiple hosts and http01-edit-in-place cert-manager#4749 rfc2136 seems to not work with deep subdomains cert-manager#3640 Challenge Records Not Always Cleaned Up 5121 5126 7286 cert-manager#3521 Integration with ExternalDNS cert-manager#1292 Allowing skipping HTTP01 and DNS01 self-check on a per-solver basis 2772 2783 cert-manager#5864 Certmgr allows creating certificates expiring after ca expiration. 7733 website#944 Document how to install cert-manager in a different namespace website#354 DigitalOcean access-token should not be base64-encoded website#320 Document how to install cert-manager using gitops and known issues with particular gitops implementations 1338 website#197 Document ACME account mismatch istio-csr#431 istio-csr pod healthz check fails for long time in v0.11.0 and v0.12.0 istio-csr#413 Panic: runtime error on new installation istio-csr#137 Documentation on rotating the root certificate istio-csr#287 Getting Readiness probe failed when using cert-manager-istio-csr istio-csr#113 Integrating with istio helm chart installs istio-csr#84 csr readiness probe failed, istio ingress pod also failed istio-csr#130 Document best-practices for minimal vault role configuration for istio-csr istio-csr#176 certificateDuration is not used for the Istio CSR generated certificate requests 453 469 approver-policy#638 Approver cannot find applicable policy trust-manager#629 The crds is not installed automatically when trust-manager is a sub-chart trust-manager#560 Support rotated certificate sources trust-manager#301 Add support for kubectl installation trust-manager#60 overriding trusted namespace issuer-lib#279 Persisting identifiers for retry calls to Sign() csi-driver#130 JKS support csi-driver#17 ability to specify pod IP in volume attributes openshift-routes#58 certificate cannot be renewed, error message: "key does not match certificate" cert-manager-olm#17 Operator prevents passing extraArgs helm value cert-manager-olm#22 Customize the deployment of cert-manager installed via OLM csi-lib#74 Consistency issues due to the use of mount binds google-cas-issuer#148 Certificate chain is not split correctly 159	cert-manager#8227 [HELM] startupapicheck is not using correct name cert-manager#8110 Add ability to be a incoming `HTTP-01` to outgoing `DNS-01` proxy cert-manager#8209 Add revocation at certificate deletion cert-manager#8086 ACME ClusterIssuer not recovering after Vault restart cert-manager#8082 EOF during self check with Pomerium cert-manager#8058 Cert-manager fails to import ECDSA private keys generated by openssl 8187 cert-manager#7914 Output tls.crt in CA cert to another secret cert-manager#7868 Metrics for webhook certificate cert-manager#7862 Requesting a certificate from ZeroSSL sometimes takes more than 10 minutes to complete cert-manager#7834 Provide race condition mitigation support cert-manager#7822 Tracking: Kubernetes Gateway API follow up tasks cert-manager#8094 HTTP-01 challenge returns 502 with App Gateway (works with NGINX ingress controller) cert-manager#7768 Stuck in a loop with `multiple challenge solver pods found for challenge` cert-manager#7765 Propagation tests fails when using IPv6 recursive DNS nameservers cert-manager#7760 Is the zone responsible for a domain changes, cert-manager will not pick it up cert-manager#7645 Support cross-signed intermediate CAs issued with Vault cert-manager#7531 punycode issue cert-manager#7510 Key Size for Acme Account Key 7646 cert-manager#7438 certificate not updated after enabling SSA cert-manager#7422 Please provide standalone helm chart for CRDs cert-manager#6662 support overriding of ttl in cloudflare cert-manager#6472 Create TLSA records automatically cert-manager#5540 Changelog annotations to chart cert-manager#8085 Feature Request: Add annotation to disable automatic certificate renewal 8091 cert-manager#8200 Add commonLabels support for acmesolver cert-manager#7779 RevisionHistoryLimit should follow Kubernetes definition website#1806 Tutorial depends on no longer available image of kuard website#1643 Let's Encrypt Ending Support for Notification Emails website#1625 Configuration issue potentially leading to a memory leak website#1620 Cert Manager allows the creation of Illegal wilcard SANs website#1609 Azure DNS Documentation Update website#1608 Renaming Securing NGINX-ingress to ingress-nginx website#1596 Wrong key for cloudflare secret ref in DNS Validation tutorial page website#1585 Broken install instructions due wrong cert_manager_latest_version - v1.16.1 website#1549 Brand guideline page website#1490 GKE tutorial falsely claims it's possible to create LE certificate without domain (only IP) website#1473 Add ArtifactHub packages to website website#1822 RFC 2136 description of rate limits is misleading website#1802 Invalid certificate website#1623 Claim about v1beta1/v1alpha2 support for gateway api is misleading istio-csr#501 Error logs not very helpful istio-csr#244 Populate Subject Fields in Certificate approver-policy#466 Document How to Configure Common Scenarios approver-policy#452 CRDs in the Release files trust-manager#778 Add option to use a specific issuer in the helm chart trust-manager#650 Pod goes out of readiness trust-manager#465 Installing trust-manager just after installing cert-manager makes it FAIL forever issuer-lib#231 ### Question about Configuring Retries in cert-manager csi-driver#385 Helm Install of cert-manager-csi-driver Fails on Minikube with /dev/bus/usb Errors csi-driver#264 Certificate renewal doesn't change file 'modified date' csi-driver#267 Does cert-manager-csi-driver support AWS EKS with AWS Fargate nodes? csi-driver#383 [Feature Request] Adding attributes that available in Certificate CRD to CSI Driver csi-driver#353 mismatch between the key and the certificate signature algorithm csi-driver#241 Missing cert-manager.io/revision-history-limit volume attributes for CSI-Driver openshift-routes#204 Support for creating certificate for wildcard route openshift-routes#56 Support for destinationCaCertificate / Reencrypt Routes openshift-routes#174 Standby Replicas without lease use lots of CPU openshift-routes#116 Release static manifests (no helm) for v0.6.0-alpha.0+ openshift-routes#54 Same certificate in path based Routes 55 cert-manager-olm#46 Cert-manager operator fails to issue certificates cert-manager-olm#3 Restrict operator RBAC permissions 1 sample-external-issuer#67 Dependency Dashboard sample-external-issuer#63 Is it possible to only create Issuer and remove the CluserIssuer sample-external-issuer#62 Limit the controller-manager to access secrets only from specific namespace cmctl#122 asdf cmctl installer issues testing#690 Clean up Presets 689 testing#594 Document infra image bumps and versioning testing#693 Set up periodics against 'previous previous' branch helm-tool#141 Dependency Dashboard webhook-example#81 How to enable leader election in the webhook? webhook-example#80 How to deal with K8s timelimit in 30s ? webhook-example#74 Why cert-manager looks for a CNAME record instead of a TXT record? webhook-example#72 readyz and healthz api webhook-example#46 Code reference a pull request to be merged, but the pull request was closed by a robot webhook-example#37 Add logging example 76 77 google-cas-issuer#162 Issue: Broken config when using commonLabels google-cas-issuer#133 Allow to use a custom Service Account 143 google-cas-issuer#102 certificate renewal does not work in due to auth issue to privatecaapi end point
										website#1686 docs: harmonize `<p>` formatting by dropping internal spaces 🌊 issuer-lib#24 Add conformance tests 🌊
										website#948 add note to ingress class definition 🌊
											cert-manager#5917 Waiting for DNS-01 challenge propagation: DNS record for mydomain.com not yet propagated 🌊
	cert-manager#2930 Mirror to gcr.io or dockerhub 🌊
		makefile-modules#98 Document new release process for all repos 🌊
										cert-manager#4835 Making sure per fixture only 1 setup is active at the same time 🌊
						cert-manager#7846 ClusterIssuer.Status.Acme.URI disappeared 🌊
	cert-manager#3381 Setup separate package for cert-manager API 🌊
	cert-manager#7234 Stale/Stuck Challenges should be deleted after a given timeout 🌊 7252 7286 7897							cert-manager#7218 cert-manager set don't fragment (DF) bit 🌊			cert-manager#7826 If issuer is incorrect, it is still shown as READY 🌊 cert-manager#7138 Failed to generate serving certificate 🌊 7229 7327
		website#1186 Document that/why we don't use Helm's CRD installation mechanism 🌊
		trust-manager#58 Support injection pem into an existing configmap 🌊 378 395 442 648
			cert-manager#7473 Create certificate based on HTTPRoute configuration 🌊 7608 7839
											cert-manager#7788 Be able to default `acme.cert-manager.io/http01-edit-in-place: "true"` behavior in deployment/chart values 🌊	cert-manager#7879 Remove no-op certificate metrics controller 🌊
											cert-manager#7598 More fine-grained control of powerful RBAC permission granted via Helm chart 🌊 7666 7836	cert-manager#7699 Adding Helm Unittest to all certmanager projects 🌊
												cert-manager#7002 Confusing messaging when certificate secret name already exist 🌊