generic Weekly Triage :: Triage Party

queue to be emptied once a week in a team triage meeting

Weekly Triage

297 unique items

Completion ETA: ~2026-02-15

Assi	Important soon, but no updates in 60 days	Important longterm, but no updates in 120 days	many reactions, low priority	many commenters, low priority	Needs information for over 2 weeks	Support request over 30 days old	Issues nearing expiration	Pull requests: Approved and getting old	Pull Requests: Stale	Overdue answers for a question	Updated support requests
			cert-manager#7473 Create certificate based on HTTPRoute configuration 🌊 7608 7839
nobody	cert-manager#6741 ACME account private key and URI are not updated if the path of the ACME server is changed cert-manager#6709 1.14 Release Review cert-manager#6331 CSR not signed by referenced private key cert-manager#5298 Complete the Migration Away From Jetstack Names cert-manager#5751 Wildcard DNS domains and `cnameStrategy: Follow` don't work nicely together 8474 cert-manager#3992 Add non-CRD yaml file cert-manager#5867 Controller can't handle hitting request rate limits of zerossl ACME API 5901 6090 6091 website#1425 The `issuer.vault.spec.caBundleSecretRef` docs are missing website#955 Document when the vault pki role required setting `require_cn=false` website#1174 Document the docker images and how to find them website#195 Document keystores website#174 Add documentation for CRD conversion webhook ca injection website#802 Spelling errors are unclear in pull request CI results and spell checker is unmaintained 806 807 1175 cmctl#127 cmctl version reports only the old CRD version if I upgrade cert-manager without including the CRDs	cert-manager#8085 Feature Request: Add annotation to disable automatic certificate renewal 8091 cert-manager#6969 Should upgrade status managed fields from CSA to SSA when ServerSideApply feature gate enabled cert-manager#6820 Ongoing dependency evaluation cert-manager#6051 Detecting Gateway hostnames based on attached HTTPRoutes 6124 7839 cert-manager#4191 Setting default values for Pod's "resources"? cert-manager#4685 Unexpected EOF during watch stream event decoding: unexpected EOF -- possibly due to api server upgrades / restarts cert-manager#3521 Integration with ExternalDNS cert-manager#2525 Better support multi-namespace & single-namespace deployments 4219 cert-manager#2178 Handling 'unregistering' certificates from Venafi TPP cert-manager#4950 General flakiness of our end-to-end suite 4960 5136 5141 5317 5318 5323 5325 cert-manager#8058 Cert-manager fails to import ECDSA private keys generated by openssl 8187 cert-manager#1292 Allowing skipping HTTP01 and DNS01 self-check on a per-solver basis 2772 2783 website#1194 Confusing paragraph - cert-manager integration. website#975 Some pages do not make it clear what the user should read next website#1063 "Securing Ingresses with Venafi" tutorial contains link to missing manifest 1090 website#401 Bring tutorials up to date website#850 Document available cert-manager Prometheus metrics website#223 Document wildcard certificate tutorial csi-driver-spiffe#129 Increase e2e test timeouts cmctl#83 As cmctl user, I want to use different kubectl context on command line ( --context='kubectl-context-abc' ) webhook-example#38 Set repository to be a GitHub template repository webhook-example#3 Make unit testing easier/make examples work 20 31 83	cert-manager#8493 cloudflare DNS01 - Client.Timeout exceeded while awaiting headers cert-manager#8300 Support for custom, TLS-based application protocols cert-manager#7890 Cluster issuer for HTTP-01 gatewayHTTPRoute should not require a gateway parentRef cert-manager#6716 leader election namespace should default to `.Release.Namespace`, not `kube-system` 6766 7764 cert-manager#6179 CRDs shouldn't be templated in Helm cert-manager#5566 upload Helm charts to OCI registry and sign them with cosign 7132 cert-manager#8422 feat: Add AWS authentication method for Vault Issuer	cert-manager#8375 feat: add health probes to cert-manager pods cert-manager#8258 feat(certificate): renewal policy and windows code cert-manager#8379 acmechallenges: stabilize solver resource names website#1909 docs: add ACK RRSA supported AliDNS webhook trust-manager#841 Does trust-manager require cluster level permissions to read secrets?	cert-manager#8102 cert-manager-startupapicheck erroring while installation cert-manager#8121 Support for Creating CertificateRequest from Kubernetes Secret cert-manager#7845 ClusterIssuer.cert-manager.io "letsencrypt" is invalid: spec.acme.privateKeySecretRef: Required value... cert-manager#5101 No backoff/delay when failing to create challenge solver pods 8379 csi-lib#15 Allow data-root to be an absolute path 71	cert-manager#8296 HTTP-01 challenge stuck in pending with status code 400 google-cas-issuer#53 Support crlDistributionPoints & ocspServers google-cas-issuer#28 Certificate revocation from CAS Console	cert-manager#7749 Http and PROXY protocol cert-manager#7717 After uninstalling cert-manager, ingress resources can still only be accessed via https cert-manager#7660 cert-manager produces invalid (per RFC5280) certificates when `cert sign` usage is set along with another usage cert-manager#7659 Challenge and resolver pod/ingress killed too soon cert-manager#7625 Clean install fails to create Issuer cert-manager#7594 Cloudflare delegated domains returns Found no Zones for domain _acme-challenge.mydomain.com cert-manager#7288 Missing UID in webhook challenge request cert-manager#3706 renewal-hooks cert-manager#7725 chore: allow additional properties in Helm setup #7668 cert-manager#7467 fix: ❗dns-01 route53 query change status retry timeout cert-manager#7654 Implement fallback for git_version creation in forked environments trust-manager#465 Installing trust-manager just after installing cert-manager makes it FAIL forever	cert-manager#7689 Add Vertical Pod Autoscaler	cert-manager#8440 feat(chart): Set ttlSecondsAfterFinished for statupapicheck cert-manager#8253 refactor(issuer): add shared factory and per-instance registries cert-manager#7897 wip: add retry mechanism for challenge solver whenever we detect unauthorized error cert-manager#8255 add dns issuer secrets validation before marking it as ready cert-manager#8438 POC: single cert-manager binary cert-manager#7646 Support custom ACME account key type. cert-manager#8336 Add global.tolerations to helm chart cert-manager#8407 Use generics to make predicates typed cert-manager#8220 Add predicate filtering to queuing handler cert-manager#8395 Clarify code around DNS01 Self Check cert-manager#8367 feat(helm) add startupProbe and readinessProbe to cert-manager-controller cert-manager#5447 Allow extra DNS-01 propagation time to be configured cert-manager#7236 Route53: Allow STS token to be refreshed by the AWS client if necessary cert-manager#5743 Add MaxPathLen and add EncodeBasicConstraintsInRequest option to Certificate and CertificateRequest resources cert-manager#7382 Implement a single package for controlling cert-manager RNG cert-manager#7437 fix: annotate account private key secrets cert-manager#7449 WIP: reconcile issuers using issuer-lib cert-manager#7718 Switch to makefile modules completely (part 1) cert-manager#7823 Adding read perms for pods and services to DNS01 ClusterRole cert-manager#7805 feat: refactor challenge controller to be entirely non blocking cert-manager#8263 fix: dont copy `kapp.k14s.io` annotations from Ingress to created resources cert-manager#8339 feat(pkcs12): Add flag to specify pkcs12 keystore alias cert-manager#7662 Fix the issue of webhook routes generating duplicate operation IDs cert-manager#7450 Make ACME Authorization Timeout Configurable cert-manager#8071 Handle ACME Accept asynchronously cert-manager#8262 Bugfix #7388 kid missing issue with Infisical ACME server or any other ACME that requires EAB cert-manager#7289 Design proposal for delayed certificate activation cert-manager#7521 ClusterIssuer read caBundle from Secret cert-manager#7733 fixes #5864: cert-manager CA to issue certs after verify with CA Certs Validity cert-manager#7652 Helm chart: add ability to add appprotocol to port in service cert-manager#7439 helm: add checksum/config annotations cert-manager#7583 Support for ACME servers that don't finalize within the ACME client finalizer retry window cert-manager#8187 fix: add case for parsing key with ec parameters cert-manager#7614 Lower the minimum certificate duration from 1 hour to 5 minutes cert-manager#7764 Doc: Add leaderElection.namespace recommendation cert-manager#8141 fix(helm): Align targetPorts in metrics endpoints for webhook and cainjector services cert-manager#7906 fix: Venafi call GetRefreshToken only when access token invalid for password/username authentication cert-manager#7399 Add renew window to restrict when certificate renewal can happen cert-manager#7824 Add Azure Private DNS support to cert-manager website#1787 Update Slack links to include both invite and direct channel URLs website#1927 Update Hetzner webhook link in README.md website#1785 WIP: Add release-notes generator script and update release docs website#1447 Explain how to install cert-manager using ArgoCD website#1640 Update issuer.md website#1602 acme troubleshooting: how to fix errored challenges website#1197 doc about new option default-cleanup-policy website#1569 wip: update cert-manager logo svg website#1672 WIP: docs: Add an wrap-up announcement page website#1364 WIP: Patch release checklist website#1611 Update webhook troubleshooting documentation to including necessary curl command. website#1607 Document Log Level settings. Document DNS01 delegation using multiple providers. website#1587 Custom Certificate Support for cert-manager Webhook Endpoint website#1202 Add section about client cert authentication for vault website#1419 fix: TLSConfig secretName description website#1450 Docker testing and validation website#1213 Draft of tutorial for Google's Public CA website#790 Update route53.md website#1075 Move Issuer / ClusterIssuer and Certificate resource content to a sub-folder of configuration/ website#1259 Fixed Azure Workload identity doc website#859 Move the meetings and slack information to a separate page website#528 Update "Setting Nameservers for DNS01 Self Check" example release#36 Add the "cmrel update-release-branch" command release#43 No more requirement "be in the release folder" to run cmrel, remove the flag --cloudbuild istio-csr#637 Fix/chartadditional annotations for cli args approver-policy#628 Grant cert-manager RBAC to use all policies by default trust-manager#558 feat(helm-chart): add ability to set pod level security context trust-manager#395 WIP: feat: inject bundle data into configmap trust-manager#654 Add design for trust source plugins trust-manager#762 Add support for injecting CA from secret for trust manager Webhook trust-manager#689 Add build process for Debian Trixie trust-manager#683 feat: Add a very basic pre-commit configuration issuer-lib#324 [VC-35742] Handle canceled context to prevent extra retries issuer-lib#188 Remove SetCertificateRequestConditionError issuer-lib#186 Remove GetIssuerTypeIdentifier from Issuer API csi-driver#251 PoC: Generate SPIFFE identities in csi-driver csi-driver#502 Enable csi-lib metrics csi-driver#135 Added options to all containers csi-driver#129 Add attribute support for certificate subject csi-driver-spiffe#107 Remove csi-driver-spiffe approver openshift-routes#148 limit-namespaces for namespace-scope deployments openshift-routes#117 fill spec.tls.caCertificate in route with intermediate ca certificate… openshift-routes#303 feat: add support for setting private key encoding csi-lib#71 Refactor filesystem.go and adapt tests to use a real file system sample-external-issuer#120 Upgrade golangci-lint testing#1119 Disable DCO for Copilot-authored PRs testing#1114 Add the 'cybr' label makefile-modules#470 feat(helm): adding `helm-diff` target makefile-modules#293 Add Helm chart image baking makefile-modules#55 feat: add test module helm-tool#104 Add Chart image baking community#11 Governance: folks meaningfully contributing to the biweekly can become GitHub Members webhook-example#59 cleanup: remove unused NOTES.txt file webhook-example#64 Add imagePullSecrets to template org#1 Manage the cert-manager GitHub organisation from this repo boilersuite#4 Add support for custom license templates google-cas-issuer#345 chore: add existing securityContext settings to values google-cas-issuer#143 feat: allow creating or reusing an existing sa google-cas-issuer#159 Split certificate chain google-cas-issuer#141 re-adding required clusterrole permission google-cas-issuer#413 Add optional fetchCaBundle boolean flag to optionally return root CA certificates of all CAS CA Pool CAs	cert-manager#8476 Helm chart defaults leaderElection namespace to kube-system, blocking cert-manager controller and certificate creation cert-manager#8352 Add AWS, GCP, and Azure Authentication Methods for Vault Issuer 8422 cert-manager#8095 DNS-01 Delegated zone is not following CNAME and creating wrong records cert-manager#8094 HTTP-01 challenge returns 502 with App Gateway (works with NGINX ingress controller) cert-manager#8023 ACME issuer fails when CA includes Name Constraints with x509: unhandled critical extension cert-manager#7747 [suggestion] Add Kustomize install documentation cert-manager#7561 Feature Request RFC: Push notifications from cert-manager to <other service> when certificates are issued cert-manager#7388 Kid missing in the new order request 8262 cert-manager#6010 Support the ACME Renewal Information (ARI) extension cert-manager#5864 Certmgr allows creating certificates expiring after ca expiration. 7733 cert-manager#4749 rfc2136 seems to not work with deep subdomains website#944 Document how to install cert-manager in a different namespace website#354 DigitalOcean access-token should not be base64-encoded website#320 Document how to install cert-manager using gitops and known issues with particular gitops implementations 1338 website#197 Document ACME account mismatch istio-csr#137 Documentation on rotating the root certificate istio-csr#176 certificateDuration is not used for the Istio CSR generated certificate requests 453 469 istio-csr#130 Document best-practices for minimal vault role configuration for istio-csr istio-csr#84 csr readiness probe failed, istio ingress pod also failed istio-csr#113 Integrating with istio helm chart installs istio-csr#413 Panic: runtime error on new installation istio-csr#287 Getting Readiness probe failed when using cert-manager-istio-csr istio-csr#431 istio-csr pod healthz check fails for long time in v0.11.0 and v0.12.0 approver-policy#638 Approver cannot find applicable policy trust-manager#560 Support rotated certificate sources trust-manager#301 Add support for kubectl installation csi-driver#130 JKS support csi-driver#17 ability to specify pod IP in volume attributes openshift-routes#58 certificate cannot be renewed, error message: "key does not match certificate" cert-manager-olm#22 Customize the deployment of cert-manager installed via OLM cert-manager-olm#17 Operator prevents passing extraArgs helm value csi-lib#74 Consistency issues due to the use of mount binds google-cas-issuer#148 Certificate chain is not split correctly 159	cert-manager#8481 FYI: cert-manager-webhook-libdns cert-manager#8479 Subject Key Identifier (SKI) missing on issued certificates by self-signed CA 8480 cert-manager#8373 DNS-PERSIST-01 challenge support (planned for 2026) cert-manager#8372 HTTP-01 challenge: support stateless http-01 challenge cert-manager#8458 Vault approle configuration cert-manager#8235 Cert-manager support for Issuer-managed keys cert-manager#8201 Timeout contacting Cloudflare API during cert-manager DNS-01 challenge cert-manager#8086 ACME ClusterIssuer not recovering after Vault restart cert-manager#8082 EOF during self check with Pomerium cert-manager#7895 if certificate is already expired, it shown like a True cert-manager#7862 Requesting a certificate from ZeroSSL sometimes takes more than 10 minutes to complete cert-manager#7868 Metrics for webhook certificate cert-manager#7834 Provide race condition mitigation support cert-manager#7768 Stuck in a loop with `multiple challenge solver pods found for challenge` cert-manager#8209 Add revocation at certificate deletion cert-manager#7536 Digicert ACME order is failing due to invalid validity_years cert-manager#7531 punycode issue cert-manager#7438 certificate not updated after enabling SSA cert-manager#7422 Please provide standalone helm chart for CRDs cert-manager#6662 support overriding of ttl in cloudflare cert-manager#5540 Changelog annotations to chart website#1947 Add note for username and groups being usable for CEL validation website#1926 Change the Cert Manager Webhook DNS01 of Hetzner Cloud 1927 website#1625 Configuration issue potentially leading to a memory leak website#1623 Claim about v1beta1/v1alpha2 support for gateway api is misleading website#1620 Cert Manager allows the creation of Illegal wilcard SANs website#1609 Azure DNS Documentation Update website#1806 Tutorial depends on no longer available image of kuard website#1608 Renaming Securing NGINX-ingress to ingress-nginx website#1596 Wrong key for cloudflare secret ref in DNS Validation tutorial page website#1585 Broken install instructions due wrong cert_manager_latest_version - v1.16.1 website#1549 Brand guideline page website#1802 Invalid certificate website#1490 GKE tutorial falsely claims it's possible to create LE certificate without domain (only IP) website#1473 Add ArtifactHub packages to website website#1935 add third party cert-manager-webhook-infomaniak website#1643 Let's Encrypt Ending Support for Notification Emails istio-csr#501 Error logs not very helpful istio-csr#244 Populate Subject Fields in Certificate approver-policy#788 Request for cryptographic mechanisms used in cert-manager-approver-policy approver-policy#466 Document How to Configure Common Scenarios approver-policy#452 CRDs in the Release files trust-manager#848 Request for cryptographic mechanisms used in cert-manager-trust-manager trust-manager#835 Helm Chart cannot set securityContext trust-manager#800 When creating a trust bundle with additionalFormats/pkcs12, no pkcs12 is produced trust-manager#778 Add option to use a specific issuer in the helm chart trust-manager#742 Add option to disable webhook in Helm chart csi-driver#385 Helm Install of cert-manager-csi-driver Fails on Minikube with /dev/bus/usb Errors csi-driver#267 Does cert-manager-csi-driver support AWS EKS with AWS Fargate nodes? csi-driver#521 RFC: Cert-Manager CSI Driver as Secret Store Provider csi-driver#383 [Feature Request] Adding attributes that available in Certificate CRD to CSI Driver csi-driver#353 mismatch between the key and the certificate signature algorithm csi-driver#264 Certificate renewal doesn't change file 'modified date' csi-driver#241 Missing cert-manager.io/revision-history-limit volume attributes for CSI-Driver openshift-routes#204 Support for creating certificate for wildcard route openshift-routes#174 Standby Replicas without lease use lots of CPU openshift-routes#306 [FEATURE]Enable setting private key encoding via annotation 303 openshift-routes#56 Support for destinationCaCertificate / Reencrypt Routes openshift-routes#116 Release static manifests (no helm) for v0.6.0-alpha.0+ openshift-routes#54 Same certificate in path based Routes 55 cert-manager-olm#46 Cert-manager operator fails to issue certificates cert-manager-olm#3 Restrict operator RBAC permissions 1 sample-external-issuer#63 Is it possible to only create Issuer and remove the CluserIssuer sample-external-issuer#62 Limit the controller-manager to access secrets only from specific namespace cmctl#122 asdf cmctl installer issues testing#594 Document infra image bumps and versioning testing#690 Clean up Presets 689 webhook-example#80 How to deal with K8s timelimit in 30s ? webhook-example#37 Add logging example 76 77 webhook-example#72 readyz and healthz api webhook-example#81 How to enable leader election in the webhook? webhook-example#74 Why cert-manager looks for a CNAME record instead of a TXT record? klone#22 Dependency Dashboard google-cas-issuer#412 Provide root CA certs of all CAS CA Pool CAs in ca.crt to support and simplify root CA migration process google-cas-issuer#361 [Helm] allow `enabled` as key in values schema google-cas-issuer#162 Issue: Broken config when using commonLabels google-cas-issuer#102 certificate renewal does not work in due to auth issue to privatecaapi end point google-cas-issuer#133 Allow to use a custom Service Account 143
		website#1186 Document that/why we don't use Helm's CRD installation mechanism 🌊
									website#948 add note to ingress class definition 🌊
										cert-manager#5917 Waiting for DNS-01 challenge propagation: DNS record for mydomain.com not yet propagated 🌊
		cert-manager#2820 Add ability to set `pathlen:0` for CA certs in `X509v3 Basic Constraints` 🌊 4232 4241 4277 4301 4302
		makefile-modules#98 Document new release process for all repos 🌊
									cert-manager#4835 Making sure per fixture only 1 setup is active at the same time 🌊
									website#1686 docs: harmonize `<p>` formatting by dropping internal spaces 🌊 issuer-lib#24 Add conformance tests 🌊
											cert-manager#7879 Remove no-op certificate metrics controller 🌊
	cert-manager#3381 Setup separate package for cert-manager API 🌊
	cert-manager#7234 AWS Route53: Stale/Stuck Challenges should be deleted after a given timeout 🌊 7252 7286 7897 8221									cert-manager#7826 If issuer is incorrect, it is still shown as READY 🌊 8255
		trust-manager#58 Support injection pem into an existing configmap 🌊 378 395 442 648
					cert-manager#7846 ClusterIssuer.Status.Acme.URI disappeared 🌊
	cert-manager#2930 Mirror to gcr.io or dockerhub 🌊
		cert-manager#7598 More fine-grained control of powerful RBAC permission granted via Helm chart 🌊 7666 7836