Merge pull request #1709 from cert-manager/master

cert-manager-prow[bot] · web-flow · commit fa700986c9c3 · 2025-06-10T08:23:05.000Z
Sync the release-next branch with master
diff --git a/.github/workflows/make-self-upgrade.yaml b/.github/workflows/make-self-upgrade.yaml
@@ -42,7 +42,7 @@ jobs:
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 
diff --git a/.spelling b/.spelling
@@ -440,6 +440,7 @@ jsoref
 justinkillen
 keystore
 keystores
+keyvault-issuer
 kit837
 kms-issuer
 kube-cert-manager
diff --git a/README.md b/README.md
@@ -90,7 +90,7 @@ For example, the [manifest for the docs section](https://github.com/cert-manager
 contains the expected path for every file.
 
 If you're adding a top-level page which should only appear in the `docs/` section (such as the existing "contributing" section)
-then add `"x-only-docs": true` underneath the title in `manifest.json`. This will cause that section to be removed when a new versioned docs section.
+then add `"x-only-docs": true` underneath the title in `manifest.json`. This will cause that section to be removed when a new versioned docs section is added.
 
 Likewise, if a folder shouldn't be copied from `docs/` to a versioned section, add a file called `.x-only-docs` to that folder, and it will be removed from any newly created versioned documentation.
 
diff --git a/content/docs/configuration/acme/README.md b/content/docs/configuration/acme/README.md
@@ -60,13 +60,13 @@ spec:
     server: https://acme-staging-v02.api.letsencrypt.org/directory
     privateKeySecretRef:
       # Secret resource that will be used to store the account's private key.
-      # This is your identity with your ACME provider. Any secret name
-      # may be chosen. It will be populated with data automatically,
-      # so generally nothing further needs to be done with
-      # the secret. If you lose this identity/secret, you will be able to
-      # generate a new one and generate certificates for any/all domains
-      # managed using your previous account, but you will be unable to revoke
-      # any certificates generated using that previous account.
+      # This is your identity with your ACME provider. Any secret name may be
+      # chosen. It will be populated with data automatically, so generally
+      # nothing further needs to be done with the secret. If you lose this
+      # identity/secret, you will be able to generate a new one and generate
+      # certificates for any/all domains managed using your previous account,
+      # but you will be unable to revoke any certificates generated using that
+      # previous account.
       name: example-issuer-account-key
     # Add a single challenge solver, HTTP01 using nginx
     solvers:
diff --git a/content/docs/configuration/acme/dns01/README.md b/content/docs/configuration/acme/dns01/README.md
@@ -187,6 +187,7 @@ Links to these supported providers along with their documentation are below:
 - [`cert-manager-webhook-vercel`](https://github.com/rhythmbhiwani/cert-manager-webhook-vercel)
 - [`cert-manager-webhook-opentelekomcloud`](https://github.com/akyriako/cert-manager-webhook-opentelekomcloud)
 - [`cert-manager-webhook-abion`](https://github.com/abiondevelopment/cert-manager-webhook-abion)
+- [`cert-manager-webhook-glesys`](https://github.com/sthlmio/cert-manager-webhook-glesys)
 
 You can find more information on how to configure webhook providers [here](./webhook.md).
 
diff --git a/content/docs/configuration/ca.md b/content/docs/configuration/ca.md
@@ -112,7 +112,7 @@ You should bear the following in mind:
    - You'll need to track the expiry of _all_ certificates in the chain
 - Updating the secret used for the CA certificate won't trigger re-issuance of leaf certificates
    - If your CA was near expiry and your leaf certs weren't, you'll need to manually trigger re-issuance of the leaf certs
-   - `cmctl renew` may be helpful for this (see the [docs](../reference/cmctl.md#renew) for `cmctl`)
+   - `cmctl renew` may be helpful for this (see the [`cmctl` docs](../reference/cmctl.md#renew))
 - CA issuers don't validate that the CA you configure is a "valid" CA
    - At a minimum, CA certs should have the basic constraints extension present with `isCA` set to true
    - The basic constraints extension with `isCA` set to true is required, but other requirements are not checked
diff --git a/content/docs/configuration/issuers.md b/content/docs/configuration/issuers.md
@@ -32,6 +32,7 @@ The following list contains all known cert-manager issuer integrations.
 | 🥉   | tcs-issuer                  | [📄][config:tcs-issuer]             | [Intel's SGX technology][ca:tcs-issuer]                                | -                                                 | [❌][release:tcs-issuer]              | ✔️             |
 | 🥉   | freeipa-issuer              | [📄][config:freeipa-issuer]         | [FreeIPA][ca:freeipa-issuer]                                           | -                                                 | [❌][release:freeipa-issuer]          | ✔️             |
 | 🥉   | kms-issuer                  | [📄][config:kms-issuer]             | [AWS KMS][ca:kms-issuer]                                               | -                                                 | [❌][release:kms-issuer]              | ✔️             |
+| 🥉   | keyvault-issuer | [📄][config:keyvault-issuer]        | [Azure Key Vault][ca:keyvault-issuer] | -                                                 | [❌][release:keyvault-issuer]         | ✔️             |
 
 </div>
 
@@ -65,6 +66,7 @@ The following list contains all known cert-manager issuer integrations.
 [config:cfmtls-issuer]: https://github.com/k8stooling/cfmtls-issuer
 [config:cview-issuer]: https://secure-ly.github.io/cview-issuer-chart
 [config:czertainly-issuer]: https://docs.czertainly.com/docs/certificate-key/integration-guides/cert-manager-issuer/create-czertainly-issuer
+[config:keyvault-issuer]: https://github.com/gonicus/azure-keyvault-issuer
 
 [//]: # (CA docs)
 
@@ -89,6 +91,7 @@ The following list contains all known cert-manager issuer integrations.
 [ca:origin-ca-issuer]: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca
 [ca:cview-issuer]: https://secure-ly.github.io/cview-issuer-chart
 [ca:czertainly-issuer]: https://www.czertainly.com
+[ca:keyvault-issuer]: https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys
 
 [//]: # (Release pages)
 
@@ -111,6 +114,7 @@ The following list contains all known cert-manager issuer integrations.
 [release:cfmtls-issuer]: https://github.com/k8stooling/cfmtls-issuer/releases/
 [release:cview-issuer]: https://github.com/secure-ly/cview-issuer-chart/releases
 [release:czertainly-issuer]: https://github.com/CZERTAINLY/CZERTAINLY-Cert-Manager-Issuer/releases
+[release:keyvault-issuer]: https://github.com/gonicus/azure-keyvault-issuer/releases
 
 - The issuers are sorted by their tier and then alphabetically.
 - "in-tree" issuers are issuers that are shipped with cert-manager itself.
@@ -130,7 +134,6 @@ of tiers at any time.
 
 ### 🥇 Tier (Production-ready)
 
-- 🥈 Tier criteria.
 - The issuer has an end-to-end tutorial on how to set it up with cert-manager for use in production.
 At the time of checking[^1], the used cert-manager version has to be still supported (see [Supported Releases](../releases/README.md)).
 An end-to-end tutorial must include:
diff --git a/content/docs/installation/helm.md b/content/docs/installation/helm.md
@@ -93,7 +93,7 @@ dependencies:
 
 You can then override the namespace in 2 ways:
 
-1. In `Values.yaml` file
+1. In `values.yaml` file
 ```yaml
 cert-manager: #defined by either the name or alias of your dependency in Chart.yaml
   namespace: security
diff --git a/content/docs/releases/README.md b/content/docs/releases/README.md
@@ -6,8 +6,8 @@ description: Supported releases, Kubernetes versions, OpenShift versions and upc
 This page lists the status, timeline and policy for currently supported releases of cert-manager.
 
 All cert-manager releases are supported at least until the release of a second subsequent version.
-That means there are always at least two supported versions of cert-manager at any given time,
-and possibly more if there's also a current Long Term Support version.
+That means there are always at least two supported versions of cert-manager. The open source cert-manager project
+doesn't maintain long term support (LTS) releases, but some [vendors](#long-term-support-releases) do provide LTS releases commercially.
 
 We aim to do regular releases roughly every 4 months but release dates can vary when accounting for holidays,
 conferences (such as KubeCon), maintainer commitments and other world events.
@@ -23,15 +23,12 @@ should be stable enough to run.
 |:------------:|:------------:|:----------------------:|:----------------------------------------------:|:----------------------------------:|
 | [1.17][]     | Feb 03, 2025 | Release of 1.19        |       1.29 → 1.32   /   4.16 → 4.17            |  1.29 → 1.32                       |
 | [1.16][]     | Oct 03, 2024 | Release of 1.18        |       1.25 → 1.32   /   4.14 → 4.17            |  1.27 → 1.31                       |
-| [1.12 LTS][] | May 19, 2023 | May 19, 2025           |       1.22 → 1.32   /   4.9  → 4.16            |  1.22 → 1.29                       |
-
-cert-manager 1.12 is a Long Term Support (LTS) release sponsored by [Venafi](https://www.venafi.com/). It will be supported for 2 years from release.
 
 ## Upcoming releases
 
 | Release  | Release Date | End of Life     | [Supported Kubernetes / OpenShift Versions][s] | [Tested Kubernetes Versions][test] |
 |:--------:|:------------:|:---------------:|:----------------------------------------------:|:----------------------------------:|
-| [1.18][] | Jun 04, 2025 | Release of 1.20 | 1.29 → 1.33 / 4.16 → 4.17                      | 1.30 → 1.33                        |
+| [1.18][] | Jun 10, 2025 | Release of 1.20 | 1.29 → 1.33 / 4.16 → 4.17                      | 1.30 → 1.33                        |
 
 Dates in the future are not firm commitments and are subject to change.
 
@@ -40,6 +37,23 @@ and release notes on [cert-manager.io](https://cert-manager.io/docs/release-note
 
 We also maintain detailed [upgrade instructions](https://cert-manager.io/docs/releases/upgrading/).
 
+<a id="long-term-support-releases"></a>
+## Long Term Support Releases
+
+The cert-manager maintainers do not provide long term support (LTS) releases.
+
+Once a version reaches end of life, there are no updates provided for that version and no further releases made.
+
+Some vendors provide long term support releases commercially; the following LTS releases are available:
+
+| Release      | Vendor       | End of Life    |
+|:------------:|:------------:|:--------------:|
+| 1.17 LTS     | [CyberArk][] | Feb 03 2027    |
+
+[CyberArk]: https://docs.venafi.cloud/vaas/k8s-components/c-cm-releases/#cert-manager-long-term-support-lts-releases
+
+(To add a release to this list, raise a PR and reach out on Slack)
+
 ## Support policy
 
 <a id="supported-vs-tested"></a>
@@ -290,29 +304,33 @@ small change relative to the `<minor>` release.
 These cert-manager releases have reached their <abbr title="end-of-life">EOL</abbr> date and
 are no longer supported.
 
-| Release  | Release Date |     EOL      | Compatible Kubernetes versions | Compatible OpenShift versions |
-|----------|:------------:|:------------:|:------------------------------:|:-----------------------------:|
-| [1.15][] | Jun 05, 2024 | Feb 03, 2025 |          1.25 → 1.32           |          4.12 → 4.16          |
-| [1.14][] | Feb 03, 2024 | Oct 03, 2024 |          1.24 → 1.31           |          4.11 → 4.16          |
-| [1.13][] | Sep 12, 2023 | Jun 05, 2024 |          1.21 → 1.27           |          4.8 → 4.14           |
-| [1.11][] | Jan 11, 2023 | Sep 12, 2023 |          1.21 → 1.27           |          4.8 → 4.14           |
-| [1.10][] | Oct 17, 2022 | May 19, 2023 |          1.20 → 1.26           |          4.7 → 4.13           |
-| [1.9][]  | Jul 22, 2022 | Jan 11, 2023 |          1.20 → 1.24           |          4.7 → 4.11           |
-| [1.8][]  | Apr 05, 2022 | Oct 17, 2022 |          1.19 → 1.24           |          4.6 → 4.11           |
-| [1.7][]  | Jan 26, 2021 | Jul 22, 2022 |          1.18 → 1.23           |          4.5 → 4.9            |
-| [1.6][]  | Oct 26, 2021 | Apr 05, 2022 |          1.17 → 1.22           |          4.4 → 4.9            |
-| [1.5][]  | Aug 11, 2021 | Jan 26, 2022 |          1.16 → 1.22           |          4.3 → 4.8            |
-| [1.4][]  | Jun 15, 2021 | Oct 26, 2021 |          1.16 → 1.21           |          4.3 → 4.7            |
-| [1.3][]  | Apr 08, 2021 | Aug 11, 2021 |          1.16 → 1.21           |          4.3 → 4.7            |
-| [1.2][]  | Feb 10, 2021 | Jun 15, 2021 |          1.16 → 1.21           |          4.3 → 4.7            |
-| [1.1][]  | Nov 24, 2020 | Apr 08, 2021 |          1.11 → 1.21           |          3.11 → 4.7           |
-| [1.0][]  | Sep 02, 2020 | Feb 10, 2021 |          1.11 → 1.21           |          3.11 → 4.7           |
-| [0.16][] | Jul 23, 2020 | Nov 24, 2020 |          1.11 → 1.21           |          3.11 → 4.7           |
-| [0.15][] | May 06, 2020 | Sep 02, 2020 |          1.11 → 1.21           |          3.11 → 4.7           |
-| [0.14][] | Mar 11, 2020 | Jul 23, 2020 |          1.11 → 1.21           |          3.11 → 4.7           |
-| [0.13][] | Jan 21, 2020 | May 06, 2020 |          1.11 → 1.21           |          3.11 → 4.7           |
-| [0.12][] | Nov 27, 2019 | Mar 11, 2020 |          1.11 → 1.21           |          3.11 → 4.7           |
-| [0.11][] | Oct 10, 2019 | Jan 21, 2020 |           1.9 → 1.21           |          3.09 → 4.7           |
+| Release      | Release Date |     EOL      | Compatible Kubernetes versions | Compatible OpenShift versions |
+|--------------|:------------:|:------------:|:------------------------------:|:-----------------------------:|
+| [1.15][]     | Jun 05, 2024 | Feb 03, 2025 |          1.25 → 1.32           |          4.12 → 4.16          |
+| [1.14][]     | Feb 03, 2024 | Oct 03, 2024 |          1.24 → 1.31           |          4.11 → 4.16          |
+| [1.13][]     | Sep 12, 2023 | Jun 05, 2024 |          1.21 → 1.27           |          4.8 → 4.14           |
+| [1.12 LTS][] | May 19, 2023 | May 19, 2025 |          1.22 → 1.32           |          4.9 → 4.16           |
+| [1.11][]     | Jan 11, 2023 | Sep 12, 2023 |          1.21 → 1.27           |          4.8 → 4.14           |
+| [1.10][]     | Oct 17, 2022 | May 19, 2023 |          1.20 → 1.26           |          4.7 → 4.13           |
+| [1.9][]      | Jul 22, 2022 | Jan 11, 2023 |          1.20 → 1.24           |          4.7 → 4.11           |
+| [1.8][]      | Apr 05, 2022 | Oct 17, 2022 |          1.19 → 1.24           |          4.6 → 4.11           |
+| [1.7][]      | Jan 26, 2021 | Jul 22, 2022 |          1.18 → 1.23           |          4.5 → 4.9            |
+| [1.6][]      | Oct 26, 2021 | Apr 05, 2022 |          1.17 → 1.22           |          4.4 → 4.9            |
+| [1.5][]      | Aug 11, 2021 | Jan 26, 2022 |          1.16 → 1.22           |          4.3 → 4.8            |
+| [1.4][]      | Jun 15, 2021 | Oct 26, 2021 |          1.16 → 1.21           |          4.3 → 4.7            |
+| [1.3][]      | Apr 08, 2021 | Aug 11, 2021 |          1.16 → 1.21           |          4.3 → 4.7            |
+| [1.2][]      | Feb 10, 2021 | Jun 15, 2021 |          1.16 → 1.21           |          4.3 → 4.7            |
+| [1.1][]      | Nov 24, 2020 | Apr 08, 2021 |          1.11 → 1.21           |          3.11 → 4.7           |
+| [1.0][]      | Sep 02, 2020 | Feb 10, 2021 |          1.11 → 1.21           |          3.11 → 4.7           |
+| [0.16][]     | Jul 23, 2020 | Nov 24, 2020 |          1.11 → 1.21           |          3.11 → 4.7           |
+| [0.15][]     | May 06, 2020 | Sep 02, 2020 |          1.11 → 1.21           |          3.11 → 4.7           |
+| [0.14][]     | Mar 11, 2020 | Jul 23, 2020 |          1.11 → 1.21           |          3.11 → 4.7           |
+| [0.13][]     | Jan 21, 2020 | May 06, 2020 |          1.11 → 1.21           |          3.11 → 4.7           |
+| [0.12][]     | Nov 27, 2019 | Mar 11, 2020 |          1.11 → 1.21           |          3.11 → 4.7           |
+| [0.11][]     | Oct 10, 2019 | Jan 21, 2020 |           1.9 → 1.21           |          3.09 → 4.7           |
+
+
+NB: cert-manager 1.12 was a public Long Term Support (LTS) release sponsored by [Venafi](https://www.venafi.com/). It was supported for 2 years from release.
 
 [s]: #kubernetes-supported-versions
 [test]: #supported-vs-tested
diff --git a/content/docs/releases/release-notes/release-notes-1.15.md b/content/docs/releases/release-notes/release-notes-1.15.md
@@ -112,7 +112,7 @@ In addition, the version of Go used to build cert-manager 1.15 was updated along
 - Venafi Issuer now sends a cert-manager HTTP User-Agent header in all Venafi Rest API requests.
   For example: `cert-manager-certificaterequests-issuer-venafi/v1.15.0+(linux/amd64)+cert-manager/ef068a59008f6ed919b98a7177921ddc9e297200`. ([#6865](https://github.com/cert-manager/cert-manager/pull/6865), [@wallrj](https://github.com/wallrj))
 - Add hint to validation error message to help users of external issuers more easily fix the issue if they specify a Kind but forget the Group ([#6913](https://github.com/cert-manager/cert-manager/pull/6913), [@SgtCoDFish](https://github.com/SgtCoDFish))
-- Add support for numeric OID types in LiteralSubject. Eg. "1.2.3.4=String Value" ([#6775](https://github.com/cert-manager/cert-manager/pull/6775), [@inteon](https://github.com/inteon))
+- Add support for numeric OID types in LiteralSubject. E.g., "1.2.3.4=String Value" ([#6775](https://github.com/cert-manager/cert-manager/pull/6775), [@inteon](https://github.com/inteon))
 - Promote the `LiteralCertificateSubject` feature to Beta. ([#7030](https://github.com/cert-manager/cert-manager/pull/7030), [@inteon](https://github.com/inteon))
 - Promoted the `AdditionalCertificateOutputFormats` feature gate to Beta (enabled by default). ([#6970](https://github.com/cert-manager/cert-manager/pull/6970), [@erikgb](https://github.com/erikgb))
 - The Helm chart now allows you to supply `extraObjects`; a list of YAML manifests which will helm will install and uninstall with the cert-manager manifests. ([#6424](https://github.com/cert-manager/cert-manager/pull/6424), [@gplessis](https://github.com/gplessis))
diff --git a/content/docs/releases/release-notes/release-notes-1.17.md b/content/docs/releases/release-notes/release-notes-1.17.md
@@ -14,7 +14,7 @@ cert-manager v1.17 includes:
 
 ### RSA Certificate Compliance
 
-The United States Department of Defense published [a memo](https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/pdf/unclass-memo_dodcryptoalgorithms.pdf) in 2022 which introduced some requirements on the kinds of cryptography they require to be supported in software they use.
+The United States Department of Defense published a [memo: Department of Defense Transition to Stronger Public Key Infrastructure Algorithms](https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/pdf/unclass-memo_dodcryptoalgorithms.pdf) in 2022 which introduced some requirements on the kinds of cryptography they require to be supported in software they use.
 
 In effect, the memo requires that software be able to support larger RSA keys (3072-bit and 4096-bit) and hashing algorithms (SHA-384 at a minimum).
 
diff --git a/content/v1.14-docs/reference/api-docs.md b/content/v1.14-docs/reference/api-docs.md
@@ -5283,7 +5283,7 @@ description: >-
         <p> Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is <code>LegacyRC2</code> for backward compatibility. </p>
         <p>
           If provided, allowed values are:
-          <code>LegacyRC2</code>: Deprecated. Not supported by default in OpenSSL 3 or Java 20. <code>LegacyDES</code>: Less secure algorithm. Use this option for maximal compatibility. <code>Modern2023</code>: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret.
+          <code>LegacyRC2</code>: Deprecated. Not supported by default in OpenSSL 3 or Java 20. <code>LegacyDES</code>: Less secure algorithm. Use this option for maximal compatibility. <code>Modern2023</code>: Secure algorithm. Use this option in case you have to always use secure algorithms (e.g., because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret.
         </p>
       </td>
     </tr>
diff --git a/content/v1.15-docs/reference/api-docs.md b/content/v1.15-docs/reference/api-docs.md
diff --git a/content/v1.15-docs/releases/release-notes/release-notes-1.15.md b/content/v1.15-docs/releases/release-notes/release-notes-1.15.md
diff --git a/klone.yaml b/klone.yaml
diff --git a/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml b/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml
diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk
