cert-manager · cert-manager-prow · Mar 11, 2026 · Nov 4, 2025 · Nov 4, 2025 · Nov 4, 2025
diff --git a/.spelling b/.spelling
@@ -594,8 +594,17 @@ v1.18.0.
 v1.19
 v1.19.0
 v1.19.1
+v1.20.0
 v1.19.2
+v1.20.0
+v1.19.x
+v1.20.0
+v1.20.
+v1.19.2
+v1.20.0
+Rebranding
 alpha.0
+beta.0
 v1.4.1
 v1.5
 v1.5.0
@@ -861,6 +870,9 @@ example.org
 experimental.cert
 http01-edit-in-place
 http01-ingress-class
+http01-ingress-ingressclassname
+http01-parentrefkind
+http01-parentrefname
 ingress.class
 ip-sans
 kubernetes.io

diff --git a/content/docs/configuration/acme/http01/README.md b/content/docs/configuration/acme/http01/README.md
@@ -69,6 +69,9 @@ controllers support `ingressClassName`, with the notable exception of
 ingress-gce (as per the page [Configure Ingress for external load
 balancing](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress)).
 
+> You can override the `ingressClassName` on a per-Ingress basis using the
+[`acme.cert-manager.io/http01-ingress-ingressclassname`](https://cert-manager.io/docs/reference/annotations/#acmecert-manageriohttp01-ingress-ingressclassname) annotation.
+
 ### `class`
 
 If the `class` field is specified, a new Ingress resource with a randomly
@@ -79,6 +82,9 @@ value set to the value of the `class` field.
 This field is only recommended with ingress-gce. ingress-gce [doesn't support the
 `ingressClassName` field](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress).
 
+> You can override the `class` on a per-Ingress basis using the
+[`acme.cert-manager.io/http01-ingress-class`](https://cert-manager.io/docs/reference/annotations/#acmecert-manageriohttp01-ingress-class) annotation.
+
 ### `name`
 
 If the `name` field is specified, cert-manager will edit the named

diff --git a/content/docs/configuration/venafi.md b/content/docs/configuration/venafi.md
@@ -304,3 +304,45 @@ metadata:
       ]
 ...
 ```
+
+### Issuer Custom Fields
+
+Starting `v1.20`, you can use `venafi.cert-manager.io/custom-fields` annotation on an `Issuer` or `ClusterIssuer` resource.
+This configuration would be applied to all Certificate requests created from `Issuer`.
+
+It is possible to override or append custom configuration to `Certificate` resources via the `Issuer` assigned to it. 
+For example with an `Issuer` such as:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: corp-issuer
+  annotations:
+    venafi.cert-manager.io/custom-fields: |-
+      [
+        {"name": "Environemnt", "value": "Dev"},
+      ]
+```
+
+and a `Certificate` resource:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: example-com-certificate
+  annotations:
+    venafi.cert-manager.io/custom-fields: |-
+      [
+        {"name": "Team", "value": "amber"},
+      ]
+...
+```
+
+Final configuration will be:
+
+```json
+{"name": "Environemnt", "value": "Dev"},
+{"name": "Team", "value": "amber"}
-{"name": "Environemnt", "value": "Dev"},
-{"name": "Team", "value": "amber"}
+[
+  {"name": "Environemnt", "value": "Dev"},
+  {"name": "Team", "value": "amber"}
+]
-{"name": "Environemnt", "value": "Dev"},
-{"name": "Team", "value": "amber"}
+[
+  {"name": "Environemnt", "value": "Dev"},
+  {"name": "Team", "value": "amber"}
+]
+```
diff --git a/content/docs/installation/best-practice.md b/content/docs/installation/best-practice.md
@@ -47,6 +47,44 @@ Or you may prefer to use the custom resources provided by your CNI software.
 > 📖 Learn about the [Kubernetes builtin NetworkPolicy API](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 > and see [some example policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies).
 
+The cert-manager Helm chart allows you to create a `NetworkPolicy` resource for
+each `Deployment`.
+
+By default, it allows inbound traffic to all the listening ports of each component.
+And by default, it allows outbound traffic to:
+- TCP port 443: For connections to the Kubernetes API server and other
+  in-cluster and external HTTPS API servers.
+- TCP port 6443: For connections to the Kubernetes API server on OpenShift.
+- TCP and UDP port 53: To resolve DNS names using the in-cluster DNS and
+  external DNS servers when using DNS01.
+- TCP port 80: So that the controller can perform ACME HTTP01 self-checks before
+  accepting the ACME server challenge.
+
+These are over-permissive defaults to provide a good installation experience.
+
+You should customize the `ingress` and `egress` rules to restrict the inbound
+and outbound traffic to allow only those connections which are necessary for
+your cert-manager configuration.
+
+Example Helm values:
+
+```yaml
+# helm-values.yaml
+networkPolicy:
+  enabled: true
+
+webhook:
+  networkPolicy:
+    enabled: true
+
+cainjector:
+  networkPolicy:
+    enabled: true
+```
+
+There are examples of extended egress rules in the example Helm chart values
+file at the end of this document.
+
 ### Network Requirements
 
 Here is an overview of the network requirements:

diff --git a/content/docs/manifest.json b/content/docs/manifest.json
@@ -21,8 +21,16 @@
               "path": "/docs/releases/README.md"
             },
             {
-              "title": "1.19",
-              "path": "/docs/releases/release-notes/release-notes-1.19.md"
+              "title": "1.20",
+              "path": "/docs/releases/release-notes/release-notes-1.20.md"
+            },
+            {
+                "title": "Upgrade 1.19 to 1.20",
+                "path": "/docs/releases/upgrading/upgrading-1.19-1.20.md"
+            },
+            {
+                "title": "1.19",
+                "path": "/docs/releases/release-notes/release-notes-1.19.md"
             },
             {
                 "title": "Upgrade 1.18 to 1.19",

diff --git a/content/docs/reference/annotations.md b/content/docs/reference/annotations.md
@@ -27,12 +27,43 @@ This is useful for keeping compatibility with the `ingress-gce` component.
 ## acme.cert-manager.io/http01-ingress-class
 - [Ingress](../usage/ingress.md)
 
-this annotation allows you to configure the ingress class that will be used to
-solve challenges for this ingress. Customizing this is useful when you are
-trying to secure internal services, and need to solve challenges using a
-different ingress class to that of the ingress. If not specified and the
-`acme-http01-edit-in-place` annotation is not set, this defaults to the ingress
-class defined in the Issuer resource.
+Allows the `kubernetes.io/ingress.class` annotation to be configured.
+Customizing this is useful when you are trying
+to secure internal services, and need to solve challenges using a different ingress class
+to that of the ingress. If not specified and the `acme-http01-edit-in-place` annotation is
+not set, this defaults to the `http01.ingress.class` defined in the Issuer resource.
+
+## acme.cert-manager.io/http01-ingress-ingressclassname
+
+- [Ingress](../usage/ingress.md)
+
+Allows the Ingress's `spec.ingressClassName` to be configured.
+Customizing this is useful when you are trying
+to secure internal services, and need to solve challenges using a different ingress class
+to that of the ingress. If not specified and the `acme-http01-edit-in-place` annotation is
+not set, this defaults to the `http01.ingress.ingressClassName` defined in the Issuer resource.
+
+## acme.cert-manager.io/http01-parentrefkind
+
+- [Certificate](../usage/certificate.md)
+
+This annotation is automatically added by cert-manager to Certificate resources
+when they are created from a [Gateway](../usage/gateway.md) or
+[ListenerSet](../usage/gateway.md#listenerset) resource. It stores the kind of
+the parent resource (either `Gateway` or `ListenerSet`) that triggered the
+creation of the Certificate. This is used internally by the ACME HTTP-01 solver
+to know where to attach the temporary HTTPRoute for the challenge.
+
+## acme.cert-manager.io/http01-parentrefname
+
+- [Certificate](../usage/certificate.md)
+
+This annotation is automatically added by cert-manager to Certificate resources
+when they are created from a [Gateway](../usage/gateway.md) or
+[ListenerSet](../usage/gateway.md#listenerset) resource. It stores the name of
+the parent resource that triggered the creation of the Certificate. This is used
+internally by the ACME HTTP-01 solver to know where to attach the temporary
+HTTPRoute for the challenge.
 
 ## cert-manager.io/allow-direct-injection
 - `Secret`

diff --git a/content/docs/releases/README.md b/content/docs/releases/README.md
@@ -332,7 +332,7 @@ NB: cert-manager 1.12 was a public Long Term Support (LTS) release sponsored by
 
 [s]: #kubernetes-supported-versions
 [test]: #supported-vs-tested
-[1.20]: https://github.com/cert-manager/cert-manager/milestone/42
+[1.20]: ./release-notes/release-notes-1.20.md
 [1.19]: ./release-notes/release-notes-1.19.md
 [1.18]: ./release-notes/release-notes-1.18.md
 [1.17]: ./release-notes/release-notes-1.17.md