Merge pull request #2000 from maelvls/merge-master-into-release-next-second-try

[release-next] Merge master into release-next

Author: cert-manager-prow[bot]

.github/renovate.json5

@@ -1,7 +1,7 @@
 {
   $schema: 'https://docs.renovatebot.com/renovate-schema.json',
   extends: [
-    'github>cert-manager/renovate-config:default.json5',
+    'github>cert-manager/makefile-modules:renovate-config.json5',
   ],
   packageRules: [
     {

.github/workflows/check.yaml

@@ -8,8 +8,8 @@ jobs:
   pull-cert-manager-website-verify:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
         with:
           node-version: 24
           cache: npm

.github/workflows/make-self-upgrade.yaml

@@ -38,7 +38,7 @@ jobs:
           scope: 'cert-manager/website'
           identity: make-self-upgrade
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
@@ -50,7 +50,7 @@ jobs:
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

.spelling

@@ -53,6 +53,8 @@ pinkfloydx33
 karlschriek
 cmcga1125
 OIDs
+Oleh
+Konko
 rfc4514
 SpectralHiss
 weisdd
@@ -592,11 +594,8 @@ v1.18.0.
 v1.19
 v1.19.0
 v1.19.1
-v1.20.0
 v1.19.2
-v1.20.0
 alpha.0
-beta.0
 v1.4.1
 v1.5
 v1.5.0
@@ -862,9 +861,6 @@ example.org
 experimental.cert
 http01-edit-in-place
 http01-ingress-class
-http01-ingress-ingressclassname
-http01-parentrefkind
-http01-parentrefname
 ingress.class
 ip-sans
 kubernetes.io

components/Footer.jsx

@@ -2,16 +2,17 @@ import Link from 'next/link'
 import FooterSepartor from './snippets/FooterSeparator'
 
 export default function Footer() {
+  const currentYear = new Date().getFullYear()
   return (
     <footer className="mt-[-117px]">
       <div className="relative w-screen h-[117px] overflow-x-hidden">
         <FooterSepartor className="absolute top-0 left-[-696px]" />
       </div>
       <div className="bg-dark-2 pb-10 pt-5">
         <div className="container text-sm text-white">
-          <p>&copy; 2025 The cert-manager Authors.</p>
+          <p>&copy; {currentYear} The cert-manager Authors.</p>
           <p className="mb-6">
-            &copy; 2025 The Linux Foundation. All rights reserved.
+            &copy; {currentYear} The Linux Foundation. All rights reserved.
           </p>
           <p>
             The Linux Foundation has registered trademarks and uses trademarks.

content/announcements/2025-11-26-ingress-nginx-eol-and-gateway-api.md

@@ -19,7 +19,7 @@ with certificates configured on cluster-operator-owned Gateways.
 
 The missing piece is Gateway API's experimental XListenerSet resource, which
 aims to restore per-team TLS configuration on a shared Gateway. cert-manager
-plans to add experimental XListenerSet support in 1.20, targeted for 10 February
+plans to add experimental XListenerSet support in 1.20, targeted for 24 February
 2026, with alpha builds in January 2026.
 
 [the announcement]: https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/
@@ -150,7 +150,7 @@ which act as the default issuer.
 
 - **January 2026:** Alpha builds with XListenerSet support. We will need your
   help to test it out!
-- **10 February 2026:** cert-manager 1.20 is expected to include XListenerSet
+- **24 February 2026:** cert-manager 1.20 is expected to include XListenerSet
   support as an experimental feature gated behind a feature flag.
 
 As Gateway API graduates ListenerSet to stable, we'll add support for the stable

content/docs/configuration/acme/README.md

@@ -54,8 +54,6 @@ metadata:
 spec:
   acme:
     # You must replace this email address with your own.
-    # Let's Encrypt will use this to contact you about expiring
-    # certificates, and issues related to your account.
     email: user@example.com
     # If the ACME server supports profiles, you can specify the profile name here.
     # See #acme-certificate-profiles below.

content/docs/configuration/acme/dns01/README.md

@@ -175,13 +175,14 @@ Links to these supported providers along with their documentation are below:
 - [`cert-manager-webhook-infomaniak`](https://github.com/Infomaniak/cert-manager-webhook-infomaniak)
 - [`cert-manager-webhook-inwx`](https://gitlab.com/smueller18/cert-manager-webhook-inwx)
 - [`cert-manager-webhook-ionos-cloud`](https://github.com/ionos-cloud/cert-manager-webhook-ionos-cloud)
-- [`cert-manager-webhook-linode`](https://github.com/slicen/cert-manager-webhook-linode)
+- [`cert-manager-webhook-linode`](https://github.com/linode/cert-manager-webhook-linode)
 - [`cert-manager-webhook-loopia`](https://github.com/Identitry/cert-manager-webhook-loopia)
 - [`cert-manager-webhook-netcup`](https://github.com/aellwein/cert-manager-webhook-netcup)
 - [`cert-manager-webhook-oci`](https://gitlab.com/dn13/cert-manager-webhook-oci) (Oracle Cloud Infrastructure)
 - [`cert-manager-webhook-ovh`](https://github.com/aureq/cert-manager-webhook-ovh)
 - [`cert-manager-webhook-opentelekomcloud`](https://github.com/akyriako/cert-manager-webhook-opentelekomcloud)
 - [`cert-manager-webhook-pdns`](https://github.com/zachomedia/cert-manager-webhook-pdns)
+- [`cert-manager-webhook-rackspace`](https://github.com/rackerlabs/cert-manager-webhook-rackspace)
 - [`cert-manager-webhook-regery`](https://github.com/darioackermann/cert-manager-webhook-regery)
 - [`cert-manager-webhook-scaleway`](https://github.com/scaleway/cert-manager-webhook-scaleway)
 - [`cert-manager-webhook-selectel`](https://github.com/selectel/cert-manager-webhook-selectel)

content/docs/configuration/acme/dns01/azuredns.md

@@ -29,7 +29,7 @@ If you have an Azure AKS cluster you can use the following command:
 az aks update \
     --name ${CLUSTER} \
     --enable-oidc-issuer \
-    --enable-workload-identity # ℹ️ This option is currently only available when using the aks-preview extension.
+    --enable-workload-identity
 ```
 
 > ℹ️ You can [install the Azure workload identity extension on other managed and self-managed clusters](https://azure.github.io/azure-workload-identity/docs/installation.html) if you are not using Azure AKS.
@@ -38,18 +38,15 @@ az aks update \
 >
 ### Reconfigure cert-manager
 
-Label the cert-manager controller Pod and ServiceAccount for the attention of the Azure Workload Identity webhook,
+Label the cert-manager controller Pod for the attention of the Azure Workload Identity webhook,
 which will result in the cert-manager controller Pod having an extra volume containing a Kubernetes ServiceAccount token which it will use to authenticate with Azure.
 
-If you installed cert-manager using Helm, the labels can be configured using Helm values:
+If you installed cert-manager using Helm, the label can be configured using Helm values:
 
 ```yaml
 # values.yaml
 podLabels:
   azure.workload.identity/use: "true"
-serviceAccount:
-  labels:
-    azure.workload.identity/use: "true"
 ```
 
 If successful, the cert-manager Pod will have some new environment variables set,
@@ -92,16 +89,17 @@ Choose a managed identity name and create the Managed Identity:
 
 ```bash
 export IDENTITY_NAME=cert-manager
-az identity create --name "${IDENTITY_NAME}"
+export IDENTITY_RESOURCE_GROUP=<your-resource-group> # ❗ Replace with your Azure resource group
+az identity create --name "${IDENTITY_NAME}" --resource-group "${IDENTITY_RESOURCE_GROUP}"
 ```
 
 Grant it permission to modify the DNS zone records:
 
 ```bash
-export IDENTITY_CLIENT_ID=$(az identity show --name "${IDENTITY_NAME}" --query 'clientId' -o tsv)
+export IDENTITY_CLIENT_ID=$(az identity show --name "${IDENTITY_NAME}" --resource-group "${IDENTITY_RESOURCE_GROUP}" --query 'clientId' -o tsv)
 az role assignment create \
     --role "DNS Zone Contributor" \
-    --assignee IDENTITY_CLIENT_ID \
+    --assignee $IDENTITY_CLIENT_ID \
     --scope $(az network dns zone show --name $DOMAIN_NAME -o tsv --query id)
 ```
 
@@ -125,6 +123,7 @@ export SERVICE_ACCOUNT_ISSUER=$(az aks show --resource-group $AZURE_DEFAULTS_GRO
 az identity federated-credential create \
   --name "cert-manager" \
   --identity-name "${IDENTITY_NAME}" \
+  --resource-group "${IDENTITY_RESOURCE_GROUP}" \
   --issuer "${SERVICE_ACCOUNT_ISSUER}" \
   --subject "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}"
 ```
@@ -159,9 +158,14 @@ spec:
           subscriptionID: $AZURE_SUBSCRIPTION_ID
           environment: AzurePublicCloud
           managedIdentity:
+            # client ID of the managed identity; overrides AZURE_CLIENT_ID from the environment
             clientID: $IDENTITY_CLIENT_ID
+            # # optional: tenant ID of the managed identity; overrides AZURE_TENANT_ID from the environment.
+            # tenantID: $IDENTITY_TENANT_ID
 ```
 
+> ℹ️ `managedIdentity.clientID` and `managedIdentity.tenantID` override the values that the Azure Workload Identity webhook injects via environment variables (`AZURE_CLIENT_ID` and `AZURE_TENANT_ID`).
+
 The following variables need to be filled in.
 
 ```bash
@@ -186,7 +190,7 @@ ClusterIssuer resources are cluster scoped (not namespaced) and only platform ad
 If you are using this authentication mechanism and ambient credentials are not enabled, you will see this error:
 
 ```bash
-error instantiating azuredns challenge solver: ClientID is not set but neither --cluster-issuer-ambient-credentials nor --issuer-ambient-credentials are set.
+error instantiating azuredns challenge solver: ClientID was omitted without providing one of `--cluster-issuer-ambient-credentials` or `--issuer-ambient-credentials`. These are necessary to enable Azure Managed Identities
 ```
 
 > ⚠️ It is possible (but not recommended) to enable this authentication mechanism for `Issuer` resources, by setting the `--issuer-ambient-credentials` flag on the cert-manager controller to true.
@@ -322,12 +326,11 @@ spec:
 This authentication mechanism is what cert-manager considers 'ambient credentials'. Use of ambient credentials is disabled by default for cert-manager `Issuer`s. This to ensure unprivileged users who have permission to create issuers cannot issue certificates using any credentials cert-manager incidentally has access to. To enable this authentication mechanism for `Issuer`s, you will need to set `--issuer-ambient-credentials` flag on cert-manager controller to true. (There is a corresponding `--cluster-issuer-ambient-credentials` flag which is set to `true` by default).
 
 If you are using this authentication mechanism and ambient credentials are not enabled, you will see this error:
+
 ```bash
-error instantiating azuredns challenge solver: ClientID is not set but neither --cluster-issuer-ambient-credentials nor --issuer-ambient-credentials are set.
+error instantiating azuredns challenge solver: ClientID was omitted without providing one of `--cluster-issuer-ambient-credentials` or `--issuer-ambient-credentials`. These are necessary to enable Azure Managed Identities
 ```
 
-These are necessary to enable Azure Managed Identities.
-
 ## Managed Identity Using AKS Kubelet Identity
 
 When creating an AKS cluster in Azure there is the option to use a managed identity that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the cert-manager pods to authenticate to Azure Active Directory.
@@ -420,19 +423,18 @@ To create the service principal you can use the following script (requires
 `azure-cli` and `jq`):
 
 ```bash
-# Choose a name for the service principal that contacts azure DNS to present
-# the challenge.
-$ AZURE_CERT_MANAGER_NEW_SP_NAME=NEW_SERVICE_PRINCIPAL_NAME
+# Choose a name for the service principal that contacts azure DNS to present the challenge.
+AZURE_CERT_MANAGER_NEW_SP_NAME=NEW_SERVICE_PRINCIPAL_NAME
 # This is the name of the resource group that you have your dns zone in.
-$ AZURE_DNS_ZONE_RESOURCE_GROUP=AZURE_DNS_ZONE_RESOURCE_GROUP
+AZURE_DNS_ZONE_RESOURCE_GROUP=AZURE_DNS_ZONE_RESOURCE_GROUP
 # The DNS zone name. It should be something like domain.com or sub.domain.com.
-$ AZURE_DNS_ZONE=AZURE_DNS_ZONE
+AZURE_DNS_ZONE=AZURE_DNS_ZONE
 
-$ DNS_SP=$(az ad sp create-for-rbac --name $AZURE_CERT_MANAGER_NEW_SP_NAME --output json)
-$ AZURE_CERT_MANAGER_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId')
-$ AZURE_CERT_MANAGER_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')
-$ AZURE_TENANT_ID=$(echo $DNS_SP | jq -r '.tenant')
-$ AZURE_SUBSCRIPTION_ID=$(az account show --output json | jq -r '.id')
+DNS_SP=$(az ad sp create-for-rbac --name $AZURE_CERT_MANAGER_NEW_SP_NAME --output json)
+AZURE_CERT_MANAGER_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId')
+AZURE_CERT_MANAGER_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')
+AZURE_TENANT_ID=$(echo $DNS_SP | jq -r '.tenant')
+AZURE_SUBSCRIPTION_ID=$(az account show --output json | jq -r '.id')
 ```
 
 For security purposes, it is appropriate to utilize RBAC to ensure that you
@@ -444,37 +446,37 @@ so that it can read/write the \_acme\_challenge TXT records to the zone.
 Lower the Permissions of the service principal.
 
 ```bash
-$ az role assignment delete --assignee $AZURE_CERT_MANAGER_SP_APP_ID --role Contributor
+az role assignment delete --assignee $AZURE_CERT_MANAGER_SP_APP_ID --role Contributor
 ```
 
 Give Access to DNS Zone.
 
 ```bash
-$ DNS_ID=$(az network dns zone show --name $AZURE_DNS_ZONE --resource-group $AZURE_DNS_ZONE_RESOURCE_GROUP --query "id" --output tsv)
-$ az role assignment create --assignee $AZURE_CERT_MANAGER_SP_APP_ID --role "DNS Zone Contributor" --scope $DNS_ID
+DNS_ID=$(az network dns zone show --name $AZURE_DNS_ZONE --resource-group $AZURE_DNS_ZONE_RESOURCE_GROUP --query "id" --output tsv)
+az role assignment create --assignee $AZURE_CERT_MANAGER_SP_APP_ID --role "DNS Zone Contributor" --scope $DNS_ID
 ```
 
 Check Permissions. As the result of the following command, we would like to see just one object in the permissions array with "DNS Zone Contributor" role.
 
 ```bash
-$ az role assignment list --all --assignee $AZURE_CERT_MANAGER_SP_APP_ID
+az role assignment list --all --assignee $AZURE_CERT_MANAGER_SP_APP_ID
 ```
 
 A secret containing service principal password should be created on Kubernetes to facilitate presenting the challenge to Azure DNS. You can create the secret with the following command:
 
 ```bash
-$ kubectl create secret generic azuredns-config --from-literal=client-secret=$AZURE_CERT_MANAGER_SP_PASSWORD
+kubectl create secret generic azuredns-config --from-literal=client-secret=$AZURE_CERT_MANAGER_SP_PASSWORD
 ```
 
 Get the variables for configuring the issuer.
 
 ```bash
-$ echo "AZURE_CERT_MANAGER_SP_APP_ID: $AZURE_CERT_MANAGER_SP_APP_ID"
-$ echo "AZURE_CERT_MANAGER_SP_PASSWORD: $AZURE_CERT_MANAGER_SP_PASSWORD"
-$ echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"
-$ echo "AZURE_TENANT_ID: $AZURE_TENANT_ID"
-$ echo "AZURE_DNS_ZONE: $AZURE_DNS_ZONE"
-$ echo "AZURE_DNS_ZONE_RESOURCE_GROUP: $AZURE_DNS_ZONE_RESOURCE_GROUP"
+echo "AZURE_CERT_MANAGER_SP_APP_ID: $AZURE_CERT_MANAGER_SP_APP_ID"
+echo "AZURE_CERT_MANAGER_SP_PASSWORD: $AZURE_CERT_MANAGER_SP_PASSWORD"
+echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"
+echo "AZURE_TENANT_ID: $AZURE_TENANT_ID"
+echo "AZURE_DNS_ZONE: $AZURE_DNS_ZONE"
+echo "AZURE_DNS_ZONE_RESOURCE_GROUP: $AZURE_DNS_ZONE_RESOURCE_GROUP"
 ```
 
 To configure the issuer, substitute the capital cased variables with the values

content/docs/configuration/acme/http01/README.md

@@ -69,9 +69,6 @@ controllers support `ingressClassName`, with the notable exception of
 ingress-gce (as per the page [Configure Ingress for external load
 balancing](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress)).
 
-> You can override the `ingressClassName` on a per-Ingress basis using the
-[`acme.cert-manager.io/http01-ingress-ingressclassname`](https://cert-manager.io/docs/reference/annotations/#acmecert-manageriohttp01-ingress-ingressclassname) annotation.
-
 ### `class`
 
 If the `class` field is specified, a new Ingress resource with a randomly
@@ -82,9 +79,6 @@ value set to the value of the `class` field.
 This field is only recommended with ingress-gce. ingress-gce [doesn't support the
 `ingressClassName` field](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress).
 
-> You can override the `class` on a per-Ingress basis using the
-[`acme.cert-manager.io/http01-ingress-class`](https://cert-manager.io/docs/reference/annotations/#acmecert-manageriohttp01-ingress-class) annotation.
-
 ### `name`
 
 If the `name` field is specified, cert-manager will edit the named
@@ -225,13 +219,13 @@ improvements over the Ingress API.
 
 :::info
 
-📌  This feature requires the installation of the [Gateway API bundle](https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller) and passing an
+📌  This feature requires the installation of the [Gateway API bundle](https://gateway-api.sigs.k8s.io/guides/getting-started/#installing-gateway-api) and passing an
 additional flag to the cert-manager controller.
 
-To install v1.5.1 Gateway API bundle (Gateway CRDs and webhook), run the following command:
+To install v1.4.1 Gateway API bundle (CRDs associated with a version of Gateway API), run the following command:
 
 ```sh
-kubectl apply -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml"
+kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/standard-install.yaml
 ```
 
 Since cert-manager 1.15, the Gateway API support is no longer gated behind a