cert-manager · cert-manager-prow · Mar 10, 2026 · Nov 4, 2025 · Nov 4, 2025 · Nov 4, 2025
diff --git a/.spelling b/.spelling
@@ -594,8 +594,11 @@ v1.18.0.
 v1.19
 v1.19.0
 v1.19.1
+v1.20.0
-v1.20.0
-v1.20.0
 v1.19.2
+v1.20.0
 alpha.0
+beta.0
 v1.4.1
 v1.5
 v1.5.0
@@ -861,6 +864,9 @@ example.org
 experimental.cert
 http01-edit-in-place
 http01-ingress-class
+http01-ingress-ingressclassname
+http01-parentrefkind
+http01-parentrefname
 ingress.class
 ip-sans
 kubernetes.io

diff --git a/content/docs/configuration/acme/http01/README.md b/content/docs/configuration/acme/http01/README.md
@@ -69,6 +69,9 @@ controllers support `ingressClassName`, with the notable exception of
 ingress-gce (as per the page [Configure Ingress for external load
 balancing](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress)).
 
+> You can override the `ingressClassName` on a per-Ingress basis using the
+[`acme.cert-manager.io/http01-ingress-ingressclassname`](https://cert-manager.io/docs/reference/annotations/#acmecert-manageriohttp01-ingress-ingressclassname) annotation.
+
 ### `class`
 
 If the `class` field is specified, a new Ingress resource with a randomly
@@ -79,6 +82,9 @@ value set to the value of the `class` field.
 This field is only recommended with ingress-gce. ingress-gce [doesn't support the
 `ingressClassName` field](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress).
 
+> You can override the `class` on a per-Ingress basis using the
+[`acme.cert-manager.io/http01-ingress-class`](https://cert-manager.io/docs/reference/annotations/#acmecert-manageriohttp01-ingress-class) annotation.
+
 ### `name`
 
 If the `name` field is specified, cert-manager will edit the named

diff --git a/content/docs/configuration/venafi.md b/content/docs/configuration/venafi.md
@@ -304,3 +304,45 @@ metadata:
       ]
 ...
 ```
+
+### Issuer Custom Fields
+
+Starting `v1.20`, you can use `venafi.cert-manager.io/custom-fields` annotation on an `Issuer` or `ClusterIssuer` resource.
+This configuration would be applied to all Certificate requests created from `Issuer`.
+
+It is possible to override or append custom configuration to `Certificate` resources via the `Issuer` assigned to it. 
+For example with an `Issuer` such as:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: corp-issuer
+  annotations:
+    venafi.cert-manager.io/custom-fields: |-
+      [
+        {"name": "Environemnt", "value": "Dev"},
+      ]
+```
+
+and a `Certificate` resource:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: example-com-certificate
+  annotations:
+    venafi.cert-manager.io/custom-fields: |-
+      [
+        {"name": "Team", "value": "amber"},
+      ]
+...
+```
+
+Final configuration will be:
+
+```json
+{"name": "Environemnt", "value": "Dev"},
+{"name": "Team", "value": "amber"}
+```
diff --git a/content/docs/installation/best-practice.md b/content/docs/installation/best-practice.md
@@ -47,6 +47,44 @@ Or you may prefer to use the custom resources provided by your CNI software.
 > 📖 Learn about the [Kubernetes builtin NetworkPolicy API](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 > and see [some example policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies).
 
+The cert-manager Helm chart allows you to create a `NetworkPolicy` resource for
+each `Deployment`.
+
+By default, it allows inbound traffic to all the listening ports of each component.
+And by default, it allows outbound traffic to:
+- TCP port 443: For connections to the Kubernetes API server and other
+  in-cluster and external HTTPS API servers.
+- TCP port 6443: For connections to the Kubernetes API server on OpenShift.
+- TCP and UDP port 53: To resolve DNS names using the in-cluster DNS and
+  external DNS servers when using DNS01.
+- TCP port 80: So that the controller can perform ACME HTTP01 self-checks before
+  accepting the ACME server challenge.
+
+These are over-permissive defaults to provide a good installation experience.
+
+You should customize the `ingress` and `egress` rules to restrict the inbound
+and outbound traffic to allow only those connections which are necessary for
+your cert-manager configuration.
+
+Example Helm values:
+
+```yaml
+# helm-values.yaml
+networkPolicy:
+  enabled: true
+
+webhook:
+  networkPolicy:
+    enabled: true
+
+cainjector:
+  networkPolicy:
+    enabled: true
+```
+
+There are examples of extended egress rules in the example Helm chart values
+file at the end of this document.
+
 ### Network Requirements
 
 Here is an overview of the network requirements:

diff --git a/content/docs/manifest.json b/content/docs/manifest.json
@@ -21,8 +21,16 @@
               "path": "/docs/releases/README.md"
             },
             {
-              "title": "1.19",
-              "path": "/docs/releases/release-notes/release-notes-1.19.md"
+              "title": "1.20",
+              "path": "/docs/releases/release-notes/release-notes-1.20.md"
+            },
+            {
+                "title": "Upgrade 1.19 to 1.20",
+                "path": "/docs/releases/upgrading/upgrading-1.19-1.20.md"
+            },
+            {
+                "title": "1.19",
+                "path": "/docs/releases/release-notes/release-notes-1.19.md"
             },
             {
                 "title": "Upgrade 1.18 to 1.19",

diff --git a/content/docs/reference/annotations.md b/content/docs/reference/annotations.md
@@ -27,12 +27,43 @@ This is useful for keeping compatibility with the `ingress-gce` component.
 ## acme.cert-manager.io/http01-ingress-class
 - [Ingress](../usage/ingress.md)
 
-this annotation allows you to configure the ingress class that will be used to
-solve challenges for this ingress. Customizing this is useful when you are
-trying to secure internal services, and need to solve challenges using a
-different ingress class to that of the ingress. If not specified and the
-`acme-http01-edit-in-place` annotation is not set, this defaults to the ingress
-class defined in the Issuer resource.
+Allows the `kubernetes.io/ingress.class` annotation to be configured.
+Customizing this is useful when you are trying
+to secure internal services, and need to solve challenges using a different ingress class
+to that of the ingress. If not specified and the `acme-http01-edit-in-place` annotation is
+not set, this defaults to the `http01.ingress.class` defined in the Issuer resource.
+
+## acme.cert-manager.io/http01-ingress-ingressclassname
+
+- [Ingress](../usage/ingress.md)
+
+Allows the Ingress's `spec.ingressClassName` to be configured.
+Customizing this is useful when you are trying
+to secure internal services, and need to solve challenges using a different ingress class
+to that of the ingress. If not specified and the `acme-http01-edit-in-place` annotation is
+not set, this defaults to the `http01.ingress.ingressClassName` defined in the Issuer resource.
+
+## acme.cert-manager.io/http01-parentrefkind
+
+- [Certificate](../usage/certificate.md)
+
+This annotation is automatically added by cert-manager to Certificate resources
+when they are created from a [Gateway](../usage/gateway.md) or
+[ListenerSet](../usage/gateway.md#listenerset) resource. It stores the kind of
+the parent resource (either `Gateway` or `ListenerSet`) that triggered the
+creation of the Certificate. This is used internally by the ACME HTTP-01 solver
+to know where to attach the temporary HTTPRoute for the challenge.
+
+## acme.cert-manager.io/http01-parentrefname
+
+- [Certificate](../usage/certificate.md)
+
+This annotation is automatically added by cert-manager to Certificate resources
+when they are created from a [Gateway](../usage/gateway.md) or
+[ListenerSet](../usage/gateway.md#listenerset) resource. It stores the name of
+the parent resource that triggered the creation of the Certificate. This is used
+internally by the ACME HTTP-01 solver to know where to attach the temporary
+HTTPRoute for the challenge.
 
 ## cert-manager.io/allow-direct-injection
 - `Secret`

diff --git a/content/docs/releases/README.md b/content/docs/releases/README.md
@@ -332,7 +332,7 @@ NB: cert-manager 1.12 was a public Long Term Support (LTS) release sponsored by
 
 [s]: #kubernetes-supported-versions
 [test]: #supported-vs-tested
-[1.20]: https://github.com/cert-manager/cert-manager/milestone/42
+[1.20]: ./release-notes/release-notes-1.20.md
 [1.19]: ./release-notes/release-notes-1.19.md
 [1.18]: ./release-notes/release-notes-1.18.md
 [1.17]: ./release-notes/release-notes-1.17.md

diff --git a/content/docs/releases/release-notes/release-notes-1.20.md b/content/docs/releases/release-notes/release-notes-1.20.md
@@ -0,0 +1,80 @@
+---
+title: Release 1.20
+description: 'cert-manager release notes: cert-manager 1.20'
+---
+
+cert-manager is the easiest way to automatically manage certificates in
+Kubernetes and OpenShift clusters.
+
+TODO
+
+Be sure to review all new features and changes below, and read the full release notes carefully before upgrading.
+
+## Major Themes
+
+### Network Policy
+
+The cert-manager Helm chart now allows you to create `NetworkPolicy` resources
+for all the cert-manager Deployments.
+This makes it easier to follow [best practices when deploying cert-manager in production](../../installation/best-practice.md#network-requirements-and-network-policy).
+
+### TODO ADD REMAINING THEMES
+
+TODO
+
+## Community
+
+As always, we'd like to thank all of the community members who helped in this release cycle, including all below who merged a PR and anyone that helped by commenting on issues, testing, or getting involved in cert-manager meetings. We're lucky to have you involved.
+
+A special thanks to:
+
+{/* BEGIN contributors */}
+- [`@LiquidPL`](https://github.com/LiquidPL)
+- [`@Peac36`](https://github.com/Peac36)
+- [`@mathieu-clnk`](https://github.com/mathieu-clnk)
+- [`@mikeluttikhuis`](https://github.com/mikeluttikhuis)
+- [`@wallrj-cyberark`](https://github.com/wallrj-cyberark)
+{/* END contributors */}
+
+...for their contributions, comments and support!
+
+Also, thanks to the cert-manager maintainer team for their help in this release:
+
+{/* BEGIN maintainers */}
+- [`@SgtCoDFish`](https://github.com/SgtCoDFish)
+- [`@ThatsMrTalbot`](https://github.com/ThatsMrTalbot)
+- [`@erikgb`](https://github.com/erikgb)
+- [`@inteon`](https://github.com/inteon)
+- [`@maelvls`](https://github.com/maelvls)
+- [`@munnerz`](https://github.com/munnerz)
+- [`@wallrj`](https://github.com/wallrj)
+{/* END maintainers */}
+
+And finally, thanks to the cert-manager steering committee for their feedback in this release cycle:
+
+{/* BEGIN steerers */}
+- [`@FlorianLiebhart`](https://github.com/FlorianLiebhart)
+- [`@TrilokGeer`](https://github.com/TrilokGeer)
+- [`@ianarsenault`](https://github.com/ianarsenault)
+- [`@ssyno`](https://github.com/ssyno)
+{/* END steerers */}
+
+{/* BEGIN changelog v1.20.0-alpha.0 */}
+## `v1.20.0-alpha.0`
+
+Changes since `v1.19.0`:
+
+### Feature
+
+- Add built-in "Ready" status metrics for ClusterIssuer and Issuer resources. ([`#8188`](https://github.com/cert-manager/cert-manager/pull/8188), [`@mikeluttikhuis`](https://github.com/mikeluttikhuis))
+- Add support for specifying `imagePullSecrets` in the `startupapicheck-job` Helm template to enable pulling images from private registries. ([`#8186`](https://github.com/cert-manager/cert-manager/pull/8186), [`@mathieu-clnk`](https://github.com/mathieu-clnk))
+
+### Bug or Regression
+
+- Adds logs for cases when acme server returns us a fatal error in the order controller ([`#8199`](https://github.com/cert-manager/cert-manager/pull/8199), [`@Peac36`](https://github.com/Peac36))
+- BUGFIX: in case kind or group in the `issuerRef` of a Certificate was omitted, upgrading to `1.19.x` incorrectly caused the certificate to be renewed ([`#8160`](https://github.com/cert-manager/cert-manager/pull/8160), [`@inteon`](https://github.com/inteon))
+- Fix unregulated retries with the DigitalOcean DNS-01 solver ([`#8221`](https://github.com/cert-manager/cert-manager/pull/8221), [`@wallrj-cyberark`](https://github.com/wallrj-cyberark))
+- Add full detailed DNS-01 errors to the events attached to the Challenge, for easier debugging ([`#8221`](https://github.com/cert-manager/cert-manager/pull/8221), [`@wallrj-cyberark`](https://github.com/wallrj-cyberark))
+- Revert API defaults for issuer reference kind and group introduced in `1.19.0` ([`#8173`](https://github.com/cert-manager/cert-manager/pull/8173), [`@erikgb`](https://github.com/erikgb))
+- When Prometheus monitoring is enabled, the metrics label is now set to the intended value of `cert-manager`. Previously, it was set depending on various factors (namespace cert-manager is installed in and/or Helm release name). ([`#8162`](https://github.com/cert-manager/cert-manager/pull/8162), [`@LiquidPL`](https://github.com/LiquidPL))
+{/* END changelog v1.20.0-alpha.0 */}
diff --git a/content/docs/releases/upgrading/upgrading-1.19-1.20.md b/content/docs/releases/upgrading/upgrading-1.19-1.20.md
@@ -0,0 +1,10 @@
+---
+title: Upgrading from v1.19 to v1.20
+description: 'cert-manager installation: Upgrading v1.19 to v1.20'
+---
+
+TODO
+
-TODO
+This page describes what to check when upgrading an existing cert-manager installation
+from v1.19 to v1.20.
+
+> Note: The information below is intentionally high-level. Always review the
+> detailed v1.20 release notes and changelog for the exact list of changes
+> that apply to your environment.
+
+## Breaking changes
+
+At the time of writing, there are no generally applicable breaking changes
+that require mandatory manual intervention for a standard upgrade from
+v1.19 to v1.20.
+
+However, you **must** verify the following before upgrading:
+
+- Review the v1.20 release notes for any API removals or behavioral changes
+  that affect the issuers, certificate types, or integrations you use.
+- Check for any flags, configuration fields, or Kubernetes API versions
+  that are marked as removed or no longer supported in v1.20.
+
+If any removed or changed features are in use in your cluster, plan the
+corresponding configuration updates before upgrading.
+
+## Required actions
+
+Before upgrading:
+
+- Ensure your cluster meets the minimum supported Kubernetes version for
+  cert-manager v1.20 as documented in the release notes.
+- Take a backup of:
+  - cert-manager custom resources (`Issuers`, `ClusterIssuers`, `Certificates`,
+    and related resources),
+  - the `cert-manager` namespace (or the namespace where cert-manager is
+    installed),
+  - and any custom configuration (Helm values, manifests, or operator config).
+- If you are using Helm or another package manager, update your repository
+  indices so that the v1.20 charts are available.
+- Test the upgrade in a non-production or staging environment that closely
+  matches your production configuration.
+
+During and after the upgrade:
+
+- Monitor the cert-manager controller, webhook, and cainjector pods for
+  readiness and error logs.
+- Verify that new Certificates can be issued and that existing Certificates
+  continue to renew as expected.
+
+## Known issues
+
+- Known issues and any late-breaking changes for v1.20 are tracked in the
+  v1.20 release notes and the project issue tracker.
+- Before upgrading production clusters, review the release notes and open
+  issues for items that match your environment (specific issuers, DNS
+  providers, ingress controllers, or custom integrations).
+
+If you encounter unexpected behavior after upgrading, consult the troubleshooting
+documentation and the project issue tracker, and consider rolling back to
+v1.19 while you investigate.
-TODO
+This page describes what to check when upgrading an existing cert-manager installation
+from v1.19 to v1.20.
+
+> Note: The information below is intentionally high-level. Always review the
+> detailed v1.20 release notes and changelog for the exact list of changes
+> that apply to your environment.
+
+## Breaking changes
+
+At the time of writing, there are no generally applicable breaking changes
+that require mandatory manual intervention for a standard upgrade from
+v1.19 to v1.20.
+
+However, you **must** verify the following before upgrading:
+
+- Review the v1.20 release notes for any API removals or behavioral changes
+  that affect the issuers, certificate types, or integrations you use.
+- Check for any flags, configuration fields, or Kubernetes API versions
+  that are marked as removed or no longer supported in v1.20.
+
+If any removed or changed features are in use in your cluster, plan the
+corresponding configuration updates before upgrading.
+
+## Required actions
+
+Before upgrading:
+
+- Ensure your cluster meets the minimum supported Kubernetes version for
+  cert-manager v1.20 as documented in the release notes.
+- Take a backup of:
+  - cert-manager custom resources (`Issuers`, `ClusterIssuers`, `Certificates`,
+    and related resources),
+  - the `cert-manager` namespace (or the namespace where cert-manager is
+    installed),
+  - and any custom configuration (Helm values, manifests, or operator config).
+- If you are using Helm or another package manager, update your repository
+  indices so that the v1.20 charts are available.
+- Test the upgrade in a non-production or staging environment that closely
+  matches your production configuration.
+
+During and after the upgrade:
+
+- Monitor the cert-manager controller, webhook, and cainjector pods for
+  readiness and error logs.
+- Verify that new Certificates can be issued and that existing Certificates
+  continue to renew as expected.
+
+## Known issues
+
+- Known issues and any late-breaking changes for v1.20 are tracked in the
+  v1.20 release notes and the project issue tracker.
+- Before upgrading production clusters, review the release notes and open
+  issues for items that match your environment (specific issuers, DNS
+  providers, ingress controllers, or custom integrations).
+
+If you encounter unexpected behavior after upgrading, consult the troubleshooting
+documentation and the project issue tracker, and consider rolling back to
+v1.19 while you investigate.
+## Next Steps
+
+From here on, you can follow the [regular upgrade process](../../installation/upgrade.md).