[master] Freeze 1.19 and bump versions before merging release-next

content/docs/cli/webhook.md

@@ -15,27 +15,21 @@ Usage:
 
 Flags:
       --api-server-host string                               Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted.
+      --client-ca-path string                                The client cert CA used to verify clients contacting webhooks.
+      --client-subject-names strings                         One or more client certificate subject names (CN or DNS SAN) that the apiserver may present when contacting the webhook. Should be a comma-separated list.
       --config string                                        Path to a file containing a WebhookConfiguration object used to configure the webhook
       --dynamic-serving-ca-secret-name string                name of the secret used to store the CA that signs serving certificates
       --dynamic-serving-ca-secret-namespace string           namespace of the secret used to store the CA that signs serving certificates
       --dynamic-serving-dns-names strings                    DNS names that should be present on certificates generated by the dynamic serving CA
       --dynamic-serving-leaf-duration duration               leaf duration of serving certificates (default 168h0m0s)
+      --enable-client-verification                           Enable client cert authenticate of apiserver to webhooks.
       --enable-profiling                                     Enable profiling for webhook.
       --feature-gates mapStringBool                          A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
-                                                             ACMEHTTP01IngressPathTypeExact=true|false (BETA - default=true)
                                                              AllAlpha=true|false (ALPHA - default=false)
                                                              AllBeta=true|false (BETA - default=false)
-                                                             DefaultPrivateKeyRotationPolicyAlways=true|false (BETA - default=true)
-                                                             ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false)
-                                                             ExperimentalGatewayAPISupport=true|false (BETA - default=true)
                                                              LiteralCertificateSubject=true|false (BETA - default=true)
                                                              NameConstraints=true|false (BETA - default=true)
-                                                             OtherNames=true|false (ALPHA - default=false)
-                                                             SecretsFilteredCaching=true|false (BETA - default=true)
-                                                             ServerSideApply=true|false (ALPHA - default=false)
-                                                             StableCertificateRequestName=true|false (BETA - default=true)
-                                                             UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
-                                                             ValidateCAA=true|false (ALPHA - default=false)
+                                                             OtherNames=true|false (BETA - default=true)
       --healthz-port int32                                   port number to listen on for insecure healthz connections (default 6080)
   -h, --help                                                 help for webhook
       --kubeconfig string                                    optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used

content/docs/releases/README.md

@@ -21,14 +21,14 @@ should be stable enough to run.
 
 | Release  | Release Date | End of Life     | [Supported Kubernetes / OpenShift Versions][s] | [Tested Kubernetes Versions][test] |
 |:--------:|:------------:|:---------------:|:----------------------------------------------:|:----------------------------------:|
+| [1.20][] | Mar 10, 2026 | Release of 1.22 | 1.32 → 1.35 / 4.19 → 4.21                      | 1.32 → 1.35                        |
 | [1.19][] | Oct 07, 2025 | Release of 1.21 | 1.31 → 1.35 / 4.18 → 4.20                      | 1.31 → 1.35                        |
-| [1.18][] | Jun 10, 2025 | Release of 1.20 | 1.29 → 1.33 / 4.16 → 4.20                      | 1.29 → 1.33                        |
 
 ## Upcoming releases
 
 | Release  | Release Date | End of Life     | [Supported Kubernetes / OpenShift Versions][s] | [Tested Kubernetes Versions][test] |
 |:--------:|:------------:|:---------------:|:----------------------------------------------:|:----------------------------------:|
-| [1.20][] | Feb 24, 2026 | Release of 1.22 | 1.32 → 1.35 / 4.19 → 4.21                      | 1.32 → 1.35                        |
+| 1.21     | Jun 24, 2026 | Release of 1.23 | 1.33 → 1.36 / 4.20 → 4.22                      | 1.33 → 1.36                        |
 
 Dates in the future are not firm commitments and are subject to change.
 
@@ -222,7 +222,7 @@ newer Kubernetes features.
 The table below lists the major Kubernetes distributions we check. In parentheses next to each release is the <abbr title="End-of-life">EOL</abbr>
 for that release. EOL dates often change throughout the lifecycle of a release.
 
-The "Oldest Kubernetes Release" is the oldest release we deemed relevant to the next cert-manager release, as of 2025-11-07
+The "Oldest Kubernetes Release" is the oldest release we deemed relevant to the next cert-manager release, as of 2026-03-10
 
 | Vendor                | Oldest K8s Release  | Other Kubernetes Releases                                     |
 |:---------------------:|:-------------------:|---------------------------------------------------------------|
@@ -302,6 +302,7 @@ are no longer supported.
 
 | Release      | Release Date | EOL          | Compatible Kubernetes versions | Compatible OpenShift versions |
 |--------------|:------------:|:------------:|:------------------------------:|:-----------------------------:|
+| [1.18][]     | Jun 10, 2025 | Mar 10, 2026 | 1.29 → 1.33                    | 4.16 → 4.20                   |
 | [1.17][]     | Feb 03, 2025 | Oct 07, 2025 | 1.29 → 1.33                    | 4.16 → 4.20                   |
 | [1.16][]     | Oct 03, 2024 | Jun 10, 2025 | 1.25 → 1.32                    | 4.14 → 4.17                   |
 | [1.15][]     | Jun 05, 2024 | Feb 03, 2025 | 1.25 → 1.32                    | 4.12 → 4.16                   |

content/docs/variables.json

@@ -1,3 +1,3 @@
 {
-  "cert_manager_latest_version": "v1.19.4"
+  "cert_manager_latest_version": "v1.20.0"
 }

content/v1.19-docs/README.md

@@ -0,0 +1,24 @@
+---
+title: cert-manager
+description: |
+    cert-manager creates TLS certificates for workloads in your Kubernetes or OpenShift cluster and renews the certificates before they expire.
+---
+
+cert-manager creates TLS certificates for workloads in your Kubernetes or OpenShift cluster
+and renews the certificates before they expire.
+
+cert-manager can obtain certificates from a [variety of certificate authorities](configuration/issuers.md), including:
+[Let's Encrypt](configuration/acme/README.md), [HashiCorp Vault](configuration/vault.md),
+[CyberArk Certificate Manager](configuration/venafi.md) and [private PKI](configuration/ca.md).
+
+With cert-manager's [Certificate resource](usage/certificate.md), the private key and certificate are stored in a Kubernetes Secret
+which is mounted by an application Pod or used by an Ingress controller.
+With [csi-driver](usage/csi-driver/README.md), [csi-driver-spiffe](usage/csi-driver-spiffe/README.md), or [istio-csr](usage/istio-csr/README.md) ,
+the private key is generated on-demand, before the application starts up;
+the private key never leaves the node and it is not stored in a Kubernetes Secret.
+
+![High level overview diagram explaining cert-manager architecture](/images/high-level-overview.svg)
+
+This website provides the full technical documentation for the project, and can be
+used as a reference; if you feel that there's anything missing, please let us know
+or [raise a PR](https://github.com/cert-manager/website/pulls) to add it.

content/v1.19-docs/cli/README.md

@@ -0,0 +1,7 @@
+---
+title: CLI reference
+description: cert-manager CLI documentation
+---
+
+View the `--help` output from our various CLI tools, including those which run in containers in your cluster.
+This might help if you need to tweak an option or if you need to check which values are valid!

content/v1.19-docs/cli/acmesolver.md

@@ -0,0 +1,17 @@
+---
+title: acmesolver CLI reference
+description: "cert-manager acmesolver CLI documentation"
+---
+```
+HTTP server used to solve ACME challenges.
+
+Usage:
+  acmesolver [flags]
+
+Flags:
+      --domain string     the domain name to verify
+  -h, --help              help for acmesolver
+      --key string        the challenge key to respond with
+      --listen-port int   the port number to listen on for connections (default 8089)
+      --token string      the challenge token to verify against
+```

content/v1.19-docs/cli/cainjector.md

@@ -0,0 +1,52 @@
+---
+title: cainjector CLI reference
+description: "cert-manager cainjector CLI documentation"
+---
+```
+
+cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into
+webhooks and APIServices from cert-manager certificates.
+
+It will ensure that annotated webhooks and API services always have the correct
+CA data from the referenced certificates, which can then be used to serve API
+servers and webhook servers.
+
+Usage:
+  cainjector [flags]
+
+Flags:
+      --config string                                        Path to a file containing a CAInjectorConfiguration object used to configure the controller
+      --enable-apiservices-injectable                        Inject CA data to annotated APIServices. This functionality is not required if cainjector is only used as cert-manager's internal component and setting it to false might reduce memory consumption (default true)
+      --enable-certificates-data-source                      Enable configuring cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. This data source can be disabled to reduce memory consumption if you only use cainjector as part of cert-manager's installation (default true)
+      --enable-customresourcedefinitions-injectable          Inject CA data to annotated CustomResourceDefinitions. This functionality is not required if cainjector is only used as cert-manager's internal component and setting it to false might slightly reduce memory consumption (default true)
+      --enable-mutatingwebhookconfigurations-injectable      Inject CA data to annotated MutatingWebhookConfigurations. This functionality is required for cainjector to work correctly as cert-manager's internal component (default true)
+      --enable-profiling                                     Enable profiling for controller.
+      --enable-validatingwebhookconfigurations-injectable    Inject CA data to annotated ValidatingWebhookConfigurations. This functionality is required for cainjector to correctly function as cert-manager's internal component (default true)
+      --feature-gates mapStringBool                          A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
+                                                             AllAlpha=true|false (ALPHA - default=false)
+                                                             AllBeta=true|false (BETA - default=false)
+                                                             CAInjectorMerging=true|false (BETA - default=true)
+                                                             ServerSideApply=true|false (ALPHA - default=false)
+  -h, --help                                                 help for cainjector
+      --kubeconfig string                                    Paths to a kubeconfig. Only required if out-of-cluster.
+      --leader-elect                                         If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true)
+      --leader-election-lease-duration duration              The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s)
+      --leader-election-namespace string                     Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system")
+      --leader-election-renew-deadline duration              The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s)
+      --leader-election-retry-period duration                The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s)
+      --log-flush-frequency duration                         Maximum number of seconds between log flushes (default 5s)
+      --logging-format string                                Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text")
+      --metrics-dynamic-serving-ca-secret-name string        name of the secret used to store the CA that signs serving certificates
+      --metrics-dynamic-serving-ca-secret-namespace string   namespace of the secret used to store the CA that signs metrics serving certificates
+      --metrics-dynamic-serving-dns-names strings            DNS names that should be present on certificates generated by the metrics dynamic serving CA
+      --metrics-dynamic-serving-leaf-duration duration       leaf duration of metrics serving certificates (default 168h0m0s)
+      --metrics-listen-address string                        The host and port that the metrics endpoint should listen on. The value '0' disables the metrics server (default "0.0.0.0:9402")
+      --metrics-tls-cert-file string                         path to the file containing the TLS certificate to serve metrics with
+      --metrics-tls-cipher-suites strings                    Comma-separated list of cipher suites for the metrics server. If omitted, the default Go cipher suites will be used.  Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
+      --metrics-tls-min-version string                       Minimum TLS version supported by the metrics server. If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
+      --metrics-tls-private-key-file string                  path to the file containing the TLS private key to serve metrics with
+      --namespace string                                     If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace.
+      --profiler-address string                              The host and port that Go profiler should listen on, i.e localhost:6060. Ensure that profiler is not exposed on a public address. Profiler will be served at /debug/pprof. (default "localhost:6060")
+  -v, --v Level                                              number for the log level verbosity
+      --vmodule pattern=N,...                                comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
+```

content/v1.19-docs/cli/cmctl.md

@@ -0,0 +1,33 @@
+---
+title: cmctl CLI reference
+description: "cert-manager cmctl CLI documentation"
+---
+```
+
+cmctl is a CLI tool manage and configure cert-manager resources for Kubernetes
+
+Usage: cmctl [command]
+
+Available Commands:
+  approve      Approve a CertificateRequest
+  check        Check cert-manager components
+  convert      Convert cert-manager config files between different API versions
+  create       Create cert-manager resources
+  deny         Deny a CertificateRequest
+  experimental Interact with experimental features
+  help         Help about any command
+  inspect      Get details on certificate related resources
+  renew        Mark a Certificate for manual renewal
+  status       Get details on current status of cert-manager resources
+  upgrade      Tools that assist in upgrading cert-manager
+  version      Print the cert-manager CLI version and the deployed cert-manager version
+
+Flags:
+  -h, --help                           help for cmctl
+      --log-flush-frequency duration   Maximum number of seconds between log flushes (default 5s)
+      --logging-format string          Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text")
+  -v, --v Level[=2]                    number for the log level verbosity
+      --vmodule pattern=N,...          comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
+
+Use "cmctl [command] --help" for more information about a command.
+```