Merge release-next into master for the 1.4 release

.spelling

@@ -31,12 +31,16 @@ boolean
 CAs
 CertificateRequest
 CertificateRequests
+CertificateSigningRequest
+CertificateSigningRequests
 Changelog
 ChartMuseum
 CloudDNS
 Cloudflare
 CloudFlare
 ClusterRole
+ClusterIssuer
+ClusterIssuers
 CNAME
 CNAMEs
 CNI
@@ -162,6 +166,7 @@ stdout
 subdomain
 (sub)domains
 subdomains
+SubjectAccessReview
 subresource
 templating
 Tiller
@@ -248,6 +253,20 @@ retweets
 upstream
 JetstackHQ
 acme-dns
+Ramlot
+andreas-p
+renewBefore
+erikgb
+eddiehoffman
+inteon
+anton-johansson
+edglynes
+jandersen-plaid
+foosinn
+clatour
+tamalsaha
+JoshVanL
+Kyverno
 hardcodes
 
 # As per https://tools.ietf.org/html/rfc5280, the spelling "X.509" is the

content/en/docs/contributing/crds.md

@@ -20,11 +20,15 @@ This will also update the version conversion code if needed.
 
 ## Versions
 
-cert-manager at time of writing has 4 CRD versions in use.
+cert-manager currently has 4 CRD versions in use:
 
-These versions are defined in [`//pkg/apis/certmanager`](https://github.com/jetstack/cert-manager/tree/master/pkg/apis/certmanager). ACME related resources are in `//pkg/apis/acme`.
+- `v1`
+- `v1beta1` (deprecated in cert-manager `v1.4.0`, removed `v1.6.0`)
+- `v1alpha3` (deprecated in cert-manager `v1.4.0`, removed `v1.6.0`)
+- `v1alpha2` (deprecated in cert-manager `v1.4.0`, removed `v1.6.0`)
+
+These versions are defined in [`//pkg/apis/certmanager`](https://github.com/jetstack/cert-manager/tree/master/pkg/apis/certmanager). ACME related resources are in [`//pkg/apis/acme`](https://github.com/jetstack/cert-manager/tree/master/pkg/apis/certmanager).
 
-This has the versions `v1alpha2`, `v1alpha3`, `v1beta1` and `v1`.
 If you need to introduce a new field in any of them it **must** be present in all 4 versions so conversion can be used.
 
 Code comments on these fields are being converted into documentation on our website and text of `kubectl explain`.
@@ -34,6 +38,8 @@ We also have an internal API version, it lives at [`//pkg/internal/apis`](https:
 This is a version that is only used for validation and conversion, controllers should not use it as it is not meant to be user-friendly and not stable.
 However all new fields also have to be added here for the conversion logic to work.
 
+See the [official Kubernetes docs for CRD versioning](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/) to understand conversion, which versions are stored and served etc.
+
 
 ## Kubebuilder
 

content/en/docs/faq/_index.md

@@ -52,7 +52,7 @@ spec:
 
 ### If `renewBefore` or `duration` is not defined, what will be the default value?
 cert-manager will default to a `duration` of [90 days](https://github.com/jetstack/cert-manager/blob/v1.2.0/pkg/apis/certmanager/v1/const.go#L26) with a `renewBefore` of [30 days](https://github.com/jetstack/cert-manager/blob/v1.2.0/pkg/apis/certmanager/v1/const.go#L32).
-If `renewBefore` is not set and the duration of the signed certificate is shorter or equal to 30 days, the `renewBefore` time will be set to 2/3 of the signed certificate validity duration.
+The renewal time of the certificate will be calculated using the formula `min(duration / 3, renewBefore)`, see [renewal](../usage/certificate/#renewal) for more detail.
 When setting `duration` it is recommended to also set `renewBefore`, if `renewBefore` is longer than `duration` you will receive an error.
 
 ## Miscellaneous
@@ -70,8 +70,10 @@ because such certificates increase the opportunity for attacks on the Kubernetes
 
 In Kubernetes 1.19 the [Certificate Signing Requests API] has reached V1
 and it can be used more generally by following (or automating) the [Request Signing Process].
-There are plans for cert-manager make greater use of this API now that it is stable.
+
+cert-manager currently has some [limited experimental support] for this resource.
 
 [Certificate Signing Requests API]: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#certificatesigningrequest-v1-certificates-k8s-io
 [`kubectl certificates` command]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#certificate
 [Request signing process]: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#request-signing-process
+[limited experimental support]: ../usage/kube-csr/

content/en/docs/installation/supported-releases.md

@@ -17,24 +17,27 @@ release every two months.
 
 ## Supported releases {#supported-releases}
 
-| Release | Release Date |        EOL        | [Supported Kubernetes versions][s] |
-| ------- | :----------: | :---------------: | :--------------------------------: |
-| [1.3][] | Apr 08, 2021 |   [~][]Aug 2021   | 1.16, 1.17, 1.18, 1.19, 1.20, 1.21 |
-| [1.2][] | Feb 10, 2021 | [~][]Jun 11, 2021 | 1.16, 1.17, 1.18, 1.19, 1.20, 1.21 |
+| Release | Release Date |     EOL      | [Supported Kubernetes versions][s] |
+|---------|:------------:|:------------:|:----------------------------------:|
+| [1.4][] | Jun 15, 2021 | Oct 13, 2021 | 1.16, 1.17, 1.18, 1.19, 1.20, 1.21 |
+| [1.3][] | Apr 08, 2021 | Aug 11, 2021 | 1.16, 1.17, 1.18, 1.19, 1.20, 1.21 |
 
 ## Upcoming releases
 
-| Release |   Release Date    |      EOL      | [Supported Kubernetes versions][s] |
-| ------- | :---------------: | :-----------: | :--------------------------------: |
-| [1.4][] | [~][]Jun 11, 2021 | [~][]Oct 2021 | 1.16, 1.17, 1.18, 1.19, 1.20, 1.21 |
+| Release | Release Date |     EOL      |    [Supported Kubernetes versions][s]    |
+|---------|:------------:|:------------:|:----------------------------------------:|
+| [1.5][] | Aug 11, 2021 | Dec 15, 2021 | 1.16, 1.17, 1.18, 1.19, 1.20, 1.21, 1.22 |
+| 1.6     | Oct 13, 2021 | Feb 16, 2022 |              to be defined               |
+| 1.7     | Dec 15, 2021 | Apr 13, 2022 |              to be defined               |
 
-> The `~` sign is used when the date is uncertain and might change; the
-> "EOL" abbreviation stands for End Of Life.
+> Note that dates in the future are uncertain and might change. The "EOL"
+> abbreviation stands for End Of Life.
 
 ## Old releases
 
 | Release  | Release Date |     EOL      | Compatible Kubernetes versions |
-| -------- | :----------: | :----------: | :----------------------------: |
+|----------|:------------:|:------------:|:------------------------------:|
+| [1.2][]  | Feb 10, 2021 | Jun 15, 2021 |          1.16 → 1.21           |
 | [1.1][]  | Nov 24, 2021 | Apr 08, 2021 |          1.11 → 1.21           |
 | [1.0][]  | Sep 02, 2020 | Feb 10, 2021 |          1.11 → 1.21           |
 | [0.16][] | Jul 23, 2020 | Nov 24, 2020 |          1.11 → 1.21           |
@@ -45,8 +48,8 @@ release every two months.
 | [0.11][] | Oct 10, 2019 | Jan 21, 2020 |           1.9 → 1.21           |
 
 [s]: #kubernetes-supported-versions
-[~]: https://docs.google.com/document/d/1Tc5t6ylY9dhXAan1OjOoldeaoys1Yh4Ir710ATfBa5U/edit?pli=1#bookmark=id.jzi02xg0ngn "Project timeline"
-[1.4]: https://github.com/jetstack/cert-manager/milestone/25
+[1.5]: https://github.com/jetstack/cert-manager/milestone/26
+[1.4]: https://cert-manager.io/docs/release-notes/release-notes-1.4
 [1.3]: https://cert-manager.io/docs/release-notes/release-notes-1.3
 [1.2]: https://cert-manager.io/docs/release-notes/release-notes-1.2
 [1.1]: https://cert-manager.io/docs/release-notes/release-notes-1.1
@@ -210,10 +213,10 @@ Our testing coverage is:
 | Release branch | Prow configuration            | Dashboard                 | Kubernetes versions tested   |  Periodicity  |
 | :------------: | :---------------------------- | :------------------------ | :--------------------------- | :-----------: |
 |      PRs       | [`presubmits.yaml`][]         | [`presubmits-blocking`][] | 1.21                         |  On each PR   |
-|     master     | [`periodics.yaml`][]          | [`master`][]              | 1.16, 1.17, 1.18, 1.19, 1.20 | Every 2 hours |
-|  release-1.4   | [`next-periodics.yaml`][]     | [`next`][]                | 1.16, 1.17, 1.18, 1.19, 1.20 | Every 2 hours |
-|  release-1.3   | [`previous-periodics.yaml`][] | [`previous`][]            | 1.16, 1.17, 1.18, 1.19, 1.20 | Every 2 hours |
-|  release-1.2   | N/A                           |                           | N/A                          |      N/A      |
+|     master     | [`periodics.yaml`][]          | [`master`][]              | 1.16, 1.17, 1.18, 1.19, 1.21 | Every 2 hours |
+|  release-1.5   | [`next-periodics.yaml`][]     | [`next`][]                | 1.16, 1.17, 1.18, 1.19, 1.21 | Every 2 hours |
+|  release-1.4   | [`previous-periodics.yaml`][] | [`previous`][]            | 1.16, 1.17, 1.18, 1.19, 1.21 | Every 2 hours |
+|  release-1.3   | N/A                           |                           | N/A                          |      N/A      |
 
 [`presubmits.yaml`]: https://github.com/jetstack/testing/blob/master/config/jobs/cert-manager/cert-manager-presubmits.yaml
 [`periodics.yaml`]: https://github.com/jetstack/testing/blob/master/config/jobs/cert-manager/cert-manager-periodics.yaml
@@ -227,15 +230,15 @@ Our testing coverage is:
 The oldest Kubernetes release supported by cert-manager is 1.16, as we want
 to be supporting most commercial Kubernetes offerings.
 
-|   Vendor   | Oldest Kubernetes Release\* | End of Life |
-| :--------: | :-------------------------: | :---------: |
-| [EKS][eks] |            1.16             | 25 Jul 2021 |
-| [GKE][gke] |            1.17             |  Nov 2021   |
-| [AKS][aks] |            1.18             |  Jun 2021   |
+|   Vendor   | Oldest Kubernetes Release\* |                Other Old Kubernetes Releases                 |
+|:----------:|:---------------------------:|--------------------------------------------------------------|
+| [EKS][eks] |     1.16 (EOL Jul 2021)     | 1.17 (EOL Sep 2021), 1.18 (EOL Nov 2021), 1.9 (EOF Apr 2022) |
+| [GKE][gke] |     1.17 (EOL Nov 2021)     | 1.18 (EOL Dec 2021), 1.19 (EOL Feb 2022)                     |
+| [AKS][aks] |     1.18 (EOL Jul 2021)     | 1.19 (EOL Aug 2021)                                          |
 
-\*As of 2021-05-25.
+\*As of June 15, 2021.
 
-[eks]: https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html
+[eks]: https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar
 [gke]: https://cloud.google.com/kubernetes-engine/docs/release-schedule
 [aks]: https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions#aks-kubernetes-release-calendar
 

content/en/docs/installation/upgrading/remove-deprecated-apis.md

@@ -0,0 +1,52 @@
+---
+title: "Removing Deprecated API Resources"
+linkTitle: "Removing Deprecated API Resources"
+weight: 20
+type: "docs"
+---
+
+We have deprecated the following cert-manager APIs: 
+
+- `cert-manager.io/v1alpha2`
+- `cert-manager.io/v1alpha3`
+- `cert-manager.io/v1beta1`
+- `acme.cert-manager.io/v1alpha2`
+- `acme.cert-manager.io/v1alpha3`
+- `acme.cert-manager.io/v1beta1`
+
+These APIs will be removed in cert-manager `v1.6.0`.
+If you have a cert-manager installation that is using or has previously used these deprecated APIs you may need to upgrade your cert-manager custom resources and CRDs. This needs to be done before upgrading to cert-manager `v1.6.0`. 
+
+
+## Upgrading existing cert-manager resources
+
+1. Familiarize yourself with the [official Kubernetes documentation](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#writing-reading-and-updating-versioned-customresourcedefinition-objects) on CRD versioning.
+2. Make sure your installed cert-manager deployment is `v1.0.0` or later.
+
+3. Make sure any version-controlled cert-manager custom resource config files that still use the deprecated APIs are updated to use the `cert-manager.io/v1` API and re-applied. This should update stored versions of the given resources.
+
+After that, follow the official Kubernetes documentation [here](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#upgrade-existing-objects-to-a-new-stored-version):
+
+1. If there are other resources (e.g. `Certificate`s created by ingress-shim, `CertificateRequest`s, etc.) that are not version controlled and may have been created using the deprecated APIs, run
+   ```bash
+   kubectl get <resource_name> -oyaml | kubectl apply -f -
+   ```
+   to force the resources to be stored in `etcd` at the current storage version.
+
+2. To remove legacy API versions from cert-manager CRDs run the following `curl` commands:
+
+```bash
+kubectl proxy &
+
+curl -d '[{ "op": "replace", "path":"/status/storedVersions", "value": ["v1"] }]' -H "Content-Type: application/json-patch+json"  -X PATCH http://localhost:8001/apis/apiextensions.k8s.io/v1/customresourcedefinitions/certificates.cert-manager.io/status
+
+curl -d '[{ "op": "replace", "path":"/status/storedVersions", "value": ["v1"] }]' -H "Content-Type: application/json-patch+json"  -X PATCH http://localhost:8001/apis/apiextensions.k8s.io/v1/customresourcedefinitions/certificaterequests.cert-manager.io/status
+
+curl -d '[{ "op": "replace", "path":"/status/storedVersions", "value": ["v1"] }]' -H "Content-Type: application/json-patch+json"  -X PATCH http://localhost:8001/apis/apiextensions.k8s.io/v1/customresourcedefinitions/issuers.cert-manager.io/status
+
+curl -d '[{ "op": "replace", "path":"/status/storedVersions", "value": ["v1"] }]' -H "Content-Type: application/json-patch+json"  -X PATCH http://localhost:8001/apis/apiextensions.k8s.io/v1/customresourcedefinitions/clusterissuers.cert-manager.io/status
+
+curl -d '[{ "op": "replace", "path":"/status/storedVersions", "value": ["v1"] }]' -H "Content-Type: application/json-patch+json"  -X PATCH http://localhost:8001/apis/apiextensions.k8s.io/v1/customresourcedefinitions/orders.acme.cert-manager.io/status
+
+curl -d '[{ "op": "replace", "path":"/status/storedVersions", "value": ["v1"] }]' -H "Content-Type: application/json-patch+json"  -X PATCH http://localhost:8001/apis/apiextensions.k8s.io/v1/customresourcedefinitions/challenges.acme.cert-manager.io/status
+```

content/en/docs/installation/upgrading/upgrading-1.3-1.4.md

@@ -0,0 +1,9 @@
+---
+title: "Upgrading from v1.3 to v1.4"
+linkTitle: "v1.3 to v1.4"
+weight: 820
+type: "docs"
+---
+
+When upgrading from `v1.3` to `v1.4`, no special upgrade steps are required 🎉.
+From here on you can follow the [regular upgrade process](../).

content/en/docs/release-notes/_index.md

@@ -9,6 +9,7 @@ no_list: true
 Here you will find a link to all release notes for each version release of
 cert-manager:
 
+- [`v1.4`](./release-notes-1.4/)
 - [`v1.3`](./release-notes-1.3/)
 - [`v1.2`](./release-notes-1.2/)
 - [`v1.1`](./release-notes-1.1/)

content/en/docs/release-notes/release-notes-1.3.md

@@ -5,7 +5,20 @@ weight: 800
 type: "docs"
 ---
 
-This release prepares for the implementation of certificate issuance policies and adoption of the upstream [Kubernetes CSR](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) API. It also improves interoperability with HashiCorp [Vault Enterprise](https://www.vaultproject.io/docs/enterprise).
+# Patch Release `v1.3.1`
+
+## Bug and Security Fixes
+
+- A Helm upgrade bug was
+  [fixed](https://github.com/jetstack/cert-manager/pull/3882), you should now
+  able to upgrade from cert-manager 1.2 to 1.3 when `--set installCRDs=true` is
+  used. This issue was due to [a Helm
+  bug](https://github.com/helm/helm/issues/5806#issuecomment-788116838) with the
+  `minimum` field on the CRDs.
+
+# Final Release `v1.3.0`
+
+The 1.3 release prepares for the implementation of certificate issuance policies and adoption of the upstream [Kubernetes CSR](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) API. It also improves interoperability with HashiCorp [Vault Enterprise](https://www.vaultproject.io/docs/enterprise).
 A slew of bugs have also been squashed.
 
 Special thanks to the external contributors who contributed to this release:
@@ -28,9 +41,9 @@ Please read the [upgrade notes](/docs/installation/upgrading/upgrading-1.2-1.3/)
 
 As always, the full change log is available on the [GitHub release](https://github.com/jetstack/cert-manager/releases/tag/v1.3.0).
 
-# Deprecated Features and Breaking Changes
+## Deprecated Features and Breaking Changes
 
-## Venafi Cloud Issuer
+### Venafi Cloud Issuer
 
 This release updates the [Venafi Cloud Issuer][] to use `OutagePREDICT` instead of `DevOpsACCELERATE`.
 
@@ -40,17 +53,17 @@ The zone is now `<Application Name>\<Issuing Template Alias>`
 
 [Venafi Cloud Issuer]: https://cert-manager.io/docs/configuration/venafi/
 
-## cert-manager controller
+### cert-manager controller
 
 The `--renew-before-expiration-duration` flag has been removed from the cert-manager controller, having been deprecated in the previous release.
 
-## cert-manager CRDs
+### cert-manager CRDs
 
 `CertificateRequests` are now immutable - the `spec` and `metadata.annotations` fields cannot be changed after creation. They were always designed to be immutable but this behavior is now *enforced* by the cert-manager webhook.
 
-# New Features
+## New Features
 
-## Policy Support Preparation
+### Policy Support Preparation
 
 * The [design documentation](https://github.com/jetstack/cert-manager/blob/v1.3.0/design/20210203.certificate-request-identity.md) for Certificate Identity is now available.
 * `CertificateRequests` now have identity fields mirroring the upstream [Kubernetes CSR](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) object.
@@ -59,38 +72,38 @@ The `--renew-before-expiration-duration` flag has been removed from the cert-man
 * The cert-manager controller currently always approves any `CertificateRequest`.
 * Added `kubectl cert-manager [approve|deny]` commands to the kubectl plugin.
 
-## cert-manager CRDs
+### cert-manager CRDs
 
 * `CertificateRequests` now support the `revisionHistoryLimit` field to limit the amount of retained history. The default is unlimited (`nil`).
 
-## Vault Enterprise
+### Vault Enterprise
 
 * cert-manager now sends the `X-VAULT-NAMESPACE` header for the `requestTokenWithAppRoleRef` API call.
 
-# Bug Fixes
+## Bug Fixes
 
-## cert-manager Controller
+### cert-manager Controller
 
 * Fixed an issue which could cause multiple `CertificateRequests` to be created in a short time for a single `Certificate` resource.
 * Certificate Readiness controller only updates a certificate's status if something has changed.
 
-## SelfSigned Issuer
+### SelfSigned Issuer
 
 * The issuer now warns if you request a certificate with an empty subject DN - creating a certificate that is in violation of RFC 5280. Some applications will reject such certificates as invalid, such as Java's `keytool`.
 
-## Helm Chart
+### Helm Chart
 
 * The `targetPort` used by the Prometheus service monitor is now correctly set from helm values.
 * The correct permissions are added to the aggregate `edit` role.
 
-# Other Changes
+## Other Changes
 
 ## Repository Hygiene
 
 * `SECURITY.md` now contains information on how to report security issues.
 * The language of `CONTRIBUTING.md` has been updated to match existing copyright notices.
 
-## Tooling
+### Tooling
 
 * cert-manager now can be built with go 1.16 on Apple Silicon.
 * Docker images targets have been added to the Makefile.