feat: update secretTemplate documentation

.spelling

@@ -275,6 +275,8 @@ JoshVanL
 Kyverno
 hardcodes
 templated
+jonathansp
+benlangfeld
 
 # As per https://tools.ietf.org/html/rfc5280, the spelling "X.509" is the
 # correct spelling. The spelling "x509" and "X509" are incorrect.

content/en/docs/release-notes/release-notes-1.5.md

@@ -8,15 +8,42 @@ type: "docs"
 # Release `v1.5.0`
 
 Special thanks to the external contributors who contributed to this release:
-- TODO
+
+* [@jonathansp](https://github.com/jonathansp)
+* [@benlangfeld](https://github.com/benlangfeld)
 
 ## Deprecated Features and Breaking Changes
 
 ### TODO
 
 ## New Features
 
-### TODO
+### Secret Templates
+
+We introduce the concept of `SecretTemplate` for `Certificates`. When a certificate is issued, a new `Secret` is created to hold the certificate data. This secret is created by cert-manager. In order to use third-party solutions such as [kubed](https://github.com/kubeops/kubed) to copy this secret to multiple namespaces, this secret must be annotated.
+
+`SecretTemplate` is optional. Labels and annotations from the template will be synced to the `Secret` at the time when the certificate is created or renewed.
+
+```yaml
+# certificate.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: example-com
+  namespace: sandbox
+spec:
+  secretName: example-com-tls
+  secretTemplate:
+    annotations:
+      my-secret-annotation: "foo"
+    labels:
+      my-secret-label: bar
+```
+*Note*: Currently labels and annotations can only be added or replaced, but not removed. Removing any labels or annotations from the template or removing the template itself will have no effect.
+
+Implemented in cert-manager PR [#3828][]
+
+[#3828]: https://github.com/jetstack/cert-manager/pull/3828 "feat: add support to secretTemplates"
 
 ## Bug Fixes
 

content/en/docs/usage/certificate.md

@@ -36,6 +36,21 @@ metadata:
 spec:
   # Secret names are always required.
   secretName: example-com-tls
+
+  # Secret template is optional. If set, these annotations
+  # and labels will be copied to the secret named example-com-tls.
+
+  # Note: Labels and annotations from the template are only synced to the Secret at the time when the certificate 
+  # is created or renewed. Currently labels and annotations can only be added, but not removed. Removing any 
+  # labels or annotations from the template or removing the template itself will have no effect.
+  # See https://github.com/jetstack/cert-manager/issues/4292.
+  secretTemplate:
+    annotations:
+      my-secret-annotation-1: "foo"
+      my-secret-annotation-2: "bar"
+    labels:
+      my-secret-label: foo
+
   duration: 2160h # 90d
   renewBefore: 360h # 15d
   subject:
@@ -75,6 +90,9 @@ The signed certificate will be stored in a `Secret` resource named
 `example-com-tls` in the same namespace as the `Certificate` once the issuer has
 successfully issued the requested certificate.
 
+If `secretTemplate` is present, annotations and labels set in this property
+will be copied over to `example-com-tls` secret. Both properties are optional.
+
 The `Certificate` will be issued using the issuer named `ca-issuer` in the
 `sandbox` namespace (the same namespace as the `Certificate` resource).