generic Quarterly Scrub :: Triage Party

Once every quarter, look for stale issues, reprioritize, and de-duplicate.

Issues nearing expiration (25)

Resolution: Close or label as frozen

Average age: 237.8d, Avg wait: 67.9d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
6194		Certificates stayed in False not change its state			3mo	3h	3mo		kind/bug lifecycle/stale	collaborator-last recv
6175		`region` should be optional in a Route53 dns solver			3mo	7d	3mo		kind/bug lifecycle/stale	collaborator-last recv
6161		certificate lost Subject Key Identifier			3mo	11d	3mo		kind/bug lifecycle/stale	collaborator-last recv
6158		Had to apply static installation file twice			3mo	14d	3mo		kind/bug lifecycle/stale	collaborator-last recv
6141		Consider exposing previous certificates/keys in the kubernetes secret so that workloads can implement a grace period when a certificate rotates		2	3mo	14d	3mo		kind/feature lifecycle/stale	collaborator-last commented recv
6139		Include 3rd party CA's in generated certificate			3mo	2wk	3mo		kind/feature lifecycle/stale	collaborator-last recv
6134		cert-manager-cainjector process is stopped by leader election lost, but not start again			3mo	3wk	3mo		kind/bug lifecycle/stale	collaborator-last recv
6133		The `spec.duration` in `Certificate` resource seems to be ignored and default to 31 days			3mo	15d	3mo		kind/bug lifecycle/stale	collaborator-last commented send
6117		Vault Issuer Read caBundle from ConfigMap Similar: #5514: Venafi Issuer Read `caBundle` from Configmap or Secret (open)		3	4mo	15d	15d		area/api kind/feature lifecycle/stale area/vault	commented member-last send similar
6071		[helm] Allow usage of initContainers for cert-manager Similar: #1255: helm install cert-manager with errors (open)			4mo	14d	3mo		kind/feature lifecycle/stale	collaborator-last commented send similar
6051		Detecting Gateway hostnames based on attached HTTPRoutes PR#6124: Add design/20230601.gateway-route-hostnames. new-commits			4mo	4wk	4mo		kind/feature lifecycle/stale	author-last pr-new-commits recv recv-q
5998		Failed post-install: timed out waiting for the condition Similar: #4646: Failed to install " failed post-install: timed out waiting for the condition" (closed)			5mo	7d	5mo		kind/bug lifecycle/stale	collaborator-last recv similar
5982		Conflict errors on certificaterequest updates with kubernetes 1.25		3	5mo	1d	4mo		triage/support lifecycle/stale	collaborator-last commented recv recv-q
5942		ClusterIssuer with auth kubernetes not working			5mo	16d	3mo		kind/bug lifecycle/stale	collaborator-last commented pr-unreviewed send
5926		OwnerReference be added to the privateKeySecretRef secret created by the ACME ClusterIssuer and Issuer PR#6186: feat: Add OwnerReference to the secrets created by ACME ClusterIssuer and Issuer unreviewed			5mo	10d	3mo		good first issue help wanted kind/feature lifecycle/stale triage/needs-information	collaborator-last commented pr-unreviewed send
5917		Waiting for DNS-01 challenge propagation: DNS record for mydomain.com not yet propagated Similar: #5515: stuck on propagation check failed DNS record not yet propagated (open) Similar: #5042: propagation check failed: DNS record for xxx not yet propagated (closed)		3	5mo	57min	5mo		kind/bug lifecycle/stale	assigned assignee-updated collaborator-last commented recv recv-q similar
5897		"cert-manager.io/alt-names" annotation under Ingress resources PR#6190: Adds ingress annotation support for alt-names unreviewed			6mo	14d	5mo		triage/support lifecycle/stale	collaborator-last commented pr-unreviewed recv recv-q
5590		Configure cluster resource namespace in ClusterIssuer spec		2	10mo	3d	10mo		triage/support lifecycle/stale	collaborator-last recv
5566		upload Helm charts to OCI registry and sign them with cosign		7	10mo	7d	6mo		kind/feature lifecycle/stale	collaborator-last commented send
5516		Forbidden: seccomp may not be set pod.metadata.annotations		3 13	11mo	12h	11mo		kind/bug lifecycle/stale	collaborator-last recv
5031		ValidateCAA test function is flaky			1y	6d	4mo		kind/bug lifecycle/stale kind/flake flake/test-logic	collaborator-last commented send
4594		TLS handshake error: EOF		20	2y	4wk	1y		kind/bug lifecycle/stale	collaborator-last commented recv-q send
5220		Investigate improving resource consumption and performance in clusters with large amount of resources		11	1y	22h	11mo		kind/feature lifecycle/stale	collaborator-last commented pr-merged recv-q
3958		Sane defaults for Certificate revision history limit		12	2y	9d	10mo		kind/feature lifecycle/stale	collaborator-last commented recv-q send
6028		Fix runtime.Scheme errors in tests			4mo	6d			size/L release-note-none kind/cleanup lifecycle/stale area/acme dco-signoff: yes area/testing	collaborator-last open-milestone unreviewed

Features that deserve a follow-up comment: No matching items

Features that have not been commented on within 90 days (4)

Resolution: Comment or close the issue

Average age: 848.3d, Avg wait: 0.0d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
4349		allowing greater configuration for the cloud provider tests			2y	1y	1y		lifecycle/frozen kind/feature	collaborator-last commented send
3521		Integration with ExternalDNS		4 31	2y	7mo	1y		help wanted lifecycle/frozen kind/feature priority/important-longterm	commented recv-q send
155		Add 'unreleased version' & 'old version' warning banner to non-latest versions of docs			3y	3y	3y		kind/feature priority/backlog	collaborator-last commented send
72		Add the configmap on all pod via mutatingWebhookConfiguration		2	10mo	8mo	8mo		kind/feature	commented member-last send

Bugs that deserve a follow-up comment (5)

Resolution: Comment or close the issue

Average age: 334.5d, Avg wait: 173.7d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
6197		Securing Gateway resources with non HTTPS listeners generate BadConfig events PR#6347: Do not process non-HTTPS listeners on Gateways unreviewed		6	2mo	2mo	2mo		kind/bug	pr-unreviewed recv
6195		logLevel information in logs			2mo	2mo	2mo		kind/bug	recv
6174		Certificates Ready : False Similar: #561: Certificate Resources (open)			3mo	2mo	3mo		kind/bug	recv recv-q similar
4685		Unexpected EOF during watch stream event decoding: unexpected EOF		8	2y	9mo	2y		lifecycle/frozen kind/bug	recv recv-q
4423		Cert renewal loop		2	2y	2mo	2y		kind/bug	author-last commented recv recv-q

Bugs that have not been commented on within 60 days (11)

Resolution: Comment or close the issue

Average age: 460.3d, Avg wait: 79.0d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
6213		Unable to install cert-manager with argo-cd because helm chart is v1			2mo	2mo	2mo		kind/bug	commented member-last send
4620		Vault Issuer does not retry signing CertificateRequests if the status is pending Similar: #6313: ClusterIssuer CA does not sign certificates (closed)		9	2y	2mo	7mo		kind/bug priority/important-longterm area/vault	commented send similar
3640		Challenge Records Not Always Cleaned Up			2y	2mo	8mo		kind/bug priority/important-longterm area/acme	commented pr-closed pr-merged
5074		Race condition between issuers, certificates, and secrets			1y	8mo	1y		lifecycle/frozen kind/bug priority/important-soon	commented member-last pr-closed send
5867		Controller can't handle hitting request rate limits of zerossl ACME API Similar: #6106: Controller can't handle hitting request rate limits when is registering the issuer (open)		2 10 19	6mo	2mo	5mo		kind/bug	commented pr-closed pr-merged recv-q send similar
422		Page last modified date incorrect			2y	2y	2y		kind/bug	collaborator-last commented send
5 previously listed items omitted: #6197 #6195 #6174 #4685 #4423

Items that deserve a follow-up comment (91)

Resolution: Comment or close the issue

Average age: 539.0d, Avg wait: 517.7d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
6201		Configure retry strategy			2mo	2mo	2mo			recv
1257		ErrRegisterACMEAccount			3mo	3mo	3mo			recv
1241		Remove Bitnami kubeprod as installation method			3mo	3mo	3mo			recv
1159		Why the sample issuer still uses kubebuilder version 2 ?			8mo	8mo	8mo			recv
1125		Describe cert-manager feature policy			9mo	8mo	9mo			contributor-last recv recv-q
1101		Feature request for updating documentation.			10mo	10mo	10mo			recv
1063		"Securing Ingresses with Venafi" tutorial contains link to missing manifest			1y	1y	1y			author-last pr-merged recv
1062		Document process for offboarding maintainers Similar: #1061: Document onboarding process for new maintainers (open)			1y	1y	1y			recv similar
1061		Document onboarding process for new maintainers Similar: #1062: Document process for offboarding maintainers (open)			1y	1y	1y			recv similar
1054		Run spell checker in a pre-commit hook			1y	1y	1y		good first issue kind/cleanup	recv
998		Documentation venafi configuration references venafi documentation page which returns 403			1y	1y	1y			contributor-last recv
993		Document which resources do/do not get garbage collected			1y	1y	1y		good first issue	contributor-last recv
931		Improve upgrade instructions using helm			1y	1y	1y			recv
899		Upgrading from v1.7 to v1.8 check command should exclude null.		2	1y	1y	1y			recv recv-q
868		Document RBAC Similar: #844: Document feature gates (open)			2y	2y	2y			contributor-last recv similar
866		Securing NGINX-ingress Similar: #326: Securing Ingresses with Venafi (open)			2y	2y	2y			recv similar
851		create Cilium ingress tls example		3	2y	1y	2y			assigned assignee-updated recv
850		Document available cert-manager Prometheus metrics Similar: #136: Document available metrics (open)			2y	7mo	2y		documentation good first issue priority/important-longterm	recv recv-q similar
847		missing documentation/information olm based installation metric prometheus			2y	2y	2y			contributor-last recv
841		remove dependency on golang from cmctl and kubectl-plugin installation documentation			2y	2y	2y			contributor-last pr-merged recv recv-q
836		Syncing Secrets Across Namespaces			2y	2y	2y			recv
758		API reference docs: enum values not documented with typedef			2y	2y	2y			recv
706		Default key usages			2y	2y	2y			recv
697		[IRSA] Needs `runAsUser: 1001`			2y	2y	2y			recv
672		List required Google CloudDNS permissions exhaustively			2y	2y	2y			recv
662		Using "azureDNS" for the DNS01 Solver results "Multiple user assigned identities exist, please specify the clientId / resourceId"			2y	2y	2y			recv
645		Investigate & add an FAQ/warning about images rolled back after GitOps upgrade			2y	2y	2y			recv recv-q
604		Make it so that it is easier to find the doc for fixing webhook issues			2y	1y	2y			contributor-last recv
568		Add a diagram for LetsEncrypt cert issuance flow to the docs		4	2y	2y	2y			recv
561		Certificate Resources Similar: #6174: Certificates Ready : False (open) Similar: #144: Add CertificateRequest as a source (open)			2y	2y	2y			recv similar
554		HTTP Validation, privateKeySecretRef			2y	2y	2y			contributor-last recv
469		DNS01: Delegated Domains for DNS01 example yaml solvers list items			2y	2y	2y			recv
484		Please add anchor tags to your subheadings			2y	2y	2y		priority/backlog kind/documentation	commented contributor-last pr-merged recv
354		DigitalOcean access-token should not be base64-encoded			2y	2y	2y		priority/awaiting-more-evidence	author-last commented recv
466		installation/compatiblity			2y	2y	2y			recv
76		Upgrading from v0.10 to v0.11 - missing cainjector annotation			3y	3y	3y		priority/backlog kind/documentation	contributor-last recv
457		cainjector docs are missing the option to inject certs in apiservice resources			2y	2y	2y			recv
213		charts.jetstack.io beding cluster presents a challenge and breaks deployment			3mo	3mo	3mo			recv
197		add the compatibility matrix for Kubernetes versions to README			7mo	7mo	7mo			recv
176		certificateDuration is not used for the Istio CSR generated certificate requests Similar: #119: Certificate is re-requested when container restarts (open) Similar: #14: Annotation generates CertificatesRequests repeatedly until blocked by letsencrypt (open)			1y	1y	1y			author-last commented recv recv-q similar
145		*Not able to use Istio-CSR in istio(1.13.)**			1y	1y	1y			author-last commented pr-closed recv
144		add a support kubernetes client QPS and Burst config			2y	2y	2y			recv
141		Istio-csr pods were hung unable to handle request causes entire cluster downtime for new pods/expired pods.			2y	1y	2y			commented recv recv-q
138		istio-csr doesn't retry upon failed certificate requests			2y	10mo	2y			contributor-last recv
137		Documentation on rotating the root certificate			2y	7mo	2y			recv recv-q
132		Allow override of istiod-tls certificate common name in helm chert (for non-standard istiod deployments)			2y	5mo	2y			recv
130		Document best-practices for minimal vault role configuration for istio-csr			2y	2y	2y			recv
108		[doc] confusion with `ca.pem` and Readiness probe failed on ingress and egress gateways			2y	2y	2y			author-last commented recv recv-q
117		public ca.crt aka caBundle is not being updated/propagated until the cert-manager and istiod components are restarted			2y	2y	2y			recv
94		Can't get aws pca to work			2y	2y	2y			recv
83		commonName required for AWS PCA			2y	2y	2y			commented recv recv-q
136		Document available metrics Similar: #850: Document available cert-manager Prometheus metrics (open)			2y	2y	2y			recv similar
207		Setting .Values.nameOverride makes the pod not have rights to update secret cert-manager-approver-policy-tls			6mo	6mo	6mo			author-last recv
169		Webhook Custom CA			9mo	9mo	9mo			recv
62		CertificateRequestPolicy based on which namespace the certificate request belongs to PR#256: CEL expressions approver design new-commits		7	1y	3mo	6mo			author-last commented pr-closed pr-merged pr-new-commits recv
142		expose bundles CRD as release artifact		3	3mo	3mo	3mo			recv
135		Automatic CA rotation support			4mo	4mo	4mo			contributor-last recv
132		Unable to run Trust Manager without cert manager PR#157: Add support for generating certificates with helm unreviewed			4mo	4mo	4mo			contributor-last pr-unreviewed recv recv-q
99		Allow removing Bundles whilst keeping the synced CA certs		2	8mo	8mo	8mo			pr-unreviewed recv
58		Support injection pem into an existing configmap		3	1y	2mo	1y			contributor-last recv
33		Support CRDs as target Similar: #10: Feature: support secret target (open)		3	1y	1y	1y			recv similar
144		Push new tag for chart fixes			3mo	3mo	3mo			recv
140		Update images to not utilize k8s.gcr.io			5mo	5mo	5mo			recv
136		SubPath support is broken or missing			8mo	8mo	8mo			recv
134		Volume empty		3	9mo	5mo	9mo			recv
130		JKS support Similar: #159: No support for EKS in helm (open) Similar: #6283: JWK(S) support (open)		3	9mo	7mo	9mo			recv similar
128		Support all subject attributes PR#129: Add attribute support for certificate subject commented			9mo	9mo	9mo			pr-reviewed-with-comment recv
119		Certificate is re-requested when container restarts Similar: #144: Add CertificateRequest as a source (open) Similar: #6282: The certificate request has failed... order is in "invalid" state (open) Similar: #176: certificateDuration is not used for the Istio CSR generated certificate requests (open)			11mo	11mo	11mo			recv similar
125		Is it too late to align cert-manager annotations? Similar: #38: Route with cert-manager annotations is not created (open)			9mo	9mo	9mo			recv similar
33		New key being used with old certificate			2y	2y	2y			recv
29		Deleting a pod with a cert-manager-csi volume mounted results in the pod termination hanging.			3y	3y	3y			recv
21		MountVolume.SetUp failed: cannot set blockOwnerDeletion: cannot find RESTMapping for APIVersion core/v1 Kind Pod			3y	3y	3y			recv
17		ability to specify pod IP in volume attributes		5	3y	3y	3y			commented recv
26		Cannot `chmod` a read only filesystem		14	3y	2y	3y			pr-closed recv recv-q
38		Add Envoy Secret discovery service (SDS) support			4mo	4mo	4mo			recv
19		Add support for certificate expiry configuration		6	11mo	4mo	11mo			recv
30		Installation is only possible in the default `cert-manager` NS PR#32: Allow installation in a custom namespace unreviewed			3mo	2mo	3mo			author-last pr-closed pr-unreviewed recv recv-q
26		Missing CONTRIBUTING.md			5mo	5mo	5mo			recv
15		Feature: Support for ECC certs Similar: #5433: Support certs that live for < 1h (closed)			11mo	11mo	11mo			recv similar
14		Annotation generates CertificatesRequests repeatedly until blocked by letsencrypt Similar: #176: certificateDuration is not used for the Istio CSR generated certificate requests (open)			1y	1y	1y			recv similar
13		Can the plugin be configured to use a wildcard certificate?			1y	10mo	1y			recv recv-q
12		Does this plugin support DNS validation?			1y	1y	1y			recv
46		Cert-manager operator fails to issue certificates Similar: #3896: Cert Manager failing to renew certificate (open)			2y	2y	2y			recv similar
22		Customize the deployment of cert-manager installed via OLM		5 6	2y	9mo	1y			author-last commented recv recv-q
17		Operator prevents passing extraArgs helm value		7	3y	9mo	3y			recv recv-q
3		Restrict operator RBAC permissions			3y	3y	3y			recv
47		Race condition: CertificateRequests may never be fulfilled if the issuer was overwhelmed			7mo	7mo	7mo			recv
45		Exponential backoff handling does not apply to certificate renewal in pending phase			7mo	7mo	7mo			recv
40		Optional auto rotating/renewing certificates			11mo	11mo	11mo			recv
33		Create e2e test to validate CertificateRequest garbage collection Similar: #6342: CertificateRequest name collisions in v1.13.0 (closed)			1y	1y	1y			assigned recv similar
41		Question: enable Server-Side Apply (SSA)			2mo	2mo	2mo			recv

Items that have not been commented on within 60 days (136)

Resolution: Comment or close the issue

Average age: 664.5d, Avg wait: 342.0d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
4950		General flakiness of our end-to-end suite		3	2y	1y	1y		lifecycle/frozen kind/flake	commented member-last pr-closed pr-merged send
1168		docs: Add info about client side certificate rotation best practices.		23	4y	3y	3y		help wanted lifecycle/frozen kind/documentation priority/backlog	collaborator-last commented pr-closed send
1174		Document the docker images and how to find them			8mo	7mo	7mo		good first issue priority/important-soon kind/documentation	commented member-last send
1168		Rendering issues for generated API docs			8mo	8mo	8mo			commented member-last pr-merged
1132		New version of adcs-issuer			9mo	7mo	8mo		priority/backlog	commented member-last send
981		The `kubectl operator install` instructions are broken (after upgrading kubectl operator v0.3.0 -> v0.4.0) PR#1249: Correct `kubectl operator install` for latest version of operator-sdk changes-requested		2	1y	1y	1y			commented member-last pr-changes-requested
776		Explain that you can pre-provision a Secret and Certificate.Spec.SecretName can refer to an existing Secret			2y	2y	2y			commented member-last send
753		Route53 - AWS IAM Account Setup is confusing			2y	1y	1y		priority/backlog	commented member-last send
693		Azure DNS pod identity incorrectly documents principal_id			2y	2y	2y			commented member-last send
583		cert-manager with ZeroSSL Similar: #5921: cert-manager issue.. SSL is on and off (closed)		44	2y	1y	1y			commented send similar
551		Documentation on how to handle large-scale certificate management & best practices		2	2y	7mo	7mo		help wanted priority/important-longterm kind/documentation	commented member-last send
532		Rework of the landing page (cert-manager.io)		3	2y	2y	2y		help wanted good first issue	commented member-last send
486		OpenShift - broken link			2y	2y	2y			commented member-last send
459		cert manager is no longer on the OpenShift operator list Similar: #168: Install in openshift with existing cert-manager operator install (open) Similar: #39: Support latest cert-manager operator for openshift (open)			2y	1y	2y		priority/awaiting-more-evidence	assigned assignee-updated commented contributor-last recv-q send similar
425		Document ocspServers			2y	2y	2y		kind/documentation	commented member-last
414		Explain cert-manager repo structure		2	2y	2y	2y		priority/backlog kind/documentation	assigned assignee-updated commented member-last pr-closed pr-merged send
386		Uninstalling on Kubernetes - How to delete all those user created resources?			2y	2y	2y			collaborator-last commented send
330		Case for CertificatePrivateKey (encoding, algorithm) is wrong (v1)			3y	3y	3y			collaborator-last commented send
326		Securing Ingresses with Venafi Similar: #866: Securing NGINX-ingress (open)			3y	3y	3y			collaborator-last commented send similar
320		Document how to install cert-manager using gitops and known issues with particular gitops implementations		3	3y	7mo	3y		documentation help wanted priority/backlog	commented contributor-last
295		Route53			3y	2y	2y		kind/documentation	commented member-last send
237		docs for ACMEChallengeSolverHTTP01Ingress doesn't specify what `class` values are available			3y	3y	3y		priority/backlog kind/documentation	collaborator-last commented pr-closed send
234		Backup and Restore Resources		3	3y	2y	2y		priority/backlog kind/documentation	commented member-last pr-merged send
223		Document wildcard certificate tutorial			3y	3y	3y		priority/important-longterm kind/documentation	commented contributor-last send
197		Document ACME account mismatch			3y	3y	3y		good first issue priority/backlog kind/documentation	collaborator-last commented
195		Document keystores			3y	7mo	3y		priority/important-soon kind/documentation	commented contributor-last send
174		Add documentation for CRD conversion webhook ca injection			3y	3y	3y		help wanted priority/important-soon kind/documentation	commented member-last send
130		FAQ: How does cert-manager handle ingresses with valid TLS secrets?			3y	3y	3y		help wanted priority/backlog kind/documentation	commented contributor-last send
56		Route53: document use of "region" field			3y	7mo	7mo		documentation priority/important-longterm	commented contributor-last send
401		Bring tutorials up to date			2y	7mo	7mo		priority/important-longterm	commented member-last send
543		Add getting started documentation for users who want to quickly use cert-manager to issue LetsEncrypt certificates		4	2y	2y	2y			commented member-last send
79		Design for partial automation of release process			1y	1y	1y			commented member-last send
42		Publish latest release number as part of creating a final release			2y	2y	2y			commented member-last send
31		Move the manual steps of our release process to cmrel commands			2y	2y	2y			commented member-last pr-closed
50		Move cert-manager-release infrastructure to CNCF's GCP account			2y	2y	2y			commented member-last
19		Incorrect command line help: should include a --branch argument			3y	2y	2y		kind/cleanup	commented contributor-last
27		Create cert-manager specific testing infrastructure			2y	2y	2y			assigned assignee-updated commented member-last pr-merged send
161		updating ConfigMap data doesn't stop			1y	1y	1y			collaborator-last commented send
133		latest supported cert-manager version with cert-manager-istio-csr?			2y	2y	2y			collaborator-last commented send
131		metrics to check certificate expiry for istio workloads ?			2y	2y	2y			collaborator-last commented send
106		Helm chart is failing with "certificate.spec.revisionHistoryLimit" issue			2y	2y	2y			collaborator-last commented send
87		Failing to integrate with GCP CAS			2y	2y	2y			collaborator-last commented send
84		csr readiness probe failed, istio ingress pod also failed		2	2y	2y	2y		support	collaborator-last commented send
64		Is there way to hot restart envoy proxy using istio-csr? I'm trying to renew root certificate by changing the istio-ca secret manually. The workload does not pick the new root certificate unless I delete the workload pods			2y	2y	2y			commented send
53		Generate workload certificates with DNS in the SAN			2y	2y	2y			commented recv-q send
60		overriding trusted namespace Similar: #145: Override namespace installation (open)		4 5	11mo	5mo	8mo			commented recv-q send similar
45		Unable to mount and read only file error		4	2y	8mo	1y			commented recv-q send
116		Does csi-driver support Wìndows nodes?			1y	11mo	11mo			collaborator-last commented send
70		OLM deployment with ArgoCD is OutOfSync			1y	1y	1y			commented send
87 previously listed items omitted