generic Quarterly Scrub :: Triage Party

Once every quarter, look for stale issues, reprioritize, and de-duplicate.

Issues nearing expiration (24)

Resolution: Close or label as frozen

Average age: 263.6d, Avg wait: 49.7d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
5650		provider rfc2136 send updates to top level zone Similar: #5630: provider rfc2136: updates are sent to wrong dns zone (open)			3mo	5d	3mo		kind/bug lifecycle/stale	collaborator-last recv similar
5630		provider rfc2136: updates are sent to wrong dns zone Similar: #5650: provider rfc2136 send updates to top level zone (open)			3mo	12d	3mo		lifecycle/stale	collaborator-last recv similar
5616		Allow Gateway API feature to be enabled in clusters that don't have GWAPI CRDs installed			3mo	7d	3mo		kind/feature lifecycle/stale	collaborator-last commented pr-closed
5615		Integrate cert-manager with DigitalOcean LBs			3mo	17d	3mo		kind/feature lifecycle/stale	collaborator-last recv
5608		Unable to inject linkerd sidecar proxy to Cert-Manager pods			3mo	3wk	3mo		lifecycle/stale	collaborator-last recv recv-q
5596		Current PSP is not sufficient to work with CSI volume			3mo	4wk	3mo		kind/bug lifecycle/stale	collaborator-last recv
5594		Graduate ExperimentalGatewayAPISupport feature to beta			4mo	17d			kind/feature lifecycle/stale	collaborator-last
5581		Best way to migrate a Nginx ingress to cert-manager without downtime			4mo	17d	3mo		lifecycle/stale	collaborator-last commented send
5566		upload Helm charts to OCI registry and sign them with cosign		4	4mo	4wk	3mo		kind/feature lifecycle/stale	collaborator-last commented send
5549		unknown field "enabled" in io.k8s.api.core.v1.PodSecurityContext		2	4mo	12h	4mo		lifecycle/stale	collaborator-last recv recv-q
5543		Using Azure workload identity instead of AAD Pod Identities to configure the AzureDNS DNS01 challenge.			4mo	16d	4mo		kind/feature lifecycle/stale	collaborator-last recv recv-q
5298		Complete the Migration Away From Jetstack Names			8mo	7d	3mo		kind/cleanup lifecycle/stale	collaborator-last commented
5220		Investigate improving resource consumption and performance in clusters with large amount of resources		10	9mo	3wk	5mo		kind/feature lifecycle/stale	collaborator-last commented pr-merged recv-q
5062		Cert-manager stops processing order request in "processing" status after several attempts			11mo	3wk	3mo		kind/bug lifecycle/stale area/acme	collaborator-last commented recv
4931		Enable Testing on ARM64			1y	1d	1y		kind/feature lifecycle/stale	collaborator-last commented recv recv-q
4979		Overhaul the DNS01 solver		5	1y	3h			kind/feature lifecycle/stale	collaborator-last pr-closed
3748		Cert-manager causes API server panic on clusters with more than 20000 secrets.		13	2y	16d	1y		kind/bug lifecycle/stale triage/needs-information	commented pr-merged send
3298		Let's encrypt certificate caching to mitigate rate limits problems		3 13	2y	2wk	1y		help wanted kind/feature priority/backlog lifecycle/stale	collaborator-last commented recv-q send
4570		`RevisionHistoryLimit` has a default value of 25			1y	3d	8mo		release-note area/api size/M lifecycle/stale dco-signoff: yes ok-to-test area/deploy needs-kind	assigned collaborator-last commented new-commits send
5094		WIP server-side apply in tests v2			10mo	3d			size/L release-note-none needs-rebase approved do-not-merge/work-in-progress kind/cleanup lifecycle/stale dco-signoff: yes area/testing	collaborator-last unreviewed
5126		WIP: Only remove the cleanup finalizer if the cleanup succeeds			10mo	3d	10mo		size/L release-note-none needs-rebase approved do-not-merge/work-in-progress kind/cleanup lifecycle/stale area/acme dco-signoff: yes area/testing	collaborator-last commented unreviewed
5447		Allow extra DNS-01 propagation time to be configured			6mo	3d	6mo		release-note size/S lifecycle/stale area/acme dco-signoff: yes ok-to-test area/acme/dns01 needs-kind	collaborator-last commented recv unreviewed
5436		Move CSR resource in design to GA			6mo	3d	6mo		release-note approved size/S kind/design lifecycle/stale dco-signoff: yes	collaborator-last commented reviewed-with-comment send
5378		Unify semver version generation			7mo	3d	6mo		size/L release-note-none needs-rebase approved do-not-merge/work-in-progress kind/cleanup lifecycle/stale dco-signoff: yes	changes-requested collaborator-last commented draft

Features that deserve a follow-up comment: No matching items

Features that have not been commented on within 90 days (3)

Resolution: Comment or close the issue

Average age: 984.0d, Avg wait: 0.0d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
4349		allowing greater configuration for the cloud provider tests			2y	11mo	11mo		lifecycle/frozen kind/feature	collaborator-last commented send
2178		Handling 'unregistering' certificates from Venafi TPP		11	3y	1y	2y		lifecycle/frozen kind/feature priority/important-longterm area/venafi	commented recv-q send
155		Add 'unreleased version' & 'old version' warning banner to non-latest versions of docs			3y	2y	2y		kind/feature priority/backlog	collaborator-last commented send

Bugs that deserve a follow-up comment (6)

Resolution: Comment or close the issue

Average age: 325.2d, Avg wait: 219.9d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
5708		Cert Manager working with only example.com not with svc.cluster.local			2mo	2mo	2mo		kind/bug	collaborator-last recv
5516		Forbidden: seccomp may not be set pod.metadata.annotations		2 10	5mo	2mo	5mo		kind/bug	author-last recv
5069		Error presenting challenge: the server could not find the requested resource even though resource exists			10mo	2mo	10mo		kind/bug	recv
4685		Unexpected EOF during watch stream event decoding: unexpected EOF		5	1y	3mo	1y		lifecycle/frozen kind/bug	recv recv-q
4423		Cert renewal loop		2	2y	2mo	1y		kind/bug	author-last commented recv recv-q
4956		cert-manager created multiple CertificateRequest objects with the same certificate-revision		2 2 3	1y	2mo	1y		kind/bug	commented pr-closed pr-merged pr-unreviewed recv recv-q

Bugs that have not been commented on within 60 days (8)

Resolution: Comment or close the issue

Average age: 382.1d, Avg wait: 164.9d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
5074		Race condition between issuers, certificates, and secrets			10mo	2mo	6mo		lifecycle/frozen kind/bug priority/important-soon	commented member-last pr-closed send
422		Page last modified date incorrect			2y	2y	2y		kind/bug	collaborator-last commented send
6 previously listed items omitted: #5708 #5516 #4423 #5069 #4685 #4956

Items that deserve a follow-up comment (83)

Resolution: Comment or close the issue

Average age: 428.1d, Avg wait: 404.5d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
5673		Error presenting challenge: init sdk: get token: extract secret: resource name may not be empty			2mo	2mo	2mo			author-last recv
3992		Add non-CRD yaml file		2	2y	2mo	2y		priority/important-soon area/deploy	author-last commented recv
1159		Why the sample issuer still uses kubebuilder version 2 ?			2mo	2mo	2mo			recv
1125		Describe cert-manager feature policy			3mo	2mo	3mo			contributor-last recv recv-q
1101		Feature request for updating documentation.			4mo	4mo	4mo			recv
1063		"Securing Ingresses with Venafi" tutorial contains link to missing manifest			6mo	6mo	6mo			author-last pr-merged recv
1062		Document process for offboarding maintainers Similar: #1061: Document onboarding process for new maintainers (open)			6mo	6mo	6mo			recv similar
1061		Document onboarding process for new maintainers Similar: #1062: Document process for offboarding maintainers (open)			6mo	6mo	6mo			recv similar
1054		Run spell checker in a pre-commit hook			7mo	7mo	7mo		good first issue kind/cleanup	recv
1006		Use descriptive text instead of alt for `feature icon`			9mo	9mo	9mo			recv
998		Documentation venafi configuration references venafi documentation page which returns 403			9mo	6mo	9mo			contributor-last recv
993		Document which resources do/do not get garbage collected			9mo	9mo	9mo		good first issue	contributor-last recv
944		Document how to install cert-manager in a different namespace		2	11mo	9mo	11mo		good first issue	assigned assignee-updated contributor-last recv recv-q
931		Improve upgrade instructions using helm			11mo	11mo	11mo			recv
899		Upgrading from v1.7 to v1.8 check command should exclude null.		2	11mo	10mo	11mo			recv recv-q
866		Securing NGINX-ingress Similar: #326: Securing Ingresses with Venafi (open)			1y	1y	1y			recv similar
868		Document RBAC Similar: #844: Document feature gates (open)			1y	1y	1y			contributor-last recv similar
847		missing documentation/information olm based installation metric prometheus			1y	1y	1y			contributor-last recv
841		remove dependency on golang from cmctl and kubectl-plugin installation documentation			1y	1y	1y			contributor-last pr-merged recv recv-q
836		Syncing Secrets Across Namespaces			1y	1y	1y			recv
758		API reference docs: enum values not documented with typedef			1y	1y	1y			recv
851		create Cilium ingress tls example		3	1y	9mo	1y			assigned assignee-updated recv
706		Default key usages			2y	2y	2y			recv
697		[IRSA] Needs `runAsUser: 1001`			2y	2y	2y			recv
672		List required Google CloudDNS permissions exhaustively			2y	2y	2y			recv
662		Using "azureDNS" for the DNS01 Solver results "Multiple user assigned identities exist, please specify the clientId / resourceId"			2y	2y	2y			recv
645		Investigate & add an FAQ/warning about images rolled back after GitOps upgrade			2y	1y	2y			recv recv-q
604		Make it so that it is easier to find the doc for fixing webhook issues			2y	11mo	2y			contributor-last recv
561		Certificate Resources Similar: #5875: Different Certificate resources referring same secret (closed) Similar: #5439: setting certificate attributes in certificate resources (closed)			2y	2y	2y			recv similar
554		HTTP Validation, privateKeySecretRef			2y	2y	2y			contributor-last recv
568		Add a diagram for LetsEncrypt cert issuance flow to the docs		4	2y	2y	2y			recv
484		Please add anchor tags to your subheadings			2y	2y	2y		priority/backlog kind/documentation	commented contributor-last pr-merged recv
469		DNS01: Delegated Domains for DNS01 example yaml solvers list items			2y	2y	2y			recv
466		installation/compatiblity			2y	2y	2y			recv
457		cainjector docs are missing the option to inject certs in apiservice resources			2y	2y	2y			recv
354		DigitalOcean access-token should not be base64-encoded			2y	2y	2y		priority/awaiting-more-evidence	author-last commented recv
76		Upgrading from v0.10 to v0.11 - missing cainjector annotation			3y	2y	3y		priority/backlog kind/documentation	contributor-last recv
176		certificateDuration is not used for the Istio CSR generated certificate requests Similar: #119: Certificate is re-requested when container restarts (open) Similar: #14: Annotation generates CertificatesRequests repeatedly until blocked by letsencrypt (open)			7mo	7mo	7mo			author-last commented recv recv-q similar
155		Invalid certificate chain when using Vault with Intermediate CA			10mo	7mo	10mo			recv
145		*Not able to use Istio-CSR in istio(1.13.)**			11mo	11mo	11mo			author-last commented pr-closed recv
144		add a support kubernetes client QPS and Burst config			11mo	11mo	11mo			recv
141		Istio-csr pods were hung unable to handle request causes entire cluster downtime for new pods/expired pods.			1y	7mo	1y			commented recv recv-q
138		istio-csr doesn't retry upon failed certificate requests			1y	4mo	1y			contributor-last recv
136		Document available metrics Similar: #850: Document available cert-manager Prometheus metrics (open)			1y	1y	1y			recv similar
132		Allow override of istiod-tls certificate common name in helm chert (for non-standard istiod deployments)			1y	1y	1y			recv
130		Document best-practices for minimal vault role configuration for istio-csr			1y	1y	1y			recv
117		public ca.crt aka caBundle is not being updated/propagated until the cert-manager and istiod components are restarted			1y	1y	1y			recv
153		It is possible to have several CAs within the same cluster.			10mo	9mo	10mo			contributor-last recv
108		[doc] confusion with `ca.pem` and Readiness probe failed on ingress and egress gateways			1y	1y	1y			author-last commented recv recv-q
94		Can't get aws pca to work			2y	2y	2y			recv
83		commonName required for AWS PCA			2y	2y	2y			commented recv recv-q
113		Integrating with istio helm chart installs		9	1y	8mo	1y			recv recv-q
179		group 'cert-manager.io' does not work Similar: #532: Rework of the landing page (cert-manager.io) (open)			3mo	3mo	3mo			recv similar
169		Webhook Custom CA			3mo	3mo	3mo			recv
149		Regex to disallow wildcard certificates		2	4mo	4mo	4mo			recv
100		Modifying Bundle target can result in CA certs not being available for a while			2mo	2mo	2mo			recv
99		Allow removing Bundles whilst keeping the synced CA certs			2mo	2mo	2mo			recv
58		Support injection pem into an existing configmap			5mo	5mo	5mo			recv
33		Support CRDs as target Similar: #10: Feature: support secret target (open)		3	9mo	9mo	9mo			recv similar
23		Way to add labels/annotations to target		6	10mo	10mo	10mo			recv
17		Support distribution of PKCS12/JKS truststores		9	11mo	5mo	11mo			recv recv-q
10		Feature: support secret target PR#108: Supporting a secret target commented Similar: #33: Support CRDs as target (open)		12	1y	10mo	1y			commented pr-reviewed-with-comment recv recv-q similar
136		SubPath support is broken or missing			2mo	2mo	2mo			recv
125		Is it too late to align cert-manager annotations?			3mo	3mo	3mo			recv
119		Certificate is re-requested when container restarts Similar: #176: certificateDuration is not used for the Istio CSR generated certificate requests (open)			5mo	5mo	5mo			recv similar
33		New key being used with old certificate			2y	2y	2y			recv
29		Deleting a pod with a cert-manager-csi volume mounted results in the pod termination hanging.			2y	2y	2y			recv
26		Cannot `chmod` a read only filesystem		14	2y	2y	2y			pr-closed recv recv-q
21		MountVolume.SetUp failed: cannot set blockOwnerDeletion: cannot find RESTMapping for APIVersion core/v1 Kind Pod			2y	2y	2y			recv
17		ability to specify pod IP in volume attributes		5	3y	2y	2y			commented recv
128		Support all subject attributes PR#129: Add attribute support for certificate subject commented			3mo	3mo	3mo			pr-reviewed-with-comment recv
19		Add support for certificate expiry configuration		3	5mo	5mo	5mo			recv
14		Annotation generates CertificatesRequests repeatedly until blocked by letsencrypt Similar: #176: certificateDuration is not used for the Istio CSR generated certificate requests (open)			7mo	7mo	7mo			recv similar
13		Can the plugin be configured to use a wildcard certificate?			7mo	3mo	7mo			recv recv-q
12		Does this plugin support DNS validation?			7mo	7mo	7mo			recv
4		Feature: Allow specification of privateKey.rotationPolicy			9mo	8mo	9mo			recv
15		Feature: Support for ECC certs Similar: #5433: Support certs that live for < 1h (open)			4mo	4mo	4mo			recv similar
46		Cert-manager operator fails to issue certificates Similar: #5873: cert-manager failing to generate certificate in kubernetes, how to fix that? (open) Similar: #3896: Cert Manager failing to renew certificate (open) Similar: #5827: Cert-manager fails to integration with Istio (closed)			1y	1y	1y			recv similar
22		Customize the deployment of cert-manager installed via OLM		5 6	2y	3mo	10mo			author-last commented recv recv-q
17		Operator prevents passing extraArgs helm value		7	2y	3mo	2y			recv recv-q
3		Restrict operator RBAC permissions			2y	2y	2y			recv
40		Optional auto rotating/renewing certificates			5mo	5mo	5mo			recv
33		Create e2e test to validate CertificateRequest garbage collection			6mo	6mo	6mo			assigned recv

Items that have not been commented on within 60 days (117)

Resolution: Comment or close the issue

Average age: 536.4d, Avg wait: 282.3d

ID	Au	Desc	As	Rea	Cr	Up	Re	Cmntrs	Labels	Tags
4950		General flakiness of our end-to-end suite		3	1y	8mo	8mo		lifecycle/frozen kind/flake	commented member-last pr-closed pr-merged send
1168		docs: Add info about client side certificate rotation best practices.		21	4y	2y	3y		help wanted lifecycle/frozen kind/documentation priority/backlog	collaborator-last commented pr-closed send
981		The `kubectl operator install` instructions are broken (after upgrading kubectl operator v0.3.0 -> v0.4.0)			10mo	10mo	10mo			commented member-last
776		Explain that you can pre-provision a Secret and Certificate.Spec.SecretName can refer to an existing Secret			1y	1y	1y			commented member-last send
753		Route53 - AWS IAM Account Setup is confusing			1y	10mo	10mo		priority/backlog	commented member-last send
693		Azure DNS pod identity incorrectly documents principal_id			2y	2y	2y			commented member-last send
583		cert-manager with ZeroSSL		44	2y	8mo	8mo			commented send
532		Rework of the landing page (cert-manager.io) Similar: #179: group 'cert-manager.io' does not work (open)		3	2y	1y	2y		help wanted good first issue	commented member-last send similar
543		Add getting started documentation for users who want to quickly use cert-manager to issue LetsEncrypt certificates		4	2y	2y	2y			commented member-last send
486		OpenShift - broken link			2y	2y	2y			commented member-last send
459		cert manager is no longer on the OpenShift operator list			2y	10mo	2y		priority/awaiting-more-evidence	assigned assignee-updated commented contributor-last recv-q send
425		Document ocspServers			2y	2y	2y		kind/documentation	commented member-last
426		Create a sequence diagram that shows how a certificate gets issued with let's encrypt		2	2y	2y	2y			commented member-last pr-merged
414		Explain cert-manager repo structure		2	2y	2y	2y		priority/backlog kind/documentation	assigned assignee-updated commented member-last pr-closed pr-merged send
330		Case for CertificatePrivateKey (encoding, algorithm) is wrong (v1)			2y	2y	2y			collaborator-last commented send
326		Securing Ingresses with Venafi Similar: #866: Securing NGINX-ingress (open)			2y	2y	2y			collaborator-last commented send similar
295		Route53			2y	2y	2y		kind/documentation	commented member-last send
237		docs for ACMEChallengeSolverHTTP01Ingress doesn't specify what `class` values are available			2y	2y	2y		priority/backlog kind/documentation	collaborator-last commented pr-closed send
234		Backup and Restore Resources		3	2y	2y	2y		priority/backlog kind/documentation	commented member-last pr-merged send
223		Document wildcard certificate tutorial			2y	2y	2y		priority/important-longterm kind/documentation	commented contributor-last send
197		Document ACME account mismatch			2y	2y	2y		good first issue priority/backlog kind/documentation	collaborator-last commented
386		Uninstalling on Kubernetes - How to delete all those user created resources?			2y	2y	2y			collaborator-last commented send
130		FAQ: How does cert-manager handle ingresses with valid TLS secrets?			3y	2y	2y		help wanted priority/backlog kind/documentation	commented contributor-last send
174		Add documentation for CRD conversion webhook ca injection			2y	2y	2y		help wanted priority/important-soon kind/documentation	commented member-last send
79		Design for partial automation of release process			9mo	9mo	9mo			commented member-last send
42		Publish latest release number as part of creating a final release			2y	2y	2y			commented member-last send
50		Move cert-manager-release infrastructure to CNCF's GCP account			2y	1y	1y			commented member-last
27		Create cert-manager specific testing infrastructure			2y	2y	2y			assigned assignee-updated commented member-last pr-merged send
19		Incorrect command line help: should include a --branch argument			2y	2y	2y		kind/cleanup	commented contributor-last
31		Move the manual steps of our release process to cmrel commands			2y	2y	2y			commented member-last pr-closed
161		updating ConfigMap data doesn't stop			9mo	9mo	9mo			collaborator-last commented send
106		Helm chart is failing with "certificate.spec.revisionHistoryLimit" issue			1y	1y	1y			collaborator-last commented send
84		csr readiness probe failed, istio ingress pod also failed		2	2y	2y	2y		support	collaborator-last commented send
64		Is there way to hot restart envoy proxy using istio-csr? I'm trying to renew root certificate by changing the istio-ca secret manually. The workload does not pick the new root certificate unless I delete the workload pods			2y	2y	2y			commented send
53		Generate workload certificates with DNS in the SAN			2y	2y	2y			commented recv-q send
133		latest supported cert-manager version with cert-manager-istio-csr?			1y	1y	1y			collaborator-last commented send
87		Failing to integrate with GCP CAS			2y	2y	2y			collaborator-last commented send
131		metrics to check certificate expiry for istio workloads ?			1y	1y	1y			collaborator-last commented send
116		Does csi-driver support Wìndows nodes?			6mo	5mo	5mo			collaborator-last commented send
70		OLM deployment with ArgoCD is OutOfSync			9mo	7mo	7mo			commented send
22		Question: figuring this out as I go, could use a little guidence on this step: add 'kubebuilder CRD Markers'			1y	1y	1y			commented send
76 previously listed items omitted