diff --git a/.spelling b/.spelling
index ee9ccea2f23..dac3c06a191 100644
--- a/.spelling
+++ b/.spelling
@@ -443,6 +443,7 @@ namespaced
 namespaces
 ndegory
 oauth2
+OAuth
 onwards
 openshift-supported-versions
 plaintext
diff --git a/content/docs/cli/cainjector.md b/content/docs/cli/cainjector.md
index fc8c598ad4c..dbbb17fd862 100644
--- a/content/docs/cli/cainjector.md
+++ b/content/docs/cli/cainjector.md
@@ -15,28 +15,37 @@ Usage:
 cainjector [flags]
 
 Flags:
- --config string Path to a file containing a CAInjectorConfiguration object used to configure the controller
- --enable-apiservices-injectable Inject CA data to annotated APIServices. This functionality is not required if cainjector is only used as cert-manager's internal component and setting it to false might reduce memory consumption (default true)
- --enable-certificates-data-source Enable configuring cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. This data source can be disabled to reduce memory consumption if you only use cainjector as part of cert-manager's installation (default true)
- --enable-customresourcedefinitions-injectable Inject CA data to annotated CustomResourceDefinitions. This functionality is not required if cainjecor is only used as cert-manager's internal component and setting it to false might slightly reduce memory consumption (default true)
- --enable-mutatingwebhookconfigurations-injectable Inject CA data to annotated MutatingWebhookConfigurations. This functionality is required for cainjector to work correctly as cert-manager's internal component (default true)
- --enable-profiling Enable profiling for controller.
- --enable-validatingwebhookconfigurations-injectable Inject CA data to annotated ValidatingWebhookConfigurations. This functionality is required for cainjector to correctly function as cert-manager's internal component (default true)
- --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
- AllAlpha=true|false (ALPHA - default=false)
- AllBeta=true|false (BETA - default=false)
- ServerSideApply=true|false (ALPHA - default=false)
- -h, --help help for cainjector
- --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster.
- --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true)
- --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s)
- --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system")
- --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s)
- --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s)
- --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
- --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text")
- --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace.
- --profiler-address string The host and port that Go profiler should listen on, i.e localhost:6060. Ensure that profiler is not exposed on a public address. Profiler will be served at /debug/pprof. (default "localhost:6060")
- -v, --v Level number for the log level verbosity
- --vmodule pattern=N,...
comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
+ --config string Path to a file containing a CAInjectorConfiguration object used to configure the controller
+ --enable-apiservices-injectable Inject CA data to annotated APIServices. This functionality is not required if cainjector is only used as cert-manager's internal component and setting it to false might reduce memory consumption (default true)
+ --enable-certificates-data-source Enable configuring cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. This data source can be disabled to reduce memory consumption if you only use cainjector as part of cert-manager's installation (default true)
+ --enable-customresourcedefinitions-injectable Inject CA data to annotated CustomResourceDefinitions. This functionality is not required if cainjecor is only used as cert-manager's internal component and setting it to false might slightly reduce memory consumption (default true)
+ --enable-mutatingwebhookconfigurations-injectable Inject CA data to annotated MutatingWebhookConfigurations. This functionality is required for cainjector to work correctly as cert-manager's internal component (default true)
+ --enable-profiling Enable profiling for controller.
+ --enable-validatingwebhookconfigurations-injectable Inject CA data to annotated ValidatingWebhookConfigurations. This functionality is required for cainjector to correctly function as cert-manager's internal component (default true)
+ --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
+ AllAlpha=true|false (ALPHA - default=false)
+ AllBeta=true|false (BETA - default=false)
+ ServerSideApply=true|false (ALPHA - default=false)
+ -h, --help help for cainjector
+ --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster.
+ --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true)
+ --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s)
+ --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system")
+ --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s)
+ --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s)
+ --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
+ --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text".
(default "text")
+ --metrics-dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates
+ --metrics-dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs metrics serving certificates
+ --metrics-dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the metrics dynamic serving CA
+ --metrics-dynamic-serving-leaf-duration duration leaf duration of metrics serving certificates (default 168h0m0s)
+ --metrics-listen-address string The host and port that the metrics endpoint should listen on. The value '0' disables the metrics server (default "0.0.0.0:9402")
+ --metrics-tls-cert-file string path to the file containing the TLS certificate to serve metrics with
+ --metrics-tls-cipher-suites strings Comma-separated list of cipher suites for the metrics server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
+ --metrics-tls-min-version string Minimum TLS version supported by the metrics server.
If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
+ --metrics-tls-private-key-file string path to the file containing the TLS private key to serve metrics with
+ --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace.
+ --profiler-address string The host and port that Go profiler should listen on, i.e localhost:6060. Ensure that profiler is not exposed on a public address. Profiler will be served at /debug/pprof. (default "localhost:6060")
+ -v, --v Level number for the log level verbosity
+ --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
 ```
diff --git a/content/docs/cli/controller.md b/content/docs/cli/controller.md
index 343cff2f13c..7943f2833fe 100644
--- a/content/docs/cli/controller.md
+++ b/content/docs/cli/controller.md
@@ -21,7 +21,7 @@ Flags:
 --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m")
 --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi")
 --acme-http01-solver-run-as-non-root Defines the ability to run the http01 solver as root for troubleshooting issues (default true)
- --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme])
+ --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate an ingress is requesting a certificate (default [kubernetes.io/tls-acme])
 --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true)
 --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system")
 --concurrent-workers int The number of concurrent workers for each controller. (default 5)
@@ -51,6 +51,7 @@ Flags:
 ServerSideApply=true|false (ALPHA - default=false)
 StableCertificateRequestName=true|false (BETA - default=true)
 UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
+ UseDomainQualifiedFinalizer=true|false (ALPHA - default=false)
 ValidateCAA=true|false (ALPHA - default=false)
 -h, --help help for controller
 --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata.
diff --git a/content/docs/cli/webhook.md b/content/docs/cli/webhook.md
index 64b4d08e932..b4ef77b6313 100644
--- a/content/docs/cli/webhook.md
+++ b/content/docs/cli/webhook.md
@@ -14,31 +14,40 @@ Usage:
 webhook [flags]
 
 Flags:
- --api-server-host string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted.
- --config string Path to a file containing a WebhookConfiguration object used to configure the webhook
- --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates
- --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates
- --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA
- --dynamic-serving-leaf-duration duration leaf duration of serving certificates (default 168h0m0s)
- --enable-profiling Enable profiling for webhook.
- --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
- AdditionalCertificateOutputFormats=true|false (BETA - default=true)
- AllAlpha=true|false (ALPHA - default=false)
- AllBeta=true|false (BETA - default=false)
- LiteralCertificateSubject=true|false (BETA - default=true)
- NameConstraints=true|false (ALPHA - default=false)
- OtherNames=true|false (ALPHA - default=false)
- --healthz-port int32 port number to listen on for insecure healthz connections (default 6080)
- -h, --help help for webhook
- --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used
- --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
- --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text")
- --profiler-address string Address of the Go profiler (pprof). This should never be exposed on a public interface. If this flag is not set, the profiler is not run.
(default "localhost:6060")
- --secure-port int32 port number to listen on for secure TLS connections (default 6443)
- --tls-cert-file string path to the file containing the TLS certificate to serve with
- --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
- --tls-min-version string Minimum TLS version supported. If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
- --tls-private-key-file string path to the file containing the TLS private key to serve with
- -v, --v Level number for the log level verbosity
- --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
+ --api-server-host string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted.
+ --config string Path to a file containing a WebhookConfiguration object used to configure the webhook
+ --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates
+ --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates
+ --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA
+ --dynamic-serving-leaf-duration duration leaf duration of serving certificates (default 168h0m0s)
+ --enable-profiling Enable profiling for webhook.
+ --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
+ AdditionalCertificateOutputFormats=true|false (BETA - default=true)
+ AllAlpha=true|false (ALPHA - default=false)
+ AllBeta=true|false (BETA - default=false)
+ LiteralCertificateSubject=true|false (BETA - default=true)
+ NameConstraints=true|false (ALPHA - default=false)
+ OtherNames=true|false (ALPHA - default=false)
+ --healthz-port int32 port number to listen on for insecure healthz connections (default 6080)
+ -h, --help help for webhook
+ --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used
+ --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
+ --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text".
(default "text")
+ --metrics-dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates
+ --metrics-dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs metrics serving certificates
+ --metrics-dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the metrics dynamic serving CA
+ --metrics-dynamic-serving-leaf-duration duration leaf duration of metrics serving certificates (default 168h0m0s)
+ --metrics-listen-address string The host and port that the metrics endpoint should listen on. The value '0' disables the metrics server (default "0.0.0.0:9402")
+ --metrics-tls-cert-file string path to the file containing the TLS certificate to serve metrics with
+ --metrics-tls-cipher-suites strings Comma-separated list of cipher suites for the metrics server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
+ --metrics-tls-min-version string Minimum TLS version supported by the metrics server.
If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
+ --metrics-tls-private-key-file string path to the file containing the TLS private key to serve metrics with
+ --profiler-address string Address of the Go profiler (pprof). This should never be exposed on a public interface. If this flag is not set, the profiler is not run. (default "localhost:6060")
+ --secure-port int32 port number to listen on for secure TLS connections (default 6443)
+ --tls-cert-file string path to the file containing the TLS certificate to serve with
+ --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
+ --tls-min-version string Minimum TLS version supported. If omitted, the default Go minimum version will be used.
Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
+ --tls-private-key-file string path to the file containing the TLS private key to serve with
+ -v, --v Level number for the log level verbosity
+ --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
 ```
diff --git a/content/docs/configuration/venafi.md b/content/docs/configuration/venafi.md
index 17e77a29fcd..a1a9e564d40 100644
--- a/content/docs/configuration/venafi.md
+++ b/content/docs/configuration/venafi.md
@@ -239,6 +239,11 @@ spec:
     tpp:
       url: https://tpp.venafi.example/vedsdk # Change this to the URL of your TPP instance
       caBundle:
+      ## Use only caBundle above or the caBundleSecretRef below. Secret can be created from a ca.crt file by running below command
+      ## kubectl create secret generic custom-tpp-ca --from-file=/my/certs/ca.crt -n
+      # caBundleSecretRef:
+      #   name: custom-tpp-ca
+      #   key: ca.crt
       credentialsRef:
         name: tpp-secret
 ```
diff --git a/content/docs/devops-tips/prometheus-metrics.md b/content/docs/devops-tips/prometheus-metrics.md
index d3d897798e1..1ca58e06ced 100644
--- a/content/docs/devops-tips/prometheus-metrics.md
+++ b/content/docs/devops-tips/prometheus-metrics.md
@@ -3,7 +3,7 @@ title: Prometheus Metrics
 description: 'cert-manager usage: Prometheus metrics'
 ---
 
-To help with operations and insights into cert-manager activities, cert-manager exposes metrics in the [Prometheus](https://prometheus.io/) format from the controller component. These are available at the standard `/metrics` path of the controller component's configured HTTP port.
+To help with operations and insights into cert-manager activities, cert-manager exposes metrics in the [Prometheus](https://prometheus.io/) format from the controller, webhook and cainjector components. These are available at the standard `/metrics` endpoint on port `9402` of each component Pod.
 
 ## Scraping Metrics
 
@@ -11,34 +11,18 @@ How metrics are scraped will depend how you're operating your Prometheus server(
 
 ### Helm
 
-If you're deploying cert-manager with helm, a `ServiceMonitor` resource can be configured. This configuration should enable metric scraping, and the configuration can be further tweaked as described in the [Helm configuration documentation](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/README.template.md#configuration).
+If you're deploying cert-manager with helm, a `PodMonitor` resource can be configured. This configuration should enable metric scraping, and the configuration can be further tweaked as described in the [Helm configuration documentation](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/README.template.md#configuration).
 
 ```yaml
 prometheus:
   enabled: true
-  servicemonitor:
+  podmonitor:
     enabled: true
 ```
 
 ### Regular Manifests
 
-If you're not using helm to deploy cert-manager and instead using the provided regular YAML manifests, this example `PodMonitor` and deployment patch should be all you need to start ingesting cert-manager metrics.
-
-1. [Apply the following patch](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-strategic-merge-patch-to-update-a-deployment) to your cert-manager deployment
-
-```yaml
-spec:
-  template:
-    spec:
-      containers:
-      - name: cert-manager-controller
-        ports:
-        - containerPort: 9402
-          name: http
-          protocol: TCP
-```
-
-2. Create the following `PodMonitor`
+If you're not using helm to deploy cert-manager and instead using the provided regular YAML manifests, this example `PodMonitor` should be all you need to start ingesting cert-manager metrics.
 
 ```yaml
 apiVersion: monitoring.coreos.com/v1
@@ -50,18 +34,28 @@ metadata: app: cert-manager app.kubernetes.io/name: cert-manager app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" spec: jobLabel: app.kubernetes.io/name selector: - matchLabels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - cainjector + - cert-manager + - webhook + - key: app.kubernetes.io/instance + operator: In + values: + - release-name + - key: app.kubernetes.io/component + operator: In + values: + - cainjector + - controller + - webhook podMetricsEndpoints: - port: http-metrics - honorLabels: true ``` ### TLS 
@@ -70,78 +64,121 @@ TLS can be enabled on the metrics endpoint for end-to-end encryption. This is ac #### Static certificates -Static certificates can be provided to the cert-manager controller to use when listening on the metric endpoint. If the certificate files are changed then cert-manager will reload the certificates for zero-downtime rotation. +Static certificates can be provided to the cert-manager to use when listening on the metric endpoint. If the certificate files are changed then cert-manager will reload the certificates for zero-downtime rotation. Static certificates can be specified via the flags `--metrics-tls-cert-file` and `--metrics-tls-private-key-file` or the corresponding config file parameters `metricsTLSConfig.filesystem.certFile` and `metricsTLSConfig.filesystem.keyFile`. The certificate and private key must be mounted into the controller pod for this to work, if cert-manager is deployed using helm the `.volumes[]` and `.mounts[]` properties can facilitate this. -An example config file would be: +An example Helm values file would be: ```yaml -apiVersion: controller.config.cert-manager.io/v1alpha1 -kind: ControllerConfiguration -metricsTLSConfig: - filesystem: - certFile: "/path/to/cert.pem" - keyFile: "/path/to/key.pem" +# values.yaml +prometheus: + enabled: true +config: + metricsTLSConfig: + filesystem: + certFile: "/path/to/cert.pem" + keyFile: "/path/to/key.pem" +webhook: + config: + metricsTLSConfig: + filesystem: + certFile: "/path/to/cert.pem" + keyFile: "/path/to/key.pem" +cainjector: + config: + metricsTLSConfig: + filesystem: + certFile: "/path/to/cert.pem" + keyFile: "/path/to/key.pem" ``` #### Dynamic certificates -In this mode cert-manager will create a CA in a named secret, then use this CA to sign the metrics endpoint certificate. This mode will also take care of rotation, auto rotating the certificate as required. 
+In this mode cert-manager will create a CA in a named Secret, then use this CA to sign the metrics endpoint certificates. This mode will also take care of rotation, auto rotating the certificate as required. -Dynamic certificates can be specified via the flags `--metrics-dynamic-serving-ca-secret-namespace`, `--metrics-dynamic-serving-ca-secret-name` and `--metrics-dynamic-serving-dns-names` or the corresponding config file parameters `metricsTLSConfig.dynamic.secretNamespace`, `metricsTLSConfig.dynamic.secretName` and `metricsTLSConfig.dynamic.dnsNames`. +Dynamic certificates can be specified via the flags `--metrics-dynamic-serving-ca-secret-namespace`, `--metrics-dynamic-serving-ca-secret-name` and `--metrics-dynamic-serving-dns-names` or the corresponding config file parameters `metricsTLSConfig.dynamic.secretNamespace`, `metricsTLSConfig.dynamic.secretName` and `metricsTLSConfig.dynamic.dnsNames`. -An example config file would be: +An example Helm values file would be: ```yaml -apiVersion: controller.config.cert-manager.io/v1alpha1 -kind: ControllerConfiguration -metricsTLSConfig: - dynamic: - secretNamespace: "cert-manager" - secretName: "cert-manager-metrics-ca" - dnsNames: - - cert-manager-metrics - - cert-manager-metrics.cert-manager - - cert-manager-metrics.cert-manager.svc -``` - -When using Prometheus the CA generated by the generated certificate authority can be trusted as part of the `PodMonitor` or `ServiceMonitor` spec: - -```yaml -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: cert-manager - namespace: cert-manager - labels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" -spec: - jobLabel: app.kubernetes.io/name - selector: - matchLabels: - app: cert-manager - app.kubernetes.io/name: cert-manager - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: "controller" - podMetricsEndpoints: - - port: 
http-metrics +# values.yaml +prometheus: + enabled: true + podmonitor: + enabled: true + endpointAdditionalProperties: scheme: https - honorLabels: true - # TLS config trusting the CA and specifying the server name tlsConfig: serverName: cert-manager-metrics ca: secret: name: cert-manager-metrics-ca key: "tls.crt" +config: + metricsTLSConfig: + dynamic: + secretNamespace: "cert-manager" + secretName: "cert-manager-metrics-ca" + dnsNames: + - cert-manager-metrics +webhook: + config: + metricsTLSConfig: + dynamic: + secretNamespace: "cert-manager" + secretName: "cert-manager-metrics-ca" + dnsNames: + - cert-manager-metrics +cainjector: + config: + metricsTLSConfig: + dynamic: + secretNamespace: "cert-manager" + secretName: "cert-manager-metrics-ca" + dnsNames: + - cert-manager-metrics ``` +> ℹ️ This configuration will result in a single new Secret `cert-manager/cert-manager-metrics-ca` containing a CA. +> The first `controller`, `webook`, or `cainjector` Pod will create the CA Secret and the others will then use it. +> +> All the controller, webhook, and cainjector Pods will generate their own unique metrics serving certificates +> and sign them with the CA private key. +> +> The `PodMonitor` is configured to read the public certificate from the CA Secret +> and Prometheus will use that CA when it connects to the metrics servers of each of the matching Pods. +> +> All the serving certificates share the same DNS name. +> That same name must be added to the `PodMonitor` +> and Prometheus will use that hostname when it connects to the metrics servers of each of the matching Pods. 
+ +##### Troubleshooting + +Check the controller, webhook and cainjector logs to see the CA certificate and serving certificates being created and updated: + +```sh +kubectl -n cert-manager logs -l app.kubernetes.io/instance=cert-manager --prefix +``` + +```console +I0719 15:21:28.113411 1 dynamic_source.go:172] "Detected root CA rotation - regenerating serving certificates" logger="cert-manager" +I0719 15:21:28.115018 1 dynamic_source.go:290] "Updated cert-manager TLS certificate" logger="cert-manager" DNSNames=["cert-manager-metrics"] +``` + +Check the connection to the metrics endpoint using `kubectl port-forward` and `curl`: + +```sh +kubectl port-forward -n cert-manager deployment/cert-manager-webhook 9402 +curl --insecure -v https://localhost:9402/metrics +``` + +Check the health of the cert-manager scrape targets on the Prometheus status page: + +![](/docs/devops-tips/prometheus-metrics/prometheus-status-targets.png) + ## Monitoring Mixin Monitoring mixins are a way to bundle common alerts, rules, and dashboards for an application in a configurable and extensible way, using the Jsonnet data templating language. A cert-manager monitoring mixin can be found here https://gitlab.com/uneeq-oss/cert-manager-mixin. Documentation on usage can be found with the `cert-manager-mixin` project. diff --git a/content/docs/installation/configuring-components.md b/content/docs/installation/configuring-components.md index 20f90436f01..6e6f53476ba 100644 --- a/content/docs/installation/configuring-components.md +++ b/content/docs/installation/configuring-components.md @@ -55,6 +55,7 @@ featureGates: UseCertificateRequestBasicConstraints: true OtherNames: true NameConstraints: true + UseDomainQualifiedFinalizer: true ``` > **Note:** This is included as an example only and not intended to be used as default settings. diff --git a/content/docs/manifest.json b/content/docs/manifest.json index a9a340d8d54..58442bb795d 100644 --- a/content/docs/manifest.json 
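Review bot: The troubleshooting step `curl --insecure -v https://localhost:9402/metrics` disables certificate verification, so it only proves the endpoint answers over TLS and not that the serving certificate chains to the CA in `cert-manager-metrics-ca`, which is the thing Prometheus will actually check; a verified check would extract the CA and pin the DNS name, e.g. `kubectl -n cert-manager get secret cert-manager-metrics-ca -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.crt` followed by `curl --cacert ca.crt --resolve cert-manager-metrics:9402:127.0.0.1 https://cert-manager-metrics:9402/metrics`. The callout should also say that the `tlsConfig.ca.secret` reference in the PodMonitor is, as far as I know, resolved in the PodMonitor's own namespace, so the PodMonitor must live in the same namespace as the CA Secret for the `cert-manager/cert-manager-metrics-ca` reference to work. Since all three components now read the CA private key from that Secret, it is worth a sentence noting that the Secret should be restricted by RBAC to those components, because anyone able to read it can mint certificates Prometheus will trust. Minor wording in the new text: `webook` in the callout should be `webhook`, and `provided to the cert-manager to use` reads better as `provided to cert-manager to use`.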
+++ b/content/docs/manifest.json @@ -19,6 +19,14 @@ "title": "Supported Releases", "path": "/docs/releases/README.md" }, + { + "title": "1.16", + "path": "/docs/releases/release-notes/release-notes-1.16.md" + }, + { + "title": "Upgrade 1.15 to 1.16", + "path": "/docs/releases/upgrading/upgrading-1.15-1.16.md" + }, { "title": "1.15", "path": "/docs/releases/release-notes/release-notes-1.15.md" diff --git a/content/docs/reference/api-docs.md b/content/docs/reference/api-docs.md index eb030dfcc2a..e9e7eddb1d0 100644 --- a/content/docs/reference/api-docs.md +++ b/content/docs/reference/api-docs.md @@ -765,6 +765,19 @@ description: >-

+ + + podTemplate +
+ + ACMEChallengeSolverHTTP01IngressPodTemplate + + + + (Optional) +

Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.

+ +

ACMEChallengeSolverHTTP01Ingress

@@ -906,7 +919,7 @@ description: >- (Optional) -

Annotations that should be added to the create ACME HTTP01 solver pods.

+

Annotations that should be added to the created ACME HTTP01 solver pods.

@@ -922,6 +935,132 @@ description: >- +

ACMEChallengeSolverHTTP01IngressPodSecurityContext

+

(Appears on: ACMEChallengeSolverHTTP01IngressPodSpec)

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+ seLinuxOptions +
+ + Kubernetes core/v1.SELinuxOptions + +
+ (Optional) +

The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

+
+ runAsUser +
+ int64 +
+ (Optional) +

The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

+
+ runAsGroup +
+ int64 +
+ (Optional) +

The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

+
+ runAsNonRoot +
+ bool +
+ (Optional) +

Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

+
+ supplementalGroups +
+ []int64 +
+ (Optional) +

A list of groups applied to the first process run in each container, in addition to the container’s primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.

+
+ fsGroup +
+ int64 +
+ (Optional) +

A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:

+
    +
  1. The owning GID will be the FSGroup
  2. +
  3. The setgid bit is set (new files created in the volume will be owned by FSGroup)
  4. +
  5. The permission bits are OR’d with rw-rw—-
  6. +
+

If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.

+
+ sysctls +
+ + []Kubernetes core/v1.Sysctl + +
+ (Optional) +

Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.

+
+ fsGroupChangePolicy +
+ + Kubernetes core/v1.PodFSGroupChangePolicy + +
+ (Optional) +

fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are “OnRootMismatch” and “Always”. If not specified, “Always” is used. Note that this field cannot be set when spec.os.name is windows.

+
+ seccompProfile +
+ + Kubernetes core/v1.SeccompProfile + +
+ (Optional) +

The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.

+

ACMEChallengeSolverHTTP01IngressPodSpec

(Appears on: ACMEChallengeSolverHTTP01IngressPodTemplate)

@@ -1005,10 +1144,23 @@ description: >-

If specified, the pod’s imagePullSecrets

+ + + securityContext +
+ + ACMEChallengeSolverHTTP01IngressPodSecurityContext + + + + (Optional) +

If specified, the pod’s security context

+ +

ACMEChallengeSolverHTTP01IngressPodTemplate

-

(Appears on: ACMEChallengeSolverHTTP01Ingress)

+

(Appears on: ACMEChallengeSolverHTTP01GatewayHTTPRoute, ACMEChallengeSolverHTTP01Ingress)

@@ -1117,6 +1269,19 @@ description: >-

If specified, the pod’s imagePullSecrets

+ + + +
+ securityContext +
+ + ACMEChallengeSolverHTTP01IngressPodSecurityContext + +
+ (Optional) +

If specified, the pod’s security context

+
@@ -1816,7 +1981,7 @@ description: >- (Optional) -

If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.

+

If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.

@@ -1826,7 +1991,12 @@ description: >- string -

Always set the region when using AccessKeyID and SecretAccessKey

+ (Optional) +

Override the AWS region.

+

Route53 is a global service and does not have regional endpoints but the region specified here (or via environment variables) is used as a hint to help compute the correct AWS credential scope and partition when it connects to Route53. See: - Amazon Route 53 endpoints and quotas- Global services

+

If you omit this region field, cert-manager will use the region from AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set in the cert-manager controller Pod.

+

The region field is not needed if you use IAM Roles for Service Accounts (IRSA). Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: Amazon EKS Pod Identity Webhook. In this case this region field value is ignored.

+

The region field is not needed if you use EKS Pod Identities. Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: Amazon EKS Pod Identity Agent, In this case this region field value is ignored.

@@ -2563,7 +2733,7 @@ description: >-

"invalid"

-

Invalid signifies that an ACME resource is invalid for some reason. If an Order is marked ‘invalid’, one of its validations be have invalid for some reason. This is a final state.

+

Invalid signifies that an ACME resource is invalid for some reason. If an Order is marked ‘invalid’, one of its validations must be invalid for some reason. This is a final state.

@@ -2723,6 +2893,26 @@ description: >-

featureGates is a map of feature names to bools that enable or disable experimental features.

+ + + metricsListenAddress +
+ string + + +

The host and port that the metrics endpoint should listen on. The value “0” disables the metrics server. Defaults to ‘0.0.0.0:9402’.

+ + + + + metricsTLSConfig +
+ github.com/cert-manager/cert-manager/pkg/apis/config/shared/v1alpha1.TLSConfig + + +

metricsTLSConfig is used to configure the metrics server TLS settings.

+ +

EnableDataSourceConfig

@@ -2743,7 +2933,7 @@ description: >- bool -

Certificates detemines whether cainjector’s control loops will watch cert-manager Certificate resources as potential sources of CA data. If not set, defaults to true.

+

Certificates determines whether cainjector’s control loops will watch cert-manager Certificate resources as potential sources of CA data. If not set, defaults to true.

@@ -2950,7 +3140,23 @@ description: >- (Optional)

How long before the currently issued certificate’s expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and renewBefore=10m, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. when there are 10 minutes remaining until the certificate is no longer valid).

NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate.

-

If unset, this defaults to 13 of the issued certificate’s lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.

+

If unset, this defaults to 13 of the issued certificate’s lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. Cannot be set if the renewBeforePercentage field is set.

+ + + + + renewBeforePercentage +
+ int32 + + + (Optional) +

renewBeforePercentage is like renewBefore, except it is a relative percentage rather than an absolute duration. For example, if a certificate is valid for 60 minutes, and renewBeforePercentage=25, cert-manager will begin to attempt to renew the certificate 45 minutes after it was issued (i.e. when there are 15 minutes (25%) remaining until the certificate is no longer valid).

+

NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate.

+

+ Value must be an integer in the range (0,100). The minimum effective + renewBefore derived from the renewBeforePercentage and duration fields is 5 minutes. Cannot be set if the renewBefore field is set. +

@@ -3632,7 +3838,7 @@ description: >-

CertificateCondition

(Appears on: CertificateStatus)

-

CertificateCondition contains condition information for an Certificate.

+

CertificateCondition contains condition information for a Certificate.

@@ -3717,7 +3923,7 @@ description: >-

CertificateConditionType (string alias)

(Appears on: CertificateCondition)

-

CertificateConditionType represents an Certificate condition value.

+

CertificateConditionType represents a Certificate condition value.

@@ -3857,7 +4063,7 @@ description: >- @@ -3979,7 +4185,7 @@ description: >-

CertificateRequestConditionType (string alias)

(Appears on: CertificateRequestCondition)

-

CertificateRequestConditionType represents an Certificate condition value.

+

CertificateRequestConditionType represents a Certificate condition value.

(Optional)

RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed.

-

If set to Never, a private key will only be generated if one does not already exist in the target spec.secretName. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is Never for backward compatibility.

+

If set to Never, a private key will only be generated if one does not already exist in the target spec.secretName. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is Never for backward compatibility.

@@ -4336,7 +4542,23 @@ description: >- (Optional)

How long before the currently issued certificate’s expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and renewBefore=10m, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. when there are 10 minutes remaining until the certificate is no longer valid).

NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate.

-

If unset, this defaults to 13 of the issued certificate’s lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.

+

If unset, this defaults to 13 of the issued certificate’s lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. Cannot be set if the renewBeforePercentage field is set.

+ + + + + @@ -4583,7 +4805,7 @@ description: >- @@ -5558,7 +5780,7 @@ description: >-

VaultAuth

(Appears on: VaultIssuer)

-

VaultAuth is configuration used to authenticate with a Vault server. The order of precedence is [tokenSecretRef, appRole or kubernetes].

+

VaultAuth is configuration used to authenticate with a Vault server. The order of precedence is [tokenSecretRef, appRole, clientCertificate or kubernetes].

+ renewBeforePercentage +
+ int32 +
+ (Optional) +

renewBeforePercentage is like renewBefore, except it is a relative percentage rather than an absolute duration. For example, if a certificate is valid for 60 minutes, and renewBeforePercentage=25, cert-manager will begin to attempt to renew the certificate 45 minutes after it was issued (i.e. when there are 15 minutes (25%) remaining until the certificate is no longer valid).

+

NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate.

+

+ Value must be an integer in the range (0,100). The minimum effective + renewBefore derived from the renewBeforePercentage and duration fields is 5 minutes. Cannot be set if the renewBefore field is set. +

(Optional) -

LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset.

+

LastFailureTime is set only if the latest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset.

@@ -5594,6 +5816,19 @@ description: >-

AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.

+ + + +
+ clientCertificate +
+ + VaultClientCertificateAuth + +
+ (Optional) +

ClientCertificate authenticates with Vault by presenting a client certificate during the request’s TLS handshake. Works only when using HTTPS protocol.

+
kubernetes @@ -5609,6 +5844,54 @@ description: >-
+

VaultClientCertificateAuth

+

(Appears on: VaultAuth)

+
+

VaultKubernetesAuth is used to authenticate against Vault using a client certificate stored in a Secret.

+
+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+ mountPath +
+ string +
+ (Optional) +

The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to /v1/auth/foo, will use the path /v1/auth/foo/login to authenticate with Vault. If unspecified, the default value “/v1/auth/cert” will be used.

+
+ secretName +
+ string +
+ (Optional) +

Reference to Kubernetes Secret of type “kubernetes.io/tls” (hence containing tls.crt and tls.key) used to authenticate to Vault using TLS client authentication.

+
+ name +
+ string +
+ (Optional) +

Name of the certificate role to authenticate against. If not set, matching any certificate role, if available.

+

VaultIssuer

(Appears on: IssuerConfig)

@@ -5900,7 +6183,7 @@ description: >- -

CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, ‘username’ and ‘password’.

+

CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. The secret must contain the key ‘access-token’ for the Access Token Authentication, or two keys, ‘username’ and ‘password’ for the API Keys Authentication.

@@ -5914,6 +6197,19 @@ description: >-

Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.

+ + + caBundleSecretRef +
+ + SecretKeySelector + + + + (Optional) +

Reference to a Secret containing a base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.

+ +

X509Subject

@@ -6209,7 +6505,7 @@ description: >- string -

If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched”

+

If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched

@@ -6291,7 +6587,7 @@ description: >- []string -

Specify which annotations should/shouldn’t be copied from Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes. A prefix starting with a dash(-) specifies an annotation that shouldn’t be copied. Example: ‘*,-kubectl.kuberenetes.io/’- all annotations will be copied apart from the ones where the key is prefixed with ‘kubectl.kubernetes.io/’.

+

Specify which annotations should/shouldn’t be copied from Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes. A prefix starting with a dash(-) specifies an annotation that shouldn’t be copied. Example: ‘*,-kubectl.kubernetes.io/’- all annotations will be copied apart from the ones where the key is prefixed with ‘kubectl.kubernetes.io/’.

@@ -6474,7 +6770,7 @@ description: >- []string -

The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate

+

The annotation consumed by the ingress-shim controller to indicate an ingress is requesting a certificate

@@ -6633,7 +6929,7 @@ description: >-

SecretKeySelector

(Appears on: ACMEExternalAccountBinding, ACMEIssuer, ACMEIssuerDNS01ProviderAcmeDNS, ACMEIssuerDNS01ProviderAkamai, ACMEIssuerDNS01ProviderAzureDNS, ACMEIssuerDNS01ProviderCloudDNS, ACMEIssuerDNS01ProviderCloudflare, ACMEIssuerDNS01ProviderDigitalOcean, ACMEIssuerDNS01ProviderRFC2136, - ACMEIssuerDNS01ProviderRoute53, JKSKeystore, PKCS12Keystore, VaultAppRole, VaultAuth, VaultIssuer, VaultKubernetesAuth, VenafiCloud) + ACMEIssuerDNS01ProviderRoute53, JKSKeystore, PKCS12Keystore, VaultAppRole, VaultAuth, VaultIssuer, VaultKubernetesAuth, VenafiCloud, VenafiTPP)

A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.

@@ -6783,9 +7079,29 @@ description: >-

featureGates is a map of feature names to bools that enable or disable experimental features.

+ + + metricsListenAddress +
+ string + + +

The host and port that the metrics endpoint should listen on. The value “0” disables the metrics server. Defaults to ‘0.0.0.0:9402’.

+ + + + + metricsTLSConfig +
+ github.com/cert-manager/cert-manager/pkg/apis/config/shared/v1alpha1.TLSConfig + + +

metricsTLSConfig is used to configure the metrics server TLS settings.

+ +

- Generated with gen-crd-api-reference-docs on git commit 35e27b7. + Generated with gen-crd-api-reference-docs on git commit 67c897d.

diff --git a/content/docs/releases/README.md b/content/docs/releases/README.md index e8694fa0f75..d08dec98214 100644 --- a/content/docs/releases/README.md +++ b/content/docs/releases/README.md @@ -25,17 +25,17 @@ should be stable enough to run. | Release | Release Date | End of Life | [Supported Kubernetes / OpenShift Versions][s] | [Tested Kubernetes Versions][test] | |:------------:|:------------:|:----------------------:|:----------------------------------------------:|:----------------------------------:| +| [1.16][] | Oct 03, 2024 | Release of 1.18 | 1.25 → 1.31 / 4.14 → 4.16 | 1.27 → 1.31 | | [1.15][] | Jun 05, 2024 | Release of 1.17 | 1.25 → 1.31 / 4.12 → 4.16 | 1.25 → 1.31 | -| [1.14][] | Feb 03, 2024 | Release of 1.16 | 1.24 → 1.31 / 4.11 → 4.16 | 1.24 → 1.29 | | [1.12 LTS][] | May 19, 2023 | May 19, 2025 | 1.22 → 1.31 / 4.9 → 4.16 | 1.22 → 1.29 | cert-manager 1.12 is a Long Term Support (LTS) release sponsored by [Venafi](https://www.venafi.com/). It will continue to be supported for at least 2 years from release. ## Upcoming releases -| Release | Release Date | End of Life | [Supported Kubernetes / OpenShift Versions][s] | -|:--------:|:------------:|:----------------:|:----------------------------------------------:| -| [1.16][] | Oct 03, 2024 | Release of 1.18 | 1.27 → 1.31 / 4.14 → 4.16 | +| Release | Release Date | End of Life | [Supported Kubernetes / OpenShift Versions][s] | +|:--------:|:------------:|:---------------:|:----------------------------------------------:| +| [1.17][] | Feb 03, 2025 | Release of 1.19 | 1.27 → 1.31 / 4.14 → 4.16 | Dates in the future are not firm commitments and are subject to change. 
@@ -295,6 +295,7 @@ are no longer supported. | Release | Release Date | EOL | Compatible Kubernetes versions | Compatible OpenShift versions | |----------|:------------:|:------------:|:------------------------------:|:-----------------------------:| +| [1.14][] | Feb 03, 2024 | Oct 03, 2024 | 1.24 → 1.31 | 4.11 → 4.16 | | [1.13][] | Sep 12, 2023 | Jun 05, 2024 | 1.21 → 1.27 | 4.8 → 4.14 | | [1.11][] | Jan 11, 2023 | Sep 12, 2023 | 1.21 → 1.27 | 4.8 → 4.14 | | [1.10][] | Oct 17, 2022 | May 19, 2023 | 1.20 → 1.26 | 4.7 → 4.13 | @@ -317,7 +318,8 @@ are no longer supported. [s]: #kubernetes-supported-versions [test]: #supported-vs-tested -[1.16]: https://github.com/cert-manager/cert-manager/milestone/38 +[1.17]: https://github.com/cert-manager/cert-manager/milestone/39 +[1.16]: ./release-notes/release-notes-1.16.md [1.15]: ./release-notes/release-notes-1.15.md [1.14]: ./release-notes/release-notes-1.14.md [1.13]: ./release-notes/release-notes-1.13.md diff --git a/content/docs/releases/release-notes/release-notes-1.16.md b/content/docs/releases/release-notes/release-notes-1.16.md new file mode 100644 index 00000000000..ffb064e3b44 --- /dev/null +++ b/content/docs/releases/release-notes/release-notes-1.16.md 
@@ -0,0 +1,285 @@ +--- +title: Release 1.16 +description: 'cert-manager release notes: cert-manager 1.16' +--- + +The cert-manager 1.16 release includes: new Helm chart features, more Prometheus +metrics, memory optimizations, and various improvements and bug fixes for the +ACME issuer and Venafi Issuer. + +## Breaking changes + +1. Helm schema validation may reject your existing Helm values files if they contain typos or unrecognized fields. + For more details, refer to the [Helm](#helm) section below. +1. Venafi Issuer may fail to renew certificates if the requested duration conflicts with the CA’s minimum or maximum policy settings in Venafi. + For more details, refer to the [Venafi Issuer](#venafi-issuer) section below. +1. Venafi Issuer may fail to renew Certificates if the issuer has been configured for TPP with username-password authentication. + For more details, refer to the [Venafi Issuer](#venafi-issuer) section below. + +## Themes + +### Helm + +The Helm chart now includes a JSON schema which will validate the values that you supply when installing the chart. +This will help you to get your Helm values right first time. +It will alert you to typos and unrecognized fields in your existing Helm values files. +And it will make it easier for the cert-manager maintainers to maintain the Helm chart, +avoiding typos and mistakes in the default values file. + +> ⚠️ Helm schema validation may reject your existing Helm values files if they contain typos or unrecognized fields. +> You can use `helm template` to test your Helm values before you upgrade: +> ```bash +> helm template cert-manager \ +> --repo https://charts.jetstack.io \ +> --version [[VAR::cert_manager_latest_version]] \ +> --values values.cert-manager.yaml +> ``` +> Here's an example of an error that would be caught by the schema validation: +> ```yaml +> # values.cert-manager.yaml +> global: +> logLevel: debug # ❗ Should be an integer. 
+> ``` +> ```console +> Error: values don't meet the specifications of the schema(s) in the following chart(s): +> cert-manager: +> - global.logLevel: Invalid type. Expected: number, given: string +> ``` +> +> ℹ️ The schema files are generated by [helm-tool](https://github.com/cert-manager/helm-tool), a utility which generates Helm docs, schema files and performs linting. +> +> 📖 Read [Helm: Charts: Schema Files](https://helm.sh/docs/topics/charts/#schema-files) to learn more. + +### Extended Metrics + +The webhook and cainjector components now have metrics servers, +so that platform teams can monitor the performance of all the cert-manager components +and gain more information about the underlying Go runtime in the event of a problem. +Read the [Prometheus Metrics](../../devops-tips/prometheus-metrics.md) page to learn more. + +### Venafi Issuer + +We've made some important improvements to the Venafi Issuer. + +If you use the Venafi Issuer with a TPP server with username-password authentication, +cert-manager 1.16 now uses OAuth authentication instead of the deprecated API Key authentication. +This is a potentially breaking change, because you may need to reconfigure your TPP server to enable OAuth authentication, +and you may need to reconfigure the cert-manager service accounts in TPP to work with OAuth. + +The desired `certificate.spec.duration` value will now be sent to the Venafi API server. +The default value for `certificate.spec.duration` is 90 days, but you may have changed this in your Certificate resources. +Your Venafi issuing template may be configured to ignore the requested `From` and `To` times, +in which case nothing will change. +Your Venafi issuing template may be configured with a maximum or a minimum duration, +in which case your certificate requests may fail after you upgrade to cert-manager 1.16. +Consider this carefully when upgrading to cert-manager 1.16. 
+ +When connecting to Venafi TPP, cert-manager can now load the CA certificate from a Secret resource. +This allows you to manage the CA with familiar tools such as trust-manager. + +Read the [Venafi Issuer](../../configuration/venafi.md#creating-a-venafi-trust-protection-platform-issuer) page to learn more. + +### Route53 DNS01 Solver Cleanup + +The Route53 DNS01 solver code had become over-complicated due to its age and due +to the variety of authentication methods that have been added over the years. +When we upgraded to `AWS SDK for Go V2`in the last release, we did not have a +good understanding of the new SDK and we were not able to test it thoroughly +with all authentication methods. In this release we started putting that right. + +In this release we have tidied up the code and added more logging so that it is +easier to debug problems in the field. +We have improved the documentation of the Route53 API fields, particularly the region field, +where we have tried to describe where and how cert-manager uses that value. + +We have relaxed the API validation so that the `region` field is now optional. +cert-manager will now fall back to using the `AWS_REGION` environment variable of the controller Pod, +regardless of which authentication mechanism is used. + +Users who use IAM Roles for Service accounts or Pod Identity need +not specify the region, but if your Issuer or ClusterIssuer does include a region (for the sake of satisfying the old API validation), +that issuer region will be ignored, if the `AWS_REGION` environment variable is set. + +cert-manager will now use regional STS endpoints, when using `AssumeRole` or when +using a dedicated (non-mounted) Kubernetes ServiceAccount. +The regional endpoint will be computed based on the Issuer `region` field, +or the `AWS_REGION` environment variable. 
+ +> ℹ️ This change only affects the `AssumeRole` configuration, which is used for cross-account authentication, +> and the `AssumeRoleWithWebIdentity` configuration, where the user supplies the name of a Kubernetes ServiceAccount. +> It does not affect you if you have configured the cert-manager ServiceAccount for [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html), +> where the ServiceAccount token is mounted in to the cert-manager controller Pod. +> Regional STS endpoints were already being used in that case. +> +> ℹ️ There are good reasons to use regional STS endpoints, summarized as follows on the [Amazon AWS blog](https://aws.amazon.com/blogs/security/how-to-use-regional-aws-sts-endpoints/): +> +> > Although the global (legacy) AWS STS endpoint https://sts.amazonaws.com is highly available, it’s hosted in a single AWS Region — US East (N. Virginia) — and like other endpoints, it doesn’t provide automatic fail-over to endpoints in other Regions. +> +> 📖 Read [Manage AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +to learn about which regions support STS. +> +> 📖 Read [AWS STS Regional endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html), +to learn how to configure the use of regional STS endpoints using environment variables. + +Read the [ACME Issuer Route53](../../configuration/acme/dns01/route53.md) page to learn more. + +### Memory Optimizations + +We have continued our effort to reduce the memory footprint of cert-manager. + +The cainjector no longer caches Secret data; instead it only caches the metadata of Secret resources. +This significantly reduces its memory usage. +It also reduces the load on the Kubernetes API server, when cainjector starts up, +because it no longer needs to send all the data of all the Secret resources over the network. 
+ +cert-manager now uses client-go `v0.31.0` which [supports a new `WatchListClient` feature](https://relnotes.k8s.io/?markdown=WatchListClient). +This enables cert-manager to make use of the [Streaming Lists feature of the Kubernetes API server](https://kubernetes.io/docs/reference/using-api/api-concepts/#streaming-lists). +This reduces the load on the Kubernetes API server, +because cert-manager components will no longer request complete unpaged lists of all API resources when they start up. +And it reduces the peak memory use of the cert-manager components when they startup, +because they no longer have to hold a duplicate unpaged list of resources in-memory +while they add them to the client side cache. +To use this feature, you first need to enable the `WatchList` feature in the Kubernetes API server, +which is available since Kubernetes 1.27. +Second, you need to enable the client-go `WatchListClient` feature in the cert-manager components. +If you installed cert-manager using Helm, you can use the following Helm values: + +``` +# values.cert-manager.yaml +extraEnv: + - name: KUBE_FEATURE_WatchListClient + value: "true" +cainjector: + extraEnv: + - name: KUBE_FEATURE_WatchListClient + value: "true" +webhook: + extraEnv: + - name: KUBE_FEATURE_WatchListClient + value: "true" +``` + + +You will see log messages reporting the state of the client-go feature gates, when cert-manager starts up. +And if you increase the logging verbosity, you will see `sendInitialEvents=true` and `resourceVersionMatch=NotOlderThan` among the requests. 
+For example: + +```console +Feature gate updated state [caller=features/envvar.go:169 enabled=true feature=WatchListClient] +GET https://10.96.0.1:443/api/v1/secrets?allowWatchBookmarks=true&labelSelector=%21controller.cert-manager.io%2Ffao&resourceVersionMatch=NotOlderThan&sendInitialEvents=true&timeout=6m49s&timeoutSeconds=409&watch=true 200 OK in 2 milliseconds [caller=transport/round_trippers.go:553] +``` + +Read [Kubernetes API Concepts: Streaming Lists](https://kubernetes.io/docs/reference/using-api/api-concepts/#streaming-lists), +to learn more. +Read [Introducing Feature Gates to Client-Go: Enhancing Flexibility and Control](https://kubernetes.io/blog/2024/08/12/feature-gates-in-client-go), +to learn about enabling and disabling client-go features. + +### Logging + +We have improved the signal-to-noise ratio in the logs. + +The controller has a new feature gate: `UseDomainQualifiedFinalizer`. +This changes the finalizer added to ACME Challenge resources, +from `finalizer.acme.cert-manager.io` to `acme.cert-manager.io/finalizer`. +The new finalizer name is [compliant with Kubernetes standards](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#finalizers), +and will resolve warnings in cert-manager-controller pods of the form: +> `W0910 20:07:22.491920 1 warnings.go:70] metadata.finalizers: "finalizer.acme.cert-manager.io": prefer a domain-qualified finalizer name to avoid accidental conflicts with other finalizer writers` + +Read [cert-manager component configuration: Feature gates](../../installation/configuring-components.md#feature-gates) to learn more. + +cert-manager now uses client-go `v0.31.0`, which removes a lot of noisy errors from logs, of the form: +> `reflector.go: unable to sync list result: internal error: cannot cast object DeletedFinalStateUnknown` + +Read [cert-manager issue 6753](https://github.com/cert-manager/cert-manager/issues/6753) to learn more. 
+ +## Community + +Thanks to all our open-source contributors with commits in this release, including: +[`@Guitarkalle`](https://github.com/Guitarkalle), +[`@Jasper-Ben`](https://github.com/Jasper-Ben), +[`@aidy`](https://github.com/aidy), +[`@bdols`](https://github.com/bdols), +[`@cbroglie`](https://github.com/cbroglie), +[`@eplightning`](https://github.com/eplightning), +[`@hawksight`](https://github.com/hawksight), +[`@joshmue`](https://github.com/joshmue), +[`@jrcichra`](https://github.com/jrcichra), +[`@jsoref`](https://github.com/jsoref), +[`@miguelvr`](https://github.com/miguelvr), +[`@mindw`](https://github.com/mindw), +[`@sankalp-at-gh`](https://github.com/sankalp-at-gh). + +Thanks also to the following cert-manager maintainers for their contributions during this release: +[`@SgtCoDFish`](https://github.com/SgtCoDFish), +[`@ThatsMrTalbot`](https://github.com/ThatsMrTalbot), +[`@inteon`](https://github.com/inteon), +[`@wallrj`](https://github.com/wallrj). + +Equally thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack and joined our meetings! + +Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer. + +In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects. 
+ +## Changes since `v1.15.0` + +### Feature + +- Add `SecretRef` support for Venafi TPP issuer CA Bundle ([#7036](https://github.com/cert-manager/cert-manager/pull/7036), [`@sankalp-at-gh`](https://github.com/sankalp-at-gh)) +- Add `renewBeforePercentage` alternative to `renewBefore` ([#6987](https://github.com/cert-manager/cert-manager/pull/6987), [`@cbroglie`](https://github.com/cbroglie)) +- Add a metrics server to the cainjector ([#7194](https://github.com/cert-manager/cert-manager/pull/7194), [`@wallrj`](https://github.com/wallrj)) +- Add a metrics server to the webhook ([#7182](https://github.com/cert-manager/cert-manager/pull/7182), [`@wallrj`](https://github.com/wallrj)) +- Add client certificate auth method for Vault issuer ([#4330](https://github.com/cert-manager/cert-manager/pull/4330), [`@joshmue`](https://github.com/joshmue)) +- Add process and go runtime metrics for controller ([#6966](https://github.com/cert-manager/cert-manager/pull/6966), [`@mindw`](https://github.com/mindw)) +- Added `app.kubernetes.io/managed-by: cert-manager` label to the cert-manager-webhook-ca Secret ([#7154](https://github.com/cert-manager/cert-manager/pull/7154), [`@jrcichra`](https://github.com/jrcichra)) +- Allow the user to specify a Pod template when using GatewayAPI HTTP01 solver, this mirrors the behavior when using the Ingress HTTP01 solver. ([#7211](https://github.com/cert-manager/cert-manager/pull/7211), [`@ThatsMrTalbot`](https://github.com/ThatsMrTalbot)) +- Create token request RBAC for the cert-manager ServiceAccount by default ([#7213](https://github.com/cert-manager/cert-manager/pull/7213), [`@Jasper-Ben`](https://github.com/Jasper-Ben)) +- Feature: Append cert-manager user-agent string to all AWS API requests, including IMDS and STS requests. 
([#7295](https://github.com/cert-manager/cert-manager/pull/7295), [`@wallrj`](https://github.com/wallrj)) +- Feature: Log AWS SDK warnings and API requests at cert-manager debug level to help debug AWS Route53 problems in the field. ([#7292](https://github.com/cert-manager/cert-manager/pull/7292), [`@wallrj`](https://github.com/wallrj)) +- Feature: The Route53 DNS solver of the ACME Issuer will now use regional STS endpoints computed from the region that is supplied in the Issuer spec or in the `AWS_REGION` environment variable. + Feature: The Route53 DNS solver of the ACME Issuer now uses the "ambient" region (`AWS_REGION` or `AWS_DEFAULT_REGION`) if `issuer.spec.acme.solvers.dns01.route53.region` is empty; regardless of the flags `--issuer-ambient-credentials` and `--cluster-issuer-ambient-credentials`. ([#7299](https://github.com/cert-manager/cert-manager/pull/7299), [`@wallrj`](https://github.com/wallrj)) +- Helm: adds JSON schema validation for the Helm values. ([#7069](https://github.com/cert-manager/cert-manager/pull/7069), [`@inteon`](https://github.com/inteon)) +- If the `--controllers` flag only specifies disabled controllers, the default controllers are now enabled implicitly. + Added `disableAutoApproval` and `approveSignerNames` Helm chart options. ([#7049](https://github.com/cert-manager/cert-manager/pull/7049), [`@inteon`](https://github.com/inteon)) +- Make it easier to configure cert-manager using Helm by defaulting `config.apiVersion` and `config.kind` within the Helm chart. ([#7126](https://github.com/cert-manager/cert-manager/pull/7126), [`@ThatsMrTalbot`](https://github.com/ThatsMrTalbot)) +- Now passes down specified duration to Venafi client instead of using the CA default only. ([#7104](https://github.com/cert-manager/cert-manager/pull/7104), [`@Guitarkalle`](https://github.com/Guitarkalle)) +- Reduce the memory usage of `cainjector`, by only caching the metadata of Secret resources. 
+ Reduce the load on the K8S API server when `cainjector` starts up, by only listing the metadata of Secret resources. ([#7161](https://github.com/cert-manager/cert-manager/pull/7161), [`@wallrj`](https://github.com/wallrj)) +- The Route53 DNS01 solver of the ACME Issuer can now detect the AWS region from the `AWS_REGION` and `AWS_DEFAULT_REGION` environment variables, which is set by the IAM for Service Accounts (IRSA) webhook and by the Pod Identity webhook. + The `issuer.spec.acme.solvers.dns01.route53.region` field is now optional. + The API documentation of the `region` field has been updated to explain when and how the region value is used. ([#7287](https://github.com/cert-manager/cert-manager/pull/7287), [`@wallrj`](https://github.com/wallrj)) +- Venafi TPP issuer can now be used with a username & password combination with OAuth. Fixes #4653. + Breaking: cert-manager will no longer use the API Key authentication method which was deprecated in 20.2 and since removed in 24.1 of TPP. ([#7084](https://github.com/cert-manager/cert-manager/pull/7084), [`@hawksight`](https://github.com/hawksight)) +- You can now configure the pod security context of HTTP-01 solver pods. ([#5373](https://github.com/cert-manager/cert-manager/pull/5373), [`@aidy`](https://github.com/aidy)) +- Helm: New value `webhook.extraEnv`, allows you to set custom environment variables in the webhook Pod. + Helm: New value `cainjector.extraEnv`, allows you to set custom environment variables in the cainjector Pod. + Helm: New value `startupapicheck.extraEnv`, allows you to set custom environment variables in the startupapicheck Pod. ([#7319](https://github.com/cert-manager/cert-manager/pull/7319), [`@wallrj`](https://github.com/wallrj)) + +### Bug or Regression + +- Adds support (behind a flag) to use a domain qualified finalizer. 
If the feature is enabled (which is not by default), it should prevent Kubernetes from reporting: `metadata.finalizers: "finalizer.acme.cert-manager.io": prefer a domain-qualified finalizer name to avoid accidental conflicts with other finalizer writers` ([#7273](https://github.com/cert-manager/cert-manager/pull/7273), [`@jsoref`](https://github.com/jsoref)) +- BUGFIX Route53: explicitly set the `aws-global` STS region which is now required by the `github.com/aws/aws-sdk-go-v2` library. ([#7108](https://github.com/cert-manager/cert-manager/pull/7108), [`@inteon`](https://github.com/inteon)) +- BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. ([#7105](https://github.com/cert-manager/cert-manager/pull/7105), [`@inteon`](https://github.com/inteon)) +- BUGFIX: the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. This will cause the webhook TLS server to fail renewing its CA certificate. Please upgrade before the expiration of this CA certificate is reached. ([#7230](https://github.com/cert-manager/cert-manager/pull/7230), [`@inteon`](https://github.com/inteon)) +- Bugfix: Prevent aggressive Route53 retries caused by IRSA authentication failures by removing the Amazon Request ID from errors wrapped by the default credential cache. ([#7291](https://github.com/cert-manager/cert-manager/pull/7291), [`@wallrj`](https://github.com/wallrj)) +- Bugfix: Prevent aggressive Route53 retries caused by STS authentication failures by removing the Amazon Request ID from STS errors. 
([#7259](https://github.com/cert-manager/cert-manager/pull/7259), [`@wallrj`](https://github.com/wallrj)) +- Bump `grpc-go` to fix `GHSA-xr7q-jx4m-x55m` ([#7164](https://github.com/cert-manager/cert-manager/pull/7164), [`@SgtCoDFish`](https://github.com/SgtCoDFish)) +- Bump the `go-retryablehttp` dependency to fix `CVE-2024-6104` ([#7125](https://github.com/cert-manager/cert-manager/pull/7125), [`@SgtCoDFish`](https://github.com/SgtCoDFish)) +- Fix Azure DNS causing panics whenever authentication error happens ([#7177](https://github.com/cert-manager/cert-manager/pull/7177), [`@eplightning`](https://github.com/eplightning)) +- Fix incorrect indentation of `endpointAdditionalProperties` in the `PodMonitor` template of the Helm chart ([#7190](https://github.com/cert-manager/cert-manager/pull/7190), [`@wallrj`](https://github.com/wallrj)) +- Fixes ACME HTTP01 challenge behavior when using Gateway API to prevent unbounded creation of HTTPRoute resources ([#7178](https://github.com/cert-manager/cert-manager/pull/7178), [`@miguelvr`](https://github.com/miguelvr)) +- Handle errors arising from challenges missing from the ACME server ([#7202](https://github.com/cert-manager/cert-manager/pull/7202), [`@bdols`](https://github.com/bdols)) +- Helm BUGFIX: the cainjector ConfigMap was not mounted in the cainjector deployment. ([#7052](https://github.com/cert-manager/cert-manager/pull/7052), [`@inteon`](https://github.com/inteon)) +- Improve the startupapicheck: validate that the validating and mutating webhooks are doing their job. 
([#7057](https://github.com/cert-manager/cert-manager/pull/7057), [`@inteon`](https://github.com/inteon)) +- The `KeyUsages` X.509 extension is no longer added when there are no key usages set (in accordance to RFC 5280 Section 4.2.1.3) ([#7250](https://github.com/cert-manager/cert-manager/pull/7250), [`@inteon`](https://github.com/inteon)) +- Update `github.com/Azure/azure-sdk-for-go/sdk/azidentity` to address `CVE-2024-35255` ([#7087](https://github.com/cert-manager/cert-manager/pull/7087), [`@dependabot[bot]`](https://github.com/apps/dependabot)) + +### Other (Cleanup or Flake) + +- Old API versions were removed from the codebase. + Removed: + (acme.)cert-manager.io/v1alpha2 + (acme.)cert-manager.io/v1alpha3 + (acme.)cert-manager.io/v1beta1 ([#7278](https://github.com/cert-manager/cert-manager/pull/7278), [`@inteon`](https://github.com/inteon)) +- Upgrading to client-go `v0.31.0` removes a lot of noisy `reflector.go: unable to sync list result: internal error: cannot cast object DeletedFinalStateUnknown` errors from logs. ([#7237](https://github.com/cert-manager/cert-manager/pull/7237), [`@inteon`](https://github.com/inteon)) +- Bump Go to `v1.23.2` ([#7324](https://github.com/cert-manager/cert-manager/pull/7324), [`@cert-manager-bot`](https://github.com/cert-manager-bot)) diff --git a/content/docs/releases/upgrading/upgrading-1.15-1.16.md b/content/docs/releases/upgrading/upgrading-1.15-1.16.md new file mode 100644 index 00000000000..dc95c239c33 --- /dev/null +++ b/content/docs/releases/upgrading/upgrading-1.15-1.16.md 
@@ -0,0 +1,17 @@ +--- +title: Upgrading from v1.15 to v1.16 +description: 'cert-manager installation: Upgrading v1.15 to v1.16' +--- + +Before upgrading cert-manager from 1.15 to 1.16 please read the following important notes about breaking changes in 1.16: + +1. Helm schema validation may reject your existing Helm values files if they contain typos or unrecognized fields. + For more details, refer to the [Helm](../release-notes/release-notes-1.16.md#helm) section in the release notes. +1. Venafi Issuer may fail to renew certificates if the requested duration conflicts with the CA’s minimum or maximum policy settings in Venafi. + For more details, refer to the [Venafi Issuer](../release-notes/release-notes-1.16.md#venafi-issuer) section in the release notes. +1. Venafi Issuer may fail to renew Certificates if the issuer has been configured for TPP with username-password authentication. + For more details, refer to the [Venafi Issuer](../release-notes/release-notes-1.16.md#venafi-issuer) section in the release notes. + +## Next Steps + +From here on you can follow the [regular upgrade process](../../installation/upgrade.md). diff --git a/content/docs/usage/certificate.md b/content/docs/usage/certificate.md index 34bf98d0b4b..03ce0773f27 100644 --- a/content/docs/usage/certificate.md +++ b/content/docs/usage/certificate.md 
@@ -327,11 +327,11 @@ The certificate may get issued successfully, but be rejected by clients during T cert-manager will automatically renew `Certificate`s. It will calculate _when_ to renew a `Certificate` based on the issued X.509 certificate's duration and a 'renewBefore' value which specifies _how long_ before expiry a certificate should be renewed. -`spec.duration` and `spec.renewBefore` fields on a `Certificate` can be used to specify an X.509 certificate's duration and a 'renewBefore' value. Default value for `spec.duration` is 90 days. Some issuers might be configured to only issue certificates with a set duration, so the actual duration may be different. -Minimum value for `spec.duration` is 1 hour and minimum value for `spec.renewBefore` is 5 minutes. +`spec.duration` and `spec.renewBefore`/`spec.renewBeforePercentage` fields on a `Certificate` can be used to specify an X.509 certificate's duration and a 'renewBefore' value. Default value for `spec.duration` is 90 days. Some issuers might be configured to only issue certificates with a set duration, so the actual duration may be different. `spec.renewBefore` specifies an absolute duration, while `spec.renewBeforePercentage` computes the effective 'renewBefore' using the actual duration of the issued certificate. Using `spec.renewBeforePercentage` is recommended to prevent renewal loops in case the actual duration is less than expected. +Minimum value for `spec.duration` is 1 hour and minimum value for effective `spec.renewBefore` is 5 minutes. It is also required that `spec.duration` > `spec.renewBefore`. -Once an X.509 certificate has been issued, cert-manager will calculate the renewal time for the `Certificate`. By default this will be 2/3 through the X.509 certificate's duration. If `spec.renewBefore` has been set, it will be `spec.renewBefore` amount of time before expiry. cert-manager will set `Certificate`'s `status.RenewalTime` to the time when the renewal will be attempted. 
+Once an X.509 certificate has been issued, cert-manager will calculate the renewal time for the `Certificate`. By default this will be 2/3 through the X.509 certificate's duration. If `spec.renewBefore` or `spec.renewBeforePercentage` has been set, it will be the effective `spec.renewBefore` amount of time before expiry. cert-manager will set `Certificate`'s `status.RenewalTime` to the time when the renewal will be attempted. diff --git a/content/docs/variables.json b/content/docs/variables.json index d62331f2691..39d1c770143 100644 --- a/content/docs/variables.json +++ b/content/docs/variables.json @@ -1,3 +1,3 @@ { - "cert_manager_latest_version": "v1.15.3" + "cert_manager_latest_version": "v1.16.0" } diff --git a/public/docs/devops-tips/prometheus-metrics/prometheus-status-targets.png b/public/docs/devops-tips/prometheus-metrics/prometheus-status-targets.png new file mode 100644 index 00000000000..ba6963795c2 Binary files /dev/null and b/public/docs/devops-tips/prometheus-metrics/prometheus-status-targets.png differ diff --git a/scripts/gendocs/generate-new-import-path-docs b/scripts/gendocs/generate-new-import-path-docs index 4e5b812fbd0..31592e2b56e 100755 --- a/scripts/gendocs/generate-new-import-path-docs +++ b/scripts/gendocs/generate-new-import-path-docs @@ -152,8 +152,9 @@ LATEST_VERSION="docs" # to also upgrade a specific version, use v1.13-docs, v1.1 #genversionwithcli "release-1.12" "v1.12-docs" #genversionwithcli "release-1.13" "v1.13-docs" #genversionwithcli "release-1.14" "v1.14-docs" +#genversionwithcli "release-1.15" "v1.15-docs" -genversionwithcli "release-1.15" "$LATEST_VERSION" +genversionwithcli "release-1.16" "$LATEST_VERSION" # Rather than generate the same docs again for /docs, copy from the latest version diff --git a/scripts/gendocs/postprocess/api-doc-postprocess.js b/scripts/gendocs/postprocess/api-doc-postprocess.js index af6c37cccaf..3f91568a95a 100755 --- a/scripts/gendocs/postprocess/api-doc-postprocess.js 
+++ b/scripts/gendocs/postprocess/api-doc-postprocess.js @@ -12,7 +12,7 @@ const { content, data } = matter(apiDocsFile) let result = content -result = prettier.format(`
${result}
`, { +result = await prettier.format(`
${result}
`, { parser: 'babel', htmlWhitespaceSensitivity: 'strict', proseWrap: 'never', @@ -24,7 +24,7 @@ result = prettier.format(`
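Review bot: The `await` added in front of `prettier.format(...)` is a top-level await, which only parses when this script is loaded as an ES module (a `.mjs` extension or `"type": "module"` in the nearest package.json); under CommonJS Node rejects the whole file with a SyntaxError before any line runs. The hunk does not show how `matter` and `prettier` are brought into scope, so please confirm the module type, or wrap the script body in an `async function main()` that is invoked once at the bottom of the file. Awaiting a value that is already a string is a no-op, so the line also keeps working against a Prettier 2 `format` that returns synchronously. The same edit appears in the second hunk of this file (`result = await prettier.format(result, {`), which continues past the end of this view.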
${result}
`, { result = result.split('\n').slice(1, -2).join('\n') result = result.replace(new RegExp(/{" "}/g), ' ') -result = prettier.format(result, { +result = await prettier.format(result, { parser: 'html', proseWrap: 'never', htmlWhitespaceSensitivity: 'strict',