Upgrading cert-manager from v0.10 to v1.2.0

I found out recently that I could no longer request SSL certificates using cert-manager’s deprecated APIs. This article describes the steps I took to upgrade cert-manager and some error messages found during the process. Total upgrade time took 1 hour and 15 minutes.

Prerequisites

  • kubernetes 1.16+ (I used 1.18)
  • kubectl 1.16+ (I used 1.18)

Backup secrets

$ kubectl get -o yaml -n cert-manager secrets > cert-manager-secrets.yaml

Backup relevant objects

$ kubectl get -o yaml \
    --all-namespaces \
    issuer,clusterissuer,certificates > cert-manager-backup.yaml

Uninstall the old cert-manager

The old cert-manager was installed using a Helm chart:

$ helm delete <helm-release-name>

Delete the cert-manager namespace

$ kubectl delete namespace cert-manager

Remove the old CRDs

$ kubectl delete crd clusterissuers.certmanager.k8s.io
$ kubectl delete crd issuers.certmanager.k8s.io
$ kubectl delete crd challenges.certmanager.k8s.io
$ kubectl delete crd certificates.certmanager.k8s.io

Check for stuck CRDs

In case CRDs could not be deleted, check for finalizers in the CRD’s manifest. Remove the finalizers from the CRD’s manifest and try to delete the CRD again.

Install cert-manager

This time, I installed using jetstack’s manifests and did not use Helm.

$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml

Verify pods are running

$ kubectl get pods -n cert-manager

Example output:

NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-789fdcb77f-7qcgg              1/1     Running   0          3m6s
cert-manager-cainjector-6f6d6cb496-hzhzt   1/1     Running   0          3m7s
cert-manager-webhook-5c79844f4f-kwskp      1/1     Running   0          3m5s

Update API endpoints from backup

I recommend using a text editor to find-and-replace certmanager.k8s.io/v1alpha1 with cert-manager.io/v1.

Remove outdated syntax (e.g. http01) (see Issuer/ClusterIssuer issues).

Apply manifests to restore from backup

$ kubectl apply -f cert-manager-secrets.yaml
$ kubectl apply -f cert-manager-backup.yaml

See also

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s