I found out recently that I could no longer request SSL certificates using cert-manager’s deprecated APIs. This article describes the steps I took to upgrade cert-manager and some of the error messages I encountered during the process. The whole upgrade took 1 hour and 15 minutes.
- Kubernetes 1.16+ (I used 1.18)
- kubectl 1.16+ (I used 1.18)
$ kubectl get -o yaml -n cert-manager secrets > cert-manager-secrets.yaml
Back up relevant objects
$ kubectl get -o yaml \
    --all-namespaces \
    issuer,clusterissuer,certificates > cert-manager-backup.yaml
Uninstall the old cert-manager
The old cert-manager was installed using a Helm chart:
$ helm delete <helm-release-name>
Delete the cert-manager namespace
$ kubectl delete namespace cert-manager
Remove the old CRDs
$ kubectl delete crd clusterissuers.certmanager.k8s.io
$ kubectl delete crd issuers.certmanager.k8s.io
$ kubectl delete crd challenges.certmanager.k8s.io
$ kubectl delete crd certificates.certmanager.k8s.io
Check for stuck CRDs
If a CRD cannot be deleted, check for finalizers in the CRD’s manifest. Remove the finalizers from the manifest and try to delete the CRD again.
This time, I installed from Jetstack’s manifests and did not use Helm.
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
Verify pods are running
$ kubectl get pods -n cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-789fdcb77f-7qcgg              1/1     Running   0          3m6s
cert-manager-cainjector-6f6d6cb496-hzhzt   1/1     Running   0          3m7s
cert-manager-webhook-5c79844f4f-kwskp      1/1     Running   0          3m5s
Update API endpoints from backup
I recommend using a text editor to find-and-replace
Remove outdated syntax (e.g. http01) (see Issuer/ClusterIssuer issues).
Apply manifests to restore from backup
$ kubectl apply -f cert-manager-secrets.yaml
$ kubectl apply -f cert-manager-backup.yaml
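The find-and-replace and outdated-syntax check from the "Update API endpoints from backup" step can be scripted so the backup is verified before it is applied. This is an added example, not part of the original procedure; it assumes the backup uses `certmanager.k8s.io/v1alpha1` and that `cert-manager.io/v1` is the target API version, and the function names and sample manifest are constructed for illustration.

```shell
# Added example: migrate a cert-manager backup manifest and check it before re-applying.
OLD_GROUP_RE='certmanager\.k8s\.io'   # old API group, as in the CRD names deleted above
NEW_API='cert-manager.io/v1'          # assumption: API version to target on v1.2.0

# migrate_backup IN OUT: rewrite only the apiVersion lines; IN is left untouched.
migrate_backup() {
    sed -E "s#^([ -]*apiVersion: *)${OLD_GROUP_RE}/v1alpha1#\\1${NEW_API}#" "$1" > "$2"
}

# leftover_refs FILE: list remaining mentions of the old group (annotations, labels).
leftover_refs() {
    grep -n "$OLD_GROUP_RE" "$1" || true
}

# legacy_solvers FILE: list http01/dns01 keys that are not nested under "solvers:".
legacy_solvers() {
    awk '
        !NF { next }
        {
            indent = match($0, /[^ ]/) - 1
            item = (substr($0, indent + 1, 2) == "- ")
            # a solvers block ends at a shallower line or at a sibling key
            if (in_s && (indent < s_ind || (indent == s_ind && !item))) in_s = 0
        }
        /^ *(- )?solvers:/ { in_s = 1; s_ind = indent; next }
        /^ *(- )?(http01|dns01):/ && !in_s { print NR ":" $0 }
    ' "$1"
}

# preflight IN OUT: migrate, then return 1 if OUT still needs manual edits.
preflight() {
    migrate_backup "$1" "$2" || return 2
    findings=$(leftover_refs "$2"; legacy_solvers "$2")
    [ -z "$findings" ] && return 0
    printf 'edit %s before kubectl apply:\n%s\n' "$2" "$findings" >&2
    return 1
}

# write_sample FILE: constructed old-style ClusterIssuer, not taken from a real cluster.
write_sample() {
    cat > "$1" <<'EOF'
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: example-issuer
spec:
  acme:
    http01: {}
EOF
}
```

After sourcing these functions, `preflight cert-manager-backup.yaml migrated.yaml` (the output name is a placeholder) writes the migrated copy and returns non-zero while lines still need manual editing.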