Reinstalling cert-manager
In some cases there may be a need to do a full uninstall and re-install of cert-manager. For example, this can be needed when a very old cert-manager version has to be brought up to date and it isn't feasible to upgrade one minor version at a time, which is our default recommended upgrade strategy.
If cert-manager CustomResourceDefinitions are also uninstalled, this will mean loss of associated cert-manager custom resources such as Certificates. The main concern associated with this is application downtime and unnecessary certificate reissuance that could happen if Secrets with the X.509 certificates are deleted. You can use the --enable-certificate-owner-ref flag on the cert-manager controller to configure whether the Secrets should be deleted. If this flag is set to true, each Secret will have an owner reference to the Certificate for which it was created and, when the Certificate is deleted, the Secret will be garbage collected. The default value for this flag is false. If the Certificates are deleted and re-applied, but the Secrets remain in the cluster, the newly applied Certificates can pick up the same Secrets and not reissue the X.509 certs unnecessarily.
Important
When uninstalling and re-installing in order to upgrade, you should still read through the release notes for each skipped version.
Some things to look out for when considering uninstalling and re-installing cert-manager including the CRDs:
- Is the --enable-certificate-owner-ref flag currently set to true, or could it have been set to true at some point previously? Due to an earlier issue, the owner reference that gets added to Secrets is not removed when the value of --enable-certificate-owner-ref is changed from true to false.
- Are there currently any certificate issuances in progress? If so, with the custom resources deleted, the progress will be lost. This could potentially cause duplicated issuances.
- Is there a need to convert cert-manager custom resource manifests to the v1 API? You can use the cmctl convert command to do that.
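
A pre-flight check for the first two points above, as an added example that is not part of cert-manager or its documentation: it reads JSON saved from `kubectl get secrets -A -o json` and `kubectl get certificates -A -o json` and reports Secrets that still carry a Certificate owner reference (and would be garbage collected with it) and Certificates whose Issuing condition is True. The function names, the script name and the sample data are assumptions made for illustration.

```python
import json
import sys

# API groups seen in Certificate owner references; the second is the legacy
# group of very old releases (assumption: adjust to what your cluster uses).
CERT_GROUPS = ("cert-manager.io", "certmanager.k8s.io")

def owned_secrets(secret_list):
    """(namespace, secret, certificate) for each Secret owned by a Certificate."""
    found = []
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        for ref in meta.get("ownerReferences") or []:
            group = ref.get("apiVersion", "").split("/")[0]
            if ref.get("kind") == "Certificate" and group in CERT_GROUPS:
                found.append((meta.get("namespace"), meta.get("name"), ref.get("name")))
    return found

def issuing_certificates(cert_list):
    """(namespace, name) for each Certificate whose Issuing condition is True."""
    found = []
    for item in cert_list.get("items", []):
        conds = item.get("status", {}).get("conditions") or []
        if any(c.get("type") == "Issuing" and c.get("status") == "True" for c in conds):
            meta = item.get("metadata", {})
            found.append((meta.get("namespace"), meta.get("name")))
    return found

# Constructed sample input, shaped like `kubectl get <kind> -A -o json` output.
SAMPLE_SECRETS = {"items": [
    {"metadata": {"namespace": "web", "name": "web-tls", "ownerReferences": [
        {"apiVersion": "cert-manager.io/v1", "kind": "Certificate", "name": "web-cert"}]}},
    {"metadata": {"namespace": "db", "name": "db-tls"}},  # no owner reference: survives
]}
SAMPLE_CERTS = {"items": [
    {"metadata": {"namespace": "web", "name": "web-cert"},
     "status": {"conditions": [{"type": "Issuing", "status": "True"}]}},
    {"metadata": {"namespace": "db", "name": "db-cert"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
]}

if __name__ == "__main__":
    # Usage: python preflight.py secrets.json certificates.json (no args: sample data)
    secrets, certs = SAMPLE_SECRETS, SAMPLE_CERTS
    if len(sys.argv) == 3:
        secrets, certs = (json.load(open(p)) for p in sys.argv[1:3])
    for ns, name, cert in owned_secrets(secrets):
        print(f"GC risk: Secret {ns}/{name} is owned by Certificate {cert}")
    for ns, name in issuing_certificates(certs):
        print(f"In progress: Certificate {ns}/{name} is still issuing")
```

An empty report from both functions means no Secret depends on a Certificate for its lifetime and no issuance is mid-flight at the time the JSON was captured.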