Disabling pf9-managed cert-manager
Problem
After upgrading the cluster to version 1.28.6, the cert-manager that gets installed in the luigi-system namespace conflicts with the existing custom cert-manager in the cert-manager namespace. As a result, the cert-manager pods go into an error state.
    % kubectl get pods -A | grep cert-manager
    cert-manager   cert-manager-89b545d6d-zstl8               1/1   Running            2 (3h4m ago)   9h
    cert-manager   cert-manager-cainjector-646bf69b85-xhbxp   0/1   CrashLoopBackOff   64 (78s ago)   9h
    cert-manager   cert-manager-webhook-796478777-qzzfs       1/1   Running            0              9h
    luigi-system   cert-manager-5dcbbc765c-hpbql              1/1   Running            2 (5h3m ago)   8h
    luigi-system   cert-manager-cainjector-6db486b6b7-d8btt   1/1   Running            2 (5h3m ago)   8h
    luigi-system   cert-manager-webhook-57876b9fd-j4f6l       1/1   Running            0              8h
Environment
- Platform9 Managed Kubernetes 5.9.4
- Kubernetes version 1.28.6
Procedure
To completely disable the pf9-managed cert-manager and continue using the custom cert-manager:
- Patch the pf9-addon-operator image to the custom private image, which doesn't install/uninstall the pf9-managed cert-manager. <Need to add the repo details here>
- Apply the script below, which repoints the subjects of all the listed ClusterRoleBindings (CRBs) from the luigi-system namespace to the cert-manager namespace.

    #!/usr/bin/env bash
    # Stop at the first failed patch so the final success message is accurate.
    set -euo pipefail

    # List of ClusterRoleBindings to update
    CRBS=(
      cert-manager-cainjector
      cert-manager-controller-issuers
      cert-manager-controller-clusterissuers
      cert-manager-controller-certificates
      cert-manager-controller-orders
      cert-manager-controller-challenges
      cert-manager-controller-ingress-shim
      cert-manager-controller-approve:cert-manager-io
      cert-manager-controller-certificatesigningrequests
      cert-manager-webhook:subjectaccessreviews
    )

    # New namespace value
    NEW_NAMESPACE="cert-manager"

    echo "Updating ClusterRoleBinding subjects to use namespace: $NEW_NAMESPACE"

    for crb in "${CRBS[@]}"; do
      echo "Patching $crb..."
      # Rewrites only the first subject's namespace (/subjects/0).
      kubectl patch clusterrolebinding "$crb" \
        --type=json \
        -p='[{"op": "replace", "path": "/subjects/0/namespace", "value": "'"$NEW_NAMESPACE"'"}]'
    done

    echo "All ClusterRoleBindings updated successfully."

- Edit the webhooks to point to the cert-manager namespace instead of the luigi-system namespace.

    kubectl edit ValidatingWebhookConfiguration cert-manager-webhook
    kubectl edit MutatingWebhookConfiguration cert-manager-webhook

- Delete all three cert-manager deployments from luigi-system.

    kubectl delete deploy cert-manager-webhook -n luigi-system
    kubectl delete deploy cert-manager-cainjector -n luigi-system
    kubectl delete deploy cert-manager -n luigi-system

Once this is done, the pf9-managed cert-manager is completely cleaned up and won't be applied again.
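A pre-flight and verification check for the procedure above, as an added example that is not Platform9's own tooling: it works on the JSON from `kubectl get clusterrolebinding -o json` and `kubectl get validatingwebhookconfiguration cert-manager-webhook -o json`, and goes beyond the script's `/subjects/0` case by patching every ServiceAccount subject still in luigi-system. The function names and the sample objects are assumptions constructed for illustration.

```python
import json

OLD_NS, NEW_NS = "luigi-system", "cert-manager"

def crb_patches(crb_list, old_ns=OLD_NS, new_ns=NEW_NS):
    """Map CRB name -> JSON Patch ops for every ServiceAccount subject in old_ns."""
    patches = {}
    for crb in crb_list.get("items", []):
        ops = [
            {"op": "replace", "path": f"/subjects/{i}/namespace", "value": new_ns}
            for i, s in enumerate(crb.get("subjects") or [])
            if s.get("kind") == "ServiceAccount" and s.get("namespace") == old_ns
        ]
        if ops:
            patches[crb["metadata"]["name"]] = ops
    return patches

def stale_webhook_refs(cfg, old_ns=OLD_NS):
    """Return the places in a webhook configuration that still reference old_ns."""
    stale = []
    for key, val in (cfg["metadata"].get("annotations") or {}).items():
        if str(val).startswith(old_ns + "/"):
            stale.append(f"annotation {key}")
    for wh in cfg.get("webhooks", []):
        svc = (wh.get("clientConfig") or {}).get("service") or {}
        if svc.get("namespace") == old_ns:
            stale.append(f"webhook {wh['name']} clientConfig.service.namespace")
    return stale

# Constructed sample data (not captured from a real cluster).
SAMPLE_CRBS = json.loads("""{"items": [
 {"metadata": {"name": "cert-manager-cainjector"},
  "subjects": [{"kind": "ServiceAccount", "name": "cert-manager-cainjector", "namespace": "luigi-system"}]},
 {"metadata": {"name": "cert-manager-controller-issuers"},
  "subjects": [{"kind": "User", "name": "auditor"},
               {"kind": "ServiceAccount", "name": "cert-manager", "namespace": "luigi-system"}]},
 {"metadata": {"name": "cert-manager-webhook:subjectaccessreviews"},
  "subjects": [{"kind": "ServiceAccount", "name": "cert-manager-webhook", "namespace": "cert-manager"}]}
]}""")
SAMPLE_WEBHOOK = json.loads("""{"metadata": {"name": "cert-manager-webhook",
  "annotations": {"cert-manager.io/inject-ca-from-secret": "luigi-system/cert-manager-webhook-ca"}},
 "webhooks": [{"name": "webhook.cert-manager.io",
  "clientConfig": {"service": {"name": "cert-manager-webhook", "namespace": "luigi-system", "path": "/validate"}}}]}""")

if __name__ == "__main__":
    for name, ops in crb_patches(SAMPLE_CRBS).items():
        print(f"kubectl patch clusterrolebinding {name} --type=json -p='{json.dumps(ops)}'")
    for ref in stale_webhook_refs(SAMPLE_WEBHOOK):
        print("stale:", ref)
```

Run after the procedure, both functions should return nothing for the live objects; any remaining entry is a binding or webhook reference that still targets luigi-system.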