In some cases there may be a need to do a full uninstall and re-install of cert-manager. An example could be when a very old cert-manager version needs to be brought up to date and it isn't feasible to upgrade one minor version at a time, which is our default recommended upgrade strategy.
CustomResourceDefinitions are also uninstalled, this will mean
loss of associated cert-manager custom resources such as
main concern associated with this is application downtime and unnecessary
certificate reissuance, that could happen if
Secrets with the X.509
certificates get deleted. You can use
on the cert-manager controller to configure whether the
Secrets should be deleted.
If this flag is set to true, each
Secret will have an owner reference to the
Certificate for which it was created and when the
Certificate is deleted,
Secret will be garbage collected. The default value for this flag is
false. If the
Certificates get deleted and re-applied, but the
in the cluster, the newly applied
Certificates should be able to pick up the
Secrets and should not unnecessarily reissue the X.509 certs.
When uninstalling and re-installing in order to upgrade, you should still read through the release notes for each skipped version.
Some things to look out for when considering uninstalling and re-installing cert-manager including the CRDs:
--enable-certificate-owner-refflag currently set to true or could it have been set to true at some point previously? Due to an earlier bug, the owner reference that gets added to
Secrets is not removed when the value of
--enable-certificate-owner-refis changed from true to false, see
- Are there currently any certificate issuances in progress? If so, with the custom resources deleted, the progress will be lost. This could potentially cause duplicated issuances.
- Is there a need to convert cert-manager custom resource manifests to v1 API? You can use
cmctl convertcommand to do that.