1. Let’s Encrypt will be blocking cert-manager instances older than 0.8.0 starting November 1st 2019.
    2. . This change has no exact deadline.
    3. Cert-manager is deprecating API and replacing its API group

    To address these changes, this guide will do two things:

    1. Document the procedure for upgrading cert-manager
    2. Explain the cert-manager API changes and link to cert-manager’s offficial documentation for migrating your data

    The namespace used in these instructions depends on the namespace cert-manager is currently installed in. If it is in kube-system use that in the instructions below. You can verify by running kubectl get pods --all-namespaces and checking which namespace the cert-manager-* pods are listed in. Do not change the namespace cert-manager is running in or this can cause issues.

    In order to upgrade cert-manager, follow these instructions:

    Upgrading cert-manager with Internet access

    1. Back up existing resources as a precaution

    2. Delete the existing deployment

      1. helm delete --purge cert-manager

    3. Install the CustomResourceDefinition resources separately

      1. kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml

    4. Update your local Helm chart repository cache

      1. helm repo update

    5. Install the new version of cert-manager

      Upgrading cert-manager in an airgapped environment

    Before you can perform the upgrade, you must prepare your air gapped environment by adding the necessary container images to your private registry and downloading or rendering the required Kubernetes manifest files.

    1. Follow the guide to with the images needed for the upgrade.

    2. From a system connected to the internet, add the cert-manager repo to Helm

      1. helm repo add jetstack https://charts.jetstack.io
      2. helm repo update

    3. Fetch the latest cert-manager chart available from the Helm chart repository.

      1. helm fetch jetstack/cert-manager --version v0.12.0

    4. Render the cert manager template with the options you would like to use to install the chart. Remember to set the option to pull the image from your private registry. This will create a cert-manager directory with the Kubernetes manifest files.

      1. helm template ./cert-manager-v0.12.0.tgz --output-dir . \
      2. --name cert-manager --namespace kube-system \
      3. --set image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-controller
      4. --set webhook.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-webhook
      5. --set cainjector.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-cainjector

    Install cert-manager

    1. Back up existing resources as a precaution

    2. Delete the existing cert-manager installation

      1. kubectl -n kube-system delete deployment,sa,clusterrole,clusterrolebinding -l 'app=cert-manager' -l 'chart=cert-manager-v0.5.2'

    4. Install cert-manager

      1. kubectl -n kube-system apply -R -f ./cert-manager

    Once you’ve installed cert-manager, you can verify it is deployed correctly by checking the kube-system namespace for running pods:

    1. kubectl get pods --namespace kube-system
    3. NAME                                            READY   STATUS      RESTARTS   AGE
    4. cert-manager-7cbdc48784-rpgnt                   1/1     Running     0          3m
    5. cert-manager-webhook-5b5dd6999-kst4x            1/1     Running     0          3m
    6. cert-manager-cainjector-3ba5cd2bcd-de332x       1/1     Running     0          3m

    If the ‘webhook’ pod (2nd line) is in a ContainerCreating state, it may still be waiting for the Secret to be mounted into the pod. Wait a couple of minutes for this to happen but if you experience problems, please check cert-manager’s troubleshooting guide.

    Cert-Manager API change and data migration

    Cert-manager has deprecated the use of the certificate.spec.acme.solvers field and will drop support for it completely in an upcoming release.

    Per the cert-manager documentation, a new format for configuring ACME certificate resources was introduced in v0.8. Specifically, the challenge solver configuration field was moved. Both the old format and new are supported as of v0.9, but support for the old format will be dropped in an upcoming release of cert-manager. The cert-manager documentation strongly recommends that after upgrading you update your ACME Issuer and Certificate resources to the new format.

    Details about the change and migration instructions can be found in the cert-manager v0.7 to v0.8 upgrade instructions.

    The v0.11 release marks the removal of the v1alpha1 API that was used in previous versions of cert-manager, as well as our API group changing to be instead of certmanager.k8s.io.

    We have also removed support for the old configuration format that was deprecated in the v0.8 release. This means you must transition to using the new solvers style configuration format for your ACME issuers before upgrading to v0.11. For more information, see the .

    Details about the change and migration instructions can be found in the cert-manager v0.10 to v0.11 upgrade instructions.

    For information on upgrading from all other versions of cert-manager, refer to the .