Disabling pf9-managed cert-manager
Problem
After upgrading the cluster to version 1.28.6, cert-manager gets installed in the luigi-system namespace and conflicts with the existing custom cert-manager in the cert-manager namespace. As a result, the cert-manager pods go into an error state.
```
% kubectl get pods -A | grep cert-manager
cert-manager   cert-manager-89b545d6d-zstl8               1/1   Running            2 (3h4m ago)   9h
cert-manager   cert-manager-cainjector-646bf69b85-xhbxp   0/1   CrashLoopBackOff   64 (78s ago)   9h
cert-manager   cert-manager-webhook-796478777-qzzfs       1/1   Running            0              9h
luigi-system   cert-manager-5dcbbc765c-hpbql              1/1   Running            2 (5h3m ago)   8h
luigi-system   cert-manager-cainjector-6db486b6b7-d8btt   1/1   Running            2 (5h3m ago)   8h
luigi-system   cert-manager-webhook-57876b9fd-j4f6l       1/1   Running            0              8h
```
Environment
- Platform9 Managed Kubernetes 5.9.4
- Kubernetes version 1.28.6
Procedure
To completely disable pf9 managed cert-manager and continue using custom cert-manager:
- Patch the pf9-addon-operator image to the custom private image, which doesn't install/uninstall pf9-managed cert-manager. <Need to add the repo details here>
- Apply the script below, which points all the cert-manager ClusterRoleBindings (CRBs) from the luigi-system namespace to the cert-manager namespace.
```bash
#!/bin/bash

# List of ClusterRoleBindings to update
CRBS=(
  cert-manager-cainjector
  cert-manager-controller-issuers
  cert-manager-controller-clusterissuers
  cert-manager-controller-certificates
  cert-manager-controller-orders
  cert-manager-controller-challenges
  cert-manager-controller-ingress-shim
  cert-manager-controller-approve:cert-manager-io
  cert-manager-controller-certificatesigningrequests
  cert-manager-webhook:subjectaccessreviews
)

# New namespace value
NEW_NAMESPACE="cert-manager"

echo "Updating ClusterRoleBinding subjects to use namespace: $NEW_NAMESPACE"

for crb in "${CRBS[@]}"; do
  echo "Patching $crb..."
  kubectl patch clusterrolebinding "$crb" \
    --type=json \
    -p='[{"op": "replace", "path": "/subjects/0/namespace", "value": "'"$NEW_NAMESPACE"'"}]'
done

echo "All ClusterRoleBindings updated successfully."
```
- Edit the webhooks to point to the cert-manager namespace instead of the luigi-system namespace.
```bash
kubectl edit ValidatingWebhookConfiguration cert-manager-webhook
kubectl edit MutatingWebhookConfiguration cert-manager-webhook
```
And delete all 3 cert-manager deployments from luigi-system.
```bash
kubectl delete deploy cert-manager-webhook -n luigi-system
kubectl delete deploy cert-manager-cainjector -n luigi-system
kubectl delete deploy cert-manager -n luigi-system
```
Once this is done, all the pf9-managed cert-manager components will be completely cleaned up and won't be applied again.
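An added check, not part of the original article or Platform9's tooling: run after the procedure, it lists any cert-manager ClusterRoleBinding subject, webhook service reference, or CA-injection annotation that still names luigi-system. It goes beyond the patch script by checking every subject rather than only the first; the annotation key prefix follows upstream cert-manager manifests and is an assumption here, and SAMPLE is constructed data.

```python
import json
import subprocess

OLD_NS = "luigi-system"  # namespace of the pf9-managed install, from the page
KINDS = "clusterrolebinding,validatingwebhookconfiguration,mutatingwebhookconfiguration"

def stale_refs(doc, old_ns=OLD_NS):
    """Return (kind, name, JSON path) for each cert-manager reference to old_ns."""
    hits = []
    for item in doc.get("items", []):
        kind, meta = item.get("kind", ""), item.get("metadata", {})
        name = meta.get("name", "")
        if not name.startswith("cert-manager"):
            continue
        if kind == "ClusterRoleBinding":
            # The patch script rewrites only /subjects/0; check every subject.
            for i, subj in enumerate(item.get("subjects") or []):
                if subj.get("namespace") == old_ns:
                    hits.append((kind, name, f"/subjects/{i}/namespace"))
        elif kind.endswith("WebhookConfiguration"):
            for i, hook in enumerate(item.get("webhooks") or []):
                svc = (hook.get("clientConfig") or {}).get("service") or {}
                if svc.get("namespace") == old_ns:
                    hits.append((kind, name,
                                 f"/webhooks/{i}/clientConfig/service/namespace"))
            # Assumption: CA injection annotation holds "<namespace>/<name>".
            for key, val in (meta.get("annotations") or {}).items():
                if (key.startswith("cert-manager.io/inject-ca-from")
                        and val.startswith(old_ns + "/")):
                    hits.append((kind, name, f"/metadata/annotations/{key}"))
    return hits

# Constructed sample in the shape of `kubectl get <KINDS> -o json`.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cert-manager-cainjector"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "cert-manager"},
                  {"kind": "ServiceAccount", "namespace": "luigi-system"}]},
    {"kind": "ValidatingWebhookConfiguration",
     "metadata": {"name": "cert-manager-webhook", "annotations": {
         "cert-manager.io/inject-ca-from-secret":
             "luigi-system/cert-manager-webhook-ca"}},
     "webhooks": [{"clientConfig": {"service": {"namespace": "luigi-system"}}}]},
    {"kind": "MutatingWebhookConfiguration", "metadata": {"name": "cert-manager-webhook"},
     "webhooks": [{"clientConfig": {"service": {"namespace": "cert-manager"}}}]},
]}

if __name__ == "__main__":
    out = subprocess.check_output(["kubectl", "get", KINDS, "-o", "json"])
    for hit in stale_refs(json.loads(out)):
        print(*hit)
```

An empty result means nothing cert-manager-related in these three resource kinds still points at luigi-system.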