Upgrade component-cert-manager from v1.x to v2.x

Version 2.x upgrades the underlying cert-manager Helm chart from v0.x to v1.x. There are some breaking changes in cert-manager. More information can be found in changelog on GitHub and in the upgrade documentation.

This upgrade should require no manual steps, but it’s recommended to verify the upgrade.

Verify cert-manager and certificates

  1. Verify successful sync and health status in ArgoCD

    Under no circumstances should you trigger a force sync in ArgoCD. This causes ArgoCD to remove and recreate the CRDs, in which case all attached resources get deleted.

  2. Check for obvious deployment errors

    kubectl -n syn-cert-manager get pods
    kubectl -n syn-cert-manager logs -l "app.kubernetes.io/name=cert-manager"
  3. Optional: Create testing ingress with cert-manager managed certificate.

    The cluster must be publicly reachable and have a valid DNS entry pointing to the ingress controller. If you like to test the renewal on an existing ingress, be sure to backup the TLS Secret first.

    # Create an ingress with a certificate
    kubectl create ingress cm-test --class=default \
      --rule="${INGRESS_HOST}/=svc:https,tls=cm-test-ingress-cert" \
    # Wait for the certificate to become ready
    kubectl get certificate cm-test-ingress-cert --watch
    # Delete the newly created ingress
    kubectl delete ingress cm-test