Upgrade component-cert-manager from v1.x to v2.x

Version 2.x upgrades the underlying cert-manager Helm chart from v0.x to v1.x. There are some breaking changes in cert-manager. More information can be found in changelog on GitHub and in the upgrade documentation.

This upgrade should require no manual steps, but it’s recommended to verify the upgrade.

Verify cert-manager and certificates

  1. Verify successful sync and health status in ArgoCD

    Under no circumstances should you trigger a force sync in ArgoCD. This causes ArgoCD to remove and recreate the CRDs, in which case all attached resources get deleted.

  2. Check for obvious deployment errors

    kubectl -n syn-cert-manager get pods
kubectl -n syn-cert-manager logs -l "app.kubernetes.io/name=cert-manager"

  3. Optional: Create testing ingress with cert-manager managed certificate.

    The cluster must be publicly reachable and have a valid DNS entry pointing to the ingress controller. If you like to test the renewal on an existing ingress, be sure to backup the TLS Secret first.

    		 
    # Create an ingress with a certificate
CLUSTER_ISSUER=letsencrypt-staging
INGRESS_HOST=<your-DNS-entry>
kubectl create ingress cm-test --class=default \
  --rule="${INGRESS_HOST}/=svc:https,tls=cm-test-ingress-cert" \
  --annotation="cert-manager.io/cluster-issuer=${CLUSTER_ISSUER}"

# Wait for the certificate to become ready
kubectl get certificate cm-test-ingress-cert --watch

# Delete the newly created ingress
kubectl delete ingress cm-test