Rancher uses cert-manager to automatically generate and renew TLS certificates for HA deployments of Rancher. As of Fall 2019, three important changes to cert-manager are set to occur that you need to take action on if you have an HA deployment of Rancher:

  1. Let’s Encrypt will be blocking cert-manager instances older than 0.8.0 starting November 1st 2019.
  2. Cert-manager is deprecating and replacing the certificate.spec.acme.solvers field. This change has no exact deadline.
  3. Cert-manager is deprecating v1alpha1 API and replacing its API group

To address these changes, this guide will do two things:

  1. Document the procedure for upgrading cert-manager
  2. Explain the cert-manager API changes and link to cert-manager’s official documentation for migrating your data

Important: If you are currently running the cert-manger whose version is older than v0.11, and want to upgrade both Rancher and cert-manager to a newer version, you need to reinstall both of them:

  1. Take a one-time snapshot of your Kubernetes cluster running Rancher server
  2. Uninstall Rancher, cert-manager, and the CustomResourceDefinition for cert-manager
  3. Install the newer version of Rancher and cert-manager

The reason is that when Helm upgrades Rancher, it will reject the upgrade and show error messages if the running Rancher app does not match the chart template used to install it. Because cert-manager changed its API group and we cannot modify released charts for Rancher, there will always be a mismatch on the cert-manager’s API version, therefore the upgrade will be rejected.

For reinstalling Rancher with Helm, please check Option B: Reinstalling Rancher Chart under the upgrade Rancher section.

Upgrade Cert-Manager Only

Note: These instructions are applied if you have no plan to upgrade Rancher.

The namespace used in these instructions depends on the namespace cert-manager is currently installed in. If it is in kube-system use that in the instructions below. You can verify by running kubectl get pods --all-namespaces and checking which namespace the cert-manager-* pods are listed in. Do not change the namespace cert-manager is running in or this can cause issues.

These instructions have been updated for Helm 3. If you are still using Helm 2, refer to these instructions.

In order to upgrade cert-manager, follow these instructions:

  1. Back up existing resources as a precaution

    kubectl get -o yaml --all-namespaces \
issuer,clusterissuer,certificates,certificaterequests > cert-manager-backup.yaml

    Important: If you are upgrading from a version older than 0.11.0, Update the apiVersion on all your backed up resources from certmanager.k8s.io/v1alpha1 to cert-manager.io/v1alpha2. If you use any cert-manager annotations on any of your other resources, you will need to update them to reflect the new API group. For details, refer to the documentation on additional annotation changes.

  2. Uninstall existing deployment

    helm uninstall cert-manager

    Delete the CustomResourceDefinition using the link to the version vX.Y you installed

    kubectl delete -f https://raw.githubusercontent.com/jetstack/cert-manager/release-X.Y/deploy/manifests/00-crds.yaml

  3. Install the CustomResourceDefinition resources separately

    kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml

    Note: If you are running Kubernetes v1.15 or below, you will need to add the --validate=false flag to your kubectl apply command above. Otherwise, you will receive a validation error relating to the x-kubernetes-preserve-unknown-fields field in cert-manager’s CustomResourceDefinition resources. This is a benign error and occurs due to the way kubectl performs resource validation.

  4. Create the namespace for cert-manager if needed

    kubectl create namespace cert-manager

  5. Add the Jetstack Helm repository

    helm repo add jetstack https://charts.jetstack.io

  6. Update your local Helm chart repository cache

    helm repo update

  7. Install the new version of cert-manager

    helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v0.12.0

  8. Restore back up resources

    kubectl apply -f cert-manager-backup.yaml

Prerequisites

Before you can perform the upgrade, you must prepare your air gapped environment by adding the necessary container images to your private registry and downloading or rendering the required Kubernetes manifest files.

  1. Follow the guide to Prepare your Private Registry with the images needed for the upgrade.

  2. From a system connected to the internet, add the cert-manager repo to Helm

    helm repo add jetstack https://charts.jetstack.io
helm repo update

  3. Fetch the latest cert-manager chart available from the Helm chart repository.

    helm fetch jetstack/cert-manager --version v0.12.0

  4. Render the cert manager template with the options you would like to use to install the chart. Remember to set the image.repository option to pull the image from your private registry. This will create a cert-manager directory with the Kubernetes manifest files.

    The Helm 3 command is as follows:

    helm template cert-manager ./cert-manager-v0.12.0.tgz --output-dir . \
--namespace cert-manager \
--set image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-controller
--set webhook.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-webhook
--set cainjector.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-cainjector

    The Helm 2 command is as follows:

    helm template ./cert-manager-v0.12.0.tgz --output-dir . \
--name cert-manager --namespace cert-manager \
--set image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-controller
--set webhook.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-webhook
--set cainjector.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-cainjector

  5. Download the required CRD file for cert-manager (old and new)

    curl -L -o cert-manager/cert-manager-crd.yaml https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
curl -L -o cert-manager/cert-manager-crd-old.yaml https://raw.githubusercontent.com/jetstack/cert-manager/release-X.Y/deploy/manifests/00-crds.yaml

Install cert-manager

  1. Back up existing resources as a precaution

    kubectl get -o yaml --all-namespaces \
issuer,clusterissuer,certificates,certificaterequests > cert-manager-backup.yaml

    Important: If you are upgrading from a version older than 0.11.0, Update the apiVersion on all your backed up resources from certmanager.k8s.io/v1alpha1 to cert-manager.io/v1alpha2. If you use any cert-manager annotations on any of your other resources, you will need to update them to reflect the new API group. For details, refer to the documentation on additional annotation changes.

  2. Delete the existing cert-manager installation

    kubectl -n cert-manager \
delete deployment,sa,clusterrole,clusterrolebinding \
-l 'app=cert-manager' -l 'chart=cert-manager-v0.5.2'

    Delete the CustomResourceDefinition using the link to the version vX.Y you installed

    kubectl delete -f cert-manager/cert-manager-crd-old.yaml

  3. Install the CustomResourceDefinition resources separately

    kubectl apply -f cert-manager/cert-manager-crd.yaml

    Note: If you are running Kubernetes v1.15 or below, you will need to add the --validate=false flag to your kubectl apply command above. Otherwise, you will receive a validation error relating to the x-kubernetes-preserve-unknown-fields field in cert-manager’s CustomResourceDefinition resources. This is a benign error and occurs due to the way kubectl performs resource validation.

  4. Create the namespace for cert-manager

    kubectl create namespace cert-manager

  5. Install cert-manager

    kubectl -n cert-manager apply -R -f ./cert-manager

  6. Restore back up resources

    kubectl apply -f cert-manager-backup.yaml

Once you’ve installed cert-manager, you can verify it is deployed correctly by checking the kube-system namespace for running pods:

kubectl get pods --namespace cert-manager

NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-5c6866597-zw7kh               1/1     Running   0          2m
cert-manager-cainjector-577f6d9fd7-tr77l   1/1     Running   0          2m
cert-manager-webhook-787858fcdb-nlzsq      1/1     Running   0          2m

Cert-Manager API change and data migration

Cert-manager has deprecated the use of the certificate.spec.acme.solvers field and will drop support for it completely in an upcoming release.

Per the cert-manager documentation, a new format for configuring ACME certificate resources was introduced in v0.8. Specifically, the challenge solver configuration field was moved. Both the old format and new are supported as of v0.9, but support for the old format will be dropped in an upcoming release of cert-manager. The cert-manager documentation strongly recommends that after upgrading you update your ACME Issuer and Certificate resources to the new format.

Details about the change and migration instructions can be found in the cert-manager v0.7 to v0.8 upgrade instructions.

The v0.11 release marks the removal of the v1alpha1 API that was used in previous versions of cert-manager, as well as our API group changing to be cert-manager.io instead of certmanager.k8s.io.

We have also removed support for the old configuration format that was deprecated in the v0.8 release. This means you must transition to using the new solvers style configuration format for your ACME issuers before upgrading to v0.11. For more information, see the upgrading to v0.8 guide.

Details about the change and migration instructions can be found in the cert-manager v0.10 to v0.11 upgrade instructions.

More info about cert-manager upgrade information.