
We're currently running cert-manager 0.10 on GKE 1.15 in Production. How can I upgrade to the current 1.0 without 'downtime', i.e. losing certificates?

Can I uninstall cert-manager (without deleting the certificates) and then just install 1.0? Does 1.0 have backward-compatibility with the old certmanager.k8s.io API namespace so the existing certificates are still recognized (and eventually replaced)?

Or must I go through each intermediate version (0.11, 0.12, 0.13, 0.14, 0.15, 0.16, 1.0) and execute every specific upgrade instruction? The Upgrading chapter on the cert-manager site shows some rather complex steps between each version; specifically, the API namespace change from 0.10 to 0.11 recommends uninstalling cert-manager before installing the 0.11 CRDs and manifests.

Martijn Heemels

1 Answer


We're currently running cert-manager 0.10 on GKE 1.15 in Production. How can I upgrade to the current 1.0 without 'downtime', i.e. losing certificates?

The current GKE default version is 1.16.13-gke.401; if you want to change certificates, you could also think about upgrading the GKE version if this is possible. Before any changes it's always good to back up your certs. It's well described in the Cert-Manager docs.

Can I uninstall cert-manager (without deleting the certificates) and then just install 1.0? Does 1.0 have backward-compatibility with the old certmanager.k8s.io API namespace so the existing certificates are still recognized (and eventually replaced)?

Between Cert-Manager versions 0.10 and 1.0, there are some changes. For 0.10 to 0.11, there are annotation changes. As mentioned in the docs, before upgrading from 0.10 to 0.11 you must change the configuration format:

We have also removed support for the old configuration format that was deprecated in the v0.8 release. This means you must transition to using the new solvers style configuration format for your ACME issuers before upgrading to v0.11.

Also there is information:

You must be sure to properly backup, uninstall, re-install and restore your installation in order to ensure the upgrade is successful.

Also, between versions 0.14 and 0.15, a big change was introduced: new CRDs.

If there were no significant changes between versions, it could be upgraded across a range of a few versions, like in this article - v0.4 to v0.7.2. However, newer versions introduce new features or changes in configuration, like:

v0.10 to v0.11: ACME issuers and certificates must be upgraded before upgrading to v0.11. Additionally there are annotation changes that reflect the new API.

v0.12 to v0.3: No special upgrade steps required!

v0.11 to v0.12: Removal of webhook API service

In my opinion, there are 3 options:

  1. Upgrading 1 by 1 (applying new features and verifying in each version that this works correctly).
  2. Upgrade from 0.10 to 1.0, but all configuration changes between those versions would need to be tuned.
  3. Configure your Cert-Manager from scratch with the newest version.
PjoterS
  • Thanks PjoterS. I was aware of the complex upgrade steps for each version which is why I asked if it's possible to go directly to 1.0. It appears the cert-manager team have built some backward-compatibility into the newer versions. Do you know what happens to existing certificates when I uninstall the old 0.10 version and install 1.0? Will they keep working with their old annotations (and slowly get replaced when they expire) or must I upgrade them right away? – Martijn Heemels Nov 04 '20 at 16:38
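
A pre-upgrade audit for the changes the answer lists (old `certmanager.k8s.io` API group, old annotations, pre-solvers ACME format), as an added example that is not part of the original posts or of cert-manager's own tooling. It assumes an export taken with `kubectl get --all-namespaces -o json issuer,clusterissuer,certificate,ingress`; the sample objects, resource names and finding labels are constructed for illustration.

```python
import json

LEGACY_GROUP = "certmanager.k8s.io"  # pre-0.11 API group named in the question

def audit(export):
    """Return (resource, finding) pairs for a `kubectl get ... -o json` List."""
    findings = []
    for item in export.get("items", []):
        meta = item.get("metadata", {})
        kind = item.get("kind")
        ref = f'{kind}/{meta.get("namespace", "-")}/{meta.get("name")}'
        # Resources still stored under the old API group.
        if item.get("apiVersion", "").startswith(LEGACY_GROUP + "/"):
            findings.append((ref, "legacy-api-group"))
        # Annotations (e.g. on Ingresses) that still use the old prefix.
        for key in meta.get("annotations") or {}:
            if key.startswith(LEGACY_GROUP + "/"):
                findings.append((ref, "legacy-annotation:" + key))
        # ACME config deprecated in v0.8: issuers without `solvers`,
        # certificates that still carry `spec.acme.config`.
        acme = (item.get("spec") or {}).get("acme")
        if acme is None:
            continue
        if kind in ("Issuer", "ClusterIssuer") and "solvers" not in acme:
            findings.append((ref, "acme-old-config-format"))
        if kind == "Certificate" and "config" in acme:
            findings.append((ref, "acme-old-config-format"))
    return findings

# Constructed sample export (not taken from a real cluster).
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"apiVersion": "certmanager.k8s.io/v1alpha1", "kind": "ClusterIssuer",
  "metadata": {"name": "letsencrypt"},
  "spec": {"acme": {"server": "https://acme.example.invalid/directory",
                    "http01": {}}}},
 {"apiVersion": "certmanager.k8s.io/v1alpha1", "kind": "Certificate",
  "metadata": {"name": "web-tls", "namespace": "prod"},
  "spec": {"secretName": "web-tls", "dnsNames": ["www.example.com"],
           "issuerRef": {"name": "letsencrypt", "kind": "ClusterIssuer"}}},
 {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
  "metadata": {"name": "web", "namespace": "prod",
               "annotations": {"certmanager.k8s.io/cluster-issuer": "letsencrypt"}},
  "spec": {"tls": [{"hosts": ["www.example.com"], "secretName": "web-tls"}]}}
]}
""")

if __name__ == "__main__":
    for ref, finding in audit(SAMPLE):
        print(f"{ref}: {finding}")
```

An empty result means the export contains none of the three legacy patterns; it does not verify that the TLS Secrets themselves were backed up.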