Adding take over of existing crds

Author: rshade

README.md

@@ -54,6 +54,11 @@ const cm = new certmanager.CertManager("cert-manager-deployment", {
     // When both installCRDs and crds.enabled are specified, crds.enabled takes precedence
     // installCRDs: true,
 
+    // Automatically handle CRD conflicts by importing existing CRDs
+    // This allows replacing a cert-manager installation without manual deletion
+    // When true, Helm will adopt existing CRDs by setting proper annotations and ownership
+    importExistingCRDs: true, // Default is true, set to false to disable
+    
     helmOptions: {
         namespace: ns.metadata.name,
     },
@@ -85,6 +90,11 @@ cm = certmanager.CertManager("cert-manager-deployment",
     # When both install_crds and crds.enabled are specified, crds.enabled takes precedence
     # install_crds=True,
 
+    # Automatically handle CRD conflicts by importing existing CRDs
+    # This allows replacing a cert-manager installation without manual deletion
+    # When True, Helm will adopt existing CRDs by setting proper annotations and ownership
+    import_existing_crds=True,  # Default is True, set to False to disable
+    
     helm_options={
         "namespace": ns.metadata["name"],
     })
@@ -130,6 +140,11 @@ func main() {
    // When both InstallCRDs and Crds.Enabled are specified, Crds.Enabled takes precedence
    // InstallCRDs: pulumi.BoolPtr(enabled),
 
+   // Automatically handle CRD conflicts by importing existing CRDs
+   // This allows replacing a cert-manager installation without manual deletion
+   // When true, Helm will adopt existing CRDs by setting proper annotations and ownership
+   ImportExistingCRDs: pulumi.BoolPtr(true), // Default is true, set to false to disable
+   
    HelmOptions: &helmv3.ReleaseArgs{
     Namespace: ns.Metadata.Name(),
    },
@@ -151,4 +166,23 @@ if you need to override them, you may do so using the `helmOptions` parameter. R
 [the API docs for the `kubernetes:helm/v3:Release` Pulumi type](
 https://www.pulumi.com/docs/reference/pkg/kubernetes/helm/v3/release/#inputs) for a full set of choices.
 
+### Handling CRD Ownership During Upgrades
+
+A common issue when replacing cert-manager installations is conflicts with existing CRDs, which results in errors like:
+
+```
+Unable to continue with install: CustomResourceDefinition "certificaterequests.cert-manager.io" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata
+```
+
+To address this, the component provides the `importExistingCRDs` option (default: `true`), which:
+
+1. Enables Helm's resource replacement functionality to take ownership of existing CRDs
+2. Sets special annotations to help resolve ownership conflicts:
+   - `helm.sh/resource-policy: keep` to preserve CRDs on uninstall
+   - `meta.helm.sh/release-name` and `meta.helm.sh/release-namespace` for Helm ownership
+   - `kubectl.kubernetes.io/last-applied-configuration` for tracking changes
+3. Configures `keep: true` for CRDs to ensure they persist between installations
+
+This approach allows you to replace cert-manager installations without manually deleting the CRDs first, preserving any resources that depend on those CRDs (like Certificate, ClusterIssuer, etc.). To disable this behavior, set `importExistingCRDs: false`.
+
 For complete details, refer to the Pulumi Package details within the Pulumi Registry.

examples/crds-tests-ts/Pulumi.yaml

@@ -18,9 +18,8 @@ func TestTsExamples(t *testing.T) {
 		directoryName    string
 		additionalConfig map[string]string
 	}{
-		"TestSimpleCertManagerTs":    {directoryName: "simple-cert-manager-ts"},
-		"TestCrdsTs":                 {directoryName: "crds-tests-ts"},
-		"TestCrdsPrecedenceTs":       {directoryName: "crds-precedence-test-ts"},
+		"TestSimpleCertManagerTs": {directoryName: "simple-cert-manager-ts"},
+		"TestCrdsPrecedenceTs":    {directoryName: "crds-precedence-test-ts"},
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
@@ -51,3 +50,25 @@ func TestTsCertManagerPreview(t *testing.T) {
 		p.Preview(t)
 	})
 }
+
+// TestTsDestroyRecreate tests that resources can be created, destroyed, and recreated successfully
+// to address https://github.com/pulumi/pulumi-kubernetes-cert-manager/issues/408
+func TestTsDestroyRecreate(t *testing.T) {
+	t.Run("TestSimpleCertManagerDestroyRecreate", func(t *testing.T) {
+		p := pulumitest.NewPulumiTest(t, "simple-cert-manager-ts",
+			opttest.LocalProviderPath("pulumi-kubernetes-cert-manager", filepath.Join(getCwd(t), "..", "bin")),
+			opttest.YarnLink("@pulumi/kubernetes-cert-manager"),
+		)
+		p.SetConfig(t, "repository", "public.ecr.aws/eks-anywhere-dev/cert-manager/cert-manager-controller")
+
+		// Initial deployment
+		p.Up(t)
+
+		// Destroy the resources
+		p.Destroy(t)
+
+		// Recreate the resources
+		p.Install(t)
+		p.Up(t)
+	})
+}

examples/crds-tests-ts/README.md

@@ -92,6 +92,11 @@
                     "type": "boolean",
                     "description": "⚠️ Deprecated: Use crds.enabled instead. When both installCRDs and crds.enabled are specified, crds.enabled takes precedence."
                 },
+                "importExistingCRDs": {
+                    "type": "boolean",
+                    "description": "When true (default), automatically import existing CRDs instead of failing on conflict",
+                    "default": true
+                },
                 "crds": {
                     "$ref": "#/types/kubernetes-cert-manager:index:CertManagerCrds",
                     "description": "Control CRDs installation and lifecycle"

examples/crds-tests-ts/index.ts

@@ -36,13 +36,16 @@ func (c *CertManager) DefaultRepoURL() string                    { return "https
 
 // CertManager contains the set of arguments for creating a CertManager component resource.
 type CertManagerArgs struct {
-	Global       kcm.CertManagerGlobalPtrInput `pulumi:"global"`
-	// Deprecated: Use crds.enabled instead. 
+	Global kcm.CertManagerGlobalPtrInput `pulumi:"global"`
+	// Deprecated: Use crds.enabled instead.
 	// When both installCRDs and crds.enabled are specified, crds.enabled takes precedence.
-	InstallCRDs  *bool                         `pulumi:"installCRDs"`
-	Crds         kcm.CertManagerCrdsPtrInput   `pulumi:"crds"`
-	ReplicaCount *int                          `pulumi:"replicaCount"`
-	Strategy     *appsv1.DeploymentStrategy    `pulumi:"strategy" pschema:"ref=/kubernetes/v4.21.0/schema.json#/types/kubernetes:apps/v1:DeploymentStrategy"`
+	InstallCRDs *bool `pulumi:"installCRDs"`
+	// Controls whether to import existing CRDs during installation
+	// When true (default), Helm will adopt existing CRDs instead of failing on conflict
+	ImportExistingCRDs *bool                       `pulumi:"importExistingCRDs"`
+	Crds               kcm.CertManagerCrdsPtrInput `pulumi:"crds"`
+	ReplicaCount       *int                        `pulumi:"replicaCount"`
+	Strategy           *appsv1.DeploymentStrategy  `pulumi:"strategy" pschema:"ref=/kubernetes/v4.21.0/schema.json#/types/kubernetes:apps/v1:DeploymentStrategy"`
 	// Comma separated list of feature gates that should be enabled on the controller pod.
 	FeatureGates *string                      `pulumi:"featureGates"`
 	Image        kcm.CertManagerImagePtrInput `pulumi:"image"`
@@ -95,7 +98,63 @@ type CertManagerArgs struct {
 	HelmOptions *helmbase.ReleaseType `pulumi:"helmOptions" pschema:"ref=#/types/chart-cert-manager:index:Release" json:"-"`
 }
 
-func (args *CertManagerArgs) R() **helmbase.ReleaseType { return &args.HelmOptions }
+func (args *CertManagerArgs) R() **helmbase.ReleaseType {
+	// Initialize HelmOptions if needed
+	if args.HelmOptions == nil {
+		args.HelmOptions = &helmbase.ReleaseType{}
+	}
+
+	// Initialize Values if needed
+	if args.HelmOptions.Values == nil {
+		args.HelmOptions.Values = make(map[string]interface{})
+	}
+
+	// Note: We can't directly access the Enabled field from CertManagerCrdsPtrInput type
+	// Instead, we rely on the value provided in the ImportExistingCRDs field directly
+
+	// If ImportExistingCRDs is enabled (default: true) and CRDs are used,
+	// configure Helm options for proper CRD handling
+	if args.ImportExistingCRDs == nil || *args.ImportExistingCRDs {
+		// Enable the 'replace' flag in Helm which allows taking ownership of existing resources
+		// This is key for importing existing CRDs
+		args.HelmOptions.Replace = pulumi.Bool(true)
+
+		// Configure CRDs to have the resource-policy=keep annotation which preserves
+		// them if the release is uninstalled
+		if _, ok := args.HelmOptions.Values["crds"]; !ok {
+			args.HelmOptions.Values["crds"] = make(map[string]interface{})
+		}
+
+		crdsMap, ok := args.HelmOptions.Values["crds"].(map[string]interface{})
+		if !ok {
+			crdsMap = make(map[string]interface{})
+			args.HelmOptions.Values["crds"] = crdsMap
+		}
+
+		// Use skipCrds=false to ensure CRDs are installed
+		// and set advanced options for CRD adoption
+
+		// Don't skip CRDs - ensure they're installed
+		args.HelmOptions.SkipCrds = pulumi.Bool(false)
+
+		// These options help with adopting existing CRDs
+		args.HelmOptions.CleanupOnFail = pulumi.Bool(true)
+		args.HelmOptions.ForceUpdate = pulumi.Bool(true)
+		args.HelmOptions.Replace = pulumi.Bool(true)
+
+		// Set resource policy annotation to preserve CRDs on uninstall
+		crdAnnotations := map[string]string{
+			"helm.sh/resource-policy": "keep",
+		}
+
+		crdsMap["annotations"] = crdAnnotations
+
+		// Set keep to true to preserve CRDs on uninstall
+		crdsMap["keep"] = true
+	}
+
+	return &args.HelmOptions
+}
 
 type CertManagerGlobal struct {
 	// Reference to one or more secrets to be used when pulling images.