Adding take over of existing crds

Author: rshade

CLAUDE.md

@@ -0,0 +1,40 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Commands
+
+- Build provider: `make build_provider`
+- Generate all SDKs: `make generate`
+- Build all SDKs: `make build`
+- Run Go tests: `go test ./...`
+- Run specific Go test: `go test ./examples -run=TestSimpleCertManagerGo`
+- Ensure dependencies consistency: `make ensure`
+- Format Go code: `go fmt ./...`
+- Lint Go code: `golangci-lint run`
+- Generate code for SDK after schema changes: `make codegen && make generate`
+
+## Code Style Guidelines
+
+- Go code follows standard Go formatting conventions (`go fmt`)
+- Copyright header required on all source files
+- Use descriptive variable names following Go's camelCase convention
+- Proper error handling with propagation or logging
+- Imports should be grouped by standard lib, external, then internal packages
+- Follow existing patterns in the code for component implementations
+- For TypeScript code: Use types everywhere, follow Pulumi naming conventions
+- Maintain consistent structure between language SDKs (Go, .NET, Python, TypeScript)
+- Write comprehensive test cases for any added functionality
+
+## Development Notes
+
+- When modifying schema.json or provider code, use `make codegen` to generate SDK code
+- Do not manually edit files in the sdk/ directory as they are auto-generated
+- Updates to schema.json will propagate to all language SDKs through codegen
+- Provider implementation is in provider/pkg/provider/ directory
+- CRD handling is managed through the cert-manager Helm chart values and Helm options:
+  - The `importExistingCRDs` parameter (default: true) controls CRD adoption behavior
+  - Helm options like `Replace`, `ForceUpdate`, and `CleanupOnFail` manage CRD conflicts
+  - CRD annotations should use simple values, not Helm template variables like `{{.Release.Name}}`
+  - Test CRD adoption functionality with `TestTsDestroyRecreate` test
+- Never commit changes unless explicitly instructed to do so

README.md

@@ -54,6 +54,11 @@ const cm = new certmanager.CertManager("cert-manager-deployment", {
     // When both installCRDs and crds.enabled are specified, crds.enabled takes precedence
     // installCRDs: true,
 
+    // Automatically handle CRD conflicts by importing existing CRDs
+    // This allows replacing a cert-manager installation without manual deletion
+    // When true, Helm will adopt existing CRDs by setting proper annotations and ownership
+    importExistingCRDs: true, // Default is true, set to false to disable
+    
     helmOptions: {
         namespace: ns.metadata.name,
     },
@@ -85,6 +90,11 @@ cm = certmanager.CertManager("cert-manager-deployment",
     # When both install_crds and crds.enabled are specified, crds.enabled takes precedence
     # install_crds=True,
 
+    # Automatically handle CRD conflicts by importing existing CRDs
+    # This allows replacing a cert-manager installation without manual deletion
+    # When True, Helm will adopt existing CRDs by setting proper annotations and ownership
+    import_existing_crds=True,  # Default is True, set to False to disable
+    
     helm_options={
         "namespace": ns.metadata["name"],
     })
@@ -130,6 +140,11 @@ func main() {
    // When both InstallCRDs and Crds.Enabled are specified, Crds.Enabled takes precedence
    // InstallCRDs: pulumi.BoolPtr(enabled),
 
+   // Automatically handle CRD conflicts by importing existing CRDs
+   // This allows replacing a cert-manager installation without manual deletion
+   // When true, Helm will adopt existing CRDs by setting proper annotations and ownership
+   ImportExistingCRDs: pulumi.BoolPtr(true), // Default is true, set to false to disable
+   
    HelmOptions: &helmv3.ReleaseArgs{
     Namespace: ns.Metadata.Name(),
    },
@@ -151,4 +166,29 @@ if you need to override them, you may do so using the `helmOptions` parameter. R
 [the API docs for the `kubernetes:helm/v3:Release` Pulumi type](
 https://www.pulumi.com/docs/reference/pkg/kubernetes/helm/v3/release/#inputs) for a full set of choices.
 
+### Handling CRD Ownership During Upgrades
+
+A common issue when replacing cert-manager installations is conflicts with existing CRDs, which results in errors like:
+
+```
+Unable to continue with install: CustomResourceDefinition "certificaterequests.cert-manager.io" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata
+```
+
+This provider addresses this issue through dynamic CRD discovery and Pulumi's resource import capabilities:
+
+1. **Dynamic CRD Finding and Adoption**: Following the same pattern as Pulumi's Kubernetes SDK, the provider:
+   - Lists all CustomResourceDefinitions in the cluster
+   - Filters the results to identify cert-manager CRDs (by label or known patterns)
+   - Imports each identified CRD into Pulumi's state management
+   - Removes problematic Helm ownership annotations, allowing for clean installation
+
+2. **Helm Configuration**: Through the `importExistingCRDs` option (default: `true`), the provider also:
+   - Enables Helm's resource replacement functionality to take ownership of existing CRDs
+   - Sets special annotations to help resolve ownership conflicts:
+     - `helm.sh/resource-policy: keep` to preserve CRDs on uninstall
+     - `meta.helm.sh/release-name` and `meta.helm.sh/release-namespace` for Helm ownership
+   - Configures `keep: true` for CRDs to ensure they persist between installations
+
+This approach dynamically discovers and adopts any cert-manager CRDs that already exist in your cluster, without needing manual intervention. It's based on the same patterns used in the Pulumi Kubernetes SDK v4.22.2 for handling existing CRDs.
+
 For complete details, refer to the Pulumi Package details within the Pulumi Registry.

examples/crds-tests-ts/Pulumi.yaml

@@ -18,9 +18,8 @@ func TestTsExamples(t *testing.T) {
 		directoryName    string
 		additionalConfig map[string]string
 	}{
-		"TestSimpleCertManagerTs":    {directoryName: "simple-cert-manager-ts"},
-		"TestCrdsTs":                 {directoryName: "crds-tests-ts"},
-		"TestCrdsPrecedenceTs":       {directoryName: "crds-precedence-test-ts"},
+		"TestSimpleCertManagerTs": {directoryName: "simple-cert-manager-ts"},
+		"TestCrdsPrecedenceTs":    {directoryName: "crds-precedence-test-ts"},
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
@@ -51,3 +50,25 @@ func TestTsCertManagerPreview(t *testing.T) {
 		p.Preview(t)
 	})
 }
+
+// TestTsDestroyRecreate tests that resources can be created, destroyed, and recreated successfully
+// to address https://github.com/pulumi/pulumi-kubernetes-cert-manager/issues/408
+func TestTsDestroyRecreate(t *testing.T) {
+	t.Run("TestSimpleCertManagerDestroyRecreate", func(t *testing.T) {
+		p := pulumitest.NewPulumiTest(t, "simple-cert-manager-ts",
+			opttest.LocalProviderPath("pulumi-kubernetes-cert-manager", filepath.Join(getCwd(t), "..", "bin")),
+			opttest.YarnLink("@pulumi/kubernetes-cert-manager"),
+		)
+		p.SetConfig(t, "repository", "public.ecr.aws/eks-anywhere-dev/cert-manager/cert-manager-controller")
+
+		// Initial deployment
+		p.Up(t)
+
+		// Destroy the resources
+		p.Destroy(t)
+
+		// Recreate the resources
+		p.Install(t)
+		p.Up(t)
+	})
+}

examples/crds-tests-ts/README.md

@@ -5,9 +5,9 @@
     },
     "dependencies": {
         "@pulumi/kubernetes": "4.22.2",
+        "@pulumi/kubernetes-cert-manager": "^0.2.0",
         "@pulumi/pulumi": "3.163.0",
-        "@pulumi/kubernetes-cert-manager": "latest",
         "@pulumi/random": "4.18.0",
         "google-protobuf": "3.21.4"
     }
-}
+}

examples/crds-tests-ts/index.ts

@@ -92,6 +92,11 @@
                     "type": "boolean",
                     "description": "⚠️ Deprecated: Use crds.enabled instead. When both installCRDs and crds.enabled are specified, crds.enabled takes precedence."
                 },
+                "importExistingCRDs": {
+                    "type": "boolean",
+                    "description": "When true (default), automatically import existing CRDs instead of failing on conflict",
+                    "default": true
+                },
                 "crds": {
                     "$ref": "#/types/kubernetes-cert-manager:index:CertManagerCrds",
                     "description": "Control CRDs installation and lifecycle"