Open
Labels
kind/enhancement (Improvements or new features)
Description
What happened?
When deploying Pulumi Cert Manager v0.2.0, it's possible to pass the option installCRDs: true as shown in the example below.
This option seems to directly match installCRDs in the underlying Helm Chart. However, this option is now deprecated according to values.yaml. Both crds.enabled and crds.keep should be used instead.
The deprecation is revealed when retrieving the Helm release deployment notes:
```sh
kubectl get secrets -l "owner=helm" -n cert-system
kubectl get secret -n cert-system sh.helm.release.v1.cert-manager-deployment-helm-33c99dcc.v1 -o jsonpath="{.data.release}" | base64 -d | base64 -d | gunzip | jq .info
```

```json
{
  "first_deployed": "2025-04-18T12:28:20.952314778+10:00",
  "last_deployed": "2025-04-18T12:28:20.952314778+10:00",
  "deleted": "",
  "description": "Install complete",
  "status": "deployed",
  "notes": "\n⚠️ WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.\ncert-manager v1.17.1 has been deployed successfully!\n\nIn order to begin issuing certificates, you will need to set up a ClusterIssuer\nor Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).\n\nMore information on the different types of issuers and how to configure them\ncan be found in our documentation:\n\nhttps://cert-manager.io/docs/configuration/\n\nFor information on how to configure cert-manager to automatically provision\nCertificates for Ingress resources, take a look at the `ingress-shim`\ndocumentation:\n\nhttps://cert-manager.io/docs/usage/ingress/\n"
}
```

Example
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";
import * as certmanager from "@pulumi/kubernetes-cert-manager";

export = async () => {
    // Namespace that holds the cert-manager Helm release.
    const ns = new k8s.core.v1.Namespace(`cert-manager-namespace`, {
        metadata: {
            name: "cert-system",
        }
    });

    const cm = new certmanager.CertManager(`cert-manager-deployment`, {
        // Passed through to the chart's installCRDs value, which triggers the deprecation warning.
        installCRDs: true,
        helmOptions: {
            namespace: ns.metadata.name,
        },
    }, { parent: ns });
}
```

Proposed changes
Since installCRDs doesn't remove the CRDs on update or destroy, it would be beneficial to:
- expose both crds.enabled and crds.keep instead
- (maybe) as a way to improve backward compatibility, ensure that CRDs are removed by setting crds.keep: false (but it seems the garbage collector might remove existing CRs, so this could be a problem)
Additional context
Related to #408
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
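
Added example, not part of the original issue and not Pulumi or cert-manager code: the kubectl | base64 -d | base64 -d | gunzip | jq pipeline above, written as a Python check that decodes a Helm release Secret value and lists the deprecated chart values named in its notes. The function names are hypothetical, the sample release is constructed from the notes quoted in the issue, and the gzip-header check is an assumption added so that an uncompressed payload is also accepted.

```python
import base64
import gzip
import json
import re

# Matches the chart's warning line, e.g.
# "`installCRDs` is deprecated, use `crds.enabled` instead."
DEPRECATION = re.compile(r"`([^`]+)` is deprecated, use `([^`]+)` instead")


def decode_helm_release(data_release: str) -> dict:
    """Decode the .data.release value of a Helm release Secret (as printed by kubectl)."""
    helm_blob = base64.b64decode(data_release)  # layer 1: Kubernetes Secret encoding
    payload = base64.b64decode(helm_blob)       # layer 2: Helm's own base64
    if payload[:2] == b"\x1f\x8b":              # gzip magic; assumption: tolerate plain JSON
        payload = gzip.decompress(payload)
    return json.loads(payload)


def deprecated_values(release: dict) -> list:
    """Return (deprecated_key, replacement) pairs found in the release notes."""
    notes = release.get("info", {}).get("notes", "")
    return DEPRECATION.findall(notes)


def encode_sample(release: dict, compress: bool = True) -> str:
    """Build a constructed Secret value the way it appears in .data.release."""
    raw = json.dumps(release).encode()
    if compress:
        raw = gzip.compress(raw)
    return base64.b64encode(base64.b64encode(raw)).decode()


# Constructed sample, trimmed from the notes shown in the issue.
SAMPLE_RELEASE = {
    "name": "cert-manager-deployment-helm-33c99dcc",
    "info": {
        "status": "deployed",
        "notes": "\n⚠️ WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.\n"
                 "cert-manager v1.17.1 has been deployed successfully!\n",
    },
}
SAMPLE_SECRET_VALUE = encode_sample(SAMPLE_RELEASE)

if __name__ == "__main__":
    for old, new in deprecated_values(decode_helm_release(SAMPLE_SECRET_VALUE)):
        print(f"deprecated value {old!r}: use {new!r}")
```

Against a live cluster, the string passed to decode_helm_release is the output of the kubectl get secret ... -o jsonpath="{.data.release}" command above.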