kubernetes google-cloud-platform cert-manager google-cloud-dns acme

cert-manager.io/v1 Certificate no acme field


I am trying to migrate cert-manager to API v1. I was able to migrate the Issuer to ClusterIssuer (the first part of the YAML). However, I am dealing with a breaking change: there is no more acme field on kind Certificate.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-myapp-issuer
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ssl@company.com
    privateKeySecretRef:
      name: wildcard-myapp-com
    solvers:
      - dns01:
          cloudDNS:
            serviceAccountSecretRef:
              name: clouddns-service-account
              key: key.json
            project: project-id

---

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myapp-com-tls
  namespace: default
spec:
  secretName: myapp-com-tls
  issuerRef:
    name: letsencrypt-myapp-issuer
  commonName: '*.myapp.com'
  dnsNames:
  - myapp.com
  acme:
    config:
    - dns01:
        provider: google-dns
      domains:
      - '*.myapp.com'
      - myapp.com

When I run kubectl apply I get the error:

error validating data: ValidationError(Certificate.spec): unknown field "acme" in io.cert-manager.v1.Certificate.spec

How can I migrate to the new version of cert-manager?


Solution

  • As part of v0.8, a new format for configuring ACME Certificate resources has been introduced. Notably, challenge solver configuration has moved from the Certificate resource (under certificate.spec.acme) and now resides on your configured Issuer resource, under issuer.spec.acme.solvers.

    So the resulting manifests should be as follows:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-myapp-issuer
      namespace: cert-manager
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: ssl@company.com
        privateKeySecretRef:
          name: wildcard-myapp-com
        solvers:
          - selector:
              dnsNames:
              - '*.myapp.com'
              - myapp.com
            dns01:
              cloudDNS:
                serviceAccountSecretRef:
                  name: clouddns-service-account
                  key: key.json
                project: project-id
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: myapp-com-tls
      namespace: default
    spec:
      secretName: myapp-com-tls
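      issuerRef:
        name: letsencrypt-myapp-issuer
        # issuerRef.kind defaults to Issuer, so a ClusterIssuer must be named explicitly
        kind: ClusterIssuer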
      commonName: '*.myapp.com'
      dnsNames:
      - myapp.com
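
The move described in the answer, sketched as an added example that is not part of the original question or answer: it takes a legacy Certificate and an already-migrated issuer, folds the `spec.acme.config` domains into the matching solver's `selector.dnsNames`, and drops the rejected `acme` field. The `migrate` function is hypothetical, and the dicts are constructed stand-ins for the parsed YAML shown in the question.

```python
import copy

# Constructed sample input mirroring the manifests in the question.
ISSUER = {
    "apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-myapp-issuer"},
    "spec": {"acme": {"solvers": [{"dns01": {"cloudDNS": {"project": "project-id"}}}]}},
}
LEGACY_CERT = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "myapp-com-tls", "namespace": "default"},
    "spec": {
        "secretName": "myapp-com-tls",
        "issuerRef": {"name": "letsencrypt-myapp-issuer"},
        "commonName": "*.myapp.com",
        "dnsNames": ["myapp.com"],
        "acme": {"config": [{"dns01": {"provider": "google-dns"},
                             "domains": ["*.myapp.com", "myapp.com"]}]},
    },
}

def migrate(cert, issuer):
    """Return (cert, issuer) copies with certificate.spec.acme.config moved
    to issuer.spec.acme.solvers[].selector.dnsNames. Inputs are not modified."""
    cert, issuer = copy.deepcopy(cert), copy.deepcopy(issuer)
    legacy = cert["spec"].pop("acme", None)  # field the v1 schema rejects
    if legacy is None:
        return cert, issuer  # nothing to migrate
    solvers = issuer["spec"]["acme"].setdefault("solvers", [])
    for entry in legacy.get("config", []):
        # A legacy entry holds one challenge type key plus its "domains" list.
        ctype = next((k for k in ("dns01", "http01") if k in entry), None)
        if ctype is None:
            raise ValueError(f"unrecognized legacy entry: {entry}")
        matches = [s for s in solvers if ctype in s]
        if len(matches) != 1:
            # Ambiguous or missing solver: a person must pick the target.
            raise ValueError(f"need exactly one {ctype} solver, found {len(matches)}")
        names = matches[0].setdefault("selector", {}).setdefault("dnsNames", [])
        for domain in entry.get("domains", []):
            if domain not in names:
                names.append(domain)
    # Make the reference explicit so a ClusterIssuer is not looked up as an Issuer.
    cert["spec"]["issuerRef"]["kind"] = issuer["kind"]
    return cert, issuer
```

The legacy `provider` name is discarded because the solver block on the issuer already carries the provider configuration.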