I'm attempting to upgrade cert-manager in my kubernetes cluster. Currently the version installed was pre crd name change and I'm trying to clean up the old CRDs.
> kubectl get crd | grep certmanager.k8s.io
certificates.certmanager.k8s.io 2020-01-31T08:25:56Z
challenges.certmanager.k8s.io 2020-01-31T08:25:56Z
clusterissuers.certmanager.k8s.io 2020-01-31T08:25:58Z
issuers.certmanager.k8s.io 2020-01-31T08:25:03Z
orders.certmanager.k8s.io 2020-01-31T08:25:08Z
After identifying the crds I delete them:
> kubectl delete customresourcedefinition certificates.certmanager.k8s.io challenges.certmanager.k8s.io clusterissuers.certmanager.k8s.io issuers.certmanager.k8s.io orders.certmanager.k8s.io
customresourcedefinition.apiextensions.k8s.io "certificates.certmanager.k8s.io" deleted
customresourcedefinition.apiextensions.k8s.io "challenges.certmanager.k8s.io" deleted
customresourcedefinition.apiextensions.k8s.io "clusterissuers.certmanager.k8s.io" deleted
customresourcedefinition.apiextensions.k8s.io "issuers.certmanager.k8s.io" deleted
customresourcedefinition.apiextensions.k8s.io "orders.certmanager.k8s.io" deleted
Following deletion kubectl get crd | grep certmanager.k8s.io shows no crds but after about 30 seconds they are regenerated. Where do I need to look to identify what's causing them to regenerate.
All other cert-manager resources have been deleted.
This has come about because I don't seem to be able to view/edit/delete resources in the new CRD but applying changes updates the (hidden) resource.
The behavior you are experiencing is probably caused by the Istio addon. When Istio is enabled in the cluster, the following resources are created:
certificates.certmanager.k8s.io,
challenges.certmanager.k8s.io,
clusterissuers.certmanager.k8s.io,
issuers.certmanager.k8s.io, and
orders.certmanager.k8s.io
.. and istio is in charge of reconciling them periodically. This means if you delete them manually they will get automatically recreated.
You can verify this by creating a sample cluster with enabling istio and then run the following command:
~$ kubectl get apiservices
~$ kubectl get customresourcedefinitions.apiextensions.k8s.io, and
~$ kubectl describe customresourcedefinitions.apiextensions.k8s.io certificates.certmanager.k8s.io
There is an addon with label “addonmanager.kubernetes.io/mode=Reconcile” which by definition periodically reconciles and this is the reason why the CRD (managed by Istio) kept getting recreated. For details you can refer to this URL. Please try disabling the addon before doing the deletion."