
Stop TLS certificates from being automatically recreated by cert-manager


I was investigating certain things about cert-manager.

TLS certificates are automatically recreated by cert-manager.

I need to somehow deregister a domain / certificate from being regenerated. I guess I would need to tell cert-manager not to take care of a given domain anymore.

I do not have any clue how to do that right now. Can someone help?


Solution

  • cert-manager is an application implemented using the operator pattern.

    In one sentence, it watches for a Custom Resource (CR for short) named Certificate in the Kubernetes API and it creates and updates Secret resources to store certificate data.

    If you delete the Secret resource but don't delete the Certificate CR, cert-manager will recreate the secret for you.

    The right way to "deregister a domain", or to put it better, "make cert-manager not generate a certificate for a domain any more", is to delete the Certificate CR related to your domain.

    To get a list of all the Certificate CRs in your cluster you can use kubectl:

    kubectl get certificate -A
    

    When you have found the Certificate related to the domain you want to delete, simply delete it:

    kubectl -n <namespace> delete certificate <certificate name>
    

    Once you have deleted the Certificate CR, you might also want to delete the Secret containing the TLS cert one more time. This time cert-manager will not recreate it.
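
The procedure in the answer above, as an added example that is not part of the original answer: it finds the Certificate CRs whose `spec.dnsNames` contain a given domain and prints the two delete commands (Certificate first, then its Secret) for review instead of running them. The function names are hypothetical, and the script assumes `kubectl` access to the cluster and that every Certificate sets `spec.secretName`.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of cert-manager or kubectl.

# One row per Certificate CR:
#   namespace<TAB>name<TAB>secretName<TAB>dnsNames (space-separated)
list_certs() {
  kubectl get certificate -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.secretName}{"\t"}{.spec.dnsNames[*]}{"\n"}{end}'
}

# Read list_certs rows on stdin; print namespace, name and secretName of
# every Certificate that lists exactly the domain given as $1.
# Runs in a subshell with globbing disabled so that a wildcard entry such
# as *.example.com is compared as text and never expanded against files.
match_domain() (
  set -f
  domain=$1
  while IFS="$(printf '\t')" read -r ns name secret names; do
    for n in $names; do
      if [ "$n" = "$domain" ]; then
        printf '%s\t%s\t%s\n' "$ns" "$name" "$secret"
        break
      fi
    done
  done
)

# Turn matched rows into the commands from the answer. The Certificate is
# deleted first; otherwise cert-manager recreates the Secret.
plan_delete() {
  while IFS="$(printf '\t')" read -r ns name secret; do
    printf 'kubectl -n %s delete certificate %s\n' "$ns" "$name"
    printf 'kubectl -n %s delete secret %s\n' "$ns" "$secret"
  done
}

# Usage (review the printed commands before running them):
#   list_certs | match_domain shop.example.com | plan_delete
```

If a Certificate was generated from a cert-manager issuer annotation on an Ingress, remove that annotation or the Ingress's `tls` entry as well, otherwise the Certificate is created again.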