Rancher upgrade has failed with an error no matches for kind "Issuer" in version "cert-manager.io/v1alpha2"

This document (000020805) is provided subject to the disclaimer at the end of this document.

Environment

Rancher 2.6.x

Situation

Rancher upgrade is failing due to the deprecated apiVersion for the cert-manager CRD. This affects cert-manager upgrades from an earlier release, for example upgrading cert-manager from 0.12 to 1.7.1, which in turn has the potential to create a deprecated apiVersion within the existing Rancher release manifest.

The relevant error message may appear as below and occurs when running the helm upgrade command to upgrade Rancher.

Error: UPGRADE FAILED: unable to build kubernetes objects from current release manifest: resource mapping not found for name: "rancher" namespace: "" from "": no matches for kind "Issuer" in version "cert-manager.io/v1alpha2" ensure CRDs are installed first

Resolution

Follow the below steps to edit the latest Helm v3 config for Rancher, and replace cert-manager.io/v1alpha2 with cert-manager.io/v1.

1. Execute the below command and locate the latest version of sh.helm.release.v1.rancher.v*

 kubectl get secrets -n cattle-system

2. Back up the object, this example assumes sh.helm.release.v1.rancher.v1 is the latest

kubectl get secret sh.helm.release.v1.rancher.v1 -n cattle-system -o yaml > helm-rancher-config.yaml

3. Decode the data.release field and save the output to yaml (jq must be installed before executing the below steps)

kubectl get secrets sh.helm.release.v1.rancher.v1 -n cattle-system -o json | jq .data.release | tr -d '"' | base64 -d | base64 -d | gzip -d > helm-rancher-config-data-decoded.yaml

4. Change the apiVersion from v1/alpha2 to v1.

sed -e 's/cert-manager.io\/v1alpha2/cert-manager.io\/v1/' helm-rancher-config-data-decoded.yaml > helm-rancher-config-data-decoded-replaced.yaml

5. Store the encoded data in a variable to reuse in the next step

releaseData=$(cat helm-rancher-config-data-decoded-replaced.yaml | gzip | base64 | base64 | tr -d "\n")

6. Replace the release data

sed 's/^\(\s*release\s*:\s*\).*/\1'$releaseData'/' helm-rancher-config.yaml > helm-rancher-config-final.yaml

7. Apply the yaml

kubectl apply -f helm-rancher-config-final.yaml -n cattle-system

Cause

Old CRD's are not deleted properly after the upgrade of cert-manager, this may cause a deprecated apiVersion to be used in the Rancher release manifest.

Status

Top Issue

Additional Information

The correct way of upgrading cert-manager is in the below link
https://docs.ranchermanager.rancher.io/getting-started/installation-and-upgrade/resources/upgrade-cert-manager#option-a-upgrade-cert-manager-with-internet-access

Below is a snippet of helm get manifest -n cattle-system rancher which uses old CRDs, and thus has deprecated apiVersions.

---
# Source: rancher/templates/issuer-rancher.yaml
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.6.6
    heritage: Helm
    release: rancher
spec:
  ca:
    secretName: tls-rancher

As in the above, /v1apha2 is referenced, this version has been deprecated.

Command to get the available apiVersion for cert-manager

kubectl get --raw /apis/cert-manager.io | jq .

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.