From 30b8a24e567263a05db61a637fef620d71d290f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?= Date: Thu, 2 Apr 2026 23:55:34 +0000 Subject: [PATCH] modified: README.md --- README.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/README.md b/README.md index 222ac1e..e89fa5c 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,7 @@ Kubernetes is an open‑source platform that automates the deployment, scaling, - [host cli](#host-cli) - [host cli - check port usage](#host-cli---check-port-usage) - [cert-manager](#cert-manager) + - [Removing cert‑manager Metadata from Secrets](#removing-certmanager-metadata-from-secrets) ## Namespaces 
@@ -786,3 +787,55 @@ kubectl delete challenge -A --all kubectl delete order -A --all ``` + +### Removing cert‑manager Metadata from Secrets + +When migrating clusters or taking manual control of TLS certificates, you may need to fully detach a Secret from cert‑manager. Cert‑manager uses labels and annotations to track ownership, ACME challenge state, and renewal configuration. If these remain, cert‑manager may attempt to “adopt” or overwrite the Secret. + +This guide shows how to safely remove all cert‑manager metadata so the Secret becomes unmanaged. + +**View Secrets Managed by cert‑manager:** + +``` bash +kubectl get secrets -A --show-labels | grep cert-manager +``` + +This lists Secrets that contain cert‑manager labels or annotations. + +**Remove cert‑manager Labels and Annotations:** + +``` bash +SECRET_NAME=chimera-limbosolutions-com-tls +NAMESPACE=ignition-provisioner + +# Remove cert-manager annotations +kubectl annotate secret ${SECRET_NAME} -n ${NAMESPACE} \ + cert-manager.io/alt-names- \ + cert-manager.io/common-name- \ + cert-manager.io/ip-sans- \ + cert-manager.io/issuer-group- \ + cert-manager.io/issuer-kind- \ + cert-manager.io/issuer-name- \ + cert-manager.io/uri-sans- \ + cert-manager.io/certificate-name- \ + acme.cert-manager.io/http-domain- \ + acme.cert-manager.io/dns-domain- \ + kubectl.kubernetes.io/last-applied-configuration- + +# Remove cert-manager controller labels +kubectl label secret ${SECRET_NAME} -n ${NAMESPACE} \ + controller.cert-manager.io/fao- \ + controller.cert-manager.io/owner-kind- \ + controller.cert-manager.io/owner-name- \ + controller.cert-manager.io/owner-group- +``` + +After this cleanup, the Secret is fully detached from cert‑manager and will no longer be renewed, validated, or overwritten. + +**Verify Cleanup:** + +``` bash +kubectl get secrets -A --show-labels | grep cert-manager +``` + +If the Secret no longer appears, it is now unmanaged.
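Review bot: In the table-of-contents hunk (`@@ -58,6 +58,7 @@`), the new entry spells the name with a non-ASCII hyphen (`cert‑manager`) while the existing entry directly above it uses the plain form, `[cert-manager](#cert-manager)`, and the link target is written with no hyphen at all (`#removing-certmanager-metadata-from-secrets`). Use the ASCII hyphen in both the heading and this entry, and update the target to `#removing-cert-manager-metadata-from-secrets`, so the section is found by a plain-text search for `cert-manager` and the anchor is consistent with the rest of the list.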
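Review bot: In the added section (`@@ -786,3 +787,55 @@`), the "Verify Cleanup" step cannot confirm what the text claims. `kubectl get secrets -A --show-labels | grep cert-manager` prints labels only, so leftover `cert-manager.io/*` annotations never show up, and the grep also matches any Secret whose name or namespace contains `cert-manager`. Inspect the one Secret directly instead, for example `kubectl get secret "${SECRET_NAME}" -n "${NAMESPACE}" -o jsonpath='{.metadata.labels}{.metadata.annotations}'`, and correct the sentence "This lists Secrets that contain cert‑manager labels or annotations" under the first command. The section also states the Secret "will no longer be renewed, validated, or overwritten", but no step deletes or repoints the Certificate resource that names this Secret in `spec.secretName`; while that Certificate exists cert-manager keeps reconciling the Secret, so add that step before the annotation cleanup or soften the claim. Finally, `kubectl.kubernetes.io/last-applied-configuration-` removes kubectl's own apply state rather than cert-manager metadata, so it should carry a comment explaining why it is in the list or be dropped.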