modified: README.md
53
README.md
@@ -58,6 +58,7 @@ Kubernetes is an open‑source platform that automates the deployment, scaling,
|
||||
- [host cli](#host-cli)
|
||||
- [host cli - check port usage](#host-cli---check-port-usage)
|
||||
- [cert-manager](#cert-manager)
|
||||
- [Removing cert‑manager Metadata from Secrets](#removing-certmanager-metadata-from-secrets)
|
||||
|
||||
## Namespaces
|
||||
|
||||
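Review bot: The new table-of-contents entry spells cert‑manager with a non-breaking hyphen (U+2011), unlike the `[cert-manager](#cert-manager)` entry directly above it, so its anchor `#removing-certmanager-metadata-from-secrets` loses the hyphen and a text search of the README for cert-manager will not find this entry. Use the ASCII hyphen in the link text and in the section heading, and update the anchor to `#removing-cert-manager-metadata-from-secrets` to match.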
@@ -786,3 +787,55 @@ kubectl delete challenge -A --all
|
||||
kubectl delete order -A --all
|
||||
|
||||
```
|
||||
|
||||
### Removing cert‑manager Metadata from Secrets
|
||||
|
||||
When migrating clusters or taking manual control of TLS certificates, you may need to fully detach a Secret from cert‑manager. Cert‑manager uses labels and annotations to track ownership, ACME challenge state, and renewal configuration. If these remain, cert‑manager may attempt to “adopt” or overwrite the Secret.
|
||||
|
||||
This guide shows how to safely remove all cert‑manager metadata so the Secret becomes unmanaged.
|
||||
|
||||
**View Secrets Managed by cert‑manager:**
|
||||
|
||||
``` bash
|
||||
kubectl get secrets -A --show-labels | grep cert-manager
|
||||
```
|
||||
|
||||
This lists Secrets that contain cert‑manager labels or annotations.
|
||||
|
||||
**Remove cert‑manager Labels and Annotations:**
|
||||
|
||||
``` bash
|
||||
SECRET_NAME=chimera-limbosolutions-com-tls
|
||||
NAMESPACE=ignition-provisioner
|
||||
|
||||
# Remove cert-manager annotations
|
||||
kubectl annotate secret ${SECRET_NAME} -n ${NAMESPACE} \
|
||||
cert-manager.io/alt-names- \
|
||||
cert-manager.io/common-name- \
|
||||
cert-manager.io/ip-sans- \
|
||||
cert-manager.io/issuer-group- \
|
||||
cert-manager.io/issuer-kind- \
|
||||
cert-manager.io/issuer-name- \
|
||||
cert-manager.io/uri-sans- \
|
||||
cert-manager.io/certificate-name- \
|
||||
acme.cert-manager.io/http-domain- \
|
||||
acme.cert-manager.io/dns-domain- \
|
||||
kubectl.kubernetes.io/last-applied-configuration-
|
||||
|
||||
# Remove cert-manager controller labels
|
||||
kubectl label secret ${SECRET_NAME} -n ${NAMESPACE} \
|
||||
controller.cert-manager.io/fao- \
|
||||
controller.cert-manager.io/owner-kind- \
|
||||
controller.cert-manager.io/owner-name- \
|
||||
controller.cert-manager.io/owner-group-
|
||||
```
|
||||
|
||||
After this cleanup, the Secret is fully detached from cert‑manager and will no longer be renewed, validated, or overwritten.
|
||||
|
||||
**Verify Cleanup:**
|
||||
|
||||
``` bash
|
||||
kubectl get secrets -A --show-labels | grep cert-manager
|
||||
```
|
||||
|
||||
If the Secret no longer appears, it is now unmanaged.
|
||||
|
||||
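Review bot: The sentence after the cleanup commands claims the Secret "will no longer be renewed, validated, or overwritten", but no step here deletes or retargets the Certificate resource whose `secretName` is this Secret; while that Certificate exists, cert-manager reconciles the Secret again, restores the metadata, and can replace the key material on renewal. Add a step before the cleanup that identifies the owning Certificate (the `cert-manager.io/certificate-name` annotation being removed names it) and removes or repoints it, and check the Secret's `metadata.ownerReferences` first so that deleting the Certificate does not garbage-collect the Secret. The verification step also cannot confirm the result: `kubectl get secrets -A --show-labels | grep cert-manager` prints labels only, so leftover annotations never show up, and it matches any Secret whose name or namespace contains cert-manager, so "no longer appears" is not a reliable signal; inspect `.metadata.labels` and `.metadata.annotations` of the one Secret instead. `kubectl.kubernetes.io/last-applied-configuration-` is not a cert-manager annotation and should get its own comment saying why it is dropped, and `${SECRET_NAME}` and `${NAMESPACE}` should be quoted.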