cert-manager is a widely adopted Kubernetes add-on that automates the issuance and renewal of TLS certificates for cluster workloads. By integrating with multiple certificate authorities (including ACME providers like Let’s Encrypt), cert-manager streamlines the process of requesting and validating certificates, significantly reducing manual effort. It continuously monitors certificate expiration and renews them ahead of time, ensuring secure communication for applications at scale.
However, for teams that rely on cert-manager in their clusters, upgrading this add-on can present significant operational risks—such as changes to CRDs, renamed API fields, or new webhook requirements that come with newer Kubernetes versions. Without careful planning, such changes could lead to failed certificate issuances or unexpected downtime after an upgrade. In this post, we’ll show you how Chkk’s Operational Safety Platform offers an end-to-end solution for managing cert-manager upgrades.
Chkk tracks cert-manager release notes to highlight new features, breaking changes, or CRD updates relevant to your environment. It alerts you to shifts—like renamed or removed API versions—so you can adapt configurations before upgrading. Each curated summary points out potential operational impacts, saving your team from going through long upstream changelogs. This way, you stay focused on what matters and avoid unexpected issues during upgrades.
Before any upgrade, Chkk’s preflight checks validate that your cluster meets cert-manager’s requirements: for example, verifying the Kubernetes version compatibility, ensuring CRDs and the cert-manager webhook are ready, and flagging any deprecated APIs in use that might be removed in the new release.
After the upgrade, postflight checks confirm everything is functioning correctly—healthy controller pods, a responsive webhook, and successful certificate issuance/renewals. This two-step validation ensures certificate management continues uninterrupted, quickly catching any errors so teams can address issues early.
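One of the preflight checks described above, flagging resources that still use an API version the target release no longer serves, can be sketched as a manifest scan. This is an added example, not Chkk's or cert-manager's own code; the removed-version list (upstream cert-manager v1.6 stopped serving `v1alpha2`, `v1alpha3` and `v1beta1`) is an assumption not stated on this page, and the function name and sample manifests are constructed for illustration.

```python
import re

# Assumption (upstream cert-manager, not stated on this page): v1.6 stopped
# serving these versions of its two API groups.
GROUPS = {"cert-manager.io", "acme.cert-manager.io"}
REMOVED_VERSIONS = {"v1alpha2", "v1alpha3", "v1beta1"}

FIELD = re.compile(r"^([ \t]*)(apiVersion|kind|name):[ \t]*['\"]?([^'\"#\s]+)", re.M)

def find_removed_apis(manifest_text):
    """Return (kind, name, apiVersion) for every document on a removed version."""
    findings = []
    for doc in re.split(r"^---[ \t]*$", manifest_text, flags=re.M):
        fields = {}
        for indent, key, value in FIELD.findall(doc):
            # Heuristic instead of a YAML parser: apiVersion/kind must be
            # top-level; the first indented "name:" is taken as metadata.name.
            top_level = not indent
            if (key == "name" and not top_level) or (key != "name" and top_level):
                fields.setdefault(key, value)
        group, _, version = fields.get("apiVersion", "").rpartition("/")
        if group in GROUPS and version in REMOVED_VERSIONS:
            findings.append((fields.get("kind", "?"), fields.get("name", "?"),
                             fields["apiVersion"]))
    return findings

# Constructed sample input: four manifests as they might sit in a Git repo.
SAMPLE_MANIFESTS = """\
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: web-tls
  namespace: shop
spec:
  secretName: web-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
---
apiVersion: acme.cert-manager.io/v1beta1
kind: Challenge
metadata:
  name: web-tls-challenge
---
apiVersion: v1
kind: Service
metadata:
  name: web
"""

if __name__ == "__main__":
    for kind, name, api in find_removed_apis(SAMPLE_MANIFESTS):
        print(f"{kind}/{name} uses removed API version {api}")
```

Scanning source manifests complements a check against the live cluster, because the API server may hand back stored objects converted to a newer version while the files in Git still carry the old one.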
Chkk continuously monitors cert-manager’s release timeline and support lifecycle, flagging EOL risks or critical security patches for the version you’re running. It factors in Kubernetes version compatibility to recommend the safest, most stable release to upgrade to. You’ll receive alerts well before your current version becomes unsafe or unsupported, along with suggestions for the best minor version to minimize breaking changes. Following these recommendations helps you stay ahead of critical updates and avoid running outdated, risky versions of cert-manager.
Whether you prefer an in-place update or a blue-green deployment, Chkk provides step-by-step Upgrade Templates tailored to cert-manager:
Both strategies come with detailed checks and defined rollback points, letting you handle both minor version bumps and major changes with peace of mind.
For major or complex upgrades—especially those involving significant cert-manager changes or new ACME configurations—Chkk’s preverification feature tests the process in a controlled environment before you apply it in production. It spins up a test environment with your Issuer and Certificate custom resources, runs the new cert-manager controller, and checks for issues on the target version. This “dry-run” upgrade lets you identify and fix problems ahead of time. By validating your exact setup against the new version, preverification greatly reduces downtime risk and gives you confidence in a smooth upgrade.
Whether your team installs cert-manager via the official Helm chart, operators, or raw YAML manifests, Chkk seamlessly integrates into your deployment workflow. It adapts to custom installation scenarios, supporting private container registries, custom-built cert-manager images, or vendor-specific cert-manager forks, ensuring that the Upgrade Plan aligns with your existing management methods. Regardless of deployment style, Chkk’s comprehensive coverage guarantees consistency and repeatability in the upgrade process across all your environments.
Chkk Operational Safety Platform simplifies upgrades, reduces risk, and keeps your Kubernetes infrastructure operational. Here’s how that applies to cert-manager upgrades:
Try Chkk Upgrade Copilot to experience how these extended capabilities can simplify your upgrade processes for cert-manager and hundreds of other Kubernetes add-ons, application services, and open source projects. We look forward to helping you achieve seamless, secure, and efficient operations.