Cert-manager: Cannot deploy 0.11 CRDs to Kubernetes 1.14

Created on 12 Oct 2019 · 11 Comments · Source: jetstack/cert-manager

Describe the bug:
Got a validation error when applying the 0.11 CRDs to Kubernetes 1.14

error: error validating "https://raw.githubusercontent.com/jetstack/cert-manager/v0.11.0/deploy/manifests/00-crds.yaml": error validating data: ValidationError(CustomResourceDefinition.spec.validation.openAPIV3Schema.properties.spec.properties.solver.properties.dns01.properties.webhook.properties.config): unknown field "x-kubernetes-preserve-unknown-fields" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps; if you choose to ignore these errors, turn validation off with --validate=false

Expected behaviour:
No error.

Steps to reproduce the bug:

kubectl apply \
    -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml

Anything else we need to know?:

Environment details:

  • Kubernetes version: v1.14.7-eks-e9b1d0
  • Cloud-provider/provisioner: AWS EKS
  • cert-manager version: 0.11

/kind bug

All 11 comments

The installation notes mention that you need to include '--validate=false' when installing the CRDs. This is a known issue, but there is no other negative effect to the workaround 😀

Sorry, missed that. Thanks.

Within https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager#installing-the-chart I also missed that. It is not mentioned there. Just in case you are using Helm to install.

I don't see those notes anywhere.

Why do people keep telling people to turn off validation... it's there for a reason. This just opens the door for making mistakes that are not picked up.

This whole thing feels like a big old code smell. It makes it a ton more difficult to deploy this helm chart with something like FluxCD

Why has this been closed? As @cannibal-kush has commented, it makes it pretty much impossible to deploy cert-manager with something like Flux.

I'm happy to help in any way with the CRDs when I have time?

Is this still the case with 0.12? EDIT: yes, still an issue.

This is still an issue for us in Flux. Our logs are filling up with this:

ts=2019-12-03T15:31:30.447535936Z caller=sync.go:548 method=Sync cmd="kubectl apply -f -" took=209.956653ms err="running kubectl: error: error validating \"STDIN\": error validating data: ValidationError(CustomResourceDefinition.spec): unknown field \"preserveUnknownFields\" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec; if you choose to ignore these errors, turn validation off with --validate=false" output=
ts=2019-12-03T15:31:30.648673299Z caller=sync.go:548 method=Sync cmd="kubectl apply -f -" took=201.045961ms err="running kubectl: error: error validating \"STDIN\": error validating data: ValidationError(CustomResourceDefinition.spec): unknown field \"preserveUnknownFields\" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec; if you choose to ignore these errors, turn validation off with --validate=false" output=
ts=2019-12-03T15:31:30.792460696Z caller=sync.go:548 method=Sync cmd="kubectl apply -f -" took=143.719147ms err="running kubectl: error: error validating \"STDIN\": error validating data: [ValidationError(CustomResourceDefinition.spec): unknown field \"preserveUnknownFields\" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec, ValidationError(CustomResourceDefinition.spec.validation.openAPIV3Schema.properties.spec.properties.solver.properties.dns01.properties.webhook.properties.config): unknown field \"x-kubernetes-preserve-unknown-fields\" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps]; if you choose to ignore these errors, turn validation off with --validate=false" output=
ts=2019-12-03T15:31:31.006052236Z caller=sync.go:548 method=Sync cmd="kubectl apply -f -" took=213.517609ms err="running kubectl: error: error validating \"STDIN\": error validating data: ValidationError(CustomResourceDefinition.spec): unknown field \"preserveUnknownFields\" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec; if you choose to ignore these errors, turn validation off with --validate=false" output=
ts=2019-12-03T15:31:31.162814047Z caller=sync.go:548 method=Sync cmd="kubectl apply -f -" took=156.67057ms err="running kubectl: error: error validating \"STDIN\": error validating data: ValidationError(CustomResourceDefinition.spec): unknown field \"preserveUnknownFields\" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec; if you choose to ignore these errors, turn validation off with --validate=false" output=
ts=2019-12-03T15:31:31.302665184Z caller=sync.go:548 method=Sync cmd="kubectl apply -f -" took=139.760596ms err="running kubectl: error: error validating \"STDIN\": error validating data: ValidationError(CustomResourceDefinition.spec): unknown field \"preserveUnknownFields\" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec; if you choose to ignore these errors, turn validation off with --validate=false" output=
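
A blanket `--validate=false` silences every client-side validation error, not only the two shown in the log above. As an added example (not from this thread or from the cert-manager or Flux projects), the script below triages such log lines so that anything other than those two fields is surfaced for review; the function names, the allowlist and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# The two fields the thread reports Kubernetes 1.14 rejecting in the 0.11/0.12 CRDs.
KNOWN_FIELDS = {"preserveUnknownFields", "x-kubernetes-preserve-unknown-fields"}

# One entry of kubectl's validation output: "ValidationError(<path>): <message>".
ENTRY = re.compile(
    r'ValidationError\(([^)]*)\): (.*?)(?=, ValidationError\(|\]?; if you choose|$)')
UNKNOWN_FIELD = re.compile(r'unknown field "([^"]+)" in ([\w.-]+)$')

def parse_validation_errors(line):
    """Return (path, message, unknown_field_or_None) per ValidationError in a log line."""
    text = line.replace('\\"', '"')  # quotes are backslash-escaped inside err="..."
    entries = []
    for path, message in ENTRY.findall(text):
        hit = UNKNOWN_FIELD.match(message)
        entries.append((path, message, hit.group(1) if hit else None))
    return entries

def triage(lines):
    """Count the known schema-skew errors and collect everything else for review."""
    known, unexpected = Counter(), []
    for line in lines:
        for path, message, field in parse_validation_errors(line):
            if field in KNOWN_FIELDS:
                known[field] += 1
            else:
                unexpected.append((path, message))
    return known, unexpected

# Constructed sample lines in the format of the Flux log above (not real output).
CRD = "io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1"
HEAD = 'err="running kubectl: error: error validating \\"STDIN\\": error validating data: '
TAIL = ('; if you choose to ignore these errors, turn validation off with '
        '--validate=false" output=')
SAMPLE = [
    HEAD + '[ValidationError(CustomResourceDefinition.spec): unknown field '
    '\\"preserveUnknownFields\\" in ' + CRD + '.CustomResourceDefinitionSpec, '
    'ValidationError(CustomResourceDefinition.spec.validation.openAPIV3Schema): '
    'unknown field \\"x-kubernetes-preserve-unknown-fields\\" in '
    + CRD + '.JSONSchemaProps]' + TAIL,
    # A typo in an unrelated manifest: the kind of mistake validation exists to catch.
    HEAD + 'ValidationError(Job.spec.template.spec): unknown field '
    '\\"serviceAcount\\" in io.k8s.api.core.v1.PodSpec' + TAIL,
]

if __name__ == "__main__":
    known, unexpected = triage(SAMPLE)
    print("known schema-skew errors:", dict(known))
    for path, message in unexpected:
        print("REVIEW:", path, "->", message)
```
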

Hi all!

Maybe there is a workaround for this problem; I came up with this "solution":

If you have this dir layout:

fluxcd-config/
    releases/
        cert-manager/
            01-issuer-prod.yml
            02-issuer-stag.yml
            03-helmrelease-cert-manager.yaml

You can put one more file there, like this:

fluxcd-config/
    releases/
        cert-manager/
            00-flux-job.yaml
            ...

And this file contains the following:

apiVersion: batch/v1
kind: Job
metadata:
  name: cert-man-flux-job
  namespace: kube-system
spec:
  template:
    spec:
      containers:
      - name: cert-man-flux-job
        image: bitnami/kubectl:1.12
        command: ["bash", "-c"]
        args:
        - |
          set -ex
          kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
          ### check crds condition if you want !
          # kubectl wait --for condition=established --timeout=60s crd/< crd name >
          # tail -f /dev/null
          exit 0
      restartPolicy: Never
      serviceAccount: helm
      serviceAccountName: helm
  backoffLimit: 4

Cuz Flux reads all YAML files in numeric order, this will be the first and will install the necessary CRDs ...

It's not perfect, I know, like you can't pause Flux before it installs the other files, like '01-issuer-prod.yml, 02-issuer-stag.yml', and it will fail cuz the CRDs are not installed yet.

I hope this will be useful in some way :D !
