Operator not creating Issuer or Certificate


On one of our clusters, we noticed that the certificate expired, so we had to manually renew them. We do have cert-manager installed, so this wasn’t expected. If I remove the SSL secrets, the operator recreates them directly without creating an Issuer or Certificate. I’m guessing something is going wrong when it’s trying to use cert-manager, but I don’t see any indication of problems in the pxc-operator logs.

Steps to Reproduce:

Follow Transport Encryption (TLS/SSL) - Percona Operator for MySQL based on Percona XtraDB Cluster, then see new secrets created, but no cert-manager Issuer or Certificate resources.




There are no logs or error messages in the pxc-operator pod about cert-manager or TLS.

Expected Result:

I expect the operator to create new cert-manager Issuers and Certificates rather than creating the secrets directly. This works just fine on our other clusters.

Actual Result:

The PXC operator creates the SSL secrets without cert-manager.

Additional Information:


I think I figured this out. When I try to manually create the same Issuer as on another system, I get this error:

unable to recognize no matches for kind “Issuer” in version “cert-manager.io/v1

The version of cert-manager on the failing system is 0.14.1, which doesn’t have the v1 version of Issuer yet, just v1alpha2 and v1alpha3.

I think it would be nice to document the minimum required version of cert-manager (if it’s not already documented), and perhaps log an error or warning message showing why the operator isn’t using cert-manager for certificates. That would make it easier for others who run into this same problem.

Hello @dgloe,
The documentation shows installing version 0.14.2

Does that version have the v1 Issuer?