From c8946a89651a135f2fcae5e517374cdfeab307a6 Mon Sep 17 00:00:00 2001 From: ops Date: Wed, 29 Apr 2026 21:41:40 +0200 Subject: [PATCH] cert-manager subchart: use dep-name alias + crds.enabled (v1.16 install fix) --- Chart.yaml | 4 ++-- values.yaml | 24 +++++++++++++++++++----- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index e630cac..4691cdf 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -23,8 +23,8 @@ description: | Git). type: application -version: 0.2.1 -appVersion: "0.2.1" +version: 0.2.2 +appVersion: "0.2.2" dependencies: - name: cert-manager diff --git a/values.yaml b/values.yaml index 729013e..86f234a 100644 --- a/values.yaml +++ b/values.yaml @@ -24,13 +24,27 @@ acme: email: m@havari.me server: https://acme-v02.api.letsencrypt.org/directory -# certManager — the upstream jetstack chart, pinned at v1.16.1 by -# Chart.yaml's dependency. We turn on CRDs + force the namespace so -# the ClusterIssuer template below can reference solver Secrets in -# `cert-manager` ns. +# certManager — gate for the conditional in Chart.yaml dependencies. +# Helm reads this for the `condition: certManager.enabled` flag only; +# the actual subchart values live below under the dep name `cert-manager`. certManager: enabled: true - installCRDs: true + +# cert-manager — values passed THROUGH to the upstream jetstack subchart +# (Chart.yaml dependency name = "cert-manager"). Subchart values must +# nest under the dep name, not under our top-level `certManager` alias — +# putting them under `certManager:` does nothing. +# +# crds.enabled — install the cert-manager CRDs in the same release. The +# v1.14+ jetstack chart renamed `installCRDs` to `crds.enabled`; the +# old key is silently ignored, leaving the CRDs absent and any +# Certificate / ClusterIssuer manifest failing with "no matches for kind". +# crds.keep — leave CRDs in place if the chart is uninstalled. Safer for +# disconnect flows where the customer might re-add the cluster later. +cert-manager: + crds: + enabled: true + keep: true # traefik — upstream chart. LoadBalancer Service so the customer's # k3s servicelb maps :80/:443 to the host. Tower currently doesn't