
Migrate from Operator-generated or custom certificates to cert-manager

You can start using cert-manager for TLS certificate lifecycle management if you have previously deployed your cluster with auto-generated or custom certificates. The use of cert-manager provides automatic certificate renewal, configurable validity periods, and centralized certificate management across your Kubernetes cluster.

Read more about cert-manager in About cert-manager.

Migration steps

  1. Export the cluster name and the namespace where the cluster is running as environment variables:

    export CLUSTER_NAME=<cluster1>
    export NAMESPACE=<namespace>
    
  2. Pause the cluster to stop reconciliation before you change TLS resources. Run the following command to patch your running cluster:

    kubectl patch -n $NAMESPACE pxc $CLUSTER_NAME --type merge --patch '{
      "spec": {
        "pause": true
      }
    }'
    
  3. Verify the cluster status:

    kubectl get pxc $CLUSTER_NAME -n $NAMESPACE
    

    Wait until the cluster status is Paused. You can also check the pods with kubectl get pods -n $NAMESPACE.

  4. Deploy cert-manager:

    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.20.2/cert-manager.yaml
    

    This command installs cert-manager in the default cert-manager namespace.

  5. Verify that cert-manager is running:

    kubectl get pods -n cert-manager
    
  6. Delete the TLS Secrets. Follow the sub-steps that match how your cluster was deployed.

    If you deployed the cluster with Operator-generated certificates:

    1. List the Secrets:

      kubectl get secrets -n $NAMESPACE -o custom-columns=NAME:.metadata.name,TYPE:.type | grep -E 'NAME|ssl'
      
      Expected output
      cluster1-ssl            kubernetes.io/tls
      cluster1-ssl-internal   kubernetes.io/tls
      
    2. Delete the Secrets:

      kubectl delete secret $CLUSTER_NAME-ssl $CLUSTER_NAME-ssl-internal -n $NAMESPACE
      
    If you deployed the cluster with custom certificates:

    1. Update the Custom Resource and remove all references to the Secrets that contain your custom certificates:

      kubectl -n $NAMESPACE patch pxc $CLUSTER_NAME --type merge --patch '{
        "spec": {
          "sslSecretName": null,
          "sslInternalSecretName": null
        }
      }'
      
    2. Delete the Secrets. This includes both your custom Secrets and the ones generated by the Operator:

      kubectl delete secret <sslSecretName-value> <sslInternalSecretName-value> -n $NAMESPACE
      kubectl delete secret $CLUSTER_NAME-ssl $CLUSTER_NAME-ssl-internal -n $NAMESPACE
      
  7. Resume the cluster. Set spec.pause back to false:

    kubectl patch -n $NAMESPACE pxc $CLUSTER_NAME --type merge --patch '{
      "spec": {
        "pause": false
      }
    }'
    

The Operator detects the missing Secrets, sees cert-manager installed, requests new certificates from cert-manager, creates the Secrets, and resumes the cluster.

Verify the migration

After the cluster is running, verify that cert-manager resources were created:

kubectl get issuers -n $NAMESPACE
kubectl get certificates -n $NAMESPACE
kubectl get secret $CLUSTER_NAME-ca-cert $CLUSTER_NAME-ssl $CLUSTER_NAME-ssl-internal -n $NAMESPACE
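
The migration steps and the verification above, scripted as one POSIX shell file with an explicit wait between each step so that no TLS resource is touched while the Operator is still reconciling. This is an added example, not part of the Percona documentation. It assumes kubectl is on PATH and CLUSTER_NAME and NAMESPACE are exported as in step 1; the optional CUSTOM_SSL_SECRET and CUSTOM_SSL_INTERNAL_SECRET variables, the lowercase "paused" and "ready" values of .status.state, and the final check that each recreated Secret carries the cert-manager.io/certificate-name annotation (which cert-manager sets on Secrets it issues) are assumptions of this example, not statements from the page.

```shell
#!/usr/bin/env sh
# Added example, not from the Percona documentation: the migration steps above
# as one script with explicit waits between them.
# Assumes: kubectl on PATH; CLUSTER_NAME and NAMESPACE exported (step 1).
# Optional (custom-certificate case): CUSTOM_SSL_SECRET / CUSTOM_SSL_INTERNAL_SECRET
# hold the names you put in spec.sslSecretName / spec.sslInternalSecretName.
set -eu

KUBECTL="${KUBECTL:-kubectl}"   # overridable so the helpers can be exercised without a cluster
CERT_MANAGER_MANIFEST="${CERT_MANAGER_MANIFEST:-https://github.com/cert-manager/cert-manager/releases/download/v1.20.2/cert-manager.yaml}"

# JSON merge patch that sets spec.pause to "$1" (true or false).
pause_patch() { printf '{"spec":{"pause":%s}}' "$1"; }

# JSON merge patch that drops the references to custom TLS Secrets.
unset_ssl_patch() { printf '{"spec":{"sslSecretName":null,"sslInternalSecretName":null}}'; }

# Poll "command..." until its stdout equals <wanted>; give up after <attempts>.
# Usage: wait_for <wanted> <attempts> <sleep_seconds> command...
wait_for() {
  wanted="$1"; attempts="$2"; delay="$3"; shift 3
  n=0
  while [ "$n" -lt "$attempts" ]; do
    if [ "$("$@" 2>/dev/null)" = "$wanted" ]; then return 0; fi
    n=$((n + 1)); sleep "$delay"
  done
  return 1
}

# .status.state of the cluster; assumed to be "paused" / "ready" (the STATUS
# column shown by kubectl get pxc).
cluster_state() {
  "$KUBECTL" get pxc "$CLUSTER_NAME" -n "$NAMESPACE" -o jsonpath='{.status.state}'
}

# Annotation cert-manager sets on Secrets it issues. Non-empty means the Secret
# was created from a Certificate resource, not by the Operator's own generator.
secret_cert_name() {
  "$KUBECTL" get secret "$1" -n "$NAMESPACE" \
    -o jsonpath='{.metadata.annotations.cert-manager\.io/certificate-name}'
}

migrate() {
  # Steps 2-3: pause and wait for the Operator to stop reconciling.
  "$KUBECTL" patch -n "$NAMESPACE" pxc "$CLUSTER_NAME" --type merge --patch "$(pause_patch true)"
  wait_for paused 60 5 cluster_state

  # Steps 4-5: install cert-manager and wait for its Deployments to be Available.
  "$KUBECTL" apply -f "$CERT_MANAGER_MANIFEST"
  "$KUBECTL" wait --for=condition=Available deployment --all -n cert-manager --timeout=180s

  # Step 6 (custom certificates): drop the CR references, then delete the custom Secrets.
  if [ -n "${CUSTOM_SSL_SECRET:-}" ] || [ -n "${CUSTOM_SSL_INTERNAL_SECRET:-}" ]; then
    "$KUBECTL" patch -n "$NAMESPACE" pxc "$CLUSTER_NAME" --type merge --patch "$(unset_ssl_patch)"
    # Unquoted on purpose: an unset name expands to nothing instead of an empty argument.
    "$KUBECTL" delete secret ${CUSTOM_SSL_SECRET:-} ${CUSTOM_SSL_INTERNAL_SECRET:-} -n "$NAMESPACE" --ignore-not-found
  fi
  # Step 6 (both cases): delete the Operator-generated Secrets.
  "$KUBECTL" delete secret "$CLUSTER_NAME-ssl" "$CLUSTER_NAME-ssl-internal" -n "$NAMESPACE" --ignore-not-found

  # Step 7: resume, then wait until the Operator has re-issued certificates and the cluster is ready.
  "$KUBECTL" patch -n "$NAMESPACE" pxc "$CLUSTER_NAME" --type merge --patch "$(pause_patch false)"
  wait_for ready 120 10 cluster_state

  # Verification: cert-manager objects exist and the recreated Secrets were issued by cert-manager.
  "$KUBECTL" get issuers,certificates -n "$NAMESPACE"
  "$KUBECTL" get secret "$CLUSTER_NAME-ca-cert" "$CLUSTER_NAME-ssl" "$CLUSTER_NAME-ssl-internal" -n "$NAMESPACE"
  for s in "$CLUSTER_NAME-ssl" "$CLUSTER_NAME-ssl-internal"; do
    [ -n "$(secret_cert_name "$s")" ] || { echo "Secret $s is not managed by cert-manager" >&2; return 1; }
  done
}

# Run the migration only when invoked as: sh migrate-to-cert-manager.sh run
if [ "${1:-}" = run ]; then migrate; fi
```

The waits are the point of the script: deleting the Secrets before the cluster has reached Paused, or before cert-manager's webhook is Available, leaves the Operator racing against the migration and can end with a Secret regenerated by the Operator rather than issued by cert-manager; the annotation check at the end catches exactly that outcome.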

Last update: June 5, 2026
Created: June 5, 2026