Rancher upgrade has failed with an error no matches for kind "Issuer" in version "cert-manager.io/v1alpha2"

This document (000020805) is provided subject to the disclaimer at the end of this document.


Rancher 2.6.x


Rancher upgrade is failing due to the deprecated apiVersion for the cert-manager CRD. This affects cert-manager upgrades from an earlier release, for example upgrading cert-manager from 0.12 to 1.7.1, which in turn has the potential to create a deprecated apiVersion within the existing Rancher release manifest.

The relevant error message may appear as below and occurs when running the helm upgrade command to upgrade Rancher.
Error: UPGRADE FAILED: unable to build kubernetes objects from current release manifest: resource mapping not found for name: "rancher" namespace: "" from "": no matches for kind "Issuer" in version "cert-manager.io/v1alpha2" ensure CRDs are installed first


Follow the below steps to edit the latest Helm v3 config for Rancher, and replace cert-manager.io/v1alpha2 with cert-manager.io/v1.

1. Execute the below command and locate the latest version of sh.helm.release.v1.rancher.v*
 kubectl get secrets -n cattle-system
2. Back up the object, this example assumes sh.helm.release.v1.rancher.v1 is the latest
kubectl get secret sh.helm.release.v1.rancher.v1 -n cattle-system -o yaml > helm-rancher-config.yaml 
3. Decode the data.release field and save the output to yaml (jq must be installed before executing the below steps)
kubectl get secrets sh.helm.release.v1.rancher.v1 -n cattle-system -o json | jq .data.release | tr -d '"' | base64 -d | base64 -d | gzip -d > helm-rancher-config-data-decoded.yaml 
4. Change the apiVersion from v1/alpha2 to v1.
sed -e 's/cert-manager.io\/v1alpha2/cert-manager.io\/v1/' helm-rancher-config-data-decoded.yaml > helm-rancher-config-data-decoded-replaced.yaml
5. Store the encoded data in a variable to reuse in the next step
releaseData=$(cat helm-rancher-config-data-decoded-replaced.yaml | gzip | base64 | base64 | tr -d "\n")
6. Replace the release data
sed 's/^\(\s*release\s*:\s*\).*/\1'$releaseData'/' helm-rancher-config.yaml > helm-rancher-config-final.yaml
7. Apply the yaml
kubectl apply -f helm-rancher-config-final.yaml -n cattle-system


Old CRD's are not deleted properly after the upgrade of cert-manager, this may cause a deprecated apiVersion to be used in the Rancher release manifest.


Top Issue

Additional Information

The correct way of upgrading cert-manager is in the below link

Below is a snippet of helm get manifest -n cattle-system rancher which uses old CRDs, and thus has deprecated apiVersions.
# Source: rancher/templates/issuer-rancher.yaml
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
  name: rancher
    app: rancher
    chart: rancher-2.6.6
    heritage: Helm
    release: rancher
    secretName: tls-rancher
As in the above, /v1apha2 is referenced, this version has been deprecated.

Command to get the available apiVersion for cert-manager
kubectl get --raw /apis/cert-manager.io | jq .


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020805
  • Creation Date: 16-Jan-2023
  • Modified Date:16-Jan-2023
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center