Skip to content

Rancher install fails in an airgap environment with an error: no matches for kind "Issuer" in version certmanager.k8s.io/v1alpha1

This document (000020848) is provided subject to the disclaimer at the end of this document.

Environment

Rancher 2.6.x

Situation

When installing Rancher in an airgap environment, an error is seen for the issuer CRD.

The relevant error message may appear as below and occurs when running the kubectl -n cattle-system apply -R -f ./rancher command

clusterrolebinding.rbac.authorization.k8s.io/rancher unchanged
deployment.apps/rancher created
ingress.networking.k8s.io/rancher created
service/rancher created
serviceaccount/rancher created
error: unable to recognize "rancher/templates/issuer-rancher.yaml": no matches for kind "Issuer" in version "certmanager.k8s.io/v1alpha1

Resolution

While rendering the Rancher template, add to the helm template arguments to specify the exact Kubernetes version you are using with --kube-version.

helm template rancher ./rancher-2.6.6.tgz --output-dir . --no-hooks --namespace cattle-system --set hostname=rancherreg.support.rancher.space --set rancherImage=registry.example.com:443/rancher/rancher --set systemDefaultRegistry=registry.example.com:443
--set useBundledSystemChart=true --set certmanager.version=1.7.1 --kube-version=1.22.9

Then deploy the Rancher manifest files

kubectl -n cattle-system apply -R -f ./rancher

Cause

When the helm template runs, it does not interact with the cluster to determine available CRDs and apiVersions. This in turn means the logic does not select the correct apiVersion for the Issuer object in the rendered template, applying the manifest in this case presents the apiVersion error.

Below is the snippet of issuer-rancher.yaml file which has the deprecated apiVersion

cat "rancher/templates/issuer-rancher.yaml"
---
# Source: rancher/templates/issuer-rancher.yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.6.6
    heritage: Helm
    release: rancher
spec:
  ca:
    secretName: tls-rancher

Status

Top Issue

Additional Information

Helm chart - Issuer object

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.