Allow Cert-Manager to be uninstalled60664-kubernetes-applications-uninstall-cert-manager

Our current version of Cert-Manager does not uninstall
cleanly, and we must manually remove custom resource
definitions.

7 files changed, 79 insertions, 11 deletions

diff --git a/app/assets/javascripts/clusters/components/uninstall_application_confirmation_modal.vue b/app/assets/javascripts/clusters/components/uninstall_application_confirmation_modal.vue
index e067eb13c54..4f60e543666 100644
--- a/app/assets/javascripts/clusters/components/uninstall_application_confirmation_modal.vue
+++ b/app/assets/javascripts/clusters/components/uninstall_application_confirmation_modal.vue
@@ -12,7 +12,7 @@ const CUSTOM_APP_WARNING_TEXT = {
     'ClusterIntegration|The associated load balancer and IP will be deleted and cannot be restored.',
   ),
   [CERT_MANAGER]: s__(
-    'ClusterIntegration|The associated certifcate will be deleted and cannot be restored.',
+    'ClusterIntegration|The associated private key will be deleted and cannot be restored.',
   ),
   [PROMETHEUS]: s__('ClusterIntegration|All data will be deleted and cannot be restored.'),
   [RUNNER]: s__('ClusterIntegration|Any running pipelines will be canceled.'),
diff --git a/app/models/clusters/applications/cert_manager.rb b/app/models/clusters/applications/cert_manager.rb
index 7d5a6dec519..2fc1b67dfd2 100644
--- a/app/models/clusters/applications/cert_manager.rb
+++ b/app/models/clusters/applications/cert_manager.rb
@@ -24,12 +24,6 @@ module Clusters
         'stable/cert-manager'
       end
 
-      # We will implement this in future MRs.
-      # Need to reverse postinstall step
-      def allowed_to_uninstall?
-        false
-      end
-
       def install_command
         Gitlab::Kubernetes::Helm::InstallCommand.new(
           name: 'certmanager',
@@ -41,12 +35,42 @@ module Clusters
         )
       end
 
+      def uninstall_command
+        Gitlab::Kubernetes::Helm::DeleteCommand.new(
+          name: 'certmanager',
+          rbac: cluster.platform_kubernetes_rbac?,
+          files: files,
+          postdelete: post_delete_script
+        )
+      end
+
       private
 
       def post_install_script
         ["kubectl create -f /data/helm/certmanager/config/cluster_issuer.yaml"]
       end
 
+      def post_delete_script
+        [
+          delete_private_key,
+          delete_crd('certificates.certmanager.k8s.io'),
+          delete_crd('clusterissuers.certmanager.k8s.io'),
+          delete_crd('issuers.certmanager.k8s.io')
+        ].compact
+      end
+
+      def private_key_name
+        @private_key_name ||= cluster_issuer_content.dig('spec', 'acme', 'privateKeySecretRef', 'name')
+      end
+
+      def delete_private_key
+        "kubectl delete secret -n #{Gitlab::Kubernetes::Helm::NAMESPACE} #{private_key_name} --ignore-not-found" if private_key_name.present?
+      end
+
+      def delete_crd(definition)
+        "kubectl delete crd #{definition} --ignore-not-found"
+      end
+
       def cluster_issuer_file
         {
           'cluster_issuer.yaml': cluster_issuer_yaml_content
diff --git a/changelogs/unreleased/60664-kubernetes-applications-uninstall-cert-manager.yml b/changelogs/unreleased/60664-kubernetes-applications-uninstall-cert-manager.yml
new file mode 100644
index 00000000000..efc3ec241e2
--- /dev/null
+++ b/changelogs/unreleased/60664-kubernetes-applications-uninstall-cert-manager.yml
@@ -0,0 +1,5 @@
+---
+title: Allow Cert-Manager to be uninstalled
+merge_request: 31166
+author:
+type: added
diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md
index a29df76f4b7..c0106b2cb9e 100644
--- a/doc/user/clusters/applications.md
+++ b/doc/user/clusters/applications.md
@@ -252,6 +252,7 @@ The applications below can be uninstalled.
 
 | Application | GitLab version | Notes |
 | ----------- | -------------- | ----- |
+| Cert-Manager | 12.2+         | The associated private key will be deleted and cannot be restored. Deployed applications will continue to use HTTPS, but certificates will not be renewed. Before uninstalling, you may wish to [back up your configuration](https://docs.cert-manager.io/en/latest/tasks/backup-restore-crds.html) or [revoke your certificates](https://letsencrypt.org/docs/revoking/) |
 | GitLab Runner  | 12.2+         | Any running pipelines will be canceled. |
 | Helm  | 12.2+         | The associated Tiller pod will be deleted and cannot be restored. |
 | Ingress  | 12.1+         | The associated load balancer and IP will be deleted and cannot be restored. Furthermore, it can only be uninstalled if JupyterHub is not installed. |
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 117625e717f..3ddfb6b63a1 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -2821,10 +2821,10 @@ msgstr ""
 msgid "ClusterIntegration|The associated Tiller pod will be deleted and cannot be restored."
 msgstr ""
 
-msgid "ClusterIntegration|The associated certifcate will be deleted and cannot be restored."
+msgid "ClusterIntegration|The associated load balancer and IP will be deleted and cannot be restored."
 msgstr ""
 
-msgid "ClusterIntegration|The associated load balancer and IP will be deleted and cannot be restored."
+msgid "ClusterIntegration|The associated private key will be deleted and cannot be restored."
 msgstr ""
 
 msgid "ClusterIntegration|The endpoint is in the process of being assigned. Please check your Kubernetes cluster or Quotas on Google Kubernetes Engine if it takes a long time."
diff --git a/spec/features/projects/clusters/applications_spec.rb b/spec/features/projects/clusters/applications_spec.rb
index 8cfd23d16df..3d15095e2da 100644
--- a/spec/features/projects/clusters/applications_spec.rb
+++ b/spec/features/projects/clusters/applications_spec.rb
@@ -183,7 +183,7 @@ describe 'Clusters Applications', :js do
             Clusters::Cluster.last.application_cert_manager.make_installed!
 
             expect(email_form_value).to eq('new_email@example.org')
-            expect(page).to have_css('.js-cluster-application-install-button', exact_text: 'Installed')
+            expect(page).to have_css('.js-cluster-application-uninstall-button', exact_text: 'Uninstall')
           end
 
           expect(page).to have_content('Cert-Manager was successfully installed on your Kubernetes cluster')
diff --git a/spec/models/clusters/applications/cert_manager_spec.rb b/spec/models/clusters/applications/cert_manager_spec.rb
index e956a2355db..93050e80b07 100644
--- a/spec/models/clusters/applications/cert_manager_spec.rb
+++ b/spec/models/clusters/applications/cert_manager_spec.rb
@@ -13,7 +13,7 @@ describe Clusters::Applications::CertManager do
   describe '#can_uninstall?' do
     subject { cert_manager.can_uninstall? }
 
-    it { is_expected.to be_falsey }
+    it { is_expected.to be_truthy }
   end
 
   describe '#install_command' do
@@ -80,6 +80,44 @@ describe Clusters::Applications::CertManager do
     end
   end
 
+  describe '#uninstall_command' do
+    subject { cert_manager.uninstall_command }
+
+    it { is_expected.to be_an_instance_of(Gitlab::Kubernetes::Helm::DeleteCommand) }
+
+    it 'is initialized with cert_manager arguments' do
+      expect(subject.name).to eq('certmanager')
+      expect(subject).to be_rbac
+      expect(subject.files).to eq(cert_manager.files)
+    end
+
+    it 'specifies a post delete command to remove custom resource definitions' do
+      expect(subject.postdelete).to eq([
+        "kubectl delete secret -n gitlab-managed-apps letsencrypt-prod --ignore-not-found",
+        'kubectl delete crd certificates.certmanager.k8s.io --ignore-not-found',
+        'kubectl delete crd clusterissuers.certmanager.k8s.io --ignore-not-found',
+        'kubectl delete crd issuers.certmanager.k8s.io --ignore-not-found'
+      ])
+    end
+
+    context 'secret key name is not found' do
+      before do
+        allow(File).to receive(:read).and_call_original
+        expect(File).to receive(:read)
+          .with(Rails.root.join('vendor', 'cert_manager', 'cluster_issuer.yaml'))
+          .and_return('key: value')
+      end
+
+      it 'does not try and delete the secret' do
+        expect(subject.postdelete).to eq([
+          'kubectl delete crd certificates.certmanager.k8s.io --ignore-not-found',
+          'kubectl delete crd clusterissuers.certmanager.k8s.io --ignore-not-found',
+          'kubectl delete crd issuers.certmanager.k8s.io --ignore-not-found'
+        ])
+      end
+    end
+  end
+
   describe '#files' do
     let(:application) { cert_manager }
     let(:values) { subject[:'values.yaml'] }