ITISFoundation · YuryHrytsuk · Oct 29, 2025 · Oct 28, 2025 · Oct 29, 2025 · Oct 29, 2025
@@ -3,6 +3,9 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ .certName }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    helm.sh/hook-weight: "10"
 spec:
   # https://github.com/emberstack/kubernetes-reflector?tab=readme-ov-file#cert-manager-support
   secretTemplate:

@@ -2,8 +2,6 @@ cert-manager:
   extraArgs:
   - --dns01-recursive-nameservers="8.8.8.8:53"
   - --dns01-recursive-nameservers-only
-  startupapicheck:
-    enabled: false
   skipDNSResolutionCheck: true
   maxConcurrentChallenges: 2
   extraObjects:
@@ -24,6 +22,13 @@ cert-manager:
     metadata:
       name: cert-issuer
       namespace: {{ .Release.Namespace }}
+      annotations:
+        # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
+        helm.sh/hook: post-install,post-upgrade
+        # Run after startupapicheck job. Thus we ensure webhook server is ready
+        # See https://github.com/cert-manager/cert-manager/issues/4155
+        # and https://cert-manager.io/docs/concepts/webhook/#webhook-connection-problems-shortly-after-cert-manager-installation
+        helm.sh/hook-weight: "10"
     spec:
       acme:
         email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}

@@ -19,3 +19,11 @@ cert-manager:
   replicaCount: 1
   webhook:
     replicaCount: 1
+
+  startupapicheck:
+    enabled: true
+
+    jobAnnotations:
+      # Explicitly set hook weight to have explicit reference.
+      # Needed to properly install cert-manager resources first time
+       helm.sh/hook-weight: "1"
@@ -17,9 +17,8 @@ cert-manager:
       name: cert-issuer
       namespace: {{ .Release.Namespace }}
       annotations:
-        # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
-        "helm.sh/hook": post-install,post-upgrade
-        "helm.sh/hook-weight": "1"
+        helm.sh/hook: post-install,post-upgrade
+        helm.sh/hook-weight: "10"
     spec:
       acme:
         email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}

@@ -7,9 +7,8 @@ cert-manager:
       name: selfsigned-issuer
       namespace: {{ .Release.Namespace }}
       annotations:
-        # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
-        "helm.sh/hook": post-install,post-upgrade
-        "helm.sh/hook-weight": "1"
+        helm.sh/hook: post-install,post-upgrade
+        helm.sh/hook-weight: "10"
     spec:
       selfSigned: {}
   - |
@@ -19,9 +18,8 @@ cert-manager:
       name: local-ca
       namespace: {{ .Release.Namespace }}
       annotations:
-        # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
-        "helm.sh/hook": post-install,post-upgrade
-        "helm.sh/hook-weight": "1"
+        helm.sh/hook: post-install,post-upgrade
+        helm.sh/hook-weight: "10"
     spec:
       isCA: true
       commonName: local-ca
@@ -43,9 +41,8 @@ cert-manager:
       name: cert-issuer
       namespace: {{ .Release.Namespace }}
       annotations:
-        # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
-        "helm.sh/hook": post-install,post-upgrade
-        "helm.sh/hook-weight": "1"
+        helm.sh/hook: post-install,post-upgrade
+        helm.sh/hook-weight: "10"
     spec:
       ca:
         secretName: local-ca-secret