enhance restore cert-manager resources (#1694)

Muhannadimad · Muhannad.abdulkareem · web-flow · commit 1b0f7b327df5 · 2025-09-07T18:43:28.000Z
* enhance restore cert-manager resources

Signed-off-by: Muhannad.abdulkareem &lt;Muhannad.abdulkareem.ext@nokia.com&gt;

* Update backup.md

Signed-off-by: MuhannadImad &lt;61332284+Muhannadimad@users.noreply.github.com&gt;

* remove unneeded change

Signed-off-by: MuhannadImad &lt;61332284+Muhannadimad@users.noreply.github.com&gt;

---------

Signed-off-by: Muhannad.abdulkareem &lt;Muhannad.abdulkareem.ext@nokia.com&gt;
Signed-off-by: MuhannadImad &lt;61332284+Muhannadimad@users.noreply.github.com&gt;
Co-authored-by: Muhannad.abdulkareem &lt;Muhannad.abdulkareem.ext@nokia.com&gt;
diff --git a/content/docs/devops-tips/backup.md b/content/docs/devops-tips/backup.md
@@ -20,7 +20,7 @@ certificates, restoring to a cluster that does not already have those
 To backup all of your cert-manager configuration resources, run:
 
 ```bash
-kubectl get --all-namespaces -oyaml issuer,clusterissuer,cert > backup.yaml
+kubectl get --all-namespaces -ojson issuer,clusterissuer,cert > backup.json
 ```
 
 If you are transferring data to a new cluster, you may also need to copy across
@@ -51,9 +51,16 @@ created above after installing cert-manager, with the exception of the
 `uid` and `resourceVersion` fields that do not need to be restored:
 
 ```bash
-kubectl apply -f <(awk '!/^ *(resourceVersion|uid): [^ ]+$/' backup.yaml)
+jq 'walk(if type == "object" and has("metadata") then .metadata |= (del(.uid) | del(.resourceVersion)) else . end)' \
+backup.json | kubectl apply -f -
 ```
 
+Note:
+If your backup contains resources such as Certificate objects that were generated by annotated Ingress resources, be aware that those Certificate resources may contain `ownerReferences` with `uid` fields that are required to maintain their association with the Ingress.
+
+The above command safely removes the `uid` from the top-level metadata, but preserves the `uid` in `ownerReferences`, ensuring that the ownership relationship between Ingress and Certificate is retained.
+
+
 ## Full cluster backup and restore
 
 This section refers to backing up and restoring 'all' Kubernetes resources in a
@@ -197,4 +204,4 @@ velero restore create \
  [^1]: there is an edge case where certain changes to `Certificate` spec may not
     trigger re-issuance if there is no `CertificateRequest` for that
     `Certificate`. See [documentation on when do certificates get
-    re-issued](../faq/README.md#when-do-certs-get-re-issued).
+    re-issued](../faq/README.md#when-do-certs-get-re-issued).
