This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 69%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK7%3C/text%3E%3C/svg%3E)
Hi
We have an AKS cluster and want to use azure container storage extension... OpenEBS based storage.
Now we faced the problem, that the extension helm chart installs cert-manager as a dependency but with default configuration and in an old version. We want to use our own cert-manager deployment, which is configured to use workload identity within the DNS01 challenge.
But if we do this, we have two cert-manager deployments side by side, each one wants to be the leader "leaderelection.go:248] attempting to acquire leader lease kube-system/cert-manager-controller..."
Is there a way to disable the dependency while installing the azure container storage extension, or can we somehow configure it at least?
Thanks for your help.
Regards Kevin
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 38%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Hi Grando Kevin,
Based on understanding from your query, you want to use Azure Container Storage extension in which the helm installs cert-manager as a dependency from it. Besides this, you want to use your own custom deployment for cert-manager which in turn makes two cert-manager deployments in a AKS cluster.
Could you please confirm does the Helm chart for Azure Container Storage provides option to configure cert-manager as a dependency during setup or also Helm chart configuration values?
If you have any queries, please do let us know by sharing more details, we will help you.
Following up on this. Hope you got a chance to check my suggestion.
Hello Kevin, hope your query is resolved now.
Hello GrandoKevin-7124, the Azure Container Storage extension installs its own cert-manager Helm chart as a dependency and as a result it can cause conflicts when an existing cert-manager is already deployed, especially when both compete for the leader election lease in the kube-system namespace. The Azure CLI automatically enables the ACS extension, which internally uses a Helm chart. Unfortunately, the Helm chart does not expose a documented way to disable the bundled cert-manager dependency. As a result, you get two cert-manager instances, both trying to control the same leader election lock.
As a workaround you can either patch the ACS-Installed cert-manager or skip ACS and use OpenEBS directly as below-
helm repo add openebs https://openebs.github.io/charts
helm repo update
helm install openebs openebs/openebs \
--namespace openebs \
--create-namespace \
-f custom-values.yaml
Yes exactly.
I found no documentation about the helm chart, cannot say what settings are possible. That cert-manager was installed as a dependency, I found out while investigate the secret which saves the helm configuration.
To use the container storage, I installed it with the az cli command:
az aks update \
--name $AKS_PRIMARY_CLUSTER_NAME \
--resource-group $RESOURCE_GROUP_NAME \
--enable-azure-container-storage azureDisk \
--azure-container-storage-nodepools $USER_NODE_POOL_NAME
This command installs the AKS extension with a helm chart provided by Microsoft.
Hi
Yes, I know that two Cert-Manager instances gets deployed, that is what I wrote initially, also I found no documentation to deactivate this. My hope was to get information how to do it.
Clear, I could use OpenEBS directly, but the whole point from Azure Container Storage is to use it as a service and not need to hassle with the storage by myself. But if it always deploys an old Cert-Manager which also cannot be configured, the service is kind of useless and not usable for production, or do I get something wrong here?
Thanks, Best regards
Kevin
I understand GrandoKevin-7124, Azure Container Storage is designed to provide a turnkey experience like CSI + OpenEBS managed as-a-service but at the cost of flexibility. If your use case requires cert-manager customizations, this tradeoff becomes a blocker.
I have read in the documentation that there is an option to disable the prometheus stack. Maybe there is an option for cert-manager too?
az k8s-extension update --cluster-type managedClusters --cluster-name <cluster_name> --resource-group <resource_group_name> --name azurecontainerstorage --config base.metrics.enablePrometheusStack=false
Hello GrandoKevin-7124, as of now there’s no documented or supported config to disable the cert-manager sub chart in the ACS Helm extension. The cert-manager deployment is still installed by default, hardcoded into the Helm release Microsoft publishes and not configurable through az k8s-extension --config. If you try to pass something like base.certmanager.enabled=false, it’ll be rejected because that key isn’t recognized by the extension framework. It's a limitation and you can share your feedback with Microsoft regarding this.
The other way what would work for me is to add labels to pods and service accounts.
We want to use cert-manager with managed identity for the DNS01 challenge. If I self deploy it, I can add the labels with these values:
--set-string serviceAccount.labels."azure\.workload\.identity/use"="true" \
--set-string podLabels."azure\.workload\.identity/use"="true" \
I saw in the chart values that there is a section cert-manager.podLabels: {} So from my understanding it should be possible to add labels via the az cli --config parameter, but it has a problem parsing the dots and slashes, I get an error.
--config cert-manager.podLabels.azure\.workload\.identity/use=true(ExtensionOperationFailed) The extension operation failed with the following error: Helm Upgrade Failed : Unable to build the Kubernetes resources in the extension based on the cluster : InnerError [unable to decode "": json: cannot unmarshal object into Go struct field ObjectMeta.metadata.labels of type string], For general troubleshooting visit: https://aka.ms/k8s-extensions-TSG. Code: ExtensionOperationFailed
I tried different escape patterns and also put it in a json file but always the same. Does anyone see how I can get this to work?
Hello GrandoKevin-7124, the underlying Helm chart for the Azure Container Storage extension does expose fields like cert-manager.podLabels and cert-manager.serviceAccount.labels. You’ve hit a known pain point: the az k8s-extension CLI doesn't support passing complex nested keys like cert-manager.podLabels.azure.workload.identity/use due to the way it serializes values into JSON for the extension backend.
When you do something like this-
--config cert-manager.podLabels.azure.workload.identity/use=true
The backend tries to deserialize this into a structure like this
{
"cert-manager": {
"podLabels": {
"azure.workload.identity/use": "true"
}
}
}
But it treats azure.workload.identity/use as a nested object, and this breaks parsing because Kubernetes labels must be flat key-value strings. Hence the error:
json: cannot unmarshal object into Go struct field ObjectMeta.metadata.labels of type string
Even using --config-file with valid JSON doesn’t work because the Helm extension parser doesn’t allow literal strings with / in keys inside maps — it’s a limitation of the current extension framework.
I would recommend that you once try patching the cert-manager deployment and service account after installation
Or
Since you already mentioned you're open to deploying your own cert-manager, I would recommend you try that path as that may actually be a cleaner solution long term.
I would recommend that you once try patching the cert-manager deployment and service account after installation
I would, but the helm deployment should override my changes on each reconcile run.
Since you already mentioned you're open to deploying your own cert-manager, I would recommend you try that path as that may actually be a cleaner solution long term.
This was my intention from the beginning, but as I wrote in my first post, I cannot disable the cert-manager installed by azure container storage.
Hello Kevin, as I already mentioned and even you pointed out acs doesn't support disabling cert mgr. There is currently no supported way to prevent acs from installing it's own cert mgr instance and you are correct. Helm reconciliation will override the manual patches. I tried the same from my end. Currently it's a limitation.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 87%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVB%3C/text%3E%3C/svg%3E)
Hi GrandoKevin-7124,
Because of the current limitations of Azure Container Storage (ACS) notably its hardcoded installation of an outdated cert-manager without customization options, the better approach I can say is to uninstall ACS and directly deploy OpenEBS. This strategy grants full control over your storage setup and cert-manager configuration, ensuring compatibility with workload identity and DNS challenges.
Follow the steps mentioned below
Uninstall Azure Container Storage Extension:
az k8s-extension delete --cluster-name <AKS_CLUSTER_NAME> --resource-group <RESOURCE_GROUP_NAME> --name azurecontainerstorage --cluster-type managedClusters
Install OpenEBS via Helm:
helm repo add openebs https://openebs.github.io/charts
helm repo update
helm install openebs openebs/openebs \
--namespace openebs \
--create-namespace \
-f custom-values.yaml
Refer to the OpenEBS Installation Guide for detailed instructions.
Deploy Custom cert-manager with Workload Identity Labels:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true \
--set-string serviceAccount.labels."azure\.workload\.identity/use"="true" \
--set-string podLabels."azure\.workload\.identity/use"="true"
For more information, consult the cert-manager Helm Installation Documentation.
Please let us know if it was helpful, and feel free to reach out if you have any further queries.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 49%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Hello, where is the ACS helm chart located? How would one go about patching this out, why is cert-manager required for Azure Container Storage, and does it also install prometheus alongside cert-manager? I was looking to use ACS but cannot use it in production if it will install cert-manager or prometheus due to organizational policies.