Use more flexible options to manage Cert Manager's CRDs #419

@aureq

What happened?

When deploying Pulumi Cert Manager v0.2.0, it's possible to pass the option installCRDs: true as shown in the example below.

This option seems to directly match installCRDs in the underlying Helm Chart. However, this option is now deprecated according to values.yaml. Both crds.enabled and crds.keep should be used instead.

The deprecation is revealed when retrieving the Helm release deployment notes

  • kubectl get secrets -l "owner=helm" -n cert-system
  • kubectl get secret -n cert-system sh.helm.release.v1.cert-manager-deployment-helm-33c99dcc.v1 -o jsonpath="{.data.release}" | base64 -d | base64 -d | gunzip | jq .info
{
  "first_deployed": "2025-04-18T12:28:20.952314778+10:00",
  "last_deployed": "2025-04-18T12:28:20.952314778+10:00",
  "deleted": "",
  "description": "Install complete",
  "status": "deployed",
  "notes": "\n⚠️  WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.\ncert-manager v1.17.1 has been deployed successfully!\n\nIn order to begin issuing certificates, you will need to set up a ClusterIssuer\nor Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).\n\nMore information on the different types of issuers and how to configure them\ncan be found in our documentation:\n\nhttps://cert-manager.io/docs/configuration/\n\nFor information on how to configure cert-manager to automatically provision\nCertificates for Ingress resources, take a look at the `ingress-shim`\ndocumentation:\n\nhttps://cert-manager.io/docs/usage/ingress/\n"
}

Example

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";
import * as certmanager from "@pulumi/kubernetes-cert-manager";

export = async () => {

    const ns = new k8s.core.v1.Namespace(`cert-manager-namespace`, {
        metadata: {
            name: "cert-system",
        }
    });

    const cm = new certmanager.CertManager(`cert-manager-deployment`, {
        installCRDs: true,
        helmOptions: {
            namespace: ns.metadata.name,
        },
    }, { parent: ns });

}

Proposed changes

Since installCRDs doesn't remove the CRDs on update or destroy, it would be beneficial to:

  1. expose both crds.enabled and crds.keep instead
  2. (maybe) as a way to improve backward compatibility, ensure that CRDs are removed by setting crds.keep: false (but it seems the garbage collector might remove existing CRs, so this could be a problem)

Additional context

Related to #408

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
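
The decoding pipeline shown in the issue (base64 twice, then gunzip), as an added JavaScript example that is not part of the original issue or the Pulumi project's code: it decodes a Helm release Secret payload and pulls deprecation warnings out of the release notes. The sample payload is constructed from the values quoted above, the function names are hypothetical, and the `config` entry assumes the option is passed through as a Helm value.

```javascript
const zlib = require("node:zlib");

// Helm stores a release as base64(gzip(JSON)); the Kubernetes API base64-encodes
// Secret data once more, which is why the pipeline above decodes twice.
function decodeHelmRelease(secretValue) {
  const helmEncoded = Buffer.from(secretValue, "base64").toString("ascii");
  const raw = Buffer.from(helmEncoded, "base64");
  // Releases written before Helm added compression lack the gzip magic bytes.
  const gzipped = raw.length > 2 && raw[0] === 0x1f && raw[1] === 0x8b;
  return JSON.parse((gzipped ? zlib.gunzipSync(raw) : raw).toString("utf8"));
}

// Return every line of the release notes that mentions a deprecation.
function deprecationWarnings(release) {
  const notes = (release.info && release.info.notes) || "";
  return notes.split("\n").map((l) => l.trim()).filter((l) => /\bdeprecated\b/i.test(l));
}

// Summarise what an operator needs: status, warnings, and whether the
// deprecated value is set in the user-supplied values (release.config).
function auditRelease(secretValue) {
  const release = decodeHelmRelease(secretValue);
  const values = release.config || {};
  return {
    name: release.name,
    status: release.info ? release.info.status : undefined,
    warnings: deprecationWarnings(release),
    setsInstallCRDs: Object.prototype.hasOwnProperty.call(values, "installCRDs"),
  };
}

// Constructed sample: encode a release the way it appears in .data.release.
function encodeSample(release, compress = true) {
  const json = Buffer.from(JSON.stringify(release), "utf8");
  const helmEncoded = (compress ? zlib.gzipSync(json) : json).toString("base64");
  return Buffer.from(helmEncoded, "ascii").toString("base64");
}

const sampleRelease = {
  name: "cert-manager-deployment-helm-33c99dcc", // taken from the Secret name in the issue
  info: { status: "deployed", notes: "\n⚠️  WARNING: `installCRDs` is deprecated, use `crds.enabled` instead.\ncert-manager v1.17.1 has been deployed successfully!\n" },
  config: { installCRDs: true }, // constructed: assumes the option is passed as a Helm value
};

console.log(auditRelease(encodeSample(sampleRelease)));
```
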
