Installing trust-manager just after installing cert-manager makes it FAIL forever

[luopeien]

To reproduce it, on a k3s (any latest version) clean install:

1. kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml
2. helm upgrade trust-manager jetstack/trust-manager --install --namespace cert-manager

The #2 will output fail:
Release "trust-manager" does not exist. Installing it now.
Error: failed to create resource: Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/validate?timeout=30s": tls: failed to verify certificate: x509: certificate signed by unknown authority

Then get pods will show:
cert-manager cert-manager-d894bbbd4-cr8s5 1/1 Running 0 87s
cert-manager cert-manager-cainjector-5fd6444f95-7n86t 1/1 Running 0 87s
cert-manager cert-manager-webhook-869674f96f-hqwhd 1/1 Running 0 87s
cert-manager trust-manager-5d65c4dc4f-jhvp9 0/1 Init:0/1 0 16s

That trust-manager pod will stuck in that state forever.

Tried if adding a delay before step 2 (the delay needs to be as long as like 3 minutes), then installation of trust-manager will be successful.

[cert-manager-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[cert-manager-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

[Kaslie]

It's happen to me also

NAME                                       READY   STATUS     RESTARTS   AGE
cert-manager-648cf9d949-d9ctx              1/1     Running    0          46h
cert-manager-cainjector-69c965b557-mrsbl   1/1     Running    0          46h
cert-manager-webhook-6c57d4fc48-4lz4j      1/1     Running    0          46h
trust-manager-7fd9fbd-s5gd4                0/1     Init:0/1   0          42h

  Warning  FailedMount  5s (x5 over 13s)  kubelet                                MountVolume.SetUp failed for volume "tls" : secret "trust-manager-tls" not found

disableAutoApproval: false

[hawksight]

/remove-lifecycle rotten

[hawksight]

Thanks for reporting the issue. We know there is the dependency on cert-manager, and if the cert-manager webhook service is not ready this might cause the issue. Let me see if I can also replicate this. I think we generally want to try to remove the dependency but I can't remember where we got with that.

[erikgb]

I think we generally want to try to remove the dependency but I can't remember where we got with that.

We have several initiatives to remove this unwanted dependency.

• https://github.com/cert-manager/webhook-cert-lib - to allow trust-manager to be self-provisioned with webhook certificates.
• Replace webhook validations with CEL validation #475, which could eventually remove trust-manager webhook.
• ClusterBundle target API rework #486, which will improve the API spec to eventually remove the need for custom webhook validation.

[cert-manager-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[chanyshev]

I have the same problem:
describe pod

MountVolume.SetUp failed for volume "tls" : secret "trust-manager-tls" not found

Helm upgrade failed for release cert-manager/trust-manager with chart trust-manager@v0.18.0: failed to create resource: Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": context deadline exceeded

[hawksight]

@chanyshev - can you describe your cluster? Is it k3s or k3d, is it vanilla, or are there other controllers installed first?

[luopeien]

it's k3s.

…

On Tue, Sep 23, 2025 at 5:30 PM Peter Fiddes ***@***.***> wrote: *hawksight* left a comment (cert-manager/trust-manager#465) <#465 (comment)> @chanyshev <https://github.com/chanyshev> - can you describe your cluster? Is it k3s or k3d, is it vanilla, or are there other controllers installed first? — Reply to this email directly, view it on GitHub <#465 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACOSYA6CJVWVXTOE6QCTI433UEHKLAVCNFSM6AAAAABQ56V632VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGMRTGEZTOOJQHE> . You are receiving this because you authored the thread.Message ID: ***@***.***>