Zero downtime SSL migration from v2 to v3 rack

I’m going to try to set up the cert-manager Cloudflare integration using an API key, so that it can automatically create the DNS records: Cloudflare | cert-manager

I’ve also installed the kubectl plugin: Kubectl plugin | cert-manager
(Be careful if you’re on Mac: the default installation instructions are for Linux.) On Mac:

curl -L -o kubectl-cert-manager.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-darwin-amd64.tar.gz
tar xzf kubectl-cert-manager.tar.gz
sudo mv kubectl-cert_manager /usr/local/bin

Note: I found out that kubectl get all -A doesn’t list issuers or clusterissuers.

$ kubectl get issuer -A
No resources found

$ kubectl get clusterissuer -A
NAME          READY   AGE
letsencrypt   True    3h25m

kubectl edit clusterissuer/letsencrypt:

...
spec:
  acme:
    email: ops@convox.com
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx
...

So it looks like Convox sets up an http01 solver. I should be able to follow these instructions to change this to a dns01 solver and pass in my Cloudflare credentials, so it can automatically create the required DNS records.

The only thing I’m concerned about is how this works with Terraform. If I update my rack, will that blow away all of the changes I’m making via kubectl? Or is this a persistent change that won’t be affected? (I’ll try to test this out after I’ve got it working, by changing a param and updating the rack.)
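As an added illustration (not the poster's or Convox's own config), here is the ClusterIssuer from the post with its http01 solver replaced by a dns01 Cloudflare solver, plus the Secret that holds the credential. It assumes the cert-manager.io/v1 API, a Secret name of cloudflare-api-token, and a scoped Cloudflare API token rather than the account-wide API key, so the credential cert-manager holds can only edit DNS in the one zone.

```yaml
# Credential used by the dns01 solver. For a ClusterIssuer the Secret must
# live in cert-manager's own namespace (the "cluster resource namespace",
# default cert-manager), not in the app namespace.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token      # assumed name
  namespace: cert-manager
type: Opaque
stringData:
  # Placeholder: a Cloudflare API token limited to Zone:Read + DNS:Edit on
  # the target zone. Prefer this over the global API key, which grants the
  # whole account.
  api-token: "<CLOUDFLARE_API_TOKEN>"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: ops@convox.com
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    # dns01 replaces the http01/nginx solver, so issuance no longer depends
    # on the ingress being reachable from the internet during migration.
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
```

After applying, `kubectl describe clusterissuer letsencrypt` should show the Ready condition as True; if the token lacks DNS:Edit on the zone, the Challenge resources for a Certificate will report the Cloudflare API error in their status.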