diff --git a/design/20220118.server-side-apply.md b/design/20220118.server-side-apply.md
index 441691940..4e1fa9dd9 100644
--- a/design/20220118.server-side-apply.md
+++ b/design/20220118.server-side-apply.md
@@ -195,3 +195,16 @@ gaining confidence that it is a safe change is to solicit feedback from end
 users who have the feature enabled. Graduation should ideally be done over no
 more than one or two releases, however the project shouldn't proceed with
 removing the gate until the authors are confident.
+
+## Migration
+
+For an exiting cluster with cert-manager and resources installed, a user should
+be able to safely enable the feature or upgrade cert-manager with the feature
+enabled by default without any down time or loss of data.
+
+Although testing is needed, it _should_ be the case that an upgrade/feature
+enable that all controllers on the next reconcile that applies, will take
+ownership of that component's fields and set the correct values. Fields will not
+be deleted that should be however (i.e. Annotation or Label from a previous
+SecretTemplate) as the field manager has changed (though this is the same
+behaviour as today).