The KAPP controller installed via Tanzu CLI for the CLI managed packages is not the same as the KAPP controller installed via TMC. These two KAPP controllers can conflict with each other. Additionally, some of the original packages, such as cert-manager were installed with the package install, app, and all deployments/pods/services in the same namespace. When removing the older cert-manager packages, the service account is removed with the package, but is required to remove the app, leading to a deletion loop that requires manual intervention. Several actions are required to remove the old CLI managed packages and to install the packages again via TMC if desired.
CAUTION: Moving package management from the manually installed KAPP controller to the TMC managed KAPP controller requires removal of the original packages. This might lead to data loss depending on the package in use. The workaround detailed below applies to ONLY contour and cert-manager packages, and doesn't include packages like Harbor, which contain customer data.