From 58bea67b68c6cd235f6b35bf0bcb114b3b8ff44a Mon Sep 17 00:00:00 2001
From: rtsp
Date: Tue, 5 Apr 2022 01:10:11 +0700
Subject: [PATCH] [2.18] cert-manager: Backport cert-manager leader election namespace fixes from master (#8681)

cherry-picked from
* ccd3180 cert-manager: Fix incorrect leader election namespace lead to insufficient permission (#8433)
* e791089 cert-manager: Allow to change leader election namespace for GKE Autopilot support (#8424)
---
 inventory/sample/group_vars/k8s_cluster/addons.yml | 1 +
 .../cert_manager/defaults/main.yml | 4 ++++
 .../cert_manager/templates/cert-manager.yml.j2 | 12 ++++++------
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/inventory/sample/group_vars/k8s_cluster/addons.yml b/inventory/sample/group_vars/k8s_cluster/addons.yml
index 2a51fefdf..dedc5ab2a 100644
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -134,6 +134,7 @@ cert_manager_enabled: false
 # -----BEGIN CERTIFICATE-----
 # [REPLACE with your CA certificate]
 # -----END CERTIFICATE-----
+# cert_manager_leader_election_namespace: kube-system
 
 # MetalLB deployment
 metallb_enabled: false
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
index 58c09e6a9..73ef131c7 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
@@ -1,3 +1,7 @@
 ---
 cert_manager_namespace: "cert-manager"
 cert_manager_user: 1001
+
+## Change leader election namespace when deploying on GKE Autopilot that forbid the changes on kube-system namespace.
+## See https://github.com/jetstack/cert-manager/issues/3717
+cert_manager_leader_election_namespace: kube-system
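Review bot: The comment above the new `cert_manager_leader_election_namespace` default in `defaults/main.yml` does not state the contract an override carries: nothing in this patch creates the namespace it names, so a value other than `kube-system` (or, presumably, `cert_manager_namespace`) will make the templated Role/RoleBinding fail to apply unless that namespace already exists — inferred, since no namespace-creation task is in the diff. The current wording is also ungrammatical ("that forbid the changes on"). Suggest replacing the two comment lines with `## Namespace holding the controller and cainjector leader-election leases and their Role/RoleBinding.`, `## Override on clusters that forbid changes to kube-system (e.g. GKE Autopilot); the target namespace must already exist.`, `## See https://github.com/jetstack/cert-manager/issues/3717`. The commented example added to `addons.yml` is consistent with that default and needs no change.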
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index 96cfccf26..9c58b12c1 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -630,7 +630,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: cert-manager-cainjector:leaderelection
-  namespace: {{ cert_manager_namespace }}
+  namespace: {{ cert_manager_leader_election_namespace }}
   labels:
     app: cainjector
     app.kubernetes.io/name: cainjector
@@ -664,7 +664,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: cert-manager:leaderelection
-  namespace: {{ cert_manager_namespace }}
+  namespace: {{ cert_manager_leader_election_namespace }}
   labels:
     app: cert-manager
     app.kubernetes.io/name: cert-manager
@@ -719,7 +719,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: cert-manager-cainjector:leaderelection
-  namespace: {{ cert_manager_namespace }}
+  namespace: {{ cert_manager_leader_election_namespace }}
   labels:
     app: cainjector
     app.kubernetes.io/name: cainjector
@@ -742,7 +742,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: cert-manager:leaderelection
-  namespace: {{ cert_manager_namespace }}
+  namespace: {{ cert_manager_leader_election_namespace }}
   labels:
     app: cert-manager
     app.kubernetes.io/name: cert-manager
@@ -866,7 +866,7 @@ spec:
         imagePullPolicy: {{ k8s_image_pull_policy }}
         args:
         - --v=2
-        - --leader-election-namespace=kube-system
+        - --leader-election-namespace={{ cert_manager_leader_election_namespace }}
         env:
         - name: POD_NAMESPACE
           valueFrom:
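Review bot: Moving the two `RoleBinding` objects (hunks at 719 and 742) into `cert_manager_leader_election_namespace` is only half of the binding: their `subjects:` lists are outside these hunks and must still carry `namespace: {{ cert_manager_namespace }}` for the controller and cainjector service accounts, otherwise the binding resolves to accounts that do not exist in the election namespace — worth a quick check since the diff does not show them. On clusters deployed before this fix, the previous `cert-manager:leaderelection` and `cert-manager-cainjector:leaderelection` Role/RoleBinding in `{{ cert_manager_namespace }}` are not removed by re-templating (no delete step is visible in this patch), so a now-unused write grant is left behind; a cleanup task, or at least a note in the role docs, would keep the deployment at least-privilege. Each of the RBAC objects touched here continues past the end of its hunk.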
@@ -928,7 +928,7 @@ spec:
         args:
         - --v=2
         - --cluster-resource-namespace=$(POD_NAMESPACE)
-        - --leader-election-namespace=kube-system
+        - --leader-election-namespace={{ cert_manager_leader_election_namespace }}
         ports:
         - containerPort: 9402
           protocol: TCP
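Review bot: Changing `--leader-election-namespace` on an already-running deployment relocates the controller's lease, and during a rolling update the old replica may still hold the lease in the previous namespace while the new one acquires a fresh lease in the new namespace, giving two active controllers for the overlap (inferred from how leader election works; the deployment's update strategy is outside this hunk). This is harmless for the default `kube-system` but deserves a warning next to the variable, e.g. `## Changing this on an existing cluster moves the leader-election lease; expect a brief window with no single leader during the rollout.`, or a note in the role's documentation. The container spec this arg belongs to starts before and continues after the hunk.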