From ccd3180a69b69a9cfa6b5cd0ed7da7c310ea7daf Mon Sep 17 00:00:00 2001
From: rtsp
Date: Sat, 15 Jan 2022 03:54:26 +0700
Subject: [PATCH] cert-manager: Allow to change leader election namespace for GKE Autopilot support (#8424)
More information:
- kubernetes-sigs/kubespray#8393
- jetstack/cert-manager#4102
- jetstack/cert-manager#3717
---
 inventory/sample/group_vars/k8s_cluster/addons.yml | 1 +
 .../ingress_controller/cert_manager/defaults/main.yml | 4 ++++
 .../cert_manager/templates/cert-manager.yml.j2 | 4 ++--
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/inventory/sample/group_vars/k8s_cluster/addons.yml b/inventory/sample/group_vars/k8s_cluster/addons.yml
index 31363ce67..4d875e175 100644
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -152,6 +152,7 @@ cert_manager_enabled: false
 # -----BEGIN CERTIFICATE-----
 # [REPLACE with your CA certificate]
 # -----END CERTIFICATE-----
+# cert_manager_leader_election_namespace: kube-system
 # MetalLB deployment
 metallb_enabled: false
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
index 74fbb52d7..b12a1a97c 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
@@ -4,3 +4,7 @@ cert_manager_user: 1001
 cert_manager_tolerations: []
 cert_manager_affinity: {}
 cert_manager_nodeselector: {}
+
+## Change leader election namespace when deploying on GKE Autopilot that forbid the changes on kube-system namespace.
+## See https://github.com/jetstack/cert-manager/issues/3717
+cert_manager_leader_election_namespace: kube-system
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index 011042230..23b3ea118 100644
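Review bot: The comment added above `cert_manager_leader_election_namespace` in defaults/main.yml says why the value may be changed but not what the chosen namespace has to satisfy. The leader-election lock objects are created in that namespace, so any principal with write access to them there can interfere with controller leadership; a namespace with looser RBAC than kube-system widens that set. I would add a line such as `## The namespace must already exist and should be writable only by cluster admins and the cert-manager service accounts.` The commented sample entry in addons.yml could carry the same caveat.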
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -866,7 +866,7 @@ spec:
 imagePullPolicy: {{ k8s_image_pull_policy }}
 args:
 - --v=2
- - --leader-election-namespace=kube-system
+ - --leader-election-namespace={{ cert_manager_leader_election_namespace }}
 env:
 - name: POD_NAMESPACE
 valueFrom:
@@ -940,7 +940,7 @@ spec:
 args:
 - --v=2
 - --cluster-resource-namespace=$(POD_NAMESPACE)
- - --leader-election-namespace=kube-system
+ - --leader-election-namespace={{ cert_manager_leader_election_namespace }}
 ports:
 - containerPort: 9402
 protocol: TCP
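Review bot: Only the two `--leader-election-namespace={{ cert_manager_leader_election_namespace }}` args (hunks at 866 and 940) change in this template, so the RBAC that grants access to the leader-election lock objects appears to be left as it was. If the manifest's leader-election Role and RoleBinding objects are still pinned to `namespace: kube-system` (they are outside these hunks, so this is inferred from the diffstat), a non-default value would leave the controllers without permission on the lock objects in the new namespace, while the kube-system grant stays behind unused. Those objects should follow the same variable, e.g. `namespace: {{ cert_manager_leader_election_namespace }}` in their metadata. Both container specs start and end outside the hunks.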