leader election namespace should default to .Release.Namespace, not kube-system
#6716
Comments
|
@sdickhoven I'm not able to reproduce your issue. I can successfully install cert-manager in the cert-manager namespace and let it use kube-system for its leader election. I hope this makes the original reasoning behind this behavior a bit clearer. |
inteon
added
the
triage/not-reproducible
|
hi @inteon 👋 ah, yes. i recently ran into the same issue and it has to do with how i am using this helm chart. 🤦 specifically i'm using helm as a templating engine only to render out the kube manifests with and my apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager # <<<<<<<<<<<<<<<<<<<<<<<
resources:
- cluster-ca.yaml
- letsencrypt-issuer-prod.yaml
- letsencrypt-issuer-staging.yaml
- manifest.yamlso the https://github.com/cert-manager/cert-manager/blob/v1.14.2/deploy/charts/cert-manager/templates/rbac.yaml#L2-L45 ...while the command-line arg still pointed to the kube-system namespace sorry. my bad! though... may i ask what the benefit is of creating the leader lease in a different namespace? it seems somewhat nonsensical to me to not put all the (namespaced) cert-manager resources into the same namespace... in which case what i'm doing above would have worked fine. 🤷 i.e. why not default the leader election namespace to anyway, thanks for looking into this and sorry again for leading you on a wild goose chase. 😊 |
I think we discussed this before in one of our meetings and concluded that it might be a good idea to change the behavior. |
|
Just encountered the exact scenario as described by @sdickhoven, using kustomize on top of helm, with "kustomized" namespace. Cloud-provider/provisioner: AKS |
|
+1 |
Describe the bug:
The helm chart defaults the leader election namespace to
kube-system.https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/values.yaml#L50
however, when deploying cert-manager to a different namespace (which should be an uncontroversial deployment strategy), this default results in the following error:
this bug can easily be circumvented by adding the helm config
but that should not be necessary.
Expected behaviour:
the rbac config specifically only allows cert-manager to manipulate leases in the same namespace that it is deployed in.
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/rbac.yaml#L3
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/rbac.yaml#L14-L17
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/cainjector-rbac.yaml#L55
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/cainjector-rbac.yaml#L71-L74
so the leader election leases should default to that same namespace.
i.e. i would expect the default value for the leader election namespace to be omitted in
values.yamland for the helm chart to implement logic along the lines of:- --leader-election-namespace={{ .Values.global.leaderElection.namespace | default .Release.Namespace }}ref:
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/deployment.yaml#L95
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/cainjector-deployment.yaml#L68
also, why have leader election at all? cert-manager is usually deployed with a single replica:
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/values.yaml#L85
but i understand that adding extra logic to the helm chart to enable leader election only when more than one replica is used is complexity for little gain. 🤷
Steps to reproduce the bug:
deploy cert-manager in a namespace other than
kube-systemusing the helm chart.Anything else we need to know?:
no.
Environment details::
/kind bug
The text was updated successfully, but these errors were encountered: