leader election namespace should default to .Release.Namespace, not kube-system
#6716
Comments
@sdickhoven I'm not able to reproduce your issue. I can successfully install cert-manager in the cert-manager namespace and let it use kube-system for its leader election. I hope this makes the original reasoning behind this behavior a bit clearer.
hi @inteon 👋 ah, yes. i recently ran into the same issue and it has to do with how i am using this helm chart. 🤦 specifically i'm using helm as a templating engine only to render out the kube manifests with and my

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager # <<<<<<<<<<<<<<<<<<<<<<<
resources:
- cluster-ca.yaml
- letsencrypt-issuer-prod.yaml
- letsencrypt-issuer-staging.yaml
- manifest.yaml
```

so the https://github.com/cert-manager/cert-manager/blob/v1.14.2/deploy/charts/cert-manager/templates/rbac.yaml#L2-L45 ...while the command-line arg still pointed to the kube-system namespace

sorry. my bad! though... may i ask what the benefit is of creating the leader lease in a different namespace? it seems somewhat nonsensical to me to not put all the (namespaced) cert-manager resources into the same namespace... in which case what i'm doing above would have worked fine. 🤷 i.e. why not default the leader election namespace to

anyway, thanks for looking into this and sorry again for leading you on a wild goose chase. 😊
I think we discussed this before in one of our meetings and concluded that it might be a good idea to change the behavior.

Just encountered the exact scenario as described by @sdickhoven, using kustomize on top of helm, with "kustomized" namespace. Cloud-provider/provisioner: AKS

+1
Describe the bug:
The helm chart defaults the leader election namespace to kube-system.
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/values.yaml#L50
however, when deploying cert-manager to a different namespace (which should be an uncontroversial deployment strategy), this default results in the following error:

this bug can easily be circumvented by adding the helm config

but that should not be necessary.
Expected behaviour:
the rbac config specifically only allows cert-manager to manipulate leases in the same namespace that it is deployed in.
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/rbac.yaml#L3
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/rbac.yaml#L14-L17
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/cainjector-rbac.yaml#L55
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/cainjector-rbac.yaml#L71-L74
so the leader election leases should default to that same namespace.
i.e. i would expect the default value for the leader election namespace to be omitted in values.yaml and for the helm chart to implement logic along the lines of:

ref:
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/deployment.yaml#L95
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/templates/cainjector-deployment.yaml#L68

also, why have leader election at all? cert-manager is usually deployed with a single replica:
https://github.com/cert-manager/cert-manager/blob/v1.14.1/deploy/charts/cert-manager/values.yaml#L85
but i understand that adding extra logic to the helm chart to enable leader election only when more than one replica is used is complexity for little gain. 🤷
Steps to reproduce the bug:
deploy cert-manager in a namespace other than kube-system using the helm chart.

Anything else we need to know?:
no.

Environment details:

/kind bug
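The mismatch the report describes, as an added illustration constructed for this page (not text copied from the cert-manager chart): the Role that permits lease operations is rendered into the release namespace, while the controller argument takes its namespace from a value pinned to kube-system, so the two diverge whenever the release is installed anywhere else; the last fragment shows one template expression that falls back to the release namespace when the value is unset. The values key `global.leaderElection.namespace`, the `--leader-election-namespace` flag, and the Role name and verbs are assumptions here.

```yaml
# Constructed illustration for this issue, not copied from the chart.
# Assumed: the values key global.leaderElection.namespace and the
# controller flag --leader-election-namespace; the Role name and verbs
# are representative, not the chart's exact text.

# --- values.yaml (as shipped): the lease namespace is pinned, no matter
# where the release is installed.
global:
  leaderElection:
    namespace: kube-system

---
# --- templates/rbac.yaml: the Role that permits lease operations is
# rendered into the release namespace only. With
# `helm template --namespace cert-manager` this becomes
# namespace: cert-manager.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager:leaderelection
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "create", "update", "watch", "list"]

---
# --- templates/deployment.yaml (current behaviour): the controller is
# told to take its lock in kube-system, where no Role grants it lease
# access, so its lease create/update request is rejected by RBAC.
args:
  - --leader-election-namespace={{ .Values.global.leaderElection.namespace }}

---
# --- templates/deployment.yaml (proposed behaviour): an empty value
# falls back to the release namespace, so the lease always lands where
# the Role above exists; a non-empty value still overrides it.
args:
  - --leader-election-namespace={{ .Values.global.leaderElection.namespace | default .Release.Namespace }}
```

Rendering the chart with `helm template --namespace <ns>` and comparing the Role's `metadata.namespace` against the container's `--leader-election-namespace` argument is a quick pre-deploy check that the two agree.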