cert-manager deployment is not in the cert-manager namespace #13

jar349 opened this issue Aug 9, 2021 · 2 comments

jar349 commented Aug 9, 2021

When the helm chart is run with --dry-run, one can see that the Deployment yaml looks like this:

# Source: cert-manager-webhook-dnsimple/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook-dnsimple
  labels:
    app: cert-manager-webhook-dnsimple
    chart: cert-manager-webhook-dnsimple-0.1.0
    release: cert-manager-webhook-dnsimple
    heritage: Helm
spec:
  replicas:
  selector:
    matchLabels:
      app: cert-manager-webhook-dnsimple
      release: cert-manager-webhook-dnsimple
  template:
    metadata:
      labels:
        app: cert-manager-webhook-dnsimple
        release: cert-manager-webhook-dnsimple
    spec:
      serviceAccountName: cert-manager-webhook-dnsimple
      containers:
        - name: cert-manager-webhook-dnsimple
          image: "neoskop/cert-manager-webhook-dnsimple:0.1.0"
          imagePullPolicy: IfNotPresent
          args:
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
          env:
            - name: GROUP_NAME
              value: "your.group.name"
          ports:
            - name: https
              containerPort: 443
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          volumeMounts:
            - name: certs
              mountPath: /tls
              readOnly: true
          resources:
            {}
      volumes:
        - name: certs
          secret:
            secretName: cert-manager-webhook-dnsimple-webhook-tls

Importantly, the volume is attempting to mount from the secret named cert-manager-webhook-dnsimple-webhook-tls. This automatically gets created according to the documentation from the Certificate's secretName that's also in the yaml generated by the helm chart in --dry-run mode.

However, when I install everything, the pod remains in ContainerCreating forever, and the description of the pod says:

Events:
  Type     Reason       Age               From               Message
  ----     ------       ----              ----               -------
  Normal   Scheduled    24s               default-scheduler  Successfully assigned default/cert-manager-webhook-dnsimple-5df7648688-28h8r to kn1
  Warning  FailedMount  9s (x6 over 24s)  kubelet            MountVolume.SetUp failed for volume "certs" : secret "cert-manager-webhook-dnsimple-webhook-tls" not found

It turns out that everything in the yaml file (where appropriate) gets created in the cert-manager namespace except for the Deployment, and so the deployment can't mount that volume because the secret is in a different namespace.

jar349 commented Aug 9, 2021

After I manually edited the yaml to put the Deployment into the cert-manager namespace, the ReplicaSet wasn't able to create the pod because the service account also was not in the cert-manager namespace:

Events:
  Type     Reason        Age                From                   Message
  ----     ------        ----               ----                   -------
  Warning  FailedCreate  9s (x14 over 50s)  replicaset-controller  Error creating: pods "cert-manager-webhook-dnsimple-5df7648688-" is forbidden: error looking up service account cert-manager/cert-manager-webhook-dnsimple: serviceaccount "cert-manager-webhook-dnsimple" not found

Once I also put the service account into the cert-manager namespace, everything started.
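
The two failures reported above can be caught before install by checking the rendered objects for references that cross namespaces. This is an added example, not code from the issue or from the chart. It assumes the rendered manifest has been converted to a JSON list of objects; the sample data, the Certificate name `webhook-tls-example` and the function names are constructed for illustration.

```python
import json

# Constructed sample: rendered objects reduced to the fields the check needs.
# As in the issue, only the Certificate pins metadata.namespace.
RENDERED = json.loads("""[
 {"kind": "ServiceAccount", "metadata": {"name": "cert-manager-webhook-dnsimple"}},
 {"kind": "Certificate",
  "metadata": {"name": "webhook-tls-example", "namespace": "cert-manager"},
  "spec": {"secretName": "cert-manager-webhook-dnsimple-webhook-tls"}},
 {"kind": "Deployment", "metadata": {"name": "cert-manager-webhook-dnsimple"},
  "spec": {"template": {"spec": {
    "serviceAccountName": "cert-manager-webhook-dnsimple",
    "volumes": [{"name": "certs", "secret":
                 {"secretName": "cert-manager-webhook-dnsimple-webhook-tls"}}]}}}}
]""")

def effective_ns(obj, release_ns):
    # A namespaced object without metadata.namespace lands in the release namespace.
    return obj["metadata"].get("namespace") or release_ns

def provided(objs, release_ns):
    """Map (kind, name) -> namespaces in which this render creates the object."""
    out = {}
    for o in objs:
        if o["kind"] in ("ServiceAccount", "Secret"):
            key = (o["kind"], o["metadata"]["name"])
        elif o["kind"] == "Certificate":
            # cert-manager stores the issued Secret in the Certificate's namespace.
            key = ("Secret", o["spec"]["secretName"])
        else:
            continue
        out.setdefault(key, set()).add(effective_ns(o, release_ns))
    return out

def cross_namespace_refs(objs, release_ns):
    """List Deployment references that this render creates only in another namespace."""
    have, findings = provided(objs, release_ns), []
    for o in (x for x in objs if x["kind"] == "Deployment"):
        ns, pod = effective_ns(o, release_ns), o["spec"]["template"]["spec"]
        refs = [("ServiceAccount", pod.get("serviceAccountName", "default"))]
        refs += [("Secret", v["secret"]["secretName"])
                 for v in pod.get("volumes", []) if "secret" in v]
        for kind, name in refs:
            where = have.get((kind, name), {ns})
            if ns not in where:
                findings.append((o["metadata"]["name"], ns, kind, name, sorted(where)))
    return findings

if __name__ == "__main__":
    for f in cross_namespace_refs(RENDERED, "default"):
        print("%s (ns %s) needs %s %s, rendered only in %s" % f)
```

With the release namespace set to `default` the check flags the Secret; after moving only the Deployment to `cert-manager` it flags the ServiceAccount instead, matching the order in which the two errors appeared.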

@jsonsivar

You might be able to get it working by overriding the chart value for the namespace as well. I think it's because here it's referenced in a lot of places: https://github.com/neoskop/cert-manager-webhook-dnsimple/blob/master/deploy/dnsimple/values.yaml#L11.

So when I tried to deploy to a namespace other than cert-manager, I had to also override the Chart value like this (see lines 2 and 4):

helm install cert-manager-webhook-dnsimple \
    --namespace cert-manager-example \
    --set dnsimple.token=$DNSSIMPLE_TOKEN \
    --set certManager.namespace=cert-manager-example \
    --set clusterIssuer.production.enabled=true \
    --set clusterIssuer.staging.enabled=true \
    --set clusterIssuer.email=$EMAIL \
    neoskop/cert-manager-webhook-dnsimple

It's a little redundant so it would be nice if there was a way to let the Helm chart know to just use the --namespace value for namespace everywhere.
