epostnikof/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2025-12-14 13:54:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

[2.18] cert-manager: Backport cert-manager leader election namespace fixes from master (#8681)

Browse Source 
cherry-picked from
* ccd3180 cert-manager: Fix incorrect leader election namespace lead to insufficient permission (#8433)
* e791089 cert-manager: Allow to change leader election namespace for GKE Autopilot support (#8424)
This commit is contained in:
rtsp
2022-04-05 01:10:11 +07:00
committed by GitHub
parent f091b1cfd7
commit 58bea67b68
3 changed files with 11 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
inventory/sample/group_vars/k8s_cluster/addons.yml
View File

@@ -134,6 +134,7 @@ cert_manager_enabled: false
# -----BEGIN CERTIFICATE----- # -----BEGIN CERTIFICATE-----
# [REPLACE with your CA certificate] # [REPLACE with your CA certificate]
# -----END CERTIFICATE----- # -----END CERTIFICATE-----
# cert_manager_leader_election_namespace: kube-system
# MetalLB deployment # MetalLB deployment
metallb_enabled: false metallb_enabled: false

4
roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
View File

@@ -1,3 +1,7 @@
--- ---
cert_manager_namespace: "cert-manager" cert_manager_namespace: "cert-manager"
cert_manager_user: 1001 cert_manager_user: 1001
## Change leader election namespace when deploying on GKE Autopilot that forbid the changes on kube-system namespace.
## See https://github.com/jetstack/cert-manager/issues/3717
cert_manager_leader_election_namespace: kube-system

12
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
View File

@@ -630,7 +630,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: cert-manager-cainjector:leaderelection name: cert-manager-cainjector:leaderelection
namespace: {{ cert_manager_namespace }} namespace: {{ cert_manager_leader_election_namespace }}
labels: labels:
app: cainjector app: cainjector
app.kubernetes.io/name: cainjector app.kubernetes.io/name: cainjector
@@ -664,7 +664,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: cert-manager:leaderelection name: cert-manager:leaderelection
namespace: {{ cert_manager_namespace }} namespace: {{ cert_manager_leader_election_namespace }}
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager app.kubernetes.io/name: cert-manager
@@ -719,7 +719,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: cert-manager-cainjector:leaderelection name: cert-manager-cainjector:leaderelection
namespace: {{ cert_manager_namespace }} namespace: {{ cert_manager_leader_election_namespace }}
labels: labels:
app: cainjector app: cainjector
app.kubernetes.io/name: cainjector app.kubernetes.io/name: cainjector
@@ -742,7 +742,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: cert-manager:leaderelection name: cert-manager:leaderelection
namespace: {{ cert_manager_namespace }} namespace: {{ cert_manager_leader_election_namespace }}
labels: labels:
app: cert-manager app: cert-manager
app.kubernetes.io/name: cert-manager app.kubernetes.io/name: cert-manager
@@ -866,7 +866,7 @@ spec:
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
args: args:
- --v=2 - --v=2
- --leader-election-namespace=kube-system - --leader-election-namespace={{ cert_manager_leader_election_namespace }}
env: env:
- name: POD_NAMESPACE - name: POD_NAMESPACE
valueFrom: valueFrom:
@@ -928,7 +928,7 @@ spec:
args: args:
- --v=2 - --v=2
- --cluster-resource-namespace=$(POD_NAMESPACE) - --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=kube-system - --leader-election-namespace={{ cert_manager_leader_election_namespace }}
ports: ports:
- containerPort: 9402 - containerPort: 9402
protocol: TCP protocol: TCP