Hi all,
Can you tell me if it's necessary to run cert-manager in cert-manager namespace?
I'm trying to use the newest stable version of cert-manager on my Istio setup with the Istio Ingress controller. By default, the Istio helm chart uses version 0.6.2 of cert-manager and installs it to the istio-system namespace. With this kind of setup, cert-manager works fine.
But when I tried to upgrade cert-manager to version 0.10.0, I could see errors in the cert-manager log:
```
1 controller.go:429] cert-manager/controller/webhook-bootstrap "msg"="failed to create new empty Secret" "error"="namespaces \"cert-manager\" not found" "resource_kind"="Secret" "resource_name"="cert-manager-webhook-ca" "resource_namespace"="cert-manager"
```
So my question is: is it necessary to run cert-manager in the cert-manager namespace, and if yes, starting from which version?
I'm running cert-manager on IBM Cloud IKS, but I also tried to run it on GKE with the same result.
Environment details::
/kind bug
Just faced the same issue some minutes ago and fixed it using
```yaml
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=$(POD_NAMESPACE)
- --webhook-namespace=$(POD_NAMESPACE)
```
Looks like the last one did the trick (first two options were already there). Now it's working fine
Thank you @ecktom
Where / how am I supposed to use these options? https://github.com/jetstack/cert-manager/issues/2081#issuecomment-533428307
Just add it to the container args of your Deployment, e.g.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  ...
spec:
  ...
  template:
    ...
    spec:
      ...
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-controller:0.10.1"
          imagePullPolicy: IfNotPresent
          args:
            - --v=2
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            - --leader-election-namespace=$(POD_NAMESPACE)
            - --webhook-namespace=$(POD_NAMESPACE)
```
I'm actually trying to add it as a helm parameter, but it doesn't work:
```sh
helm upgrade istio install/kubernetes/helm/istio --namespace istio-system \
  --set gateways.istio-ingressgateway.sds.enabled=true \
  --set certmanager.enabled=true \
  --set certmanager.email=technical@domain \
  --set certmanager.tag=v0.10.0 \
  --set certmanager.extraArgs.webhook-namespace="$(POD_NAMESPACE)"
```
Not quite sure about the istio helm chart. Looks quite outdated to be honest... You can have a look at the official chart here: https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager
@gustavovalverde since Istio will be installed to the istio-system namespace anyway, I put this name, not the variable, in the helm template command:
```sh
helm template install/kubernetes/helm/istio --namespace istio-system \
  --set gateways.istio-ingressgateway.sds.enabled=true \
  --set certmanager.enabled=true \
  --set certmanager.email=technical@domain \
  --set certmanager.tag=v0.10.0 \
  --set certmanager.extraArgs={--webhook-namespace=istio-system}
```
@tkatrichenko How can I configure and add --set certmanager.extraArgs={--webhook-namespace=istio-system} in the values.yaml file?
@rnkhouse You can put it in here https://github.com/jetstack/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml#L57 like this:
```yaml
extraArgs:
  - --webhook-namespace=istio-system
```
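A check for the situation in this thread, as an added example that is not part of the original comments or of the cert-manager project: it takes a Deployment as a Python dict (for instance the parsed output of `kubectl get deployment -o json`) and reports whether the three namespace flags named above resolve to the Deployment's own namespace. The function names and the sample manifest are constructed for illustration.

```python
import copy
import re

NAMESPACE_FLAGS = ("--cluster-resource-namespace", "--leader-election-namespace",
                   "--webhook-namespace")

def resolve_env(container, namespace):
    """Map env names to values; a fieldRef to metadata.namespace becomes the pod namespace."""
    env = {}
    for var in container.get("env", []):
        ref = var.get("valueFrom", {}).get("fieldRef", {}).get("fieldPath")
        if "value" in var or ref == "metadata.namespace":
            env[var["name"]] = var.get("value", namespace)
    return env

def check_namespace_flags(deployment, container_name="cert-manager"):
    """Return {flag: 'ok' | 'unset' | 'mismatch: <value>'} for the controller container."""
    namespace = deployment["metadata"]["namespace"]
    containers = deployment["spec"]["template"]["spec"]["containers"]
    container = next(c for c in containers if c["name"] == container_name)
    env = resolve_env(container, namespace)
    # Kubernetes expands $(VAR) in args and leaves unknown references untouched.
    expand = lambda s: re.sub(r"\$\((\w+)\)", lambda m: env.get(m.group(1), m.group(0)), s)
    seen = {}
    for arg in container.get("args", []):
        flag, sep, value = arg.partition("=")
        if sep and flag in NAMESPACE_FLAGS:
            seen[flag] = expand(value)
    return {
        f: "unset" if f not in seen else "ok" if seen[f] == namespace else "mismatch: " + seen[f]
        for f in NAMESPACE_FLAGS
    }

# Constructed sample: the pre-fix state from the thread (webhook flag absent).
BEFORE = {
    "metadata": {"namespace": "istio-system"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "cert-manager",
        "env": [{"name": "POD_NAMESPACE",
                 "valueFrom": {"fieldRef": {"fieldPath": "metadata.namespace"}}}],
        "args": ["--v=2", "--cluster-resource-namespace=$(POD_NAMESPACE)",
                 "--leader-election-namespace=$(POD_NAMESPACE)"],
    }]}}},
}
AFTER = copy.deepcopy(BEFORE)  # same manifest with the flag from the fix appended
AFTER["spec"]["template"]["spec"]["containers"][0]["args"].append("--webhook-namespace=$(POD_NAMESPACE)")

if __name__ == "__main__":
    print(check_namespace_flags(BEFORE), check_namespace_flags(AFTER), sep="\n")
```

A `mismatch: $(POD_NAMESPACE)` result means the container defines no `POD_NAMESPACE` environment variable, so the literal string reaches the controller.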