User Story
As a developer I would like to deploy cert-manager from clusterctl for adding webhooks
Detailed Description
We need to deploy cert-manager for provisioning the certificates for the webhook server.
We need to update clusterctl to deploy cert-manager first and wait for the cert-manager pods to be ready. Otherwise, when applying manifests, we'll get the following errors:
Internal error occurred: failed calling webhook "webhook.certmanager.k8s.io": the server is currently unable to handle the request
/kind feature
/assign
How about we add cert-manager as part of the published cluster-api components?
@vincepri As long as it wouldn't cause issues with deploying webhooks as part of the cluster-api components I'm good with that solution as well.
Definitely needs to be tested out, open to any alternative
/priority important-soon
@vincepri I think publishing cert-manager as part of the clusterapi components (in a single yaml) will not work. In clusterctl, all clusterapi components + provider components are passed to clusterctl by a single --provider-components flag, but we need to deploy cert-manager separately first, then deploy the other components.
Also, in the future, if we want to add webhooks for clusterapi types, we need to separate cert-manager from the clusterapi components.
We can do the following:
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.1/cert-manager.yaml
before deploying clusterapi + provider components
Or, we can copy the cert-manager manifests to config/certmanager/cert-manager.yaml in cluster-api, and add a flag --cert-manager-manifests to clusterctl. Providers can use that file in the flag.
Would you mind expanding a little on the reason on why it wouldn't work?
If we all end up agreeing to proceed with the clusterctl v2 proposal, maybe we defer implementing this until that is closer to being done? And we'd probably want to make deploying cert-manager something the user could opt out of, wouldn't we?
Moving to the next release
/milestone v0.3.0
> Would you mind expanding a little on the reason on why it wouldn't work?
If we add the cert-manager manifests in the same yaml with the capi + provider components, it won't work. Until the cert-manager pods are ready, we'll get this error:
validatingwebhookconfiguration.admissionregistration.k8s.io/capa-validating-webhook-configuration configured
Error from server (InternalError): error when creating "examples/_out/provider-components.yaml": Internal error occurred: failed calling webhook "webhook.certmanager.k8s.io": the server is currently unable to handle the request
Error from server (InternalError): error when creating "examples/_out/provider-components.yaml": Internal error occurred: failed calling webhook "webhook.certmanager.k8s.io": the server is currently unable to handle the request
Is this something that eventually resolves itself? Or does it stay in a perpetual error state?
I'm wondering if we can just dump the yaml and wait out the errors
> I'm wondering if we can just dump the yaml and wait out the errors
Yes, eventually the cert-manager pods will be ready and it will work.
So, we can publish cert-manager with capi and do a wait.PollImmediate on clusterctl.
That sounds good to me :)
If there's anything we in the cert-manager project can do to help here, please let me know and feel free to reach out 😄
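The approach the thread settles on (apply the manifests, then poll until the cert-manager webhook stops returning the error), as an added Go example that is not code from cluster-api or clusterctl. `pollImmediate` is a standard-library stand-in shaped like `wait.PollImmediate`; `applyUntilReady` and the `apply` callback are hypothetical names, and the fake apply in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// transient is the error text quoted in this thread while cert-manager starts.
const transient = `failed calling webhook "webhook.certmanager.k8s.io"`
var errTimeout = errors.New("timed out waiting for the condition")

// pollImmediate: run cond at once, then every interval, until done, error or timeout.
func pollImmediate(interval, timeout time.Duration, cond func() (bool, error)) error {
	for deadline := time.Now().Add(timeout); ; time.Sleep(interval) {
		if done, err := cond(); err != nil || done {
			return err
		}
		if time.Now().Add(interval).After(deadline) {
			return errTimeout
		}
	}
}

// applyUntilReady retries apply only on the transient webhook error; others abort at once.
func applyUntilReady(apply func() error, interval, timeout time.Duration) (attempts int, err error) {
	err = pollImmediate(interval, timeout, func() (bool, error) {
		attempts++
		switch applyErr := apply(); {
		case applyErr == nil:
			return true, nil
		case strings.Contains(applyErr.Error(), transient):
			return false, nil // webhook not serving yet: poll again
		default:
			return false, fmt.Errorf("apply failed: %w", applyErr)
		}
	})
	return attempts, err
}

func main() {
	calls := 0 // constructed fake apply: webhook error twice, then success
	fmt.Println(applyUntilReady(func() error {
		if calls++; calls <= 2 {
			return errors.New("Internal error occurred: " + transient)
		}
		return nil
	}, 10*time.Millisecond, time.Second))
}
```

Matching only the known webhook error and bounding the wait with a timeout keeps a genuine failure (RBAC denial, invalid manifest) from being silently retried.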