puzzle / cert-manager-webhook-dnsimple

A cert-manager ACME DNS01 solver webhook for DNSimple.
Apache License 2.0

cert-manager deployment is not in the cert-manager namespace #13

Open jar349 opened 2 years ago

jar349 commented 2 years ago

When the helm chart is run with --dry-run, one can see that the Deployment yaml looks like this:

# Source: cert-manager-webhook-dnsimple/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook-dnsimple
  labels:
    app: cert-manager-webhook-dnsimple
    chart: cert-manager-webhook-dnsimple-0.1.0
    release: cert-manager-webhook-dnsimple
    heritage: Helm
spec:
  replicas:
  selector:
    matchLabels:
      app: cert-manager-webhook-dnsimple
      release: cert-manager-webhook-dnsimple
  template:
    metadata:
      labels:
        app: cert-manager-webhook-dnsimple
        release: cert-manager-webhook-dnsimple
    spec:
      serviceAccountName: cert-manager-webhook-dnsimple
      containers:
        - name: cert-manager-webhook-dnsimple
          image: "neoskop/cert-manager-webhook-dnsimple:0.1.0"
          imagePullPolicy: IfNotPresent
          args:
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
          env:
            - name: GROUP_NAME
              value: "your.group.name"
          ports:
            - name: https
              containerPort: 443
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          volumeMounts:
            - name: certs
              mountPath: /tls
              readOnly: true
          resources:
            {}
      volumes:
        - name: certs
          secret:
            secretName: cert-manager-webhook-dnsimple-webhook-tls

Importantly, the volume is attempting to mount from the secret named cert-manager-webhook-dnsimple-webhook-tls. According to the documentation, this secret gets created automatically from the Certificate's secretName, which is also in the yaml generated by the helm chart in --dry-run mode.

However, when I install everything, the pod remains in ContainerCreating forever, and the description of the pod says:

Events:
  Type     Reason       Age               From               Message
  ----     ------       ----              ----               -------
  Normal   Scheduled    24s               default-scheduler  Successfully assigned default/cert-manager-webhook-dnsimple-5df7648688-28h8r to kn1
  Warning  FailedMount  9s (x6 over 24s)  kubelet            MountVolume.SetUp failed for volume "certs" : secret "cert-manager-webhook-dnsimple-webhook-tls" not found

It turns out that everything in the yaml file (where appropriate) gets created in the cert-manager namespace except for the Deployment, and so the deployment can't mount that volume because the secret is in a different namespace.

jar349 commented 2 years ago

After I manually edited the yaml to put the Deployment into the cert-manager namespace, the ReplicaSet wasn't able to create the pod because the service account also was not in the cert-manager namespace:

Events:
  Type     Reason        Age                From                   Message
  ----     ------        ----               ----                   -------
  Warning  FailedCreate  9s (x14 over 50s)  replicaset-controller  Error creating: pods "cert-manager-webhook-dnsimple-5df7648688-" is forbidden: error looking up service account cert-manager/cert-manager-webhook-dnsimple: serviceaccount "cert-manager-webhook-dnsimple" not found

Once I also put the service account into the cert-manager namespace, everything started.

jsonsivar commented 11 months ago

You might be able to get it working by overriding the chart value for the namespace as well. I think it's because it's referenced in a lot of places here: https://github.com/neoskop/cert-manager-webhook-dnsimple/blob/master/deploy/dnsimple/values.yaml#L11.

So when I tried to deploy on a namespace other than cert-manager, I also had to override the chart value like this (see lines 2 and 4):

helm install cert-manager-webhook-dnsimple \
    --namespace cert-manager-example \
    --set dnsimple.token=$DNSSIMPLE_TOKEN \
    --set certManager.namespace=cert-manager-example \
    --set clusterIssuer.production.enabled=true \
    --set clusterIssuer.staging.enabled=true \
    --set clusterIssuer.email=$EMAIL \
    neoskop/cert-manager-webhook-dnsimple

It's a little redundant so it would be nice if there was a way to let the Helm chart know to just use the --namespace value for namespace everywhere.
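One way to catch the mismatch described in this thread before anything is installed, as an added example that is not part of the chart or of any comment above: render the chart with helm template and check which documents actually carry a metadata.namespace. The script below is POSIX sh plus awk written for this page. The manifest it reads is a constructed, abbreviated rendering shaped like the --dry-run output above (the Certificate name and the ClusterIssuer name are assumed, as is the list of cluster-scoped kinds); the check itself does not depend on those names.

```shell
#!/bin/sh
# Constructed sample in the shape of the chart's --dry-run output (an assumption
# for this example, not the chart's real templates): the Certificate carries a
# namespace, the Deployment and ServiceAccount do not, the ClusterIssuer is
# cluster-scoped and legitimately has none.
SAMPLE_MANIFEST='---
# Source: cert-manager-webhook-dnsimple/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-webhook-dnsimple
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-manager-webhook-dnsimple-webhook-tls
  namespace: cert-manager
spec:
  secretName: cert-manager-webhook-dnsimple-webhook-tls
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook-dnsimple
  labels:
    app: cert-manager-webhook-dnsimple
spec:
  template:
    metadata:
      labels:
        app: cert-manager-webhook-dnsimple
    spec:
      serviceAccountName: cert-manager-webhook-dnsimple
      volumes:
        - name: certs
          secret:
            secretName: cert-manager-webhook-dnsimple-webhook-tls
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
'

render_sample() { printf '%s\n' "$SAMPLE_MANIFEST"; }

# Kinds that never have a namespace; assumed list for this chart.
CLUSTER_SCOPED="${CLUSTER_SCOPED:-ClusterIssuer ClusterRole ClusterRoleBinding APIService}"

# check_namespaces <expected-namespace>  (manifest on stdin)
# Prints one line per document with the namespace it declares and flags every
# namespaced kind whose metadata.namespace is not the expected one. Exit 1 if
# anything is flagged, 0 otherwise. Only top-level metadata is inspected, so the
# pod template's metadata inside a Deployment is not mistaken for the object's.
check_namespaces() {
    awk -v want="$1" -v cs="$CLUSTER_SCOPED" '
      BEGIN { n = split(cs, a, " "); for (i = 1; i <= n; i++) csk[a[i]] = 1 }
      function flush() {
          if (kind != "") {
              printf "%s/%s namespace=%s", kind, name, (nsval == "" ? "(none)" : nsval)
              if (kind in csk) printf " (cluster-scoped)"
              else if (nsval != want) { printf "  MISMATCH (expected %s)", want; bad++ }
              printf "\n"
          }
          kind = ""; name = ""; nsval = ""; inmeta = 0
      }
      /^---/            { flush(); next }         # document separator
      /^kind:/          { kind = $2; next }
      /^metadata:/      { inmeta = 1; next }      # top-level metadata only
      /^[^ ]/           { inmeta = 0 }            # any other top-level key ends it
      inmeta && /^  name:/      { name = $2 }
      inmeta && /^  namespace:/ { nsval = $2 }
      END { flush(); exit (bad > 0) }
    '
}

# Demonstration: the two objects the reporter had to move by hand are the ones flagged.
render_sample | check_namespaces cert-manager || echo "namespace mismatch found (exit $?)"
```

Against the real chart, replace render_sample with the chart rendering, e.g. `helm template cert-manager-webhook-dnsimple neoskop/cert-manager-webhook-dnsimple --namespace cert-manager --set dnsimple.token=x | check_namespaces cert-manager`, and run it again with the `--set certManager.namespace=...` override from the comment above to confirm the Deployment and ServiceAccount lines stop being flagged. Anything still flagged is an object that will land in whatever namespace kubectl or helm defaults to, which is exactly how the Deployment ended up in default while its TLS secret lived in cert-manager.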