Open jar349 opened 2 years ago
After I manually edited the yaml to put the Deployment into the cert-manager namespace, the ReplicaSet wasn't able to create the pod because the service account also was not in the cert-manager namespace:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 9s (x14 over 50s) replicaset-controller Error creating: pods "cert-manager-webhook-dnsimple-5df7648688-" is forbidden: error looking up service account cert-manager/cert-manager-webhook-dnsimple: serviceaccount "cert-manager-webhook-dnsimple" not found
Once I also put the service account into the cert-manager, everything started.
You might be able to get it working by overriding the chart value for the namespace as well. I think it's because here it's referenced in a lot of places: https://github.com/neoskop/cert-manager-webhook-dnsimple/blob/master/deploy/dnsimple/values.yaml#L11.
So when I tried to deploy on another namespace other than cert-manager, I have to also override the Chart value like this (see lines 2 and 4):
helm install cert-manager-webhook-dnsimple \
--namespace cert-manager-example \
--set dnsimple.token=$DNSSIMPLE_TOKEN \
--set certManager.namespace=cert-manager-example \
--set clusterIssuer.production.enabled=true \
--set clusterIssuer.staging.enabled=true \
--set clusterIssuer.email=$EMAIL \
neoskop/cert-manager-webhook-dnsimple
It's a little redundant so it would be nice if there was a way to let the Helm chart know to just use the --namespace value for namespace everywhere.
When the helm chart is run with --dry-run, one can see that the Deployment yaml looks like this:
Importantly, the volume is attempting to mount from the secret named cert-manager-webhook-dnsimple-webhook-tls. This automatically gets created according to the documentation from the Certificate's secretName that's also in the yaml generated by the helm chart in --dry-run mode.
However, when I install everything, the pod remains in ContainerCreating forever, and the description of the pod says:
It turns out that everything in the yaml file (where appropriate) gets created in the cert-manager namespace except for the Deployment, and so the deployment can't mount that volume because the secret is in a different namespace.
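Added example, not part of the original thread or the chart's code: a pre-install check over rendered manifests that reports a Deployment whose ServiceAccount or Secret volume will exist only in another namespace, which is the failure described in this issue. The function name, the dict layout (parsed `helm template` or `--dry-run` output) and the `default` release namespace are assumptions, and the manifests are constructed samples.

```python
def find_namespace_mismatches(manifests, release_namespace):
    """Return (deployment, its_namespace, kind, name, namespaces_found) for every
    ServiceAccount or Secret a Deployment references that is rendered elsewhere."""
    def ns(m):
        # A manifest without metadata.namespace lands in the release's --namespace.
        return m["metadata"].get("namespace") or release_namespace

    index = {}  # (kind, name) -> namespaces where that object will exist
    for m in manifests:
        index.setdefault((m["kind"], m["metadata"]["name"]), set()).add(ns(m))
        if m["kind"] == "Certificate":
            # cert-manager writes the Secret named by spec.secretName into the
            # Certificate's own namespace.
            index.setdefault(("Secret", m["spec"]["secretName"]), set()).add(ns(m))

    findings = []
    for m in manifests:
        if m["kind"] != "Deployment":
            continue
        pod = m["spec"]["template"]["spec"]
        refs = []
        if pod.get("serviceAccountName"):
            refs.append(("ServiceAccount", pod["serviceAccountName"]))
        refs += [("Secret", v["secret"]["secretName"])
                 for v in pod.get("volumes", []) if "secret" in v]
        for kind, name in refs:
            found = index.get((kind, name), set())
            # Pods can only use ServiceAccounts and Secrets from their own namespace.
            if found and ns(m) not in found:
                findings.append((m["metadata"]["name"], ns(m), kind, name, sorted(found)))
    return findings


# Constructed manifests mirroring the report: everything pinned to cert-manager
# except the Deployment, which carries no namespace of its own.
NAME = "cert-manager-webhook-dnsimple"
RENDERED = [
    {"kind": "ServiceAccount", "metadata": {"name": NAME, "namespace": "cert-manager"}},
    {"kind": "Certificate",
     "metadata": {"name": NAME + "-webhook-tls", "namespace": "cert-manager"},
     "spec": {"secretName": NAME + "-webhook-tls"}},
    {"kind": "Deployment", "metadata": {"name": NAME},
     "spec": {"template": {"spec": {
         "serviceAccountName": NAME,
         "volumes": [{"name": "certs", "secret": {"secretName": NAME + "-webhook-tls"}}]}}}},
]

if __name__ == "__main__":
    for f in find_namespace_mismatches(RENDERED, "default"):
        print("%s in %s references %s/%s, which exists only in %s" % f)
```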