syseleven / designate-certmanager-webhook

cert-manager ACME web-hook implementation for solving DNS01 Challenges
Apache License 2.0

Uninstall designate-certmanager-webhook helm release issue #95

Open fmohacsi opened 1 year ago

fmohacsi commented 1 year ago

By default, the uninstall process (https://github.com/syseleven/designate-certmanager-webhook/blob/master/helm/designate-certmanager-webhook/templates/uninstall.yaml) creates a serviceaccount, a clusterrole, a clusterrolebinding and a job. The serviceaccount name is the same as the one created by the deployment (serviceAccountName: {{ include "designate-certmanager-webhook.fullname" . }}), so it would cause a conflict if both were created in cert-manager's namespace. I think that is why the uninstall process creates a job and a serviceaccount in the default namespace. The namespace is hardcoded in the uninstall template within the helm chart, so it cannot be overwritten/customized from outside. It would be nice if the uninstall-related k8s components could be created in the application's namespace. Besides that, there is no way to provide an imagepullsecret for the uninstall job, so the kubectl image must come from a public registry.

We have modified the file (https://github.com/syseleven/designate-certmanager-webhook/blob/master/helm/designate-certmanager-webhook/templates/uninstall.yaml) and fixed those issues using the code below (changes highlighted):

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: uninstall-{{ include "designate-certmanager-webhook.fullname" . }}
  labels:
    app: {{ include "designate-certmanager-webhook.name" . }}
    chart: {{ include "designate-certmanager-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-delete
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  template:
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      restartPolicy: Never
      serviceAccountName: {{ include "designate-certmanager-webhook.fullname" . }}-uninstall
      containers:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "designate-certmanager-webhook.fullname" . }}:uninstall
  labels:
    app: {{ include "designate-certmanager-webhook.name" . }}
    chart: {{ include "designate-certmanager-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  annotations:
    "helm.sh/hook": pre-delete
    "helm.sh/hook-delete-policy": hook-succeeded
rules:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "designate-certmanager-webhook.fullname" . }}:uninstall
  labels:
    app: {{ include "designate-certmanager-webhook.name" . }}
    chart: {{ include "designate-certmanager-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  annotations:
    "helm.sh/hook": pre-delete
    "helm.sh/hook-delete-policy": hook-succeeded
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "designate-certmanager-webhook.fullname" . }}:uninstall
subjects:
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "designate-certmanager-webhook.fullname" . }}-uninstall
  labels:
    app: {{ include "designate-certmanager-webhook.name" . }}
    chart: {{ include "designate-certmanager-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  annotations:
    "helm.sh/hook": pre-delete
    "helm.sh/hook-delete-policy": hook-succeeded
  namespace: {{ .Release.Namespace }}
```
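As an added example (not part of the issue and not the chart's own code), the following lint runs over `helm template` output and flags the two problems described above: pre-delete hook resources pinned to a namespace other than the release's, and a hook Job without `imagePullSecrets`. The manifest is a constructed sample with placeholder names and image, and the regex matching assumes Helm's usual two-space rendered layout.

```python
import re

# Constructed sample of rendered hook manifests; the names, image and
# namespaces are placeholders, not the chart's real output.
RENDERED = """\
apiVersion: batch/v1
kind: Job
metadata:
  name: uninstall-example-webhook
  namespace: default
  annotations:
    "helm.sh/hook": pre-delete
spec:
  template:
    spec:
      restartPolicy: Never
      serviceAccountName: example-webhook
      containers:
        - name: kubectl
          image: registry.example/kubectl:placeholder
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-webhook
  namespace: default
  annotations:
    "helm.sh/hook": pre-delete
"""

def audit_hooks(rendered, release_namespace):
    """Return (kind, name, problem) tuples for pre-delete hook resources."""
    findings = []
    for doc in re.split(r"(?m)^---[ \t]*$", rendered):
        # Only resources that run as pre-delete hooks are of interest here.
        if not re.search(r'helm\.sh/hook"?:\s*pre-delete', doc):
            continue
        kind = re.search(r"(?m)^kind:\s*(\S+)", doc).group(1)
        name = re.search(r"(?m)^  name:\s*(\S+)", doc).group(1)
        # An unset namespace is fine: Helm then uses the release namespace.
        ns = re.search(r"(?m)^  namespace:\s*(\S+)", doc)
        if ns and ns.group(1) != release_namespace:
            findings.append((kind, name, "namespace=" + ns.group(1)))
        # Without imagePullSecrets the Job can only pull from a public registry.
        if kind == "Job" and not re.search(r"(?m)^\s+imagePullSecrets:", doc):
            findings.append((kind, name, "no imagePullSecrets"))
    return findings
```

Calling `audit_hooks(RENDERED, "cert-manager")` reports the Job and the ServiceAccount as pinned to `default`, plus the missing pull secret on the Job.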