
Document how to install cert-manager in a different namespace

Open irbekrm opened this issue 2 years ago • 8 comments

A common scenario is to install cert-manager in a custom namespace + restrict the installation to that one namespace (by configuring cert-manager controller and cainjector to perform leader election in that namespace)

This is relatively straightforward with helm by passing the new namespace via the --namespace flag and setting the global.leaderElection.namespace however it is more difficult for a user of kubectl apply or similar who needs to figure out where to change the namespace and what flags are used to configure leader election.

We could either document how to do this with static manifests (i.e what lines need changing + what flags need setting) or, if feasible, provide a kustomize file to do that.

Some places where a namespace needs to be configured:

  • annotations on validating and mutation webhook configurations here and here
  • leader election flag for cainjector here
  • leader election flag for controller here
  • cluster resource namespace flag here
  • all resource namespaces that the manifests deploy

Marking this as a good first issue as I think it might be interesting to pick up for somebody interested in getting started with cert-manager and getting a high level understanding of what components get deployed.

irbekrm avatar Apr 26 '22 16:04 irbekrm

@irbekrm, I would like to take it.

/assign

mhmohona avatar Apr 27 '22 03:04 mhmohona

Hi @mhmohona do you still aim to work on this?

irbekrm avatar Jun 13 '22 12:06 irbekrm

Yea, please keep it for me. 😬 I am really sorry for the delay.

mhmohona avatar Jun 13 '22 15:06 mhmohona

No worries at all! Do let us know if you need any help getting started

irbekrm avatar Jun 13 '22 15:06 irbekrm

There is some useful context in https://github.com/cert-manager/cert-manager/issues/5207

irbekrm avatar Jun 14 '22 05:06 irbekrm

Is this issue still open/relevant? I'm working at this at work currently and would be happy to make a contribution here as well to help future devs!

jooseppi-luna avatar Jul 23 '23 21:07 jooseppi-luna

In case anyone is still awaiting solution, please refer to the changes mentioned below to install cert-manager in a different namespace other than the default "cert-manager" using manifest based installation. This example is based on version v1.9.1.

Replace <YOUR_NAMESPACE> with the new namespace in the file.

cert_manager_template_different_namespace.txt

sakshisharma84 avatar Jan 19 '24 16:01 sakshisharma84

Here's a kustomization based script I've been using to "relocate" namespace in cert-manager.yaml release artifact (e.g. v1.14.5 yaml), doesn't tackle leader-election namespace (keeping it as kube-system):

## NOTE: Replace these vars.
CERTMAN_YAML="https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml"
NEW_NAMESPACE="<new-certmanager-namespace>"

# Local staging dir
CERTMANKUST=artifacts

# Acquire pristine cert-manager yaml under base kustomization
mkdir -p $CERTMANKUST/base
curl -sLo $CERTMANKUST/base/cert-manager.yaml "$CERTMAN_YAML"

# Define namespace rename as part of base kustomization
cat <<EOT>$CERTMANKUST/base/kustomization.yaml
resources:
- cert-manager.yaml
transformers:
- set-namespace.yaml
EOT

cat <<EOT>$CERTMANKUST/base/set-namespace.yaml
apiVersion: builtin
kind: NamespaceTransformer
metadata:
  name: dummy
  namespace: ${NEW_NAMESPACE}
setRoleBindingSubjects: allServiceAccounts
fieldSpecs:
- path: metadata/name
  kind: Namespace
  create: true
EOT

# Define an overlay kustomization of patches to handle stuff not properly dealt by the base's namespace transformer.
# E.g. some Roles/RoleBindings need to remain in kube-system, some annotations need an update too.
mkdir -p $CERTMANKUST/overlay

cat <<EOT>$CERTMANKUST/overlay/kustomization.yaml
resources:
  - ../base
patches:
- path: reset-namespaces.yaml
  target:
    group: rbac.authorization.k8s.io
    version: v1
    kind: Role
    name: cert-manager.*:leaderelection
- path: reset-namespaces.yaml
  target:
    group: rbac.authorization.k8s.io
    version: v1
    kind: RoleBinding
    name: cert-manager.*:leaderelection
- path: set-namespace-in-webhook-annotations.yaml
  target:
    group: admissionregistration.k8s.io
    version: v1
    kind: MutatingWebhookConfiguration
    name: cert-manager-webhook
- path: set-namespace-in-webhook-annotations.yaml
  target:
    group: admissionregistration.k8s.io
    version: v1
    kind: ValidatingWebhookConfiguration
    name: cert-manager-webhook
EOT

cat <<EOT>$CERTMANKUST/overlay/reset-namespaces.yaml
- op: replace
  path: /metadata/namespace
  value: kube-system
EOT

cat <<EOT>$CERTMANKUST/overlay/set-namespace-in-webhook-annotations.yaml
- op: replace
  path: /metadata/annotations/cert-manager.io~1inject-ca-from-secret
  value: ${NEW_NAMESPACE}/cert-manager-webhook-ca
EOT

# Finally run kustomize build:
kustomize build $CERTMANKUST/overlay > $CERTMANKUST/cert-manager.yaml
# Apply to create cert-manager:
# kubectl apply -f $CERTMANKUST/cert-manager.yaml
# Check cert-manager status
# cmctl check api --namespace $NEW_NAMESPACE

nikhaild avatar May 21 '24 22:05 nikhaild