Merge pull request #2155 from munnerz/leaderelection-kube-system

Update default leader election namespace to be kube-system
jetstack-bot 2019-10-04 13:50:35 +01:00 committed by GitHub
commit 68df81ea45
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 79 additions and 13 deletions


@ -77,7 +77,7 @@ The following table lists the configurable parameters of the cert-manager chart
| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
| `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` |
| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` |
| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | Same namespace as cert-manager pod |
| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` |
| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
| `image.tag` | Image tag | `v0.11.0-beta.0` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |


@ -46,11 +46,7 @@ spec:
{{- if .Values.global.logLevel }}
- --v={{ .Values.global.logLevel }}
{{- end }}
{{- if .Values.global.leaderElection.namespace }}
- --leader-election-namespace={{ .Values.global.leaderElection.namespace }}
{{- else }}
- --leader-election-namespace=$(POD_NAMESPACE)
{{- end }}
{{- if .Values.extraArgs }}
{{ toYaml .Values.extraArgs | indent 10 }}
{{- end }}
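Review bot: With the `{{- if }}`/`{{- else }}` guard removed, an explicitly empty `global.leaderElection.namespace` override now renders as `--leader-election-namespace=` instead of falling back to `$(POD_NAMESPACE)` (assuming the surviving line is the `{{ .Values.global.leaderElection.namespace }}` form; the rendered view does not mark which of the five lines was kept). values.yaml now defaults the key to `kube-system`, so this only bites users who carry the old `""` value in their own values files, but they would get a cainjector that cannot elect a leader rather than a render error. If the chart's Helm version provides it, `- --leader-election-namespace={{ required "global.leaderElection.namespace must be set" .Values.global.leaderElection.namespace }}` fails at template time instead. The `args` list this line belongs to begins outside the hunk.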


@ -17,7 +17,7 @@ rules:
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps", "events"]
resources: ["events"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
@ -47,4 +47,51 @@ subjects:
- name: {{ include "cainjector.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
kind: ServiceAccount
---
# leader election rules
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ template "cainjector.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ template "cainjector.name" . }}
app.kubernetes.io/name: {{ template "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ template "cainjector.chart" . }}
rules:
# Used for leader election by the controller
# TODO: refine the permission to *just* the leader election configmap
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "create", "update", "patch"]
---
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ include "cainjector.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ include "cainjector.name" . }}
app.kubernetes.io/name: {{ include "cainjector.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "cainjector.chart" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "cainjector.fullname" . }}:leaderelection
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "cainjector.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}
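Review bot: The `configmaps` rule in the new `:leaderelection` Role still covers every ConfigMap in the leader-election namespace, and that namespace now defaults to `kube-system`, where control-plane components commonly keep their configuration; the `TODO: refine the permission` comment above the rule acknowledges this. It is narrower than the cluster-wide `configmaps` grant dropped in the first hunk, but a compromised cainjector pod could still rewrite any ConfigMap in `kube-system`. Since `create` cannot be restricted by `resourceNames` (the object does not exist yet), split it into an unscoped `create` rule and a `get`/`update`/`patch` rule pinned to the lock object; the lock name is chosen by the cainjector binary and is not visible in this diff, so the placeholder below must be replaced with it.
```yaml
rules:
  # `create` cannot be narrowed by resourceNames: the lock does not exist yet.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  # Everything else is pinned to the lock object itself. Replace the
  # placeholder with the ConfigMap name the cainjector uses for leader election.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["LEADER_ELECTION_LOCK_NAME"]
    verbs: ["get", "update", "patch"]
# … unchanged: RoleBinding …
```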


@ -64,11 +64,7 @@ spec:
{{- else }}
- --cluster-resource-namespace=$(POD_NAMESPACE)
{{- end }}
{{- if .Values.global.leaderElection.namespace }}
- --leader-election-namespace={{ .Values.global.leaderElection.namespace }}
{{- else }}
- --leader-election-namespace=$(POD_NAMESPACE)
{{- end }}
{{- if .Values.extraArgs }}
{{ toYaml .Values.extraArgs | indent 10 }}
{{- end }}
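Review bot: The leader-election flag is now unconditional while `--cluster-resource-namespace` a few lines above keeps its `{{- if }}`/`$(POD_NAMESPACE)` fallback, so two namespace overrides in the same `args` list now follow different conventions, and a reader has no hint that the new one must agree with a Role the chart creates elsewhere. Whichever line survived (the rendered view does not mark it; presumably the `{{ .Values.global.leaderElection.namespace }}` form), a template comment above it, `{{- /* must match the namespace of the :leaderelection Role/RoleBinding rendered by the chart's RBAC template */}}`, records that coupling without leaking into the manifest. If an empty override is not meant to be supported any more, the same `required` treatment that `--cluster-resource-namespace` avoids via its fallback would make the failure visible at render time. The `args` list begins outside the hunk.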


@ -1,9 +1,10 @@
{{- if .Values.global.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
kind: Role
metadata:
name: {{ template "cert-manager.fullname" . }}-leaderelection
name: {{ template "cert-manager.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ template "cert-manager.name" . }}
app.kubernetes.io/name: {{ template "cert-manager.name" . }}
@ -12,12 +13,38 @@ metadata:
helm.sh/chart: {{ template "cert-manager.chart" . }}
rules:
# Used for leader election by the controller
# TODO: refine the permission to *just* the leader election configmap
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "create", "update", "patch"]
---
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ include "cert-manager.fullname" . }}:leaderelection
namespace: {{ .Values.global.leaderElection.namespace }}
labels:
app: {{ include "cert-manager.name" . }}
app.kubernetes.io/name: {{ include "cert-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "cert-manager.chart" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "cert-manager.fullname" . }}:leaderelection
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "cert-manager.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
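Review bot: The new Role/RoleBinding are only rendered inside `{{- if .Values.global.rbac.create -}}`, yet the deployment now points `--leader-election-namespace` at `kube-system` unconditionally, so installs with `global.rbac.create=false` need an operator-managed Role in `kube-system` that was not required before (the replaced ClusterRole, under the same gate, was not tied to a namespace). The README row for `global.leaderElection.namespace` describes only the override; suggest appending `With global.rbac.create=false, a Role/RoleBinding granting ConfigMap access in this namespace must be created separately.` there. The rule also carries the same `# TODO: refine the permission to *just* the leader election configmap` as the cainjector file, so the controller service account can write every ConfigMap in `kube-system`; keeping `create` unscoped and pinning `get`/`update`/`patch` with `resourceNames` to the controller's lock object would close most of that. The Issuer controller ClusterRole at the end of the hunk continues past it.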


@ -21,7 +21,7 @@ global:
leaderElection:
# Override the namespace used to store the ConfigMap for leader election
namespace: ""
namespace: "kube-system"
replicaCount: 1