From 1464fe69a41e9bea64d8cca1e1aae0ab875d4aac Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Fri, 4 Oct 2019 13:14:11 +0100
Subject: [PATCH] Update default leader election namespace to be kube-system
Signed-off-by: James Munnelly
---
deploy/charts/cert-manager/README.md | 2 +-
.../cainjector/templates/deployment.yaml | 4 --
.../cainjector/templates/rbac.yaml | 49 ++++++++++++++++++-
.../cert-manager/templates/deployment.yaml | 4 --
.../charts/cert-manager/templates/rbac.yaml | 31 +++++++++++-
deploy/charts/cert-manager/values.yaml | 2 +-
6 files changed, 79 insertions(+), 13 deletions(-)
diff --git a/deploy/charts/cert-manager/README.md b/deploy/charts/cert-manager/README.md
index c77ca8ad1..ecec761e0 100644
--- a/deploy/charts/cert-manager/README.md
+++ b/deploy/charts/cert-manager/README.md
@@ -77,7 +77,7 @@ The following table lists the configurable parameters of the cert-manager chart
 | `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
 | `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` |
 | `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` |
-| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | Same namespace as cert-manager pod |
+| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` |
 | `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
 | `image.tag` | Image tag | `v0.11.0-beta.0` |
 | `image.pullPolicy` | Image pull policy | `IfNotPresent` |
diff --git a/deploy/charts/cert-manager/cainjector/templates/deployment.yaml b/deploy/charts/cert-manager/cainjector/templates/deployment.yaml
index 0d3e918f1..0fd28fd9b 100644
--- a/deploy/charts/cert-manager/cainjector/templates/deployment.yaml
+++ b/deploy/charts/cert-manager/cainjector/templates/deployment.yaml
@@ -46,11 +46,7 @@ spec:
 {{- if .Values.global.logLevel }}
 - --v={{ .Values.global.logLevel }}
 {{- end }}
- {{- if .Values.global.leaderElection.namespace }}
 - --leader-election-namespace={{ .Values.global.leaderElection.namespace }}
- {{- else }}
- - --leader-election-namespace=$(POD_NAMESPACE)
- {{- end }}
 {{- if .Values.extraArgs }}
 {{ toYaml .Values.extraArgs | indent 10 }}
 {{- end }}
diff --git a/deploy/charts/cert-manager/cainjector/templates/rbac.yaml b/deploy/charts/cert-manager/cainjector/templates/rbac.yaml
index b2a95ff95..c446d8a86 100644
--- a/deploy/charts/cert-manager/cainjector/templates/rbac.yaml
+++ b/deploy/charts/cert-manager/cainjector/templates/rbac.yaml
@@ -17,7 +17,7 @@ rules:
 resources: ["secrets"]
 verbs: ["get", "list", "watch"]
 - apiGroups: [""]
- resources: ["configmaps", "events"]
+ resources: ["events"]
 verbs: ["get", "create", "update", "patch"]
 - apiGroups: ["admissionregistration.k8s.io"]
 resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
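Review bot: The line kept as context, `- --leader-election-namespace={{ .Values.global.leaderElection.namespace }}`, now renders unconditionally, so a values file that still carries the previous default `namespace: ""` (or omits the key) produces an empty `--leader-election-namespace=` instead of the `$(POD_NAMESPACE)` fallback this hunk removes. A render-time guard such as `- --leader-election-namespace={{ required "global.leaderElection.namespace must be set" .Values.global.leaderElection.namespace }}` surfaces the misconfiguration at chart render rather than at pod start. The cert-manager deployment hunk at `@@ -64,11 +64,7 @@` has the same shape, and the `metadata.namespace` of the new Role and RoleBinding in both rbac.yaml files interpolates the same value unguarded, where an empty value would render `namespace:` (null) and presumably leave those resources in the release namespace while the flag points nowhere.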
@@ -47,4 +47,51 @@ subjects:
 - name: {{ include "cainjector.fullname" . }}
 namespace: {{ .Release.Namespace | quote }}
 kind: ServiceAccount
+
+---
+# leader election rules
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ template "cainjector.fullname" . }}:leaderelection
+ namespace: {{ .Values.global.leaderElection.namespace }}
+ labels:
+ app: {{ template "cainjector.name" . }}
+ app.kubernetes.io/name: {{ template "cainjector.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ template "cainjector.chart" . }}
+rules:
+ # Used for leader election by the controller
+ # TODO: refine the permission to *just* the leader election configmap
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "create", "update", "patch"]
+
+---
+
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ include "cainjector.fullname" . }}:leaderelection
+ namespace: {{ .Values.global.leaderElection.namespace }}
+ labels:
+ app: {{ include "cainjector.name" . }}
+ app.kubernetes.io/name: {{ include "cainjector.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ include "cainjector.chart" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "cainjector.fullname" . }}:leaderelection
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "cainjector.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+
+
 {{- end -}}
diff --git a/deploy/charts/cert-manager/templates/deployment.yaml b/deploy/charts/cert-manager/templates/deployment.yaml
index d8b021885..64c9ee84a 100644
--- a/deploy/charts/cert-manager/templates/deployment.yaml
+++ b/deploy/charts/cert-manager/templates/deployment.yaml
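Review bot: The new Role grants `get`, `create`, `update` and `patch` on every ConfigMap in `.Values.global.leaderElection.namespace`, which this commit defaults to `kube-system`; the TODO on the rule acknowledges it, but in that namespace the grant reaches every other ConfigMap alongside the leader-election lock, so a compromised cainjector ServiceAccount token gets write access to all of them. Because RBAC cannot restrict `create` by `resourceNames`, the usual shape is a namespace-wide create-only rule plus a name-restricted rule for the remaining verbs, sketched below with the lock name left as a placeholder; the cert-manager rbac.yaml hunk at `@@ -12,12 +13,38 @@` carries the same rule. Minor style point: the RoleBinding subject uses `namespace: {{ .Release.Namespace }}` while the ClusterRoleBinding context just above uses `{{ .Release.Namespace | quote }}`. The template block closed by the trailing `{{- end -}}` opens outside the hunk.

```yaml
rules:
  # RBAC ignores resourceNames for create, so creating the lock stays
  # namespace-wide; the verbs that touch an existing object are pinned
  # to the lock's name.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["<LEADER_ELECTION_CONFIGMAP_NAME>"]
    verbs: ["get", "update", "patch"]
# … unchanged: RoleBinding …
```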
@@ -64,11 +64,7 @@ spec:
 {{- else }}
 - --cluster-resource-namespace=$(POD_NAMESPACE)
 {{- end }}
- {{- if .Values.global.leaderElection.namespace }}
 - --leader-election-namespace={{ .Values.global.leaderElection.namespace }}
- {{- else }}
- - --leader-election-namespace=$(POD_NAMESPACE)
- {{- end }}
 {{- if .Values.extraArgs }}
 {{ toYaml .Values.extraArgs | indent 10 }}
 {{- end }}
diff --git a/deploy/charts/cert-manager/templates/rbac.yaml b/deploy/charts/cert-manager/templates/rbac.yaml
index 0cb21bf70..a69ac72e9 100644
--- a/deploy/charts/cert-manager/templates/rbac.yaml
+++ b/deploy/charts/cert-manager/templates/rbac.yaml
@@ -1,9 +1,10 @@
 {{- if .Values.global.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
+kind: Role
 metadata:
- name: {{ template "cert-manager.fullname" . }}-leaderelection
+ name: {{ template "cert-manager.fullname" . }}:leaderelection
+ namespace: {{ .Values.global.leaderElection.namespace }}
 labels:
 app: {{ template "cert-manager.name" . }}
 app.kubernetes.io/name: {{ template "cert-manager.name" . }}
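Review bot: The leader-election grant changes kind from `ClusterRole` to `Role` and its name from `{{ template "cert-manager.fullname" . }}-leaderelection` to `{{ template "cert-manager.fullname" . }}:leaderelection`, but nothing in this diff touches whatever previously bound the old ClusterRole to the controller's ServiceAccount. If a ClusterRoleBinding elsewhere in this file (the rest of the file is not visible here) still names `-leaderelection`, it would now reference a resource the chart no longer creates, which is worth a grep before merge. A one-line comment above the new `kind: Role`, such as `# Namespaced: the only leader-election lock lives in .Values.global.leaderElection.namespace`, would record why this grant alone is not cluster-scoped.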
@@ -12,12 +13,38 @@ metadata:
 helm.sh/chart: {{ template "cert-manager.chart" . }}
 rules:
 # Used for leader election by the controller
+ # TODO: refine the permission to *just* the leader election configmap
 - apiGroups: [""]
 resources: ["configmaps"]
 verbs: ["get", "create", "update", "patch"]
 ---
+# grant cert-manager permission to manage the leaderelection configmap in the
+# leader election namespace
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ include "cert-manager.fullname" . }}:leaderelection
+ namespace: {{ .Values.global.leaderElection.namespace }}
+ labels:
+ app: {{ include "cert-manager.name" . }}
+ app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ include "cert-manager.chart" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "cert-manager.fullname" . }}:leaderelection
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "cert-manager.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+
+---
+
 # Issuer controller role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml
index 79306fca0..e3afffec3 100644
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@@ -21,7 +21,7 @@ global:
 leaderElection:
 # Override the namespace used to store the ConfigMap for leader election
- namespace: ""
+ namespace: "kube-system"
 replicaCount: 1
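Review bot: The comment above the changed default, `# Override the namespace used to store the ConfigMap for leader election`, still describes the value as an optional override, but with this commit both deployments pass it verbatim as `--leader-election-namespace` and the chart creates a Role and RoleBinding in it, so an empty value now renders an empty flag rather than falling back to the pod namespace. Suggest replacing the comment with `# Namespace holding the leader election ConfigMap. The chart creates a Role/RoleBinding` and `# here and passes it as --leader-election-namespace, so it must be a non-empty namespace name.` so values-file readers see that the key is now required.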