rancher: Unable to install cert-manager v0.11 via Rancher 2.3.2
What kind of request is this (question/bug/enhancement/feature request): Bug?
Steps to reproduce (least amount of steps as possible):
- Add jetstack ( https://charts.jetstack.io ) repository as app catalog via rancher ui.
- Install cert-manager CRDs:
kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml
- Create “cert-manager” namespace in System project.
- Launch “cert-manager” app from catalog with name “cert-manager” and in existing namespace “cert-manager”

Result:
Error: resource’s namespace kube-system doesn’t match the current namespace cert-manager
[main] 2019/11/02 11:47:05 Starting Tiller v2.14+unreleased (tls=false)
[main] 2019/11/02 11:47:05 GRPC listening on :47978
[main] 2019/11/02 11:47:05 Probes listening on :36421
[main] 2019/11/02 11:47:05 Storage driver is ConfigMap
[main] 2019/11/02 11:47:05 Max history per release is 10
[tiller] 2019/11/02 11:47:06 getting history for release cert-manager
[storage] 2019/11/02 11:47:06 getting release history for "cert-manager"
Release "cert-manager" does not exist. Installing it now.
[tiller] 2019/11/02 11:47:06 preparing install for cert-manager
[storage] 2019/11/02 11:47:06 getting release history for "cert-manager"
[tiller] 2019/11/02 11:47:06 rendering cert-manager chart using values
2019/11/02 11:47:06 info: manifest "cert-manager/charts/cainjector/templates/psp-clusterrolebinding.yaml" is empty. Skipping.
2019/11/02 11:47:06 info: manifest "cert-manager/templates/servicemonitor.yaml" is empty. Skipping.
2019/11/02 11:47:06 info: manifest "cert-manager/templates/psp.yaml" is empty. Skipping.
2019/11/02 11:47:06 info: manifest "cert-manager/templates/psp-clusterrolebinding.yaml" is empty. Skipping.
2019/11/02 11:47:06 info: manifest "cert-manager/charts/cainjector/templates/psp.yaml" is empty. Skipping.
2019/11/02 11:47:06 info: manifest "cert-manager/templates/psp-clusterrole.yaml" is empty. Skipping.
2019/11/02 11:47:06 info: manifest "cert-manager/charts/cainjector/templates/psp-clusterrole.yaml" is empty. Skipping.
[tiller] 2019/11/02 11:47:06 performing install for cert-manager
[tiller] 2019/11/02 11:47:06 executing 0 crd-install hooks for cert-manager
[tiller] 2019/11/02 11:47:06 hooks complete for crd-install cert-manager
[tiller] 2019/11/02 11:47:06 executing 0 pre-install hooks for cert-manager
[tiller] 2019/11/02 11:47:06 hooks complete for pre-install cert-manager
[storage] 2019/11/02 11:47:06 getting release history for "cert-manager"
[storage] 2019/11/02 11:47:06 creating release "cert-manager.v1"
[storage] 2019/11/02 11:47:06 getting release history for "cert-manager"
[kube] 2019/11/02 11:47:06 building resources from manifest
[tiller] 2019/11/02 11:47:06 warning: Release "cert-manager" failed: resource's namespace kube-system doesn't match the current namespace cert-manager
[storage] 2019/11/02 11:47:06 updating release "cert-manager.v1"
[tiller] 2019/11/02 11:47:06 failed install perform step: release cert-manager failed: resource's namespace kube-system doesn't match the current namespace cert-manager
2019/11/02 11:47:07 [ERROR] AppController p-sv954/cert-manager [helm-controller] failed with : failed to install app cert-manager. Error: release cert-manager failed: resource's namespace kube-system doesn't match the current namespace cert-manager
Other details that may be helpful:
Environment information Rancher 2.3.2 single instance, aks 1.14.7 cluster
About this issue
- State: closed
- Created 5 years ago
- Reactions: 6
- Comments: 21
My work solution is:
Install the custom resource definition before the helm app:
kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/v0.13.0/deploy/manifests/00-crds.yaml
Install the helm app with values:
It’s not uncommon for a single Helm chart to need to deploy resources into more than one namespace, although it isn’t necessarily ‘expected’. In this instance, it is required as we need to ensure that leader election is performed between all installations of cert-manager, to prevent two instances running in a single cluster due to being installed multiple times via app catalogs etc.
It seems like Rancher has a Helm operator of some description that is responsible for applying/installing things from the catalog - IMO, this should be extended to not fail/error in cases where resources need to go in other namespaces, as it is an arbitrary restriction and cert-manager will not be the only tool that requires this.
@dnauck I used this technique this afternoon. Added the catalog, then created the App from this catalog with the given option and everything is deployed properly.
If you want to use the catalog, you can add the following option:
global.leaderElection.namespace = cert-manager
cert-manager allows us to override the second destination namespace.
It seems kind of surprising how challenging it is to get letsencrypt running on Rancher. We’ve got great out of the box support for nginx ingress controllers on RKE clusters… I feel like letsencrypt is another part of that puzzle that could be a first class integration. To do that this needs to be wayyyyy more smooth and without issues like this one.
I’m only offering this as a friendly beginner’s perspective feedback 😁 I imagine this seems a bit more of a trivial issue from an expert’s perspective but the overall “OK I’ve got an ingress, how do I get certificates?” has been a multi-hour task for someone with less kubernetes background.
It only works with
webhook.enabled = false
@blackholegalaxy thanks!!
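
As an added illustration (not part of the original thread, and not Rancher's or Helm's own code), the sketch below shows the kind of check behind the "resource's namespace kube-system doesn't match the current namespace cert-manager" error: it scans rendered manifests for resources that pin a namespace other than the release namespace. The manifest sample, the function names and the simplified line-based parsing are assumptions made for this example.

```python
import re

# Constructed sample of rendered chart output (not the real cert-manager manifests).
RENDERED = """\
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager:leaderelection
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller
"""


def _field(text, pattern):
    """Return the first capture of pattern in text, unquoted, or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip().strip("\"'") if m else None


def cross_namespace_resources(rendered, release_namespace):
    """List (kind, name, namespace) for every resource whose
    metadata.namespace differs from the release namespace."""
    findings = []
    for doc in re.split(r"^---[ \t]*$", rendered, flags=re.MULTILINE):
        kind = _field(doc, r"^kind:\s*(\S+)")
        meta = re.search(r"^metadata:\n((?:[ \t]+.*\n?)+)", doc, re.MULTILINE)
        if not kind or not meta:
            continue  # empty document or no metadata block
        block = meta.group(1)
        # Only direct children of metadata (two-space indent) are considered.
        name = _field(block, r"^  name:\s*(.+)$")
        namespace = _field(block, r"^  namespace:\s*(.+)$")
        if namespace and namespace != release_namespace:
            findings.append((kind, name, namespace))
    return findings


if __name__ == "__main__":
    for kind, name, ns in cross_namespace_resources(RENDERED, "cert-manager"):
        print(f"{kind}/{name} targets namespace {ns}")
```

Cluster-scoped resources (no `metadata.namespace`) are skipped, so only namespaced objects that leave the release namespace are reported.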