cert-manager: Fix incorrect leader election namespace lead to insufficient permission

[rtsp]

What type of PR is this?

/kind bug

What this PR does / why we need it:

My last PR #8424 fix the GKE Autopilot problem but not the original problem reported in #8393 (at least it didn't break anything).

kubespray/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2

Lines 629 to 633 in cee481f

	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	name: cert-manager-cainjector:leaderelection
	namespace: {{ cert_manager_namespace }}

Referring to official cert-manager manifest. The leader election namespace is kube-system, not cert-manager. so the metadata.namespace here (and other 3 places) should be the cert_manager_leader_election_namespace (which I introduced in #8424) instead of cert_manager_namespace.

This PR change namespace configurations in cert-manager.yml.j2 to match the upstream cert-manager manifests which use kube-system by default and allow overriding with cert_manager_leader_election_namespace variable.

Which issue(s) this PR fixes:

Fixes #8393

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Fix incorrect leader election namespace with cert-manager leading to insufficient permission

[k8s-ci-robot]

Hi @rtsp. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cristicalin]

Thanks @rtsp for following up on this!

/ok-to-test
/lgtm

[floryut]

@rtsp 👍

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, rtsp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [floryut]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[red55]

Hi everyone, @rtsp
Tryied on clean k8s still getting errors:

[leaderelection.go:325] error retrieving resource lock kube-system/cert-manager-cainjector-leader-election: configmaps "cert-manager-cainjector-leader-election" is forbidden: User "system:serviceaccount:cert-manager:cert-manager-cainjector" cannot get resource "configmaps" in API group "" in the namespace "kube-system"

I guess there are some permissions missing

diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index 036f55cd..6f5827af 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -106,6 +106,12 @@ rules:
   - apiGroups: ["auditregistration.k8s.io"]
     resources: ["auditsinks"]
     verbs: ["get", "list", "watch", "update"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "update"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["create", "get", "update"]
 ---

[rtsp]

@red55 Which kubespray branch or commit you're using?

Try updating to the latest commit, if the problem still occur please open new issue and provide information as much as possible. Feel tree to mention me or this PR from those new issue.

[red55]

@rtsp hi,
im on this one cc45e36

commit cc45e365ae9e45bfd7e3d56120a5743c8e870822 (HEAD -> master, origin/master, origin/HEAD)
Author: Kenichi Omichi <[email protected]>
Date:   Thu Feb 17 13:57:03 2022 -0800

    Fix print_hostnames of inventory.py (#8554)
    
    When trying to run print_hostnames of inventory.py, it outputs the following
    error:
    
     $ CONFIG_FILE=./test-hosts.yaml python3 ./inventory.py print_hostnames
     Traceback (most recent call last):
       File "./inventory.py", line 472, in <module>
         sys.exit(main())
       File "./inventory.py", line 467, in main
         KubesprayInventory(argv, CONFIG_FILE)
       File "./inventory.py", line 92, in __init__
         self.parse_command(changed_hosts[0], changed_hosts[1:])
       File "./inventory.py", line 415, in parse_command
         self.print_hostnames()
       File "./inventory.py", line 455, in print_hostnames

[rtsp]

@red55 I didn't test the latest commit yet but it seems to sync with upstream cert-manager manifest.

I'm not sure which system you're running. May be you don't have permission on kube-system namespace on your system? You clould try changing cert_manager_leader_election_namespace (in your inventory group_vars) to cert-manager instead of kube-system (default).

Anyway please open a bug report and provide more information here https://github.com/kubernetes-sigs/kubespray/issues/new?assignees=&labels=kind%2Fbug&template=bug-report.md Thanks