Prevent the addition of certification annotation into the CRD YAML
Status Update - 2024-05-10
The changes implemented in !152 (merged) include the ones made in this MR, making it no longer needed. I am therefore going to close it.
Status Update - 2024-02-13
The new implementation prevents the addition of the `cert-manager.io/inject-ca-from` annotation on the CRD during the install.
Status Update - 2024-01-26
Regarding the ability to somehow update the `CERTIFICATE_NAMESPACE` and `CERTIFICATE_NAME` when creating a CR, unfortunately, it doesn't seem possible.
- We utilize `kustomize` to generate all the required manifests for the Operator. In one of the kustomization.yaml files, the variables for namespace and namePrefix are provided. These variables are initialized through the certificate object, as specified in these instructions.
- `operator-sdk`, during the process of generating and bundling the Operator manifests, ignores both the `Certificate` and the `Issuer`. Consequently, after installation of GitLab Runner Operator, attempts to create a new CR fail because the `kube-api` cannot find the non-existent certificate/issuer.

This MR will update the installation documentation by providing the following details:
- For users with their own certificate provider, the ability to set custom `CERTIFICATE_NAMESPACE`/`CERTIFICATE_NAME`
- For other users, the manual creation of the necessary Kubernetes objects (`Certificate` and `Issuer`)
```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gitlab-runner-serving-cert
  namespace: gitlab-runner-system
spec:
  dnsNames:
  - gitlab-runner-webhook-service.gitlab-runner-system.svc
  - gitlab-runner-webhook-service.gitlab-runner-system.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: gitlab-runner-selfsigned-issuer
  secretName: webhook-server-cert
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: gitlab-runner-selfsigned-issuer
  namespace: gitlab-runner-system
spec:
  selfSigned: {}
```
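The missing-issuer failure described in this comment can be caught before a Runner CR is created. As an added example (not the operator's own code, nor part of the comment), the following script takes manifests as dicts, as `yaml.safe_load_all` would produce from the YAML above, and checks that the Certificate references an Issuer that exists, covers the webhook service's in-cluster DNS names, and writes to the secret the webhook expects; the service name, the namespace `gitlab-runner-system` and the secret name `webhook-server-cert` are assumptions taken from the manifests above.

```python
# Added example, not the operator's own code: check the cert-manager objects the
# operator webhook needs before a Runner CR is created. Manifests are plain dicts,
# i.e. what yaml.safe_load_all() yields for the YAML in the comment above.

WEBHOOK_SERVICE = "gitlab-runner-webhook-service"  # assumed, from the dnsNames above
WEBHOOK_SECRET = "webhook-server-cert"              # assumed, from secretName above

def index_objects(docs):
    """Map (kind, namespace, name) -> manifest; cluster-scoped kinds use namespace None."""
    return {(d["kind"], d["metadata"].get("namespace"), d["metadata"]["name"]): d for d in docs}

def check_webhook_cert(docs, cert_namespace, cert_name,
                       webhook_namespace="gitlab-runner-system", secret_name=WEBHOOK_SECRET):
    """Return a list of problems; an empty list means the CR prerequisites are met."""
    objs = index_objects(docs)
    cert = objs.get(("Certificate", cert_namespace, cert_name))
    if cert is None:
        return [f"Certificate {cert_namespace}/{cert_name} not found; "
                "check CERTIFICATE_NAMESPACE and CERTIFICATE_NAME"]
    problems, spec = [], cert["spec"]
    ref = spec.get("issuerRef", {})
    kind = ref.get("kind", "Issuer")
    # A namespaced Issuer must sit beside the Certificate; a ClusterIssuer is cluster-scoped.
    issuer_ns = None if kind == "ClusterIssuer" else cert_namespace
    if (kind, issuer_ns, ref.get("name")) not in objs:
        problems.append(f"{kind} {ref.get('name')} referenced by the Certificate does not exist")
    # The serving cert must cover the in-cluster names kube-apiserver uses to reach the webhook.
    expected = {f"{WEBHOOK_SERVICE}.{webhook_namespace}.svc",
                f"{WEBHOOK_SERVICE}.{webhook_namespace}.svc.cluster.local"}
    for name in sorted(expected - set(spec.get("dnsNames", []))):
        problems.append(f"dnsNames is missing {name}")
    if spec.get("secretName") != secret_name:
        problems.append(f"secretName is {spec.get('secretName')!r}, webhook expects {secret_name!r}")
    return problems

# Constructed sample mirroring the Certificate and Issuer shown above.
SAMPLE_DOCS = [
    {"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
     "metadata": {"name": "gitlab-runner-serving-cert", "namespace": "gitlab-runner-system"},
     "spec": {"dnsNames": [f"{WEBHOOK_SERVICE}.gitlab-runner-system.svc",
                           f"{WEBHOOK_SERVICE}.gitlab-runner-system.svc.cluster.local"],
              "issuerRef": {"kind": "Issuer", "name": "gitlab-runner-selfsigned-issuer"},
              "secretName": "webhook-server-cert"}},
    {"apiVersion": "cert-manager.io/v1", "kind": "Issuer",
     "metadata": {"name": "gitlab-runner-selfsigned-issuer", "namespace": "gitlab-runner-system"},
     "spec": {"selfSigned": {}}},
]

if __name__ == "__main__":
    print(check_webhook_cert(SAMPLE_DOCS, "gitlab-runner-system", "gitlab-runner-serving-cert"))
    print(check_webhook_cert(SAMPLE_DOCS[:1], "gitlab-runner-system", "gitlab-runner-serving-cert"))
```

The second call drops the Issuer and reproduces the situation the comment describes, where the CR cannot be created because the referenced issuer does not exist.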
MR Description
When deploying the GitLab Runner Operator in a Kubernetes Cluster, the `CERTIFICATE_NAMESPACE` and `CERTIFICATE_NAME` variables default to the values set in the `kustomization.yaml` (namespace, name prefix).
However, if the certificate used is in a different namespace and has a different name, the operator installation fails with an error similar to the following:

```
kubectl create -f https://operatorhub.io/install/gitlab-runner-operator.yaml
Error from server (InternalError): error when retrieving the current configuration of:
Resource: "apps.gitlab.com/v1beta2, Resource=runners", GroupVersionKind: "apps.gitlab.com/v1beta2, Kind=Runner"
Name: "gitlab-runner", Namespace: "default"
from the server for: "gitlab-runner.yaml": Internal error occurred: error resolving resource
```

To avoid this issue, users should have the ability to configure the `CERTIFICATE_NAMESPACE` and the `CERTIFICATE_NAME` to be set in the CRDs.
How to test this MR
TBD
Linked issue
fixes #194