
Prevent the addition of certification annotation into the CRD YAML

Romuald Atchadé requested to merge add-certificate-name-namespace-in-crd into master

Status Update - 2024-05-10

The changes implemented in !152 (merged) include the ones made in this MR making it not needed anymore. I am therefore going to close it.

Status Update - 2024-02-13

The new implementation prevents the addition of the cert-manager.io/inject-ca-from annotation on the CRD during the install.

Status Update - 2024-01-26

Regarding the ability to somehow update the CERTIFICATE_NAMESPACE and CERTIFICATE_NAME when creating a CR, unfortunately, it doesn't seem possible. 🙁

  • We utilize kustomize to generate all the required manifests for the Operator. In one of the kustomization.yaml files, the variables for namespace and namePrefix are provided. These variables are initialized through the certificate object, as specified in these instructions
  • operator-sdk, during the process of generating and bundling the Operator manifests, ignores both the Certificate and the Issuer. Consequently, after installation of the GitLab Runner Operator, attempts to create a new CR fail because the kube-api cannot find the non-existent certificate/issuer.

This MR will update the installation documentation by providing the following details:

  1. For users with their own certificate provider, the ability to set custom CERTIFICATE_NAMESPACE / CERTIFICATE_NAME
  2. For other users, the manual creation of the necessary Kubernetes objects (Certificate and Issuer)

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gitlab-runner-serving-cert
  namespace: gitlab-runner-system
spec:
  dnsNames:
  - gitlab-runner-webhook-service.gitlab-runner-system.svc
  - gitlab-runner-webhook-service.gitlab-runner-system.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: gitlab-runner-selfsigned-issuer
  secretName: webhook-server-cert
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: gitlab-runner-selfsigned-issuer
  namespace: gitlab-runner-system
spec:
  selfSigned: {}

MR Description

When deploying the GitLab Runner Operator in a Kubernetes Cluster, the CERTIFICATE_NAMESPACE and CERTIFICATE_NAME variables default to the values set in the kustomization.yaml (namespace, name prefix).

However, if the certificate used is in a different namespace and has a different name, the operator installation fails with an error similar to the following:

kubectl create -f https://operatorhub.io/install/gitlab-runner-operator.yaml
Error from server (InternalError): error when retrieving the current configuration of:
Resource: "apps.gitlab.com/v1beta2, Resource=runners", GroupVersionKind: "apps.gitlab.com/v1beta2, Kind=Runner"
Name: "gitlab-runner", Namespace: "default"
from the server for: "gitlab-runner.yaml": Internal error occurred: error resolving resource

To avoid this issue, users should have the ability to configure the CERTIFICATE_NAMESPACE and the CERTIFICATE_NAME to be set in the CRDs.

How to test this MR

TBD

Linked issue

fixes #194

Edited by Romuald Atchadé
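As an added example (not part of this MR or of the operator's code), the following pre-flight check reproduces the failure mode discussed above: it walks a set of cluster objects and reports every CRD whose cert-manager.io/inject-ca-from annotation points at a Certificate that does not exist, or whose Certificate references an Issuer that does not exist. It assumes the JSON shape produced by `kubectl get ... -o json`; the CRD name runners.apps.gitlab.com is inferred from the error output quoted in the description, and the sample objects are constructed from the Certificate/Issuer manifests in the status update.

```python
import json
import sys

INJECT_ANNOTATION = "cert-manager.io/inject-ca-from"


def check_ca_injection(items):
    """Return one problem string per CRD whose inject-ca-from reference does
    not resolve to an existing Certificate with a resolvable (namespaced) Issuer."""
    certs, issuers, crds = {}, set(), []
    for obj in items:
        meta = obj.get("metadata", {})
        key = (meta.get("namespace"), meta.get("name"))
        if obj.get("kind") == "Certificate":
            certs[key] = obj
        elif obj.get("kind") == "Issuer":
            issuers.add(key)
        elif obj.get("kind") == "CustomResourceDefinition":
            crds.append(obj)
    problems = []
    for crd in crds:
        crd_name = crd["metadata"]["name"]
        ref = crd["metadata"].get("annotations", {}).get(INJECT_ANNOTATION)
        if ref is None:
            continue  # no CA injection requested for this CRD
        if ref.count("/") != 1:  # cert-manager expects "<namespace>/<name>"
            problems.append(f"{crd_name}: malformed {INJECT_ANNOTATION}={ref!r}")
            continue
        ns, name = ref.split("/")
        cert = certs.get((ns, name))
        if cert is None:
            problems.append(f"{crd_name}: Certificate {ns}/{name} not found")
            continue
        iref = cert.get("spec", {}).get("issuerRef", {})
        # ClusterIssuer is cluster-scoped and not collected here, so only check Issuer.
        if iref.get("kind", "Issuer") == "Issuer" and (ns, iref.get("name")) not in issuers:
            problems.append(f"{crd_name}: Issuer {ns}/{iref.get('name')} not found")
    return problems


# Constructed sample: Certificate/Issuer from the MR plus a CRD annotated the
# way the kustomize config would (CRD name inferred from the quoted error).
SAMPLE = [
    {"kind": "CustomResourceDefinition", "metadata": {"name": "runners.apps.gitlab.com",
     "annotations": {INJECT_ANNOTATION: "gitlab-runner-system/gitlab-runner-serving-cert"}}},
    {"kind": "Certificate", "metadata": {"name": "gitlab-runner-serving-cert", "namespace": "gitlab-runner-system"},
     "spec": {"secretName": "webhook-server-cert", "issuerRef": {"kind": "Issuer", "name": "gitlab-runner-selfsigned-issuer"}}},
    {"kind": "Issuer", "metadata": {"name": "gitlab-runner-selfsigned-issuer", "namespace": "gitlab-runner-system"},
     "spec": {"selfSigned": {}}},
]

if __name__ == "__main__":
    # Real use: kubectl get crd,certificates.cert-manager.io,issuers.cert-manager.io -A -o json > objs.json
    items = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE
    problems = check_ca_injection(items)
    print("\n".join(problems) or "all inject-ca-from references resolve")
    sys.exit(1 if problems else 0)
```

With the Certificate and Issuer dropped from the bundle, as the status update describes, the check reports the dangling reference before any Runner CR is created.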
