cert-manager · poponealex · Jun 16, 2023 · Jun 16, 2023 · Jun 16, 2023 · Jun 16, 2023
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ OpenShift routes from any cert-manager Issuer.
 ## Prerequisites:
 
 1) Ensure you have [cert-manager](https://github.com/cert-manager/cert-manager) installed
-through the method of your choice. But make sure you install cert-manager and openshift-routes-deployment in the same namespace. By default this is in the namespace **cert-manager**.
+through the method of your choice. But make sure you install cert-manager and openshift-routes-deployment in the same namespace. By default this is in the namespace **cert-manager**. You may change the default namespace by setting the `CERT_MANAGER_NAMESPACE` when processing the the static manifest.
 For example, with the regular manifest:
 ```sh
 oc apply -f https://github.com/jetstack/cert-manager/releases/download/v1.8.0/cert-manager.yaml
@@ -55,8 +55,14 @@ CNAME:
 
 Install in your cluster using the static manifests:
 
+To install in the default `cert-manager` namespace, run the following:
 ```shell
-oc apply -f https://github.com/cert-manager/openshift-routes/releases/latest/download/cert-manager-openshift-routes.yaml
+oc process -f https://github.com/cert-manager/openshift-routes/releases/latest/download/cert-manager-openshift-routes.yaml | oc create -f -
+```
+
+To install in a custom namespace, replace <NAMESPACE_NAME> and run the following:
+```shell
+oc process -f https://github.com/cert-manager/openshift-routes/releases/latest/download/cert-manager-openshift-routes.yaml -p CERT_MANAGER_NAMESPACE=<NAMESPACE_NAME> | oc create -f -
 ```
 
 If you follow the above prerequisites, use this annotations below

diff --git a/deploy/static/cert-manager-openshift-routes.yaml b/deploy/static/cert-manager-openshift-routes.yaml
@@ -1,130 +1,144 @@
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+apiVersion: template.openshift.io/v1
+kind: Template
 metadata:
-  name: cert-manager-openshift-routes
-rules:
-- apiGroups:
-  - route.openshift.io
-  resources:
-  - routes
-  verbs:
-  - get
-  - list
-  - watch
-  - patch
-  - update
-- apiGroups:
-  - route.openshift.io
-  resources:
-  - routes/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - route.openshift.io
-  resources:
-  - routes/custom-host
-  verbs:
-  - create
-  - update
-- apiGroups:
-  - cert-manager.io
-  resources:
-  - certificaterequests
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-- apiGroups:
-    - cert-manager.io
-  resources:
-    - certificaterequests/status
-  verbs:
-    - get
-    - list
-    - watch
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-  - get
-  - list
-  - update
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: cert-manager-openshift-routes
-  namespace: cert-manager
-automountServiceAccountToken: false
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cert-manager-openshift-routes
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cert-manager-openshift-routes
-subjects:
-- kind: ServiceAccount
-  name: cert-manager-openshift-routes
-  namespace: cert-manager
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cert-manager-openshift-routes
-  namespace: cert-manager
-  labels:
-    app.kubernetes.io/name: cert-manager-openshift-routes
-    app.kubernetes.io/version: "$RELEASED_VERSION"
-    app.kubernetes.io/component: controller
-    app.kubernetes.io/part-of: cert-manager
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: cert-manager-openshift-routes
-      app.kubernetes.io/version: "$RELEASED_VERSION"
-      app.kubernetes.io/component: controller
-      app.kubernetes.io/part-of: cert-manager
-  template:
+  name: cert-manager-openshift-routes-deploy
+objects:
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: cert-manager-openshift-routes
+    rules:
+    - apiGroups:
+      - route.openshift.io
+      resources:
+      - routes
+      verbs:
+      - get
+      - list
+      - watch
+      - patch
+      - update
+    - apiGroups:
+      - route.openshift.io
+      resources:
+      - routes/finalizers
+      verbs:
+      - update
+    - apiGroups:
+      - route.openshift.io
+      resources:
+      - routes/custom-host
+      verbs:
+      - create
+      - update
+    - apiGroups:
+      - cert-manager.io
+      resources:
+      - certificaterequests
+      verbs:
+      - create
+      - get
+      - list
+      - watch
+    - apiGroups:
+        - cert-manager.io
+      resources:
+        - certificaterequests/status
+      verbs:
+        - get
+        - list
+        - watch
+    - apiGroups:
+      - ""
+      resources:
+      - events
+      verbs:
+      - create
+      - patch
+    - apiGroups:
+      - coordination.k8s.io
+      resources:
+      - leases
+      verbs:
+      - create
+      - get
+      - list
+      - update
+
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: cert-manager-openshift-routes
+      namespace: ${CERT_MANAGER_NAMESPACE}
+    automountServiceAccountToken: false
+
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: cert-manager-openshift-routes
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: cert-manager-openshift-routes
+    subjects:
+    - kind: ServiceAccount
+      name: cert-manager-openshift-routes
+      namespace: ${CERT_MANAGER_NAMESPACE}
+
+  - apiVersion: apps/v1
+    kind: Deployment
     metadata:
+      name: cert-manager-openshift-routes
+      namespace: ${CERT_MANAGER_NAMESPACE}
       labels:
         app.kubernetes.io/name: cert-manager-openshift-routes
         app.kubernetes.io/version: "$RELEASED_VERSION"
         app.kubernetes.io/component: controller
-        app.kubernetes.io/part-of: cert-manager
+        app.kubernetes.io/part-of: ${CERT_MANAGER_NAMESPACE}
     spec:
-      serviceAccountName: cert-manager-openshift-routes
-      automountServiceAccountToken: true
-      containers:
-        - name: cert-manager-openshift-routes
-          image: "ghcr.io/cert-manager/cert-manager-openshift-routes:$RELEASED_VERSION"
-          args:
-          - -v=5
-          ports:
-          - containerPort: 6060
-            name: readiness
-            protocol: TCP
-          - containerPort: 9402
-            name: metrics
-            protocol: TCP
-          readinessProbe:
-            httpGet:
-              port: readiness
-              path: "/readyz"
-            initialDelaySeconds: 3
-            periodSeconds: 5
-            timeoutSeconds: 3
+      replicas: 1
+      selector:
+        matchLabels:
+          app.kubernetes.io/name: cert-manager-openshift-routes
+          app.kubernetes.io/version: "$RELEASED_VERSION"
+          app.kubernetes.io/component: controller
+          app.kubernetes.io/part-of: ${CERT_MANAGER_NAMESPACE}
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: cert-manager-openshift-routes
+            app.kubernetes.io/version: "$RELEASED_VERSION"
+            app.kubernetes.io/component: controller
+            app.kubernetes.io/part-of: ${CERT_MANAGER_NAMESPACE}
+        spec:
+          serviceAccountName: cert-manager-openshift-routes
+          automountServiceAccountToken: true
+          containers:
+            - name: cert-manager-openshift-routes
+              image: "ghcr.io/cert-manager/cert-manager-openshift-routes:$RELEASED_VERSION"
+              args:
+              - -v=5
+              ports:
+              - containerPort: 6060
+                name: readiness
+                protocol: TCP
+              - containerPort: 9042
+                name: metrics
+                protocol: TCP
+              readinessProbe:
+                httpGet:
+                  port: readiness
+                  path: "/readyz"
+                initialDelaySeconds: 3
+                periodSeconds: 5
+                timeoutSeconds: 3
+              env:
+                - name: CERT_MANAGER_NAMESPACE
+                  value: ${CERT_MANAGER_NAMESPACE}
+
+parameters:
+  - name: CERT_MANAGER_NAMESPACE
+    description: Namespace where cert-manager is installed
+    value: cert-manager
+    required: true
diff --git a/hack/generate-static-manifest.sh b/hack/generate-static-manifest.sh
@@ -5,5 +5,5 @@ if [ $# -ne 1 ]; then
     exit 1
 fi
 export RELEASED_VERSION="$1"
-envsubst < "./deploy/static/cert-manager-openshift-routes.yaml" > "cert-manager-openshift-routes-$RELEASED_VERSION.yaml"
+envsubst '${RELEASED_VERSION}' < "./deploy/static/cert-manager-openshift-routes.yaml" > "cert-manager-openshift-routes-$RELEASED_VERSION.yaml"
 exit 0
diff --git a/internal/cmd/app/options/options.go b/internal/cmd/app/options/options.go
@@ -19,6 +19,7 @@ package options
 import (
 	"flag"
 	"fmt"
+	"os"
 
 	"github.com/go-logr/logr"
 	"github.com/spf13/cobra"
@@ -132,6 +133,6 @@ func (o *Options) addAppFlags(fs *pflag.FlagSet) {
 		"Whether to enable leader election on the controller.")
 
 	fs.StringVar(&o.LeaderElectionNamespace,
-		"leader-election-namespace", "cert-manager",
+		"leader-election-namespace", os.Getenv("CERT_MANAGER_NAMESPACE"),
 		"Namespace to create leader election resources in.")
 }