fix: allow job point to the default sa to get priviledges and perform…

… task

staging/cert-manager-setup/requirements.yaml

@@ -3,4 +3,3 @@ dependencies:
     version: 0.10.1
     repository: https://charts.jetstack.io
     condition: installCertManager
-

staging/cert-manager-setup/templates/clusterrole.yaml

@@ -1,12 +1,17 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: read-apiservices
+  name: cert-manager-setup-apiservices
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: "before-hook-creation"
-    "helm.sh/hook-weight": "-4"
+    helm.sh/hook-delete-policy: before-hook-creation
+    "helm.sh/hook-weight": "-7"
 rules:
-- apiGroups: ["apiregistration.k8s.io"]
-  resources: ["apiservices"]
-  verbs: ["get", "watch", "list"]
+- apiGroups:
+  - "apiregistration.k8s.io"
+  resources:
+  - "apiservices"
+  verbs:
+  - "get"
+  - "watch"
+  - "list"

staging/cert-manager-setup/templates/clusterrolebinding.yaml

@@ -1,17 +1,17 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: read-apiservices-rolebinding
+  name: cert-manager-setup-apiservices
   namespace: {{ .Release.Namespace }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: "before-hook-creation"
-    "helm.sh/hook-weight": "-3"
+    helm.sh/hook-delete-policy: before-hook-creation
+    "helm.sh/hook-weight": "-7"
 subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
   name: default
 roleRef:
   kind: ClusterRole
-  name: read-apiservices
+  name: cert-manager-setup-apiservices
   apiGroup: rbac.authorization.k8s.io

staging/cert-manager-setup/templates/post-install-hook-job.yaml

@@ -2,6 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ include "cert-manager-setup.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
 {{ include "cert-manager-setup.labels" . | indent 4 }}
   annotations:
@@ -13,31 +14,10 @@ spec:
     metadata:
       name: "wait-for-cert-manager-webhook"
     spec:
+      serviceAccountName: default
       restartPolicy: Never
       containers:
       - name: {{ .Chart.Name }}
         image: bitnami/kubectl:latest
         imagePullPolicy: IfNotPresent
-        command: ["kubectl", "wait", "--for=condition=Available", "--timeout=300s", "apiservice", "v1beta1.webhook.certmanager.k8s.io"]
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ include "cert-manager-setup.fullname" . }}-sleep
-  labels:
-{{ include "cert-manager-setup.labels" . | indent 4 }}
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
-spec:
-  template:
-    metadata:
-      name: "sleep"
-    spec:
-      restartPolicy: Never
-      containers:
-      - name: {{ .Chart.Name }}
-        image: ubuntu:xenial
-        imagePullPolicy: IfNotPresent
-        command: ["sleep", "30"]
+        command: ["kubectl", "wait", "--for=condition=Available", "--timeout=360s", "apiservice", "v1beta1.webhook.certmanager.k8s.io"]

staging/cert-manager-setup/values.yaml

@@ -12,7 +12,7 @@ issuers: []
 certificates: []
 #  - name: kubernetes-intermediate-ca
 #    # where to store this certificate
-#    secretName: my-certificate-secret
+#    secretName: kubernetes-intermediate-ca
 #    issuerRef:
 #      name: kubernetes-root-issuer
 #      kind: Issuer