Allow all resources to be namespaced · Issue #297 · cert-manager/trust-manager · GitHub
Allow all resources to be namespaced #297
Open
@chiqomar

We have a relatively unique setup, such that until multiple namespaces are enabled, this may be a better solution.

Requirement:

We need to deploy trust-manager in a manner where all the trust-manager resources are fully namespaced, or in a way that any deployments in other namespaces would not interfere with a deployment in another namespace.

Why?

The environment that we are deploying to only gives us access to a single namespace that we deploy to using Helm; we do not have access to the cert-manager namespace, and it is more ideal for us to deploy trust-manager as part of our namespace until it can support multiple namespaces (even if it could, we don't know how reconfiguring trust-manager for other namespaces after deployment would work).

Current Solution

I am using trust-manager as a dependent chart in our parent Helm chart, disabling CRDs, and have an edited Bundle CRD in the parent chart that is scoped to the namespace.
What I realize is that 3 resources will prevent deployments in other namespaces: validatingwebhookconfiguration, clusterrole, and clusterrolebinding. So even if we deploy to our namespace, it will currently prevent other deployments.

Proposed Solution

  • Add a configuration value boolean namespacedOnly, which will allow for a fully namespaced deployment
  • If enabled, clusterrole and clusterrolebinding won't be installed (not sure if this is an issue), or the name will include a reference to the namespace it is in, i.e. trust-manager-user-dev
  • The validatingwebhookconfiguration would follow the same naming convention if enabled

Alternatively, configuration for multiple namespaces should be completed, and we can work around that.
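
The name collision this issue describes, as an added example that is not part of the original post and not trust-manager's chart: a check that flags cluster-scoped objects rendered under the same name by two releases, run once with shared names and once with the namespace-suffixed names proposed above. The manifests are constructed stand-ins for rendered chart output; the base name `trust-manager`, the `render` helper and the namespaces `user-dev` and `user-qa` are assumptions.

```python
import re
from collections import defaultdict

# Kinds the issue names as blocking a second install; all are cluster-scoped.
CLUSTER_SCOPED = {
    "ValidatingWebhookConfiguration": "admissionregistration.k8s.io/v1",
    "ClusterRole": "rbac.authorization.k8s.io/v1",
    "ClusterRoleBinding": "rbac.authorization.k8s.io/v1",
}

def parse_objects(rendered):
    """Return (kind, metadata.name) per document. Minimal line-based reader
    for flat rendered manifests, not a general YAML parser."""
    objects = []
    for doc in re.split(r"(?m)^---[ \t]*$", rendered):
        kind = re.search(r"(?m)^kind:\s*(\S+)", doc)
        # Skip deeper-indented lines (labels etc.) to reach metadata.name.
        name = re.search(r"(?m)^metadata:\n(?:[ ]{2,}.*\n)*?[ ]{2}name:\s*(\S+)", doc)
        if kind and name:
            objects.append((kind.group(1), name.group(1)))
    return objects

def collisions(releases):
    """Cluster-scoped (kind, name) pairs rendered by more than one release."""
    owners = defaultdict(list)
    for release, rendered in releases.items():
        for kind, name in parse_objects(rendered):
            if kind in CLUSTER_SCOPED:
                owners[(kind, name)].append(release)
    return {key: rels for key, rels in owners.items() if len(rels) > 1}

def render(namespace, namespaced_names):
    """Constructed stand-in for rendered chart output (not the real chart)."""
    name = f"trust-manager-{namespace}" if namespaced_names else "trust-manager"
    docs = ["apiVersion: apps/v1\nkind: Deployment\nmetadata:\n"
            f"  name: trust-manager\n  namespace: {namespace}\n"]
    for kind, api in CLUSTER_SCOPED.items():
        docs.append(f"apiVersion: {api}\nkind: {kind}\nmetadata:\n"
                    f"  labels:\n    name: sample\n  name: {name}\n")
    return "---\n".join(docs)

if __name__ == "__main__":
    for flag in (False, True):
        releases = {ns: render(ns, flag) for ns in ("user-dev", "user-qa")}
        print(f"namespaced names={flag}:", collisions(releases) or "no collisions")
```

The namespaced Deployment shares a name across both releases without being flagged, because only the three cluster-scoped kinds live in a single cluster-wide name space.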

Labels: lifecycle/rotten, priority/backlog
