Kubernetes: fix cert-manager first installation (#1246)

YuryHrytsuk · web-flow · commit 3e9806dbbb78 · 2025-10-29T08:46:12.000+01:00
* Kubernetes: fix `cert-manager` first installation All resources that rely on `cert-manager` CRDs should be installed after 1) CRDs are installed (achieved via `helm.sh/hook: post-install,post-upgrade`) 2) webhook server is ready to accept connections (achieved via `helm.sh/hook-weight: "10"` which makes it wait until startupapicheck job is completed aka `cert-manager` is ready) Related issue/s * closes #1241 * Remove quotes around hook annotation
diff --git a/charts/cert-manager/templates/certificates.yaml b/charts/cert-manager/templates/certificates.yaml
@@ -3,6 +3,9 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ .certName }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "10"
 spec:
   # https://github.com/emberstack/kubernetes-reflector?tab=readme-ov-file#cert-manager-support
   secretTemplate:
diff --git a/charts/cert-manager/values.acme-dns.yaml.gotmpl b/charts/cert-manager/values.acme-dns.yaml.gotmpl
@@ -2,8 +2,6 @@ cert-manager:
   extraArgs:
   - --dns01-recursive-nameservers="8.8.8.8:53"
   - --dns01-recursive-nameservers-only
-  startupapicheck:
-    enabled: false
   skipDNSResolutionCheck: true
   maxConcurrentChallenges: 2
   extraObjects:
@@ -24,6 +22,13 @@ cert-manager:
     metadata:
       name: cert-issuer
       namespace: {{ .Release.Namespace }}
+      annotations:
+        # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
+        helm.sh/hook: post-install,post-upgrade
+        # Run after startupapicheck job. Thus we ensure webhook server is ready
+        # See https://github.com/cert-manager/cert-manager/issues/4155
+        # and https://cert-manager.io/docs/concepts/webhook/#webhook-connection-problems-shortly-after-cert-manager-installation
+        helm.sh/hook-weight: "10"
     spec:
       acme:
         email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
diff --git a/charts/cert-manager/values.common.yaml.gotmpl b/charts/cert-manager/values.common.yaml.gotmpl
@@ -19,3 +19,11 @@ cert-manager:
   replicaCount: 1
   webhook:
     replicaCount: 1
+
+  startupapicheck:
+    enabled: true
+
+    jobAnnotations:
+      # Explicitly set hook weight to have explicit reference.
+      # Needed to properly install cert-manager resources first time
+       helm.sh/hook-weight: "1"
diff --git a/charts/cert-manager/values.route53.yaml.gotmpl b/charts/cert-manager/values.route53.yaml.gotmpl
@@ -17,9 +17,8 @@ cert-manager:
       name: cert-issuer
       namespace: {{ .Release.Namespace }}
       annotations:
-        # ClusterIssuer depends on cert-manager CRDs. We need to wait for them to be installed before creating the ClusterIssuer
-        "helm.sh/hook": post-install,post-upgrade
-        "helm.sh/hook-weight": "1"
+        helm.sh/hook: post-install,post-upgrade
+        helm.sh/hook-weight: "10"
     spec:
       acme:
         email: {{ requiredEnv "OSPARC_DEVOPS_MAIL_ADRESS" }}
diff --git a/charts/cert-manager/values.selfsigned.yaml.gotmpl b/charts/cert-manager/values.selfsigned.yaml.gotmpl
@@ -7,9 +7,8 @@ cert-manager:
       name: selfsigned-issuer
       namespace: {{ .Release.Namespace }}
       annotations:
-        # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
-        "helm.sh/hook": post-install,post-upgrade
-        "helm.sh/hook-weight": "1"
+        helm.sh/hook: post-install,post-upgrade
+        helm.sh/hook-weight: "10"
     spec:
       selfSigned: {}
   - |
@@ -19,9 +18,8 @@ cert-manager:
       name: local-ca
       namespace: {{ .Release.Namespace }}
       annotations:
-        # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
-        "helm.sh/hook": post-install,post-upgrade
-        "helm.sh/hook-weight": "1"
+        helm.sh/hook: post-install,post-upgrade
+        helm.sh/hook-weight: "10"
     spec:
       isCA: true
       commonName: local-ca
@@ -43,9 +41,8 @@ cert-manager:
       name: cert-issuer
       namespace: {{ .Release.Namespace }}
       annotations:
-        # It depends on cert-manager CRDs. We need to wait for CRDs to be installed
-        "helm.sh/hook": post-install,post-upgrade
-        "helm.sh/hook-weight": "1"
+        helm.sh/hook: post-install,post-upgrade
+        helm.sh/hook-weight: "10"
     spec:
       ca:
         secretName: local-ca-secret
