Adding a new key acme-http01-solver-service-account to provide a se…
#3817
Conversation
…rvice account Signed-off-by: Primaël Bruant <primael.bruant@gmail.com>
|
@primael: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jetstack-bot
added
do-not-merge/work-in-progress
jetstack-bot
added
do-not-merge/release-note-label-needed
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: primael The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
area/acme/http01
|
Hi @primael. Thanks for your PR. I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jetstack-bot
added
the
size/S
|
Thanks for the PR! Could you fill out the required fields in the PR description like the release-note that would help us a lot :) /ok-to-test |
jetstack-bot
added
ok-to-test
and removed
needs-ok-to-test
jetstack-bot
removed
the
do-not-merge/work-in-progress
|
Hi, As James mentioned in #3852, would it rather make more sense to have this as a field on the Issuer API instead of a flag? |
cert-manager create the HTTP01 ACME solver pod, when can specify: The image: --acme-http01-solver-image The serviceAccount (#cert-manager#3817): --acme-http01-solver-service-account The resources But we can't specify the imagePullSecret to use. This is an issue for: Air gapped environments with private registries Docker Hub rate limits for anonymous pulls It is currently possible to use the serviceAccount with an attached imagePullSecret, but it is not always convenient because it requires to update the serviceAccount of every namespace in the cluster to link the imagePullsecret. Signed-off-by: primael <primael.bruant@gmail.com>
|
@primael: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jetstack-bot
added
the
needs-rebase
|
Hi! I will close this PR for the time being since it has not been worked on since March 2021. Please feel free to either re-open when you want to resume working on it. /close |
|
@maelvls: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
…rvice account
Signed-off-by: Primaël Bruant primael.bruant@gmail.com
When deploying cert-manager using the Helm chart, we can specify the serviceAccount to use for:
the Webohook
the CA injector
the deployment
But we can't specify it for the HTTP01 ACME solver pod.
The problems with this are:
If the default serviceAccount is disabled, we need to provide a custom one
We can't use a serviceAccount with linked imagePullSecrets to be able to pull the solver image from private registries in air gapped environments
We can't apply PSPs to the solver pod.
To solve this, we propose to add a parameter --acme-http01-solver-service-account to cert-manager deployment to specify the serviceAccount to use in every namespace.
/kind feature