Adding a new key acme-http01-solver-service-account to provide a service account #3817
Conversation
Signed-off-by: Primaël Bruant <primael.bruant@gmail.com>
@primael: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: primael
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Hi @primael. Thanks for your PR. I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Thanks for the PR! Could you fill out the required fields in the PR description, like the release-note? That would help us a lot :) /ok-to-test
Hi, as James mentioned in #3852, would it rather make more sense to have this as a field on the Issuer API instead of a flag?
cert-manager creates the HTTP01 ACME solver pod, where we can specify:
The image: --acme-http01-solver-image
The serviceAccount (cert-manager#3817): --acme-http01-solver-service-account
The resources
But we can't specify the imagePullSecret to use. This is an issue for:
Air gapped environments with private registries
Docker Hub rate limits for anonymous pulls
It is currently possible to use the serviceAccount with an attached imagePullSecret, but it is not always convenient because it requires updating the serviceAccount of every namespace in the cluster to link the imagePullSecret.
Signed-off-by: primael <primael.bruant@gmail.com>
@primael: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi! I will close this PR for the time being since it has not been worked on since March 2021. Please feel free to re-open it when you want to resume working on it. /close
@maelvls: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
When deploying cert-manager using the Helm chart, we can specify the serviceAccount to use for:
the Webhook
the CA injector
the deployment
But we can't specify it for the HTTP01 ACME solver pod.
The problems with this are:
If the default serviceAccount is disabled, we need to provide a custom one
We can't use a serviceAccount with linked imagePullSecrets to be able to pull the solver image from private registries in air gapped environments
We can't apply PSPs to the solver pod.
To solve this, we propose to add a parameter --acme-http01-solver-service-account to the cert-manager deployment to specify the serviceAccount to use in every namespace.
/kind feature
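The workaround the thread describes (linking an imagePullSecret to the solver pod's ServiceAccount in every namespace, since neither the flag proposed here nor an imagePullSecret option exists), as an added example that is not part of this PR or of cert-manager's code. It assumes the solver pod runs under the `default` ServiceAccount and that the registry secret is called `regcred` (both placeholders), and goes beyond the thread by merging into the existing list, so re-running it never drops secrets that were already linked.

```python
"""Link a registry pull secret to a ServiceAccount in every namespace, idempotently.

Assumptions (not from the PR): the HTTP01 solver pod uses the "default"
ServiceAccount, the secret is named "regcred", and kubectl is on PATH when
the script is executed directly. The merge helpers run offline.
"""
import json
import subprocess
import sys

# Constructed sample (not from the PR): one namespace's default ServiceAccount
# that already links a registry secret added by other tooling.
SAMPLE_SA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": "default", "namespace": "team-a"},
    "imagePullSecrets": [{"name": "legacy-registry"}],
}


def merge_pull_secret(sa: dict, secret_name: str) -> list:
    """Return sa's imagePullSecrets with secret_name linked exactly once.

    A JSON merge patch (kubectl patch --type merge) replaces a list whole, so
    patching {"imagePullSecrets": [{"name": "regcred"}]} blindly would unlink
    every secret already there; computing the union keeps the call safe to repeat.
    """
    existing = list(sa.get("imagePullSecrets") or [])
    if any(s.get("name") == secret_name for s in existing):
        return existing
    return existing + [{"name": secret_name}]


def build_patch(sa: dict, secret_name: str) -> str:
    """Merge-patch body for `kubectl patch serviceaccount ... --type merge -p`."""
    return json.dumps({"imagePullSecrets": merge_pull_secret(sa, secret_name)})


def kubectl_json(*args: str) -> dict:
    proc = subprocess.run(["kubectl", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def link_everywhere(secret_name: str, sa_name: str = "default") -> int:
    """Patch sa_name in each namespace that is missing secret_name; count patches."""
    patched = 0
    for ns in kubectl_json("get", "namespaces")["items"]:
        name = ns["metadata"]["name"]
        sa = kubectl_json("get", "serviceaccount", sa_name, "-n", name)
        if merge_pull_secret(sa, secret_name) == (sa.get("imagePullSecrets") or []):
            continue  # already linked; leave the object untouched
        subprocess.run(["kubectl", "-n", name, "patch", "serviceaccount", sa_name,
                        "--type", "merge", "-p", build_patch(sa, secret_name)],
                       check=True)
        patched += 1
    return patched


if __name__ == "__main__":
    print(link_everywhere(sys.argv[1] if len(sys.argv) > 1 else "regcred"))
```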