Add minimal cert-manager addon

[olemarkus]

There are several images involved here, so dropped the usual Image field until we have a better understanding how to handle this. Making at minimum the version configurable can be done well in time for 1.20 alpha anyway.

Adding this PR is a prereq for some other addons + the kops-controller issuer.

[hakman]

I am a bit concerned about the 1.6 MB template that is being pulled into bindata.go also.

[olemarkus]

Pretty huge CRDs. But can we do much about that?

[hakman]

Not sure what can be done about it, but probably something should be done.

[olemarkus]

cert-manager/cert-manager#3299

They are what they are. I can't think of a reason this would cause any harm.

[hakman]

A few Q:

1. Why switch from the cert-manager namespace to kube-system?
2. Why limit running on master nodes?

[olemarkus]

Why switch from the cert-manager namespace to kube-system?

Kops could technically have its own namespace for addons that doesn't strictly need to be in kube-system. But we don't have anything like this. So when it comes to PSPs and such, we don't have much choice but to deploy it to kube-system.

Why limit running on master nodes?

A lot of users run cert-manager on masters to leverage DNS ACME authentication. If/when we get IRSA more mature (and if this doesn't end up in a circular dependency) it could run on normal nodes using a dedicated IAM role.

[hakman]

Thanks for the explanation.
/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman, olemarkus

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [hakman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment