Allowing specifying ACME solver pod template #1097
Description
Is your feature request related to a problem? Please describe.
There have been various requests for the ability to specify fields such as labels, annotations, resource sizes/requests, taints & tolerations etc. to the ACME solver pods that cert-manager creates.
Describe the solution you'd like
I propose we add a podTemplate field to the issuer.spec.acme.http01 structure.
Similar to ReplicaSets/Deployments, this would allow users to specify a base template that will be used when creating the pod.
cert-manager would need to be modified to 'merge' the provided config so that it matches its own requirements (i.e. injecting in container images/arguments).
This could look something like:
```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    http01:
      podTemplate:
        metadata:
          # name & generateName fields are not allowed
          labels:
            my-custom-label: label-value
        spec:
          containers:
          - name: acmesolver
            resources:
              requests:
                cpu: 250m
```

The partial ContainerSpec provided would be supplemented by cert-manager with the image and args required, as well as any additional default resource request/limits.
Users would be able to provide additional initContainers/normal containers too.
Describe alternatives you've considered
Exposing more and more configuration for this via flags, or some form of Configuration CRD
Additional context
/kind feature