Better support multi-namespace & single-namespace deployments #2525

@clook

Is your feature request related to a problem? Please describe.
I'm not the owner of the cluster and have limited permissions at cluster scope level.
Currently, I am able to run cert-manager with reduced permissions at cluster scope level as well as the --namespace option, to prevent launching the ClusterIssuer controller.
But then, I'm limited to a single namespace. It seems there is no option to process multiple namespaces without some cluster permissions.

Describe the solution you'd like
Be able to give a list of namespaces, either explicit or implicit (i.e. all namespaces but ..., or regexp).

My cluster provider or I could initiate a PR to support it, but we would like to be sure we agree on the design with the Jetstack team ;)

Describe alternatives you've considered
Using ClusterIssuer is not possible and not a good alternative, since it would allow us to get some permissions on namespaces (like kube-system) that we should not have.
The alternative considered is to launch one instance of cert-manager per namespace, but this is weird :(

Additional context
Some links about multiple namespaces support on controllers:
https://github.com/kubernetes/client-go/issues/580
kubernetes/ingress-nginx#732 (comment)
kubernetes/ingress-nginx#1225

Some links about this kind of implementation in other controllers:
traefik/traefik#1895
https://github.com/coreos/prometheus-operator/blob/master/pkg/prometheus/operator.go#L254

Environment details (if applicable):

  • Kubernetes version (e.g. v1.10.2): v1.16.3 (Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.3", GitCommit:"b3cbbae08ec52a7fc73d334838e18d17e8512749", GitTreeState:"clean", BuildDate:"2019-11-13T11:13:49Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"})
  • Cloud-provider/provisioner: Rancher
  • cert-manager version (e.g. v0.4.0): master
  • Install method (e.g. helm or static manifests): patched Helm chart from master. I would be happy to provide it if requested.

/kind feature

Labels

  • area/deploy: Indicates a PR modifies deployment configuration
  • kind/feature: Categorizes issue or PR as related to a new feature.
  • lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
  • priority/important-longterm: Important over the long term, but may not be staffed and/or may need multiple releases to complete.
