Be able to specify the imagePullSecret to use for the HTTP01 ACME solver pod

[captnbp]

When cert-manager create the HTTP01 ACME solver pod, when can specify:

• The image: --acme-http01-solver-image
• The serviceAccount (#Adding a new key acme-http01-solver-service-account to provide a se… #3817): --acme-http01-solver-service-account in the controller, or in the PodTemplate of the issuer.
• The resources

But we can't specify the imagePullSecret to use.

This is an issue for:

• Air gapped environments with private registries
• Docker Hub rate limits for anonymous pulls

It is currently possible to use the serviceAccount with an attached imagePullSecret, but it is not always convenient because it requires to update the serviceAccount of every namespace in the cluster to link the imagePullsecret.

With @primael we propose to add imagePullSecrets to the podTemplate options.

/kind feature

[munnerz]

Similar to #3852, this should be added as a field in our API rather than as a flag to the controller: https://github.com/jetstack/cert-manager/blob/2abafa18be128cd337ace1cc281ad1518a67b516/pkg/apis/acme/v1/types_issuer.go#L237-L251

[jakexks]

Echoing my comment on #3913

Is this a necessary feature? As we allow serviceAccounts to be specified a pull secret can be specified there

[captnbp]

Yes we could do it by updating the service account specs. But in some cases, we don't have the permissions in k8s to do so, we can only add a secret. This is why we want to be able to use it directly in the pod spec.

I updated the issue description to reflect the change proposed in #3913 as we were asked to move the option in the podTemplate instead of the controller options.

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[jetstack-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

[jetstack-bot]

@jetstack-bot: Closing this issue.

Details

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.