Support setting resources limit/request for ACME HTTP01 solver pod via podTemplate

[lunarwhite]

Is your feature request related to a problem? Please describe.

As a user, I'd like to set the ACME HTTP01 solver pod's resources limit/request via podTemplate stanza: https://cert-manager.io/docs/configuration/acme/http01/#podtemplate. But the container resources is not one of the currently supported fields: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01IngressPodTemplate

There are already relevant controller flags which can be set globally:

cert-manager/cmd/controller/app/options/options.go

Lines 110 to 125 in 63b4706

	// HTTP-01 solver pod configuration via flags is a now deprecated
	// mechanism - please use pod template instead when adding any new
	// configuration options
	// https://github.com/cert-manager/cert-manager/blob/f1d7c432763100c3fb6eb6a1654d29060b479b3c/pkg/apis/acme/v1/types_issuer.go#L270
	// These flags however will not be deprecated for backwards compatibility purposes.
	fs.StringVar(&c.ACMEHTTP01Config.SolverResourceRequestCPU, "acme-http01-solver-resource-request-cpu", c.ACMEHTTP01Config.SolverResourceRequestCPU, ""+
	"Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods.")
	fs.StringVar(&c.ACMEHTTP01Config.SolverResourceRequestMemory, "acme-http01-solver-resource-request-memory", c.ACMEHTTP01Config.SolverResourceRequestMemory, ""+
	"Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods.")
	fs.StringVar(&c.ACMEHTTP01Config.SolverResourceLimitsCPU, "acme-http01-solver-resource-limits-cpu", c.ACMEHTTP01Config.SolverResourceLimitsCPU, ""+
	"Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods.")
	fs.StringVar(&c.ACMEHTTP01Config.SolverResourceLimitsMemory, "acme-http01-solver-resource-limits-memory", c.ACMEHTTP01Config.SolverResourceLimitsMemory, ""+
	"Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods.")

But:

• It can only be set globally to a common value, not allowed to configure at issuer/solver level.
• While the comments describe the flag-based configuration as "a now deprecated mechanism," the podTemplate does not provide equivalent support, which may confuse users (i.e. make http01 solver pod resource request/limits configurable, refs #892 #923 (comment))

Describe the solution you'd like

Follow #1097, to add resources field in HTTP01 solver podTemplate.

(Linked similar issues for reference: #2770, #3108, #3853)

Describe alternatives you've considered

Additional context

We should both support acme-http01-solver-* flags and podTemplate.spec.resources for backwards compatibility. As for the precedence , I would prefer that if an Issuer/ClusterIssuer specifies resource settings via podTemplate, those values should override the ones set/defaulted by the acme-http01-solver-* flags.

/kind feature

[erikgb]

There is already a PR to fix this, I think: #6902

[erikgb]

What is the use case for configuring this per issuer/solver, @lunarwhite?

[lunarwhite]

@erikgb We've ever received this request from one of our OpenShift customers. Also based on PR #6902 and the community's reactions, this doesn’t seem to be just a one-off user request. After doing some research, I ended up leaning toward implementing it upstream, since it should be fairly straightforward with the existing PodTemplate

[erikgb]

@lunarwhite, we (the company where I work) are also OpenShift customers. 😆 And we are often banging our heads against the wall because the OLM installations provide little room for customization. Is your customer technically able to set/override our default/global solver pod resource requirements or not?

[unreturned]

Hello there! Our use case that we have shared-clusters with limited namespaces with some Operation Policies that limiting some resources and users can't edit global settings per shared cert-manager for all users of shared-cluster. Problem like this

"cert-manager/challenges: re-queuing item due to error processing" err="pods \"cm-acme-http-solver-lcbkg\" is forbidden: minimum cpu usage per Container is 100m, but request is 0"

[erikgb]

@unreturned, thanks for the feedback. I have a follow-up question: Why doesn't cluster-admin configure cert-manager to use solver pod requests/limits aligned with cluster policies?

[unreturned]

@unreturned, thanks for the feedback. I have a follow-up question: Why doesn't cluster-admin configure cert-manager to use solver pod requests/limits aligned with cluster policies?

Hey @erikgb ! Thanks for your question:
We have different policies per-namespace cause it shared multi-tenant cluster and unfortunately cluster-admin cannot configure cert-manager global pod requests/limits

[wallrj-cyberark]

@lunarwhite @unreturned We have fixed this. Please test and feedback: https://github.com/cert-manager/cert-manager/releases/tag/v1.19.1