Add support for `extraContainers` to helm chart

[dancmeyers]

Is your feature request related to a problem? Please describe.

We are using AWS Route53 for our DNS. We are not using AWS Certificate Manager (with a private CA or otherwise) for our certificates, and we do want to use DNS01 validation for our LetsEncrypt certificates.

All our other systems are using AWS IAM Roles Anywhere for authentication into AWS, using our private PKI infrastructure. For this to work with the aws_signing_helper you have to be able to deploy a sidecar container alongside whatever container needs access to AWS.

Currently, this is not possible in the cert manager helm chart.

Describe the solution you'd like

I want the same solution as has already been implemented for cert-manager's aws-privateca-issuer, i.e. an extraContainers property on the helm chart that allows me to define arbitrary sidecar containers to be deployed in the main cert-manager operator pod.

Describe alternatives you've considered

There are various other AWS auth methods already supported, but they all either:

• only work within AWS, or
• require long-lived credentials

IAM Roles Anywhere has the advantage of being AWS' (relatively new) solution for how to securely get access to AWS from outside, without long-lived credentials.

/kind feature

[hawksight]

Just to check my understanding here. Basically add ability to inject a sidecar to the cert-manager-controller, so that it can use AWS's newest auth / workload identity solution.

This might help if for example you were using Route53 as a central DNS across cloud? Something deployed in GKE can offload auth needs for AWS to the sidecar, in a best practice short lived token.

[dancmeyers]

@hawksight Correct.

We can use AWS services, but we have a requirement is to not be (solely) dependent on AWS tooling for which there is no alternative or for which we do not have a tested mechanism to migrate to another provider if necessary. The combination of external-dns and cert-manager both supporting multiple underlying DNS providers (Google, Cloudflare, Amazon, etc) makes it trivial to migrate DNS hosting elsewhere should we need to.

As such, Route53 hosts our 'primary DNS' (dev.example.org, example.org etc), which is mostly CNAMEs to more specific per-provider/region hostnames (service.example.org -> service.eu-central-1.aws.prod.example.org, service.uk1.onprem.prod.example.org, or service.europe-west2.gcp.prod.example.org, depending on which is currently primary/active), but that means when using LetsEncrypt to generate certs we need to be able to insert DNS entries wherever that primary DNS is hosted.

There may well be other reasons to want to inject a sidecar to the cert-manager-controller, and this would be equally valid for them too. It's just that the only current need for us is IAM Roles Anywhere.

[wallrj-cyberark]

📢 The fix or feature is now available for testing in an alpha release

• https://github.com/cert-manager/cert-manager/releases/tag/v1.20.0-alpha.1

Please test and report back.