Expose pod tempting on acme http issuer

[JoshVanL]

Signed-off-by: JoshVanL vleeuwenjoshua@gmail.com

What this PR does / why we need it:
Exposes a core.PodTemplate resource for the ACME HTTP issuer config.
This enables one to change values around the solver pod, i.e. labels and annotations.
It uses the current cert-manager values as a default and "merges" custom values ontop.

fixes #1097

Special notes for your reviewer:

Expose pod template for the ACME issuer solver pod

/assign

[munnerz]

Looks good. I've added a few comments, notably I'm starting to think we should be more and more careful with the fields we do allow users to set.

This could be used as a privilege escalation point if we are not careful, as lower-privileged users are able to configure cert-manager to create resources that they otherwise may not be able to create.

I'm beginning to think we may be best off creating our own PodTemplateSpec like structure that for the time being only contains ObjectMeta, and then setting the "fields allowed to be overridden" to be a whitelist instead of a blacklist (i.e. we only allow labels & annotations initially). This would at least prevent any new fields that we aren't currently aware of being utilised by an attacker/evil user 😄

[munnerz]

This should be a field under ingress, as it is specifically a configuration option that the Ingress based HTTP01 solver uses (which is coincidentally the only HTTP01 solver type we support).

We should also make this a *corev1.PodTemplateSpec, as a user may omit this field altogether, and we can then identify 'not set' values.

[munnerz]

(based on previous experience in these docs) - we should include the full YAML structure here else it confuses users. If there are extra verbose parts that aren't relevant when doing so, you can replace the irrelevant fields with ... so long as you keep the indentation correct

[munnerz]

will remain the default for each unedited field when a podTemplate is specified. can you reword this? I'm a bit lost as to what you're trying to convey. Maybe: If not specified, a default set of metadata will be applied to the generated solver pod.?

[munnerz]

It also looks like you are missing the metadata field here. Perhaps this is why you were having issues in your tests? I'd expect it to look something like:

           podTemplate:
             metadata:
               namespace: default
               labels:
                 environment: production
                 foo: bar

[munnerz]

Could you expand this comment out some more?

Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.
Setting this option could lead to unintended side-effects, however it may be necessary when running
in certain network restricted environments (e.g. Istio).
Only `metadata` fields can be set here. All other fields will be ignored.
The `metadata.name` and `metadata.namespace` fields cannot be overridden.

[munnerz]

😬 this seems awkward. Can we instead compare if sol.PodTemplate.Spec != corev1.PodSpec{}? I think that'll work as expected, because if both are not set then they will both have empty values set for all of their fields.

[munnerz]

Deep copy shouldn't be needed here as we don't actually modify podTempl in the mergePodObjectMetaWithPodTemplate method

[JoshVanL]

Thanks for the comments @munnerz, really useful. Will get to making changes now

[JoshVanL]

/unassign
/assign @munnerz

[munnerz]

Just a few final comments.. all looks good to me 😄

[JoshVanL]

Thanks @munnerz, back to you :)

[munnerz]

/lgtm
/approve

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoshVanL, munnerz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [munnerz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment