Adding a new key acme-http01-solver-service-account to provide a se…#3817
primael wants to merge 1 commit into cert-manager:master from primael:service-account-on-solver
Conversation
…rvice account Signed-off-by: Primaël Bruant <primael.bruant@gmail.com>
@primael: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: primael. The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
Hi @primael. Thanks for your PR. I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Thanks for the PR! Could you fill out the required fields in the PR description, like the release-note? That would help us a lot :) /ok-to-test
Hi, as James mentioned in #3852, would it rather make more sense to have this as a field on the Issuer API instead of a flag?
cert-manager creates the HTTP01 ACME solver pod, for which we can specify:
The image: --acme-http01-solver-image
The serviceAccount (cert-manager#3817): --acme-http01-solver-service-account
The resources
But we can't specify the imagePullSecret to use. This is an issue for:
Air-gapped environments with private registries
Docker Hub rate limits for anonymous pulls
It is currently possible to use the serviceAccount with an attached imagePullSecret, but it is not always convenient because it requires updating the serviceAccount of every namespace in the cluster to link the imagePullSecret.
Signed-off-by: primael <primael.bruant@gmail.com>
@primael: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi! I will close this PR for the time being since it has not been worked on since March 2021. Please feel free to re-open it when you want to resume working on it. /close
@maelvls: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
…rvice account
Signed-off-by: Primaël Bruant primael.bruant@gmail.com
When deploying cert-manager using the Helm chart, we can specify the serviceAccount to use for:
the Webhook
the CA injector
the deployment
But we can't specify it for the HTTP01 ACME solver pod.
The problems with this are:
If the default serviceAccount is disabled, we need to provide a custom one
We can't use a serviceAccount with linked imagePullSecrets to be able to pull the solver image from private registries in air-gapped environments
We can't apply PSPs to the solver pod.
To solve this, we propose to add a parameter --acme-http01-solver-service-account to the cert-manager deployment to specify the serviceAccount to use in every namespace.
/kind feature
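The thread's stated workaround (a serviceAccount with a linked imagePullSecret, repeated in every namespace) scripted so it can be re-run safely. This is an added example, not code from cert-manager or from this PR; it assumes the solver pod runs under each namespace's "default" ServiceAccount and that the pull secret is called "solver-regcred" (both assumptions, not facts from the page). Registry credentials are read from environment variables so they never land in the script or shell history.

```shell
#!/bin/sh
# Added example (not cert-manager's own code): link a registry pull secret to the
# "default" ServiceAccount of every namespace, idempotently. Assumed names:
# ServiceAccount "default", secret "solver-regcred", env vars REGISTRY_SERVER,
# REGISTRY_USER and REGISTRY_PASSWORD.
set -eu

# Emit the JSON patch that sets imagePullSecrets on a ServiceAccount.
# $1 = secret name to add; $2 = space-separated names already linked (may be empty).
# The list is rebuilt in full because a patch on this field replaces the list
# rather than appending to it, so existing secrets must be carried over.
pull_secret_patch() {
  new=$1
  existing=${2:-}
  printf '%s %s\n' "$existing" "$new" | tr ' ' '\n' | grep -v '^$' | awk '!seen[$0]++' \
    | awk 'BEGIN { printf "{\"imagePullSecrets\":[" }
           { printf "%s{\"name\":\"%s\"}", (NR > 1 ? "," : ""), $0 }
           END { printf "]}\n" }'
}

# Filter "<namespace> <linked secret names...>" lines (the format produced by
# list_default_sa) down to those whose ServiceAccount does not yet link $1.
needs_patch() {
  awk -v want="$1" '{ found = 0
                      for (i = 2; i <= NF; i++) if ($i == want) found = 1
                      if (!found) print }'
}

# One line per namespace: "<namespace> <names of secrets linked to its default SA>".
list_default_sa() {
  kubectl get serviceaccounts --all-namespaces --field-selector metadata.name=default \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.imagePullSecrets[*].name}{"\n"}{end}'
}

# Create the pull secret (idempotently, via apply) and link it to the default SA
# in every namespace that does not link it yet.
link_pull_secret_everywhere() {
  secret=${1:-solver-regcred}
  list_default_sa | needs_patch "$secret" | while read -r ns existing; do
    kubectl -n "$ns" create secret docker-registry "$secret" \
      --docker-server="$REGISTRY_SERVER" --docker-username="$REGISTRY_USER" \
      --docker-password="$REGISTRY_PASSWORD" --dry-run=client -o yaml \
      | kubectl -n "$ns" apply -f -
    kubectl -n "$ns" patch serviceaccount default -p "$(pull_secret_patch "$secret" "$existing")"
  done
}
```

Run `link_pull_secret_everywhere` after exporting the three REGISTRY_* variables; re-running it is safe because namespaces that already link the secret are skipped, and the patch preserves any other pull secrets already attached to the account.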