feat: Add resource requirements support to ACME HTTP01 solver pod templates

[lunarwhite]

This PR enables users to specify custom resource requirements for ACME HTTP01 solver pods through the issuer configuration. It provides granular per-issuer/solver resource settings and allows users to override global --acme-http01-solver-resource-* controller flags.

• Adds Resources field to ACMEChallengeSolverHTTP01IngressPodSpec in both internal and public APIs.
• Updates CRDs and generates corresponding client code, etc.
• Updates ACME HTTP01 pod mergePodObjectMetaWithPodTemplate logic to use issuer-specific resource values when available, falling back to ACMEOptions values derived from global flags.
• Adds unit tests to verify the precedence is correctly handled in common and edge situations.

Pull Request Motivation

Closes #7825

E2E Verification

pod template with non-default resource requirements set

$ k create -f - << EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-http01-resources
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-http01-resources
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
          podTemplate:
            spec:
              resources:
                requests:
                  cpu: "50m"
                  memory: "32Mi"
                limits:
                  cpu: "150m"
                  memory: "128Mi"
EOF

$ k get clusterissuer
NAME                           READY   AGE
letsencrypt-http01-resources   True    9s

$ k apply -f - << EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-http01-resources
  name: pebble
  namespace: pebble
spec:
  ingressClassName: nginx
  rules:
  - host: pebble.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: pebble
            port:
              number: 443
  tls:
  - hosts:
    - pebble.com
    secretName: pebble-cert
EOF

$ k get pod -l acme.cert-manager.io/http01-solver -n pebble
NAME                        READY   STATUS    RESTARTS   AGE
cm-acme-http-solver-pbtc9   1/1     Running   0          2m15s

# values should completely match what are defined in 'http01.podTemplate.spec.resources'
$ k get pod -l acme.cert-manager.io/http01-solver -n pebble -o jsonpath='{range .items[*]}{.metadata.name}{": CPU Limits="}{.spec.containers[0].resources.limits.cpu}{", Memory Limits="}{.spec.containers[0].resources.limits.memory}{", CPU Requests="}{.spec.containers[0].resources.requests.cpu}{", Memory Requests="}{.spec.containers[0].resources.requests.memory}{"\n"}{end}'
cm-acme-http-solver-pbtc9: CPU Limits=150m, Memory Limits=128Mi, CPU Requests=50m, Memory Requests=32Mi

$ k delete ingress pebble -n pebble

pod template with partial resource requirements set

$ k apply -f - << EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-http01-partial-resources
  namespace: pebble
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-http01-partial-resources
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
          podTemplate:
            spec:
              resources:
                requests:
                  cpu: "30m"
EOF

$ k get issuer -n pebble
NAME                                   READY   AGE
letsencrypt-http01-partial-resources   True    14s

$ k apply -f - << EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: letsencrypt-http01-partial-resources
  name: pebble
  namespace: pebble
spec:
  ingressClassName: nginx
  rules:
  - host: pebble.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: pebble
            port:
              number: 443
  tls:
  - hosts:
    - pebble.com
    secretName: pebble-cert
EOF

$ k get pod -l acme.cert-manager.io/http01-solver -n pebble
NAME                        READY   STATUS    RESTARTS   AGE
cm-acme-http-solver-gkz4r   1/1     Running   0          11s

# value should match what is defined in 'http01.podTemplate.spec.resources.requests.cpu', rest of them should still match the values from the flags (default or customized)
$ k get pod -l acme.cert-manager.io/http01-solver -n pebble -o jsonpath='{range .items[*]}{.metadata.name}{": CPU Limits="}{.spec.containers[0].resources.limits.cpu}{", Memory Limits="}{.spec.containers[0].resources.limits.memory}{", CPU Requests="}{.spec.containers[0].resources.requests.cpu}{", Memory Requests="}{.spec.containers[0].resources.requests.memory}{"\n"}{end}'
cm-acme-http-solver-gkz4r: CPU Limits=100m, Memory Limits=64Mi, CPU Requests=30m, Memory Requests=64Mi

$ k delete ingress pebble -n pebble

pod template with empty resource requirements set

$ k create -f - << EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-http01-empty-resources
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-http01-empty-resources
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
          podTemplate:
            spec:
              resources: {}
EOF

$ k get clusterissuer
NAME                                 READY   AGE
letsencrypt-http01-empty-resources   True    18s

$ k apply -f - << EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-http01-empty-resources
  name: pebble
  namespace: pebble
spec:
  ingressClassName: nginx
  rules:
  - host: pebble.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: pebble
            port:
              number: 443
  tls:
  - hosts:
    - pebble.com
    secretName: pebble-cert
EOF

$ k get pod -l acme.cert-manager.io/http01-solver -n pebble
NAME                        READY   STATUS    RESTARTS   AGE
cm-acme-http-solver-6rvwx   1/1     Running   0          4s

# value should match the values from the flags (default or customized), rather than empty
$ k get pod -l acme.cert-manager.io/http01-solver -n pebble -o jsonpath='{range .items[*]}{.metadata.name}{": CPU Limits="}{.spec.containers[0].resources.limits.cpu}{", Memory Limits="}{.spec.containers[0].resources.limits.memory}{", CPU Requests="}{.spec.containers[0].resources.requests.cpu}{", Memory Requests="}{.spec.containers[0].resources.requests.memory}{"\n"}{end}'
cm-acme-http-solver-6rvwx: CPU Limits=100m, Memory Limits=64Mi, CPU Requests=10m, Memory Requests=64Mi

$ k delete ingress pebble -n pebble

Same tests were conducted with relevant flags configured explicitly:

--set "extraArgs={--acme-http01-solver-resource-limits-cpu=200m,--acme-http01-solver-resource-limits-memory=512Mi,--acme-http01-solver-resource-request-cpu=180m,--acme-http01-solver-resource-request-memory=256Mi}" \

Kind

/kind feature

Release Note

Support configurable resource requests and limits for ACME HTTP01 solver pods through ClusterIssuer and Issuer specifications, allowing granular resource management that overrides global `--acme-http01-solver-resource-*` settings.

[cert-manager-prow]

Hi @lunarwhite. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[erikgb]

Why do we need API support for this? Wouldn't the requirements be the same for all solvers pods?

[lunarwhite]

@erikgb Thanks for looking into this. I think you are sharing the same concern with @SgtCoDFish: https://kubernetes.slack.com/archives/CDEQJ0Q8M/p1754994793323799?thread_ts=1754971216.744569&cid=CDEQJ0Q8M.

I still believe it's a good-to-have capability that brings more flexibility.

Apart from what I documented in #7825, here are other points that I can think of:

• Although in most cases setting global values works pretty well, some organizations still have more fine-grained resource sizing requirements, especially in multi-tenant environments
• Setting it through a pod template will not cause controller restarts

I understand it may seem overkill, but other common pod template fields (nodeSelector, tolerations, etc) are already configurable per-issuer/solver. I'm also open to any feedback

[erikgb]

/ok-to-test

[Copilot]

Pull Request Overview

This PR enables users to specify custom resource requirements for ACME HTTP01 solver pods through the issuer configuration. It provides granular per-issuer/solver resource settings and allows users to override global --acme-http01-solver-resource-* controller flags.

• Adds a new Resources field to ACMEChallengeSolverHTTP01IngressPodSpec API structures
• Updates resource merging logic to prioritize issuer-specific values over global defaults
• Includes comprehensive unit tests to verify precedence handling

Reviewed Changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/apis/acme/v1/types_issuer.go	Adds Resources field to public API spec
internal/apis/acme/types_issuer.go	Adds Resources field to internal API spec and updates documentation
pkg/issuer/acme/http/pod.go	Implements resource merging logic with precedence handling
pkg/issuer/acme/http/pod_test.go	Adds comprehensive unit tests for resource precedence scenarios
Multiple CRD files	Updates CRDs to include the new resources field schema
Generated files	Auto-generated deepcopy, conversion, and client code updates

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[erikgb]

This looks really good! I am just not sure if I understand the rationale for having this as part of the API. Shouldn't the solver pod have the same resource requirements for any issuer? The change increases the API surface considerably, which scares me a bit. I will discuss this with others joining our stand-up today. Feel free to join if you can, @lunarwhite!

/lgtm

[erikgb]

I still think this feature makes sense. 🚀 I've added some serialization nit comments.

[Copilot]

Pull Request Overview

Copilot reviewed 17 out of 18 changed files in this pull request and generated 1 comment.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[erikgb]

/lgtm

But I still need support from at least one other maintainer to merge this.

[erikgb]

/hold

[lunarwhite]

Re: @erikgb As per your suggestion here.

This is a valid scenario exactly (e.g. the resource limit of 32Mi set in the pod template is lower than the request value of 64Mi set in the global flag, which would result in a solver pod creation failure). IIUC, you are suggesting adding validations to detect such invalid combinations during the Issuer/ClusterIssuer creation phase, correct?

I tried to implement this with minimal changes, but I found that we cannot avoid duplicating what the K8s native API validation already handles. A more complex issue is that the cert-manager webhook validation framework does not have access to the controller config (global defaults) as per current design. We may also not really want to introduce any non-trivial arch changes to pass the config context through the validation chain.

So I end up making this trade-off - just added above "Note that ..." in the API fields, to guide users to configure carefully and avoid conflicts or violations in such scenarios. What do you think?

[erikgb]

I think this is good for the initial PR. We probably have more potential "footgun" solutions hiding in dark corners. Can be improved later on, and is a known issue with resource requirements in general.

[wallrj-cyberark]

Thanks @lunarwhite for persevering with this.
And thanks for taking the time to show how you've tested this E2E.

[wallrj]

/approve
/lgtm

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erikgb, wallrj, wallrj-cyberark

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [erikgb,wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[erikgb]

/unhold

Since @wallrj has also reviewed this now.

[wallrj-cyberark]

@lunarwhite We have released this. Please test and feedback: https://github.com/cert-manager/cert-manager/releases/tag/v1.19.1