Feature request: Add custom labels for the cm-acme-http-solver pod to be able to use service selector. e.g.: https://github.com/yacut/istio/blob/ee1d8071675fc038038698e357282e0731309f2e/samples/bookinfo/kube/cert-manager.yaml#L101-L114
/kind feature
Related to https://github.com/istio/istio/issues/6486
This would also be useful for me: I have a network policy that only allows ingress connections to pods with a specific label. I had to add a hackish exception to that network policy as a workaround for now.
@yacut FWIW, we do now add the auth.istio.io/8089: NONE label/annotation to the solver pod which should help in your particular example here.
Do you have a requirement for completely arbitrary labels being added to the solver pods? If so, could you expand on your use-case further? 😄
@albertvaka NetworkPolicy is definitely something that we should consider with these pods - what is the bare minimum we can do to support your use-case without allowing completely arbitrary configuration here? (i.e. if we commit to ensuring that all solver pods have a particular label, can you utilise that in your policies?)
If all the pods have the label "auth.istio.io/8089", I can use that. Eg: I can write a network policy that allows ingress connections to pods with that label.
Custom, arbitrary labels are not a requirement for me.
I'd like to add my vote on having custom, arbitrary labels applied to the acme solvers. (really all resources created by cert-manager). Labels are a pretty fundamental filtering and selection method in Kubernetes.
My particular use-case is itemizing CPU/memory utilization and identifying what pods in what environment from each app are utilizing resources.
Hey everyone, I just found this issue while looking for a solution to a problem I'm facing.
We have a loadbalancer service (ambassador) that maps routes to different services. I've created the mapping for /.well-known/acme-challenge/ and my first thought was to select the solver service, but the name is random so that's a problem. So I've created a service that should select the solver pods with a selector certmanager.k8s.io/acme-http-domain:
Having the option to customize the labels of the solver pods or a label that could be used in templates would help a lot. Regarding the auth.istio.io/8089, if I'm not mistaken then this is only an annotation to the service, not the pods.
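An added example, not part of the thread or of cert-manager's own manifests: a NetworkPolicy of the kind discussed above that admits ingress only to solver pods by matching on a label key rather than a fixed value. It assumes the solver pods carry the `certmanager.k8s.io/acme-http-domain` label mentioned in the comment above and listen on TCP 8089 (inferred from the `auth.istio.io/8089` label name); the policy name and namespace are placeholders.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-acme-http01-solver   # hypothetical name
  namespace: my-app                # hypothetical namespace
spec:
  podSelector:
    matchExpressions:
      # Select on the presence of the key only, so the policy does not
      # depend on whatever value is generated for a given challenge.
      # Assumption: solver pods carry this label.
      - key: certmanager.k8s.io/acme-http-domain
        operator: Exists
  policyTypes:
    - Ingress
  ingress:
    # No "from" clause: any source may reach the selected pods,
    # but only on the solver port listed here.
    - ports:
        - protocol: TCP
          port: 8089               # assumed solver listen port
```

Because NetworkPolicies are additive, this leaves a default-deny policy for the other pods in the namespace intact; adding a `from` clause with the ingress controller's namespace or pod selector narrows it further.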
Thanks for the feature request. I've opened #1097 which proposes a solution to this issue and others like it 😄