Cert-manager: Allowing specifying ACME solver pod template

Created on 21 Nov 2018 · 8 Comments · Source: jetstack/cert-manager

Is your feature request related to a problem? Please describe.

There have been various requests for the ability to specify fields such as labels, annotations, resource sizes/requests, taints & tolerations etc. to the ACME solver pods that cert-manager creates.

Describe the solution you'd like

I propose we add a podTemplate field to the issuer.spec.acme.http01 structure.

Similar to ReplicaSets/Deployments, this would allow users to specify a base template that will be used when creating the pod.

cert-manager would need to be modified to 'merge' the provided config so that it matches its own requirements (i.e. injecting in container images/arguments).

This could look something like:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    http01:
      podTemplate:
        metadata:
          # name & generateName fields are not allowed
          labels:
            my-custom-label: label-value
        spec:
          containers:
          - name: acmesolver
            resources:
              requests:
                cpu: 250m

The partial ContainerSpec provided would be supplemented by cert-manager with the image and args required, as well as any additional default resource request/limits.

Users would be able to provide additional initContainers/normal containers too.

Describe alternatives you've considered

Exposing more and more configuration for this via flags, or some form of Configuration CRD

Additional context

Related #672 #892 #923 #1096

/kind feature

Labels: area/acme, good first issue, help wanted, kind/feature, priority/important-longterm

All 8 comments

This issue is in the v0.7 milestone, but we don't currently have someone triaged to work on it.

If someone has some time and a desire to get this feature merged, that'd be great, and please mark this issue with /lifecycle active so others are aware 😄

If not, we will attempt to staff this in time for v0.7, or perhaps v0.8.

@munnerz Any clue on timeline for this feature?
We would really like Kong's Ingress Controller to work together with cert-manager.
Is there any way to work around this problem meanwhile?

@munnerz and @hbagdi
Currently, I've found acme-kong-kube-helper in order to solve the http01 validation problem in the staging environment, and it all works. It also has a reference to this issue.

@bgarcial your path seems to be broken. https://github.com/ollystephens/acme-kong-kube-helper

@thedumbtechguy Yes, it was broken. I've already fixed the link, thanks.

/assign

Hi,

Thanks for your job, but a part of the query is not implemented: we can't define container params like nodeSelector or tolerations.

Here is an example:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: ***@***.net
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging-key
      namespace: cert-manager
    solvers:
    - http01:
        ingress:
          podTemplate:
            metadata:
              namespace: cert-manager
            spec:
              nodeSelector:
                kubernetes.io/arch: amd64
              tolerations:
                - key: "node-role.kubernetes.io/master"
                  operator: "Exists"
                  effect: "NoSchedule"

Currently (with the version 93faf9c1) I get:
Error from server (NotAcceptable): error when creating "03-cert-manager.yaml": admission webhook "clusterissuers.admission.certmanager.k8s.io" denied the request: spec.acme.solver.http01.ingress.podTemplate.metadata: Invalid value: "": only labels and annotations may be set on podTemplate

Any way to add that in another PR?

Thanks!
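The merge the issue proposes (a user template overlaid on the container cert-manager needs, extra containers allowed, name and generateName disallowed) and the webhook rule quoted in the comment above (only labels and annotations may be set on podTemplate metadata) sketched together in Go. This is an added example and not cert-manager's code: the types are reduced stand-ins for the k8s.io/api/core/v1 pod types (an assumption), and the solver image, args and default resource values are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
)

// Reduced stand-ins for the k8s.io/api/core/v1 pod types (assumption: only the
// fields this example needs are modelled).
type ResourceList map[string]string

type Resources struct{ Requests, Limits ResourceList }

type Container struct {
	Name, Image string
	Args        []string
	Resources   Resources
}

type Toleration struct{ Key, Operator, Effect string }

type PodSpec struct {
	InitContainers []Container
	Containers     []Container
	NodeSelector   map[string]string
	Tolerations    []Toleration
}

type ObjectMeta struct {
	Name, GenerateName, Namespace string
	Labels, Annotations           map[string]string
}

type PodTemplate struct {
	Metadata ObjectMeta
	Spec     PodSpec
}

// validateTemplateMetadata enforces the rule the webhook reports in the thread:
// only labels and annotations may be set on podTemplate.metadata.
func validateTemplateMetadata(m ObjectMeta) error {
	if m.Name != "" || m.GenerateName != "" || m.Namespace != "" {
		return errors.New("podTemplate.metadata: only labels and annotations may be set on podTemplate")
	}
	return nil
}

// solverDefaults is the pod spec used when no template is given. Image, args
// and resource values are constructed placeholders, not cert-manager's real ones.
func solverDefaults(domain, token, key string) PodSpec {
	return PodSpec{Containers: []Container{{
		Name:  "acmesolver",
		Image: "registry.example/acmesolver:placeholder",
		Args:  []string{"--domain=" + domain, "--token=" + token, "--key=" + key},
		Resources: Resources{
			Requests: ResourceList{"cpu": "10m", "memory": "64Mi"},
			Limits:   ResourceList{"cpu": "100m", "memory": "64Mi"},
		},
	}}}
}

// overlay returns base with the entries of user applied on top; neither input is modified.
func overlay(base, user ResourceList) ResourceList {
	out := ResourceList{}
	for k, v := range base {
		out[k] = v
	}
	for k, v := range user {
		out[k] = v
	}
	return out
}

// mergeSolverPod applies a user template to the default solver pod. Scheduling
// fields, init containers and extra containers pass through; for the acmesolver
// container only resources may be tuned, so image and args stay under the
// controller's control rather than the template author's.
func mergeSolverPod(tmpl PodTemplate, base PodSpec) (PodSpec, error) {
	if err := validateTemplateMetadata(tmpl.Metadata); err != nil {
		return PodSpec{}, err
	}
	out := base
	out.Containers = append([]Container(nil), base.Containers...) // copy so base is not mutated
	out.NodeSelector, out.Tolerations, out.InitContainers = tmpl.Spec.NodeSelector, tmpl.Spec.Tolerations, tmpl.Spec.InitContainers
	solverIdx := -1
	for i, c := range out.Containers {
		if c.Name == "acmesolver" {
			solverIdx = i
		}
	}
	if solverIdx < 0 {
		return PodSpec{}, errors.New("base spec has no acmesolver container")
	}
	for _, c := range tmpl.Spec.Containers {
		if c.Name != "acmesolver" {
			out.Containers = append(out.Containers, c)
			continue
		}
		solver := &out.Containers[solverIdx]
		solver.Resources.Requests = overlay(solver.Resources.Requests, c.Resources.Requests)
		solver.Resources.Limits = overlay(solver.Resources.Limits, c.Resources.Limits)
	}
	return out, nil
}

func main() {
	tmpl := PodTemplate{
		Metadata: ObjectMeta{Labels: map[string]string{"my-custom-label": "label-value"}},
		Spec: PodSpec{
			NodeSelector: map[string]string{"kubernetes.io/arch": "amd64"},
			Tolerations:  []Toleration{{"node-role.kubernetes.io/master", "Exists", "NoSchedule"}},
			Containers:   []Container{{Name: "acmesolver", Resources: Resources{Requests: ResourceList{"cpu": "250m"}}}},
		},
	}
	pod, err := mergeSolverPod(tmpl, solverDefaults("example.com", "TOKEN", "KEY"))
	fmt.Printf("%+v\nerr=%v\n", pod, err)
}
```

A template that sets metadata.namespace, as in the ClusterIssuer above, is rejected by validateTemplateMetadata with the same wording the webhook returned, while nodeSelector and tolerations pass straight through to the merged spec.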

I am seeing the same limitations as @rclsilver - is this by design or should the issue be reopened? My scenario is specifically #1770.
