Enable Public Use of the cert-manager-acmesolver ImageΒΆ

When an arbitrary non-admin user creates a certificate with an external CA, cert-manager dynamically creates a pod (image=cert-manager-acmesolver) and an ingress in the user-specified namespace in order to handle the http01 challenge from the external CA.

About this task

As part of the application-apply of cert-manager at bootstrap time, the cert-manager-acmesolver image has been pulled from an external registry and pushed to registry.local:9001:/quay.io/jetstack/cert-manager-acmesolver:v1.13.1. However, this repository within registry.local is secured such that only admin can access these images.

The registry.local:9001:/quay.io/jetstack/cert-manager-acmesolver:v1.13.1 image needs to be copied by admin into a public repository, registry.local:9001:/public. If you have not yet set up a public repository, see StarlingX Administrator Tasks: Set up a Public Repository in Local Docker Registry.

Procedure

  1. Determine the image tag of cert-manager-acmesolver image.

    ~(keystone_admin)]$ system registry-image-tags quay.io/jetstack/cert-manager-acmesolver

  2. Copy the cert-manager-acmesolver image.

    $ sudo docker login registry.local:9001
username: admin
password: <admin-password>
$
$ sudo docker pull registry.local:9001/quay.io/jetstack/cert-manager-acmesolver:v1.13.1
$ sudo docker tag registry.local:9001/quay.io/jetstack/cert-manager-acmesolver:v1.13.1 registry.local:9001/public/cert-manager-acmesolver:v1.13.1
$ sudo docker push registry.local:9001/public/cert-manager-acmesolver:v1.13.1

  3. Update the cert-manager application to use this public image.

    1. Create an overrides file.

      ~(keystone_admin)]$ cat <<EOF > cm-override-values.yaml
acmesolver:
  image:
    repository: registry.local:9001/public/cert-manager-acmesolver
EOF

    2. Apply the overrides.

      ~(keystone_admin)]$ system helm-override-update --reuse-values --values cm-override-values.yaml cert-manager cert-manager cert-manager

    3. Reapply cert-manager.

      ~(keystone_admin)]$ system application-apply cert-manager