docs/doc/source/security/kubernetes/enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace.rst


.. mid1588344357117
.. _enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace:

=====================================================================
Enable Use of cert-manager-acmesolver Image in a Particular Namespace
=====================================================================

When an arbitrary user creates a certificate with an external |CA|,
cert-manager dynamically creates the cert-manager-acmesolver pod and an
ingress in the user-specified namespace in order to handle the http01
challenge from the external CA.

.. rubric:: |context|

In order to pull the
registry.local:9001:/public/cert-manager-acmesolver:|v_jetstack-cert-manager-acmesolver| image from the
local registry, the credentials for the public repository must be in a
secret and referenced in an ImagePullSecret in the **default**
serviceAccount of that user-specified namespace.

.. rubric:: |proc|

#.  Execute the following commands, substituting your deployment-specific
    value for <USERNAMESPACE>.

    .. code-block:: none

        % kubectl get secret registry-local-public-key -n kube-system -o yaml | grep -v '^\s*namespace:\s'  | kubectl apply --namespace=<USERNAMESPACE> -f -

        % kubectl patch serviceaccount default  -p "{\"imagePullSecrets\": [{\"name\": \"registry-local-public-key\"}]}" -n <USERNAMESPACE>
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. mid1588344357117`
			`.. _enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace:`

			`=====================================================================`
			`Enable Use of cert-manager-acmesolver Image in a Particular Namespace`
			`=====================================================================`

			`When an arbitrary user creates a certificate with an external \|CA\|,`
			`cert-manager dynamically creates the cert-manager-acmesolver pod and an`
			`ingress in the user-specified namespace in order to handle the http01`
			`challenge from the external CA.`

			`.. rubric:: \|context\|`

			`In order to pull the`
Replace container tags Replace hard coded tag values with subsitutions Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I76aa5e8dc1870f5496b303f482a651d524fea3ce 2023-01-30 10:19:18 -05:00			`registry.local:9001:/public/cert-manager-acmesolver:\|v_jetstack-cert-manager-acmesolver\| image from the`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00			`local registry, the credentials for the public repository must be in a`
			`secret and referenced in an ImagePullSecret in the default`
			`serviceAccount of that user-specified namespace.`

			`.. rubric:: \|proc\|`

			`#. Execute the following commands, substituting your deployment-specific`
			`value for <USERNAMESPACE>.`

			`.. code-block:: none`

			`% kubectl get secret registry-local-public-key -n kube-system -o yaml \| grep -v '^\s*namespace:\s' \| kubectl apply --namespace=<USERNAMESPACE> -f -`

			`% kubectl patch serviceaccount default -p "{\"imagePullSecrets\": [{\"name\": \"registry-local-public-key\"}]}" -n <USERNAMESPACE>`