Enable Public Use of the cert-manager-acmesolver ImageΒΆ

When an arbitrary non-admin user creates a certificate with an external CA, cert-manager dynamically creates a pod (image=cert-manager-acmesolver) and an ingress in the user-specified namespace in order to handle the http01 challenge from the external CA.

About this task

As part of the application-apply of cert-manager at bootstrap time, the cert-manager-acmesolver image has been pulled from an external registry and pushed to registry.local:9001:/quay.io/jetstack/cert-manager-acmesolver:v1.15.3. However, this repository within registry.local is secured such that only admin can access these images.

The registry.local:9001:/quay.io/jetstack/cert-manager-acmesolver:v1.15.3 image needs to be copied by admin into a public repository, registry.local:9001:/public. If you have not yet set up a public repository, see StarlingX Administrator Tasks: Set up a Public Repository in Local Docker Registry.

Procedure

  1. Determine the image tag of cert-manager-acmesolver image.

    ~(keystone_admin)]$ system registry-image-tags quay.io/jetstack/cert-manager-acmesolver
    
  2. Copy the cert-manager-acmesolver image.

    $ sudo docker login registry.local:9001
    username: admin
    password: <admin-password>
    $
    $ sudo docker pull registry.local:9001/quay.io/jetstack/cert-manager-acmesolver:v1.15.3
    $ sudo docker tag registry.local:9001/quay.io/jetstack/cert-manager-acmesolver:v1.15.3 registry.local:9001/public/cert-manager-acmesolver:v1.15.3
    $ sudo docker push registry.local:9001/public/cert-manager-acmesolver:v1.15.3
  3. Update the cert-manager application to use this public image.

    1. Create an overrides file.

      ~(keystone_admin)]$ cat <<EOF > cm-override-values.yaml
      acmesolver:
        image:
          repository: registry.local:9001/public/cert-manager-acmesolver
      EOF
      
    2. Apply the overrides.

      ~(keystone_admin)]$ system helm-override-update --reuse-values --values cm-override-values.yaml cert-manager cert-manager cert-manager
      
    3. Reapply cert-manager.

      ~(keystone_admin)]$ system application-apply cert-manager