Skip to content

Update NetworkPolicy guidelines to reflect the correct namespace #1827

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update NetworkPolicy guidelines to reflect the correct namespace #1827

wants to merge 1 commit into from

Conversation

@sztyup
Copy link

@sztyup sztyup commented Nov 2, 2025

Fix the misleading statement about namespaces for the HTTP01 solver pods.

The solver pods are always created in the namespace of the Challange resource (which is in the namespace of the Ingress/Certificate)
This can be verified in the code: https://github.com/cert-manager/cert-manager/blob/master/pkg/issuer/acme/http/pod.go#L180

@cert-manager-prow cert-manager-prow bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 2, 2025
@cert-manager-prow
Copy link
Contributor

cert-manager-prow bot commented Nov 2, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign thatsmrtalbot for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@netlify
Copy link

netlify bot commented Nov 2, 2025

Deploy Preview for cert-manager ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit f08bf18
🔍 Latest deploy log https://app.netlify.com/projects/cert-manager/deploys/6906a8e694f29300084c2e4a
😎 Deploy Preview https://deploy-preview-1827--cert-manager.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@sztyup sztyup marked this pull request as ready for review November 2, 2025 00:46
@cert-manager-prow cert-manager-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 2, 2025
@erikgb erikgb requested a review from Copilot November 2, 2025 20:05
Copilot AI reviewed Nov 2, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR corrects inaccurate documentation about where cert-manager creates acmesolver resources for ACME HTTP01 challenges. The documentation previously incorrectly stated that these resources are created in the cert-manager namespace when using a ClusterIssuer.

  • Updated the description of where acmesolver resources are created during ACME HTTP01 challenges

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

content/docs/installation/best-practice.md
cert-manager will deploy an `acmesolver` Pod, a Service and an Ingress (or Gateway API) resource
in the namespace of the Issuer
or in the cert-manager namespace if it is a ClusterIssuer.
in the namespace of the Challenge resource.
Copy link

Copilot AI Nov 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] While technically correct, 'in the namespace of the Challenge resource' is somewhat circular. Consider clarifying this to 'in the same namespace as the Certificate resource' since Challenge resources are created in the same namespace as their parent Certificate, which is more immediately useful information for users planning network policies.

Suggested change
in the namespace of the Challenge resource.
in the same namespace as the Certificate resource.

Copilot uses AI. Check for mistakes.
Copy link
Author

@sztyup sztyup Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not think this change would make it more clear, because the Certificate resource is not necessarily created by the user (Ingress, Gateway, etc.) or it may not even be created, if directly using CertificateRequest. I think the Challenge is the most appropriate for this documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sztyup