Grant cert-manager RBAC to use all policies by default

erikgb · erikgb · commit e31b9f7f9f8d · 2025-04-27T15:10:11.000+02:00
Signed-off-by: Erik Godding Boye &lt;egboye@gmail.com&gt;
diff --git a/deploy/charts/approver-policy/README.md b/deploy/charts/approver-policy/README.md
diff --git a/deploy/charts/approver-policy/templates/use-policies-clusterrole.yaml b/deploy/charts/approver-policy/templates/use-policies-clusterrole.yaml
@@ -0,0 +1,18 @@
+{{ if .Values.app.usePoliciesRbac.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    {{- include "cert-manager-approver-policy.labels" . | nindent 4 }}
+  name: {{ printf "%s:%s" (include "cert-manager-approver-policy.name" .) "use" }}
+rules:
+- apiGroups: ["policy.cert-manager.io"]
+  resources: ["certificaterequestpolicies"]
+  verbs: ["use"]
+  {{- with .Values.app.usePoliciesRbac.policyNames }}
+  resourceNames:
+  {{- range . }}
+  - "{{ . }}"
+  {{- end  }}
+  {{- end }}
+{{ end }}
diff --git a/deploy/charts/approver-policy/templates/use-policies-clusterrolebinding.yaml b/deploy/charts/approver-policy/templates/use-policies-clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{ if .Values.app.usePoliciesRbac.enabled }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    {{- include "cert-manager-approver-policy.labels" . | nindent 4 }}
+  name: {{ printf "%s:%s" (include "cert-manager-approver-policy.name" .) "use" }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ printf "%s:%s" (include "cert-manager-approver-policy.name" .) "use" }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.app.usePoliciesRbac.serviceAccount.name }}
+  namespace: {{ .Values.app.usePoliciesRbac.serviceAccount.namespace }}
+{{ end }}
diff --git a/deploy/charts/approver-policy/values.schema.json b/deploy/charts/approver-policy/values.schema.json
@@ -104,6 +104,9 @@
         "readinessProbe": {
           "$ref": "#/$defs/helm-values.app.readinessProbe"
         },
+        "usePoliciesRbac": {
+          "$ref": "#/$defs/helm-values.app.usePoliciesRbac"
+        },
         "webhook": {
           "$ref": "#/$defs/helm-values.app.webhook"
         }
@@ -234,6 +237,54 @@
       "description": "The container port to expose approver-policy HTTP readiness probe on default network interface.",
       "type": "number"
     },
+    "helm-values.app.usePoliciesRbac": {
+      "additionalProperties": false,
+      "properties": {
+        "enabled": {
+          "$ref": "#/$defs/helm-values.app.usePoliciesRbac.enabled"
+        },
+        "policyNames": {
+          "$ref": "#/$defs/helm-values.app.usePoliciesRbac.policyNames"
+        },
+        "serviceAccount": {
+          "$ref": "#/$defs/helm-values.app.usePoliciesRbac.serviceAccount"
+        }
+      },
+      "type": "object"
+    },
+    "helm-values.app.usePoliciesRbac.enabled": {
+      "default": true,
+      "description": "Create RBAC to grant permission to use policies.",
+      "type": "boolean"
+    },
+    "helm-values.app.usePoliciesRbac.policyNames": {
+      "default": [],
+      "description": "List of policies that the referenced service account will be given permission to use. Defaults to an empty array, allowing use of all policies.",
+      "items": {},
+      "type": "array"
+    },
+    "helm-values.app.usePoliciesRbac.serviceAccount": {
+      "additionalProperties": false,
+      "properties": {
+        "name": {
+          "$ref": "#/$defs/helm-values.app.usePoliciesRbac.serviceAccount.name"
+        },
+        "namespace": {
+          "$ref": "#/$defs/helm-values.app.usePoliciesRbac.serviceAccount.namespace"
+        }
+      },
+      "type": "object"
+    },
+    "helm-values.app.usePoliciesRbac.serviceAccount.name": {
+      "default": "cert-manager",
+      "description": "Name of ServiceAccount.",
+      "type": "string"
+    },
+    "helm-values.app.usePoliciesRbac.serviceAccount.namespace": {
+      "default": "cert-manager",
+      "description": "Namespace of ServiceAccount.",
+      "type": "string"
+    },
     "helm-values.app.webhook": {
       "additionalProperties": false,
       "properties": {
diff --git a/deploy/charts/approver-policy/values.yaml b/deploy/charts/approver-policy/values.yaml
@@ -75,6 +75,19 @@ app:
   # +docs:property
   approveSignerNames: []
 
+  usePoliciesRbac:
+    # Create RBAC to grant permission to use policies.
+    enabled: true
+    # List of policies that the referenced service account will be given permission to
+    # use. Defaults to an empty array, allowing use of all policies.
+    policyNames: []
+    # The ServiceAccount granted permission to use policies.
+    serviceAccount:
+      # Name of ServiceAccount.
+      name: cert-manager
+      # Namespace of ServiceAccount.
+      namespace: cert-manager
+
   metrics:
     # Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.
     port: 9402
