I'm installing cert-manager and cert-manager-approver-policy freshly into a brand new cluster, and cert-manager approver policy spits this error in its logs:

```
time=2025-08-13T21:13:22.947Z level=ERROR msg="error ensuring CA" logger=apiutil err="secrets is forbidden: User \"system:serviceaccount:cert-manager:cert-manager-approver-policy\" cannot create resource \"secrets\" in API group \"\" in the namespace \"cert-manager\""
```
Observing the RBAC for approver-policy, we see:

```yaml
- apiGroups:
  - ''
  resourceNames:
  - cert-manager-approver-policy-tls
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
```
But there's a Kubernetes issue (from 2019) stating create doesn't work with resourceNames (unless you're doing server-side apply):
kubernetes/kubernetes#80295 (comment)
Removing resourceNames from the role allows this to work, or manually creating that generic secret before first pod startup works.
This was dealt with for leases; I think the same needs to be replicated for secrets:

```yaml
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - policy.cert-manager.io
  resources:
  - leases
  verbs:
  - get
  - update
```
e.g.

```yaml
- apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - create
- apiGroups:
  - ''
  resourceNames:
  - cert-manager-approver-policy-tls
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - update
```
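As an added example (not part of the issue or the cert-manager project), here is a small Python lint that finds RBAC rules pairing `resourceNames` with a verb the API server cannot authorize by name, and splits them into the two-rule shape proposed above. Rules are plain dicts in the `rbac.authorization.k8s.io/v1` PolicyRule shape; it also treats `deletecollection` as name-blind, which is the same limitation in Kubernetes RBAC and goes beyond the `create` case the issue reports.

```python
import copy

# Verbs Kubernetes RBAC cannot restrict by resource name: the object name is not
# known at authorization time (server-side apply is the exception the issue notes).
NAME_BLIND_VERBS = {"create", "deletecollection"}


def find_name_blind_rules(rules):
    """Return rules that combine resourceNames with a name-blind verb."""
    return [
        r for r in rules
        if r.get("resourceNames") and NAME_BLIND_VERBS & set(r.get("verbs", []))
    ]


def split_rule(rule):
    """Split one offending rule into a name-less rule for the name-blind verbs
    and a name-restricted rule for the rest, mirroring the leases rules."""
    blind = [v for v in rule.get("verbs", []) if v in NAME_BLIND_VERBS]
    named = [v for v in rule.get("verbs", []) if v not in NAME_BLIND_VERBS]
    out = []
    if blind:
        unnamed = copy.deepcopy(rule)
        unnamed.pop("resourceNames", None)  # create must not carry resourceNames
        unnamed["verbs"] = blind
        out.append(unnamed)
    if named:
        restricted = copy.deepcopy(rule)  # keeps the least-privilege name scope
        restricted["verbs"] = named
        out.append(restricted)
    return out


def fix_rules(rules):
    """Rewrite a rule list, leaving rules that are already fine untouched."""
    fixed = []
    for r in rules:
        fixed.extend(split_rule(r) if find_name_blind_rules([r]) else [r])
    return fixed


# Constructed sample: the approver-policy secrets rule quoted in the issue.
APPROVER_POLICY_SECRETS_RULE = {
    "apiGroups": [""],
    "resourceNames": ["cert-manager-approver-policy-tls"],
    "resources": ["secrets"],
    "verbs": ["get", "list", "watch", "create", "update"],
}

if __name__ == "__main__":
    for r in fix_rules([APPROVER_POLICY_SECRETS_RULE]):
        print(r)
```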