Skip to content

Grant cert-manager RBAC to use all policies by default #628

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Grant cert-manager RBAC to use all policies by default #628

wants to merge 1 commit into from
+126 −0

Conversation

@erikgb
Copy link
Member

@erikgb erikgb commented Apr 27, 2025
edited by inteon
Loading

This PR should make it a bit easier to use approver-policy with cert-manager. By default, it will now grant RBAC permissions to use all CertificateRequestPolicies.

Close #216

/cc @hawksight @inteon @SgtCoDFish

@cert-manager-prow cert-manager-prow bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Apr 27, 2025
@cert-manager-prow
Copy link
Contributor

cert-manager-prow bot commented Apr 27, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign wallrj for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 27, 2025
@erikgb erikgb force-pushed the grant-cert-manager-use-rbac branch from 5d1c937 to e31b9f7 Compare April 27, 2025 13:10
@inteon
Copy link
Member

inteon commented Apr 27, 2025

I think this might be something for a v2 of this component.
Also, I would rather just drop the RBAC logic.

@erikgb
Copy link
Member Author

erikgb commented Apr 27, 2025

I think this might be something for a v2 of this component. Also, I would rather just drop the RBAC logic.

Could you elaborate? Especially on the last part. "RBAC logic"?

@inteon
Copy link
Member

inteon commented Apr 27, 2025

I think this might be something for a v2 of this component. Also, I would rather just drop the RBAC logic.

Could you elaborate? Especially on the last part. "RBAC logic"?

Instead of using RBAC to link CertificateRequests with CertificateRequestPolicies, we can use the .spec.selector instead.

@erikgb
Copy link
Member Author

erikgb commented Apr 27, 2025
edited
Loading

I think this might be something for a v2 of this component. Also, I would rather just drop the RBAC logic.

Could you elaborate? Especially on the last part. "RBAC logic"?

Instead of using RBAC to link CertificateRequests with CertificateRequestPolicies, we can use the .spec.selector instead.

But why did you create the referenced issue? The selector is already in use, but that connects the CertificateRequestPolicy to Issuers. Not to who created the CertificateRequest. AFAIK, RBAC isn't able to use selectors.

@erikgb
Copy link
Member Author

erikgb commented Jul 30, 2025

@github-copilot review

@hawksight
Copy link
Member

hawksight commented Oct 23, 2025

This certainly simplifies the existing setup process by wrapping it into the existing chart and on by default. On that basis I am in favour.

I don't think we should block an enhancement because we "might" do something better in the future.

The code look fine to me from a helm perspective but I have not tried it.

@hawksight
Copy link
Member

hawksight commented Oct 23, 2025

/lgtm

@cert-manager-prow
Copy link
Contributor

cert-manager-prow bot commented Oct 23, 2025

@hawksight: adding LGTM is restricted to approvers and reviewers in OWNERS files.

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hawksight hawksight Awaiting requested review from hawksight

@inteon inteon Awaiting requested review from inteon

@SgtCoDFish SgtCoDFish Awaiting requested review from SgtCoDFish

Assignees

No one assigned

Labels

dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Simplify configuration by creating RBAC by default

3 participants

@erikgb @inteon @hawksight