Hi,
Is it possible to provide access to secrets only from the specific namespaces that want to use the external issuer? As of now, the external issuer requires access to all the secrets in the cluster.
I understand it is required by cert-manager, but I don't understand why the external issuer controller also needs to list all the secrets in the cluster. As per my understanding, it is cert-manager's role to check all the secrets and then invoke the particular issuer (depending on the GVK).
I tested by modifying the RBAC to provide secret access for only the required namespace, but I am getting the error below.
2025-06-05T08:32:13Z INFO pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:251: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:cmp-external-issuer-system:cmp-external-issuer-controller-manager" cannot list resource "secrets" in API group "" at the cluster scope
2025-06-05T08:32:13Z ERROR Unhandled Error {"logger": "UnhandledError", "error": "pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:251: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:cmp-external-issuer-system:cmp-external-issuer-controller-manager\" cannot list resource \"secrets\" in API group \"\" at the cluster scope"}
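As an added example (not part of the issue or the project's manifests), this is the shape of the namespaced RBAC the reporter describes, with Secret access granted per consuming namespace instead of cluster-wide. It only works if the controller's informer is also restricted to those namespaces (in controller-runtime, cache.Options.DefaultNamespaces); otherwise the reflector still lists Secrets at cluster scope and fails with exactly the "forbidden ... at the cluster scope" error above. The namespace "team-a" and the ClusterRole name are placeholders; the service account names are taken from the error message.

```yaml
# Cluster scope: only the cert-manager resources the issuer reconciles.
# Deliberately no "secrets" rule here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cmp-external-issuer-manager-role        # placeholder name
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificaterequests"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificaterequests/status"]
    verbs: ["patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cmp-external-issuer-manager-rolebinding  # placeholder name
subjects:
  - kind: ServiceAccount
    name: cmp-external-issuer-controller-manager
    namespace: cmp-external-issuer-system
roleRef:
  kind: ClusterRole
  name: cmp-external-issuer-manager-role
  apiGroup: rbac.authorization.k8s.io
---
# Namespace scope: Secret access granted only where the issuer is used.
# Repeat this Role/RoleBinding pair for every consuming namespace, and
# list the same namespaces in the controller's cache configuration.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cmp-external-issuer-secret-reader      # placeholder name
  namespace: team-a                            # placeholder namespace
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cmp-external-issuer-secret-reader
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: cmp-external-issuer-controller-manager
    namespace: cmp-external-issuer-system
roleRef:
  kind: Role
  name: cmp-external-issuer-secret-reader
  apiGroup: rbac.authorization.k8s.io
```

To confirm the scoping took effect before deploying, run `kubectl auth can-i list secrets --as=system:serviceaccount:cmp-external-issuer-system:cmp-external-issuer-controller-manager -n team-a` (expected: yes) and the same command with `--all-namespaces` (expected: no).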