Skip to content

Grant cert-manager RBAC to use all policies by default #628

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Grant cert-manager RBAC to use all policies by default #628

wants to merge 1 commit into from

Conversation

erikgb
Copy link
Contributor

@erikgb erikgb commented Apr 27, 2025
edited by inteon
Loading

This PR should make it a bit easier to use approver-policy with cert-manager. By default, it will now grant RBAC permissions to use all CertificateRequestPolicies.

Close #216

/cc @hawksight @inteon @SgtCoDFish

@cert-manager-prow cert-manager-prow bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Apr 27, 2025
@cert-manager-prow
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign wallrj for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 27, 2025
@erikgb
Grant cert-manager RBAC to use all policies by default
e31b9f7 
Signed-off-by: Erik Godding Boye <egboye@gmail.com>
@erikgb erikgb force-pushed the grant-cert-manager-use-rbac branch from 5d1c937 to e31b9f7 Compare April 27, 2025 13:10
@inteon
Copy link
Member

inteon commented Apr 27, 2025

I think this might be something for a v2 of this component.
Also, I would rather just drop the RBAC logic.

@erikgb
Copy link
Contributor Author

erikgb commented Apr 27, 2025

I think this might be something for a v2 of this component. Also, I would rather just drop the RBAC logic.

Could you elaborate? Especially on the last part. "RBAC logic"?

@inteon
Copy link
Member

inteon commented Apr 27, 2025

I think this might be something for a v2 of this component. Also, I would rather just drop the RBAC logic.

Could you elaborate? Especially on the last part. "RBAC logic"?

Instead of using RBAC to link CertificateRequests with CertificateRequestPolicies, we can use the .spec.selector instead.

@erikgb
Copy link
Contributor Author

erikgb commented Apr 27, 2025
edited
Loading

I think this might be something for a v2 of this component. Also, I would rather just drop the RBAC logic.

Could you elaborate? Especially on the last part. "RBAC logic"?

Instead of using RBAC to link CertificateRequests with CertificateRequestPolicies, we can use the .spec.selector instead.

But why did you create the referenced issue? The selector is already in use, but that connects the CertificateRequestPolicy to Issuers. Not to who created the CertificateRequest. AFAIK, RBAC isn't able to use selectors.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hawksight hawksight Awaiting requested review from hawksight

@inteon inteon Awaiting requested review from inteon

@SgtCoDFish SgtCoDFish Awaiting requested review from SgtCoDFish

Assignees
No one assigned
Labels
dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Simplify configuration by creating RBAC by default
2 participants
@erikgb @inteon