From 388162cd5413d6ad386ab8caafe00a15f7cba4e1 Mon Sep 17 00:00:00 2001
From: Spyros Synodinos <138458697+ssyno@users.noreply.github.com>
Date: Tue, 3 Dec 2024 14:54:06 +0200
Subject: [PATCH] Additional `approveSignerNames` fix (#494)

* rbac-fix
* add approveSignerNames
* schema update
---
 helm/cert-manager/templates/rbac.yaml | 60 +++++++++++++++++++++++++--
 helm/cert-manager/values.schema.json  | 16 +++++++
 helm/cert-manager/values.yaml         | 17 ++++++++
 3 files changed, 89 insertions(+), 4 deletions(-)

diff --git a/helm/cert-manager/templates/rbac.yaml b/helm/cert-manager/templates/rbac.yaml
index 94b0950b..baae425f 100644
--- a/helm/cert-manager/templates/rbac.yaml
+++ b/helm/cert-manager/templates/rbac.yaml
@@ -39,13 +39,56 @@ roleRef:
   kind: Role
   name: {{ template "cert-manager.fullname" . }}:leaderelection
 subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
+  - kind: ServiceAccount
     name: {{ template "cert-manager.serviceAccountName" . }}
     namespace: {{ include "cert-manager.namespace" . }}
 
 ---
 
+{{- if .Values.serviceAccount.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["serviceaccounts/token"]
+    resourceNames: ["{{ template "cert-manager.serviceAccountName" . }}"]
+    verbs: ["create"]
+
+---
+
+# grant cert-manager permission to create tokens for the serviceaccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cert-manager.fullname" . }}-{{ template "cert-manager.serviceAccountName" . }}-tokenrequest
+  namespace: {{ include "cert-manager.namespace" . }}
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "cert-manager.serviceAccountName" . }}-tokenrequest
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "cert-manager.serviceAccountName" . }}
+    namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+
+---
+
 # Issuer controller role
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
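Review bot: The new tokenrequest Role carries the sensitive verb (`create` on `serviceaccounts/token`) but the only explanatory comment, `# grant cert-manager permission to create tokens for the serviceaccount`, sits on the RoleBinding below it rather than on the Role that holds the rule; move or duplicate it onto the Role and state why the scope is acceptable, e.g. `# TokenRequest for the controller's own ServiceAccount only; resourceNames is what stops this Role from minting tokens for any other ServiceAccount in the namespace`. Both objects are gated on `.Values.serviceAccount.create`, so an installation that brings its own ServiceAccount (`create: false`) renders neither the Role nor the RoleBinding; if the controller needs the TokenRequest permission regardless of who created the account, that gate should be documented in values.yaml or dropped. The hunk header counts 13 old and 56 new lines while only 11 and 54 are recoverable from the text, so two blank context lines appear to have been lost in extraction.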
@@ -474,6 +517,8 @@ rules:
 
 ---
 
+{{- if not .Values.disableAutoApproval -}}
+
 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -489,7 +534,12 @@ rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["signers"]
     verbs: ["approve"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+    {{- with .Values.approveSignerNames }}
+    resourceNames:
+    {{- range . }}
+    - {{ . | quote }}
+    {{- end }}
+    {{- end }}
 
 ---
 
@@ -514,8 +564,10 @@ subjects:
 
 ---
 
+{{- end -}}
+
 # Permission to:
-# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
+# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/helm/cert-manager/values.schema.json b/helm/cert-manager/values.schema.json
index 693c9f41..f7cce8d5 100644
--- a/helm/cert-manager/values.schema.json
+++ b/helm/cert-manager/values.schema.json
@@ -260,6 +260,22 @@
     "deploymentAnnotations": {
       "type": "object"
     },
+    "disableAutoApproval": {
+      "type": "boolean",
+      "default": false,
+      "description": "Option to disable cert-manager's built-in auto-approver. Useful when using a different approver like approver-policy."
+    },
+    "approveSignerNames": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "default": [
+        "issuers.cert-manager.io/*",
+        "clusterissuers.cert-manager.io/*"
+      ],
+      "description": "List of signer names that cert-manager will approve by default. Empty array means ALL issuers will be auto-approved."
+    },
     "dns01RecursiveNameservers": {
       "type": "string"
     },
diff --git a/helm/cert-manager/values.yaml b/helm/cert-manager/values.yaml
index 28a01e81..835aaf65 100644
--- a/helm/cert-manager/values.yaml
+++ b/helm/cert-manager/values.yaml
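Review bot: `{{- if not .Values.disableAutoApproval -}}` trims whitespace on both sides of the action, so as I read Go template trimming the rendered output joins the preceding `---` and the following `# Permission to approve ...` comment onto one line (`---# Permission ...`) whichever way the flag is set. Helm's own manifest splitter tolerates a `#` glued to the separator, but the `helm template` output is then not clean YAML for any other consumer (policy scanners, `kubectl apply -f -` on a saved render). Dropping the trailing dash, `{{- if not .Values.disableAutoApproval }}`, keeps the newline after `---`. The closing `{{- end -}}` in `@@ -514,8 +564,10 @@` does the same to the `# Permission to:` comment that follows it and should lose its trailing dash for the same reason.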
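Review bot: With `{{- with .Values.approveSignerNames }}` an empty list silently drops `resourceNames` from the rule, so the ClusterRole then grants `approve` on every `signers` resource in `cert-manager.io` — a wider grant than the removed hard-coded `resourceNames` line ever gave — and nothing at the template site says so. Add `{{- /* an empty approveSignerNames omits resourceNames, i.e. approve on ALL signers; use disableAutoApproval to approve none */ -}}` directly above the `with` so the widening is visible where it happens and not only in values.yaml. If the wildcard behaviour is not intended for the empty case, a guard such as `{{- if not .Values.approveSignerNames }}{{ fail "approveSignerNames must not be empty; set disableAutoApproval to turn off auto-approval" }}{{- end }}` would make it fail closed instead; which of the two the chart owners want is a design decision, but one of them should be recorded in the template. The enclosing `{{- if not .Values.disableAutoApproval -}}` block opens in the previous hunk and closes in the next one.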
@@ -153,6 +153,23 @@ dns01RecursiveNameservers: ""
 # Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers
 dns01RecursiveNameserversOnly: false
 
+# Option to disable cert-manager's build-in auto-approver. The auto-approver
+# approves all CertificateRequests that reference issuers matching the 'approveSignerNames'
+# option. This 'disableAutoApproval' option is useful when you want to make all approval decisions
+# using a different approver (like approver-policy - https://github.com/cert-manager/approver-policy).
+disableAutoApproval: false
+
+# List of signer names that cert-manager will approve by default. CertificateRequests
+# referencing these signer names will be auto-approved by cert-manager. Defaults to just
+# approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty
+# array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval,
+# because eg. you are using approver-policy, you can enable 'disableAutoApproval'.
+# ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
+# +docs:property
+approveSignerNames:
+- issuers.cert-manager.io/*
+- clusterissuers.cert-manager.io/*
+
 # Additional command line flags to pass to cert-manager controller binary.
 # To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help
 extraArgs: []
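Review bot: The comment on `disableAutoApproval` reads `# Option to disable cert-manager's build-in auto-approver`; `build-in` should be `built-in` (the schema description added in this same commit already spells it that way), and `because eg. you are using approver-policy` should read `because e.g. you are using approver-policy`. Since an empty `approveSignerNames` widens the approve ClusterRole to every signer, the sentence `When set to an empty array, ALL issuers will be auto-approved by cert-manager.` is the one a reader must not miss; consider making it the first line of that comment rather than the fourth. The list is written in flush sequence style (`- issuers.cert-manager.io/*` at the key's column); whichever style the rest of values.yaml uses should be kept, which this hunk does not show.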