Merge pull request #131 from SgtCoDFish/allowallsigners

Allow use of all signers by default
cert-manager · Apr 29, 2024 · c5f8bac · c5f8bac
2 parents a8c5e22 + a0e56b4
commit c5f8bac
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 6 deletions.
diff --git a/deploy/charts/csi-driver-spiffe/README.md b/deploy/charts/csi-driver-spiffe/README.md
@@ -326,10 +326,10 @@ Number of replicas of the approver to run.
 #### **app.approver.signerName** ~ `string`
 > Default value:
 > ```yaml
-> clusterissuers.cert-manager.io/*
+> ""
 > ```
 
-The signer name that csi-driver-spiffe approver will be given permission to approve and deny. CertificateRequests referencing this signer name can be processed by the SPIFFE approver. See: https://cert-manager.io/docs/concepts/certificaterequest/#approval
+A signer name that the csi-driver-spiffe approver will be given permission to approve and deny. CertificateRequests referencing this signer name can be processed by the SPIFFE approver. See: https://cert-manager.io/docs/concepts/certificaterequest/#approval. Defaults to empty which allows approval for all signers
 #### **app.approver.readinessProbe.port** ~ `number`
 > Default value:
 > ```yaml

diff --git a/deploy/charts/csi-driver-spiffe/templates/clusterrole.yaml b/deploy/charts/csi-driver-spiffe/templates/clusterrole.yaml
@@ -23,10 +23,16 @@ rules:
   resources: ["certificaterequests/status"]
   verbs: ["update"]
 
+{{- if .Values.app.approver.signerName }}
 - apiGroups: ["cert-manager.io"]
   resources: ["signers"]
   verbs: ["approve"]
   resourceNames: ["{{.Values.app.approver.signerName}}"]
+{{- else }}
+- apiGroups: ["cert-manager.io"]
+  resources: ["signers"]
+  verbs: ["approve"]
+{{- end }}
 - apiGroups: [""]
   resources: ["events"]
   verbs: ["create", "patch"]
diff --git a/deploy/charts/csi-driver-spiffe/values.schema.json b/deploy/charts/csi-driver-spiffe/values.schema.json
@@ -188,8 +188,8 @@
       "type": "object"
     },
     "helm-values.app.approver.signerName": {
-      "default": "clusterissuers.cert-manager.io/*",
-      "description": "The signer name that csi-driver-spiffe approver will be given permission to approve and deny. CertificateRequests referencing this signer name can be processed by the SPIFFE approver. See: https://cert-manager.io/docs/concepts/certificaterequest/#approval",
+      "default": "",
+      "description": "A signer name that the csi-driver-spiffe approver will be given permission to approve and deny. CertificateRequests referencing this signer name can be processed by the SPIFFE approver. See: https://cert-manager.io/docs/concepts/certificaterequest/#approval. Defaults to empty which allows approval for all signers",
       "type": "string"
     },
     "helm-values.app.certificateRequestDuration": {

diff --git a/deploy/charts/csi-driver-spiffe/values.yaml b/deploy/charts/csi-driver-spiffe/values.yaml
@@ -165,11 +165,14 @@ app:
   approver:
     # Number of replicas of the approver to run.
     replicaCount: 1
-    # The signer name that csi-driver-spiffe approver will be given
+
+    # A signer name that the csi-driver-spiffe approver will be given
     # permission to approve and deny. CertificateRequests referencing this
     # signer name can be processed by the SPIFFE approver. See:
     # https://cert-manager.io/docs/concepts/certificaterequest/#approval
-    signerName: "clusterissuers.cert-manager.io/*"
+    # Defaults to empty which allows approval for all signers
+    signerName: ""
+
     readinessProbe:
       # Container port to expose csi-driver-spiffe-approver HTTP readiness
       # probe on default network interface.