Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add design for allowing all signers by default #415

Merged
merged 2 commits into from
Apr 9, 2024
Merged

Add design for allowing all signers by default #415

merged 2 commits into from
Apr 9, 2024

Conversation

SgtCoDFish
Copy link
Member

This has been discussed in various cert-manager meetings already. I'm adding this lightweight design to allow the conversation to be captured here in the repo and to provide a point of reference as we make this change.

@SgtCoDFish
add design for allowing all signers by default
16cc88b 
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 4, 2024
@SgtCoDFish SgtCoDFish mentioned this pull request Apr 4, 2024
Merged
hawksight
hawksight reviewed Apr 4, 2024
View reviewed changes
Copy link
Member

@hawksight hawksight left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I am completely in favour of this, but for clarity could we add the intended outcome of this proposal in terms of actions / YAML?

I will take a stab here at what I think this means for someone installing / setting up approver-policy:

  1. The helm chart will now default app.approveSignerNames: - "*" to indicate all signers from any api group?

  2. RBAC will then by default allow all signers by filtering through to here?

  3. Assuming this is not overridden by a user (they use the default), they can new create CertificateRequestPolicy resource without additional RBAC requirements?

In terms of upgrade then, we might find that existing users would either want to:

  1. not use the default value and continue with restricted RBAC
  2. Use the new default and review their existing RBAC with CRP resources as potentally unecessary?

@SgtCoDFish
add more detail on the exact proposed change and upgrade guide
9e015fe 
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
@jetstack-bot jetstack-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 8, 2024
@SgtCoDFish
Copy link
Member Author

Thanks @hawksight - I've updated to include a bit more detail on what exactly users would have to do.

@SgtCoDFish
Copy link
Member Author

/test pull-cert-manager-approver-policy-test

@hawksight
Copy link
Member

@SgtCoDFish - I thought this might make more sense for readers to indicate when action was needed, in this PR. Please feel free to ignore or do other things, merely a suggestion.

@ThatsMrTalbot
Copy link
Contributor

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Apr 8, 2024
@SgtCoDFish
Copy link
Member Author

@SgtCoDFish - I thought this might make more sense for readers to indicate when action was needed, SgtCoDFish#1. Please feel free to ignore or do other things, merely a suggestion.

That's awesome! The only thing I'd say about that is it feels more like a documentation / release note thing than a design doc thing. I wouldn't expect most users to ever see this doc - this is more for devs and maintainers interested in why the change was made.

As such, I'll absolutely take the notes you've written - but I'll use them in release notes and docs instead, because they'll be awesome there! Thank you 😁

/approve

@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 9, 2024
@jetstack-bot jetstack-bot merged commit 52cdbb7 into cert-manager:main Apr 9, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hawksight hawksight hawksight left review comments

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@SgtCoDFish @hawksight @ThatsMrTalbot @jetstack-bot