-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add design for allowing all signers by default #415
Conversation
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I am completely in favour of this, but for clarity could we add the intended outcome of this proposal in terms of actions / YAML?
I will take a stab here at what I think this means for someone installing / setting up approver-policy:
-
The helm chart will now default
app.approveSignerNames: - "*"
to indicate all signers from any api group? -
RBAC will then by default allow all signers by filtering through to here?
-
Assuming this is not overridden by a user (they use the default), they can new create
CertificateRequestPolicy
resource without additional RBAC requirements?
In terms of upgrade then, we might find that existing users would either want to:
- not use the default value and continue with restricted RBAC
- Use the new default and review their existing RBAC with CRP resources as potentally unecessary?
Signed-off-by: Ashley Davis <ashley.davis@venafi.com>
Thanks @hawksight - I've updated to include a bit more detail on what exactly users would have to do. |
/test pull-cert-manager-approver-policy-test |
@SgtCoDFish - I thought this might make more sense for readers to indicate when action was needed, in this PR. Please feel free to ignore or do other things, merely a suggestion. |
/lgtm |
That's awesome! The only thing I'd say about that is it feels more like a documentation / release note thing than a design doc thing. I wouldn't expect most users to ever see this doc - this is more for devs and maintainers interested in why the change was made. As such, I'll absolutely take the notes you've written - but I'll use them in release notes and docs instead, because they'll be awesome there! Thank you 😁 /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: SgtCoDFish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This has been discussed in various cert-manager meetings already. I'm adding this lightweight design to allow the conversation to be captured here in the repo and to provide a point of reference as we make this change.