Merge pull request #7049 from inteon/add_approveSignerNames

Add Helm options to extend auto-approval or disable it

cmd/controller/app/options/options.go

@@ -243,6 +243,11 @@ func EnabledControllers(o *config.ControllerConfiguration) sets.Set[string] {
 		}
 	}
 
+	// Detect if "*" was implied (in case only disabled controllers were specified)
+	if len(disabled) > 0 && len(enabled) == 0 {
+		enabled = enabled.Insert(defaults.DefaultEnabledControllers...)
+	}
+
 	enabled = enabled.Delete(disabled...)
 
 	if utilfeature.DefaultFeatureGate.Enabled(feature.ExperimentalCertificateSigningRequestControllers) {

cmd/controller/app/options/options_test.go

@@ -50,6 +50,14 @@ func TestEnabledControllers(t *testing.T) {
 			controllers: []string{"*", "-clusterissuers", "-issuers"},
 			expEnabled:  sets.New(defaults.DefaultEnabledControllers...).Delete("clusterissuers", "issuers"),
 		},
+		"if only disabled controllers are specified, implicitly enable all default controllers": {
+			controllers: []string{"-clusterissuers", "-issuers"},
+			expEnabled:  sets.New(defaults.DefaultEnabledControllers...).Delete("clusterissuers", "issuers"),
+		},
+		"if both enabled and disabled controllers are specified, return specified controllers": {
+			controllers: []string{"foo", "-bar"},
+			expEnabled:  sets.New("foo"),
+		},
 	}
 
 	for name, test := range tests {

deploy/charts/cert-manager/README.template.md

@@ -387,6 +387,23 @@ A comma-separated string with the host and port of the recursive nameservers cer
 > ```
 
 Forces cert-manager to use only the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer owing to caching performed by the recursive nameservers.
+#### **disableAutoApproval** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
+
+Option to disable cert-manager's build-in auto-approver. The auto-approver approves all CertificateRequests that reference issuers matching the 'approveSignerNames' option. This 'disableAutoApproval' option is useful when you want to make all approval decisions using a different approver (like approver-policy - https://github.com/cert-manager/approver-policy).
+#### **approveSignerNames** ~ `array`
+> Default value:
+> ```yaml
+> - issuers.cert-manager.io/*
+> - clusterissuers.cert-manager.io/*
+> ```
+
+List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because eg. you are using approver-policy, you can enable 'disableAutoApproval'.  
+ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
+
 #### **extraArgs** ~ `array`
 > Default value:
 > ```yaml

deploy/charts/cert-manager/templates/deployment.yaml

@@ -137,6 +137,9 @@ spec:
           {{- with .Values.dns01RecursiveNameservers }}
           - --dns01-recursive-nameservers={{ . }}
           {{- end }}
+          {{- if .Values.disableAutoApproval }}
+          - --controllers=-certificaterequests-approver
+          {{- end }}
           ports:
           - containerPort: 9402
             name: http-metrics

deploy/charts/cert-manager/templates/rbac.yaml

@@ -474,6 +474,8 @@ rules:
 
 ---
 
+{{- if not .Values.disableAutoApproval -}}
+
 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -489,7 +491,12 @@ rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["signers"]
     verbs: ["approve"]
-    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
+    {{- with .Values.approveSignerNames }}
+    resourceNames:
+    {{- range . }}
+    - {{ . | quote }}
+    {{- end  }}
+    {{- end }}
 
 ---
 
@@ -514,6 +521,8 @@ subjects:
 
 ---
 
+{{- end -}}
+
 # Permission to:
 # - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers

deploy/charts/cert-manager/values.yaml

@@ -241,6 +241,23 @@ dns01RecursiveNameservers: ""
 # Enabling this option could cause the DNS01 self check to take longer owing to caching performed by the recursive nameservers.
 dns01RecursiveNameserversOnly: false
 
+# Option to disable cert-manager's build-in auto-approver. The auto-approver
+# approves all CertificateRequests that reference issuers matching the 'approveSignerNames'
+# option. This 'disableAutoApproval' option is useful when you want to make all approval decisions
+# using a different approver (like approver-policy - https://github.com/cert-manager/approver-policy).
+disableAutoApproval: false
+
+# List of signer names that cert-manager will approve by default. CertificateRequests
+# referencing these signer names will be auto-approved by cert-manager. Defaults to just
+# approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty
+# array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval,
+# because eg. you are using approver-policy, you can enable 'disableAutoApproval'.
+# ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
+# +docs:property
+approveSignerNames:
+- issuers.cert-manager.io/*
+- clusterissuers.cert-manager.io/*
+
 # Additional command line flags to pass to cert-manager controller binary.
 # To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.
 #