Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Helm options to extend auto-approval or disable it #7049

Merged
merged 3 commits into from
May 28, 2024

Conversation

inteon
Copy link
Member

@inteon inteon commented May 23, 2024

This PR adds Helm options to simplify configuring the build-in cert-manager auto-approver.

  1. It adds the option to approve external issuers (including an "approve all external issuers" options)
  2. It adds the option to easily disable the auto-approver

This will simplify installing cert-manager combined with an external issuer or in combination with approver-policy (https://cert-manager.io/docs/policy/approval/approver-policy/installation/).

Fixes #6521

NOTE: We will keep the default "only approve cert-manager.io Issuer and ClusterIssuer" rule. In approver-policy and csi-driver-spiffe, we removed this constraint. The reason we keep the constraint here is because cert-manager's auto-approver will automatically approve all CertificateRequests that it can approve (which is not the case for approver-policy and csi-driver-spiffe). To prevent breaking existing setups (prevent two approvers from racing to approve the same resource), we will not expand the default set of issuers.

Kind

/kind feature

Release Note

If the `--controllers` flag only specifies disabled controllers, the default controllers are now enabled implicitly.
Added `disableAutoApproval` and `approveSignerNames` Helm chart options.

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@cert-manager-prow cert-manager-prow bot added kind/feature Categorizes issue or PR as related to a new feature. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/deploy Indicates a PR modifies deployment configuration size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 23, 2024
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@ThatsMrTalbot
Copy link
Contributor

/lgtm

@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label May 23, 2024
@SgtCoDFish
Copy link
Member

/test pull-cert-manager-master-make-test

Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple of bits - what do you think?

deploy/charts/cert-manager/values.yaml Show resolved Hide resolved
Comment on lines +140 to +142
{{- if .Values.disableAutoApproval }}
- --controllers=-certificaterequests-approver
{{- end }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: I think this could use manual testing to confirm that it does what's expected. Notably this looks different to how we set this in docs which is usually --controllers=*\,-certificaterequests-approver'

I'm not saying this is wrong, but I think it would be helpful to show that it's right in the PR description!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, how does this interact with someone setting the --controllers flag through extraArgs in the chart?

Copy link
Member Author

@inteon inteon May 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was just testing this and there seems to be an issue still:

This table describes the current behavior:

input controllers
flags:
*
--controllers=
--controllers=-certificaterequests-approver
--controllers= --controllers=-certificaterequests-approver
--controllers=test --controllers=-certificaterequests-approver test
--controllers=* --controllers=-certificaterequests-approver * - certificaterequests-approver
--controllers=* --controllers=test --controllers=-certificaterequests-approver * + test - certificaterequests-approver
configfile:
{} *
{controllers: []} *
{controllers: [ "*" ]} *
{controllers: [ "-certificaterequests-approver" ]}
{controllers: [ "test", "-certificaterequests-approver" ]} test

It is clear that there is no way to specify that the certificaterequests-approver controller should be disabled regardless of the other values passed to --controllers (if nothing is passed to --controllers, setting --controllers=-certificaterequests-approver disables all controllers).

I wonder if we should change the logic behind --controllers and make it behave as follows:

input controllers
flags:
*
--controllers=
--controllers=-certificaterequests-approver *
--controllers= --controllers=-certificaterequests-approver *
--controllers=test --controllers=-certificaterequests-approver test
--controllers=* --controllers=-certificaterequests-approver * - certificaterequests-approver
--controllers=* --controllers=test --controllers=-certificaterequests-approver * + test - certificaterequests-approver
configfile:
{} *
{controllers: []} *
{controllers: [ "*" ]} *
{controllers: [ "-certificaterequests-approver" ]} *
{controllers: [ "test", "-certificaterequests-approver" ]} test

This would allow us to specify flags more independently.
Additionally, this should cause minimal breakage since it is currently not useful to specify just --controllers=-certificaterequests-approver.

Copy link
Member

@SgtCoDFish SgtCoDFish May 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think what you propose is pretty unsurprising for a user, and it wouldn't be bad. In a different place you said that our current logic is mirroring k8s - it'd be good to know if there's a reason they chose to do it the way they did.

I think an alternative approach (given that the only controller regularly disabled this way) is to add an entirely new flag, --disable-default-approver.

Obviously that's making a special case out of the default approver, but I think it is a special case.

I'd envision that first we'd parse the --controllers flag, and then afterwards if --disable-default-approver is set, remove the defeault approver from the list of controllers if it's present.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The upstream implementation has not changed much since its introduction in 2017: kubernetes/kubernetes#39740.
I don't think they specifically looked at this specific situation (a setup with only negative controller selectors).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I implemented the proposed change in this commit: 985607b

@cert-manager-prow cert-manager-prow bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 23, 2024
… enable all default controllers

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@cert-manager-prow cert-manager-prow bot removed the lgtm Indicates that a PR is ready to be merged. label May 24, 2024
@inteon inteon added this to the 1.15 milestone May 24, 2024
@inteon inteon requested a review from SgtCoDFish May 27, 2024 07:31
@inteon inteon dismissed SgtCoDFish’s stale review May 28, 2024 10:07

Fixed/ addressed

@ThatsMrTalbot
Copy link
Contributor

I think the new option behaviour makes sense. I think a dedicated flag would be nice long term, but this is a good start for install UX.
/lgtm

@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label May 28, 2024
@inteon
Copy link
Member Author

inteon commented May 28, 2024

/approve

@cert-manager-prow
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 28, 2024
@inteon
Copy link
Member Author

inteon commented May 28, 2024

/unhold

@cert-manager-prow cert-manager-prow bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 28, 2024
@cert-manager-prow cert-manager-prow bot merged commit c7f1ba7 into cert-manager:master May 28, 2024
6 checks passed
@inteon
Copy link
Member Author

inteon commented May 28, 2024

/cherrypick release-1.15

@cert-manager-bot
Copy link
Contributor

@inteon: failed to push cherry-picked changes in GitHub: error pushing "cherry-pick-7049-to-release-1.15": exit status 1 To https://github.com/cert-manager-bot/cert-manager
! [remote rejected] cherry-pick-7049-to-release-1.15 -> cherry-pick-7049-to-release-1.15 (refusing to allow a Personal Access Token to create or update workflow .github/workflows/govulncheck.yaml without workflow scope)
error: failed to push some refs to 'https://github.com/cert-manager-bot/cert-manager'

In response to this:

/cherrypick release-1.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@inteon
Copy link
Member Author

inteon commented May 28, 2024

/cherrypick release-1.15

@cert-manager-bot
Copy link
Contributor

@inteon: new pull request created: #7054

In response to this:

/cherrypick release-1.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/deploy Indicates a PR modifies deployment configuration dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add an approveSignerNames install option
4 participants