Skip to content

Commit

Permalink
Merge pull request #1497 from inteon/new_helm_options
Browse files Browse the repository at this point in the history
Update documentation with new approval Helm chart options
  • Loading branch information
cert-manager-prow[bot] authored Jun 6, 2024
2 parents 5726233 + 8da1e0b commit 94db0d9
Show file tree
Hide file tree
Showing 3 changed files with 30 additions and 51 deletions.
23 changes: 9 additions & 14 deletions content/docs/policy/approval/approver-policy/installation.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,37 +17,32 @@ If you install cert-manager using `helm install` or `helm upgrade`,
you can disable the default approver by [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing) using the `--set` or `--values` command line flags:

```
# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later.
# Example --set value
--set extraArgs={--controllers='*\,-certificaterequests-approver'} # ⚠ Disable cert-manager's built-in approver
--set disableAutoApproval=true
```

```yaml
# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later.

# Example --values file content
extraArgs:
- "--controllers=*,-certificaterequests-approver" # ⚠ Disable cert-manager's built-in approver
disableAutoApproval: true
```
Here's a example which reconfigure an installed cert-manager to run without auto-approver:
```terminal
# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later.

existing_cert_manager_version=$(helm get metadata -n cert-manager cert-manager | grep '^VERSION' | awk '{ print $2 }')
helm upgrade cert-manager jetstack/cert-manager \
--reuse-values \
--namespace cert-manager \
--version $existing_cert_manager_version \
--set extraArgs={--controllers='*\,-certificaterequests-approver'} # ⚠ Disable cert-manager's built-in approver
--set disableAutoApproval=true
```

> ℹ️ Be sure to customize the cert-manager controller `extraArgs`,
> which are at the top level of the values file.
> *Do not* change the `webhook.extraArgs`, `startupAPICheck.extraArgs` or `cainjector.extraArgs` settings.
>
> ⚠️ If you are reconfiguring an already installed cert-manager,
> check whether the original installation already customized the `extraArgs` value
> by running `helm get values cert-manager --namespace cert-manager`.
> If there are already `extraArgs` values, merge those with the extra `--controllers` value.
> Otherwise your original `extraArgs` values will be overwritten.
### 2. Install approver-policy

To install approver-policy:
Expand Down
52 changes: 17 additions & 35 deletions content/docs/usage/certificaterequest.md
Original file line number Diff line number Diff line change
Expand Up @@ -162,47 +162,29 @@ automatically approve _all_ CertificateRequests that reference any internal
issuer type in any namespace: `cert-manager.io/Issuer`,
`cert-manager.io/ClusterIssuer`.

To disable this controller, add the following argument to the
cert-manager-controller: `--controllers=*,-certificaterequests-approver`. This
can be achieved with helm by appending:
**Disabling the internal auto approver:**

To disable this controller, in the Helm chart set the `disableAutoApproval` value to `true`:

```bash
--set extraArgs={--controllers='*\,-certificaterequests-approver'}
# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later.
--set disableAutoApproval=true
```

**Approving additional issuers using the internal auto approver:**

Alternatively, in order for the internal approver controller to approve
CertificateRequests that reference an external issuer, add the following RBAC to
the cert-manager-controller Service Account. Please replace the given resource
names with the relevant names:
CertificateRequests that reference an external issuer, in the Helm chart add the
issuers to the `approveSignerNames` list, or set the `approveSignerNames` value
to an empty list to approve all issuers (internal and external).

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-approve:my-issuer-example-com # edit
rules:
- apiGroups:
- cert-manager.io
resources:
- signers
verbs:
- approve
resourceNames:
- issuers.my-issuer.example.com/* # edit
- clusterissuers.my-issuer.example.com/* # edit
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-approve:my-issuer-example-com # edit
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-approve:my-issuer-example-com # edit
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
```bash
# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later.
--set approveSignerNames[0]="issuers.cert-manager.io/*" \
--set approveSignerNames[1]="clusterissuers.cert-manager.io/*" \
\
--set approveSignerNames[2]="issuers.my-issuer.example.com/*" \
--set approveSignerNames[3]="clusterissuers.my-issuer.example.com/*"
```

#### RBAC Syntax
Expand Down
6 changes: 4 additions & 2 deletions content/docs/usage/csi-driver-spiffe/installation.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,15 +18,17 @@ race with cert-manager and policy enforcement will become useless.
Policy enforcement is absolutely critical for using csi-driver-spiffe safely. See
the [security considerations](./README.md#security-considerations) section for more details.

Here's a example which reconfigure an installed cert-manager to run without auto-approver:
Here's a example which reconfigure an installed cert-manager (v1.15.0+) to run without auto-approver:

```terminal
# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later.
existing_cert_manager_version=$(helm get metadata -n cert-manager cert-manager | grep '^VERSION' | awk '{ print $2 }')
helm upgrade cert-manager jetstack/cert-manager \
--reuse-values \
--namespace cert-manager \
--version $existing_cert_manager_version \
--set extraArgs={--controllers='*\,-certificaterequests-approver'} # ⚠ Disable cert-manager's built-in approver
--set disableAutoApproval=true
```

### 2. Configure an Issuer / ClusterIssuer
Expand Down

0 comments on commit 94db0d9

Please sign in to comment.