diff --git a/content/docs/policy/approval/approver-policy/installation.md b/content/docs/policy/approval/approver-policy/installation.md index 3d2f506d551..9204c454217 100644 --- a/content/docs/policy/approval/approver-policy/installation.md +++ b/content/docs/policy/approval/approver-policy/installation.md @@ -17,37 +17,32 @@ If you install cert-manager using `helm install` or `helm upgrade`, you can disable the default approver by [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing) using the `--set` or `--values` command line flags: ``` +# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later. + # Example --set value ---set extraArgs={--controllers='*\,-certificaterequests-approver'} # ⚠ Disable cert-manager's built-in approver +--set disableAutoApproval=true ``` ```yaml +# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later. + # Example --values file content -extraArgs: - - "--controllers=*,-certificaterequests-approver" # ⚠ Disable cert-manager's built-in approver +disableAutoApproval: true ``` Here's a example which reconfigure an installed cert-manager to run without auto-approver: ```terminal +# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later. + existing_cert_manager_version=$(helm get metadata -n cert-manager cert-manager | grep '^VERSION' | awk '{ print $2 }') helm upgrade cert-manager jetstack/cert-manager \ --reuse-values \ --namespace cert-manager \ --version $existing_cert_manager_version \ - --set extraArgs={--controllers='*\,-certificaterequests-approver'} # ⚠ Disable cert-manager's built-in approver + --set disableAutoApproval=true ``` -> ℹ️ Be sure to customize the cert-manager controller `extraArgs`, -> which are at the top level of the values file. -> *Do not* change the `webhook.extraArgs`, `startupAPICheck.extraArgs` or `cainjector.extraArgs` settings. -> -> ⚠️ If you are reconfiguring an already installed cert-manager, -> check whether the original installation already customized the `extraArgs` value -> by running `helm get values cert-manager --namespace cert-manager`. -> If there are already `extraArgs` values, merge those with the extra `--controllers` value. -> Otherwise your original `extraArgs` values will be overwritten. - ### 2. Install approver-policy To install approver-policy: diff --git a/content/docs/usage/certificaterequest.md b/content/docs/usage/certificaterequest.md index 2b5a27c927c..7afa1087e92 100644 --- a/content/docs/usage/certificaterequest.md +++ b/content/docs/usage/certificaterequest.md @@ -162,47 +162,29 @@ automatically approve _all_ CertificateRequests that reference any internal issuer type in any namespace: `cert-manager.io/Issuer`, `cert-manager.io/ClusterIssuer`. -To disable this controller, add the following argument to the -cert-manager-controller: `--controllers=*,-certificaterequests-approver`. This -can be achieved with helm by appending: +**Disabling the internal auto approver:** + +To disable this controller, in the Helm chart set the `disableAutoApproval` value to `true`: ```bash ---set extraArgs={--controllers='*\,-certificaterequests-approver'} +# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later. +--set disableAutoApproval=true ``` +**Approving additional issuers using the internal auto approver:** + Alternatively, in order for the internal approver controller to approve -CertificateRequests that reference an external issuer, add the following RBAC to -the cert-manager-controller Service Account. Please replace the given resource -names with the relevant names: +CertificateRequests that reference an external issuer, in the Helm chart add the +issuers to the `approveSignerNames` list, or set the `approveSignerNames` value +to an empty list to approve all issuers (internal and external). -```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cert-manager-controller-approve:my-issuer-example-com # edit -rules: -- apiGroups: - - cert-manager.io - resources: - - signers - verbs: - - approve - resourceNames: - - issuers.my-issuer.example.com/* # edit - - clusterissuers.my-issuer.example.com/* # edit ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cert-manager-controller-approve:my-issuer-example-com # edit -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-controller-approve:my-issuer-example-com # edit -subjects: -- kind: ServiceAccount - name: cert-manager - namespace: cert-manager +```bash +# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later. +--set approveSignerNames[0]="issuers.cert-manager.io/*" \ +--set approveSignerNames[1]="clusterissuers.cert-manager.io/*" \ +\ +--set approveSignerNames[2]="issuers.my-issuer.example.com/*" \ +--set approveSignerNames[3]="clusterissuers.my-issuer.example.com/*" ``` #### RBAC Syntax diff --git a/content/docs/usage/csi-driver-spiffe/installation.md b/content/docs/usage/csi-driver-spiffe/installation.md index 37da788847c..c2244c8d30d 100644 --- a/content/docs/usage/csi-driver-spiffe/installation.md +++ b/content/docs/usage/csi-driver-spiffe/installation.md @@ -18,15 +18,17 @@ race with cert-manager and policy enforcement will become useless. Policy enforcement is absolutely critical for using csi-driver-spiffe safely. See the [security considerations](./README.md#security-considerations) section for more details. -Here's a example which reconfigure an installed cert-manager to run without auto-approver: +Here's a example which reconfigure an installed cert-manager (v1.15.0+) to run without auto-approver: ```terminal +# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later. + existing_cert_manager_version=$(helm get metadata -n cert-manager cert-manager | grep '^VERSION' | awk '{ print $2 }') helm upgrade cert-manager jetstack/cert-manager \ --reuse-values \ --namespace cert-manager \ --version $existing_cert_manager_version \ - --set extraArgs={--controllers='*\,-certificaterequests-approver'} # ⚠ Disable cert-manager's built-in approver + --set disableAutoApproval=true ``` ### 2. Configure an Issuer / ClusterIssuer