diff --git a/deploy/charts/approver-policy/README.md b/deploy/charts/approver-policy/README.md index 10fd0617..2244c5f5 100644 --- a/deploy/charts/approver-policy/README.md +++ b/deploy/charts/approver-policy/README.md @@ -140,6 +140,34 @@ Extra CLI arguments that will be passed to the approver-policy process. List of signer names that approver-policy will be given permission to approve and deny. CertificateRequests referencing these signer names can be processed by approver-policy. Defaults to an empty array, allowing approval for all signers. ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval +#### **app.usePoliciesRbac.enabled** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Create RBAC to grant permission to use policies. +#### **app.usePoliciesRbac.policyNames** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +List of policies that the referenced service account will be given permission to use. Defaults to an empty array, allowing use of all policies. +#### **app.usePoliciesRbac.serviceAccount.name** ~ `string` +> Default value: +> ```yaml +> cert-manager +> ``` + +Name of ServiceAccount. +#### **app.usePoliciesRbac.serviceAccount.namespace** ~ `string` +> Default value: +> ```yaml +> cert-manager +> ``` + +Namespace of ServiceAccount. #### **app.metrics.port** ~ `number` > Default value: > ```yaml diff --git a/deploy/charts/approver-policy/templates/use-policies-clusterrole.yaml b/deploy/charts/approver-policy/templates/use-policies-clusterrole.yaml new file mode 100644 index 00000000..1702ecc8 --- /dev/null +++ b/deploy/charts/approver-policy/templates/use-policies-clusterrole.yaml 
@@ -0,0 +1,18 @@
+{{ if .Values.app.usePoliciesRbac.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+ {{- include "cert-manager-approver-policy.labels" . | nindent 4 }}
+ name: {{ printf "%s:%s" (include "cert-manager-approver-policy.name" .) "use" }}
+rules:
+- apiGroups: ["policy.cert-manager.io"]
+ resources: ["certificaterequestpolicies"]
+ verbs: ["use"]
+ {{- with .Values.app.usePoliciesRbac.policyNames }}
+ resourceNames:
+ {{- range . }}
+ - "{{ . }}"
+ {{- end }}
+ {{- end }}
+{{ end }}
diff --git a/deploy/charts/approver-policy/templates/use-policies-clusterrolebinding.yaml b/deploy/charts/approver-policy/templates/use-policies-clusterrolebinding.yaml
new file mode 100644
index 00000000..987d506f
--- /dev/null
+++ b/deploy/charts/approver-policy/templates/use-policies-clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{ if .Values.app.usePoliciesRbac.enabled }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+ {{- include "cert-manager-approver-policy.labels" . | nindent 4 }}
+ name: {{ printf "%s:%s" (include "cert-manager-approver-policy.name" .) "use" }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ printf "%s:%s" (include "cert-manager-approver-policy.name" .) "use" }}
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.app.usePoliciesRbac.serviceAccount.name }}
+ namespace: {{ .Values.app.usePoliciesRbac.serviceAccount.namespace }}
+{{ end }}
diff --git a/deploy/charts/approver-policy/values.schema.json b/deploy/charts/approver-policy/values.schema.json
index a428c8ba..fe487577 100644
--- a/deploy/charts/approver-policy/values.schema.json
+++ b/deploy/charts/approver-policy/values.schema.json
@@ -104,6 +104,9 @@
 "readinessProbe": {
 "$ref": "#/$defs/helm-values.app.readinessProbe"
 },
+ "usePoliciesRbac": {
+ "$ref": "#/$defs/helm-values.app.usePoliciesRbac"
+ },
 "webhook": {
 "$ref": "#/$defs/helm-values.app.webhook"
 }
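Review bot: The `resourceNames` entries are emitted as `- "{{ . }}"`, which produces broken YAML if a policy name contains a double quote and is the only hand-quoted templated value in the file; `- {{ . | quote }}` renders identically for ordinary names and escapes the rest. Because the `with` block is skipped for an empty `policyNames`, the rule then carries no `resourceNames` and the `use` verb covers every CertificateRequestPolicy in the cluster, which is the chart's default; a template comment above the `with` line such as `{{/* no policyNames: no resourceNames, so the grant covers all policies */}}` would make that visible to anyone reading the template. The hand-quoting versus `quote` point also applies to the ServiceAccount name and namespace in the ClusterRoleBinding template, where the values are rendered with no quoting at all.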
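Review bot: `name: {{ .Values.app.usePoliciesRbac.serviceAccount.name }}` and the `namespace:` line after it render the values unquoted, so a value that YAML reads as a non-string (an all-digit label is a valid namespace name) or an empty value comes out as a number or `null`, and the mistake only surfaces when the API server rejects the object rather than at `helm template` time; `name: {{ .Values.app.usePoliciesRbac.serviceAccount.name | quote }}` and the same `| quote` on `namespace:` keep them strings, and wrapping each in `required "app.usePoliciesRbac.serviceAccount.name must be set" …` rejects an empty value during rendering. The binding is cluster-scoped, so the subject receives `use` on the referenced policies regardless of the namespace a CertificateRequest lives in; whether a namespaced RoleBinding would also satisfy the approver's `use` check is not shown here, so I would confirm that before offering a `kind` toggle for users who want a narrower grant.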
@@ -234,6 +237,54 @@
 "description": "The container port to expose approver-policy HTTP readiness probe on default network interface.",
 "type": "number"
 },
+ "helm-values.app.usePoliciesRbac": {
+ "additionalProperties": false,
+ "properties": {
+ "enabled": {
+ "$ref": "#/$defs/helm-values.app.usePoliciesRbac.enabled"
+ },
+ "policyNames": {
+ "$ref": "#/$defs/helm-values.app.usePoliciesRbac.policyNames"
+ },
+ "serviceAccount": {
+ "$ref": "#/$defs/helm-values.app.usePoliciesRbac.serviceAccount"
+ }
+ },
+ "type": "object"
+ },
+ "helm-values.app.usePoliciesRbac.enabled": {
+ "default": true,
+ "description": "Create RBAC to grant permission to use policies.",
+ "type": "boolean"
+ },
+ "helm-values.app.usePoliciesRbac.policyNames": {
+ "default": [],
+ "description": "List of policies that the referenced service account will be given permission to use. Defaults to an empty array, allowing use of all policies.",
+ "items": {},
+ "type": "array"
+ },
+ "helm-values.app.usePoliciesRbac.serviceAccount": {
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "$ref": "#/$defs/helm-values.app.usePoliciesRbac.serviceAccount.name"
+ },
+ "namespace": {
+ "$ref": "#/$defs/helm-values.app.usePoliciesRbac.serviceAccount.namespace"
+ }
+ },
+ "type": "object"
+ },
+ "helm-values.app.usePoliciesRbac.serviceAccount.name": {
+ "default": "cert-manager",
+ "description": "Name of ServiceAccount.",
+ "type": "string"
+ },
+ "helm-values.app.usePoliciesRbac.serviceAccount.namespace": {
+ "default": "cert-manager",
+ "description": "Namespace of ServiceAccount.",
+ "type": "string"
+ },
 "helm-values.app.webhook": {
 "additionalProperties": false,
 "properties": {
diff --git a/deploy/charts/approver-policy/values.yaml b/deploy/charts/approver-policy/values.yaml
index 5f7b4a68..945b6e1c 100644
--- a/deploy/charts/approver-policy/values.yaml
+++ b/deploy/charts/approver-policy/values.yaml
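Review bot: `"items": {}` in `helm-values.app.usePoliciesRbac.policyNames` accepts any item type, so a number or a nested object in `policyNames` passes chart validation and only surfaces as a malformed `resourceNames` entry in the rendered ClusterRole; `"items": { "type": "string" }` rejects it before rendering. `serviceAccount.name` and `serviceAccount.namespace` likewise accept the empty string, which renders a binding with a blank subject; a `"minLength": 1` on both would catch that at validation time. The `helm-values.` key style suggests this file is generated from values.yaml, in which case the constraints should be expressed in the values.yaml annotations so regeneration does not drop them.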
@@ -75,6 +75,19 @@ app: # +docs:property approveSignerNames: [] + usePoliciesRbac: + # Create RBAC to grant permission to use policies. + enabled: true + # List of policies that the referenced service account will be given permission to + # use. Defaults to an empty array, allowing use of all policies. + policyNames: [] + # The ServiceAccount granted permission to use policies. + serviceAccount: + # Name of ServiceAccount. + name: cert-manager + # Namespace of ServiceAccount. + namespace: cert-manager + metrics: # Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'. port: 9402
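Review bot: The comment on `policyNames` says an empty array allows use of all policies but not that this is the default and that the grant is cluster-wide, so a reader of `values.yaml` can miss that the chart now binds the `cert-manager` ServiceAccount to `use` on every CertificateRequestPolicy out of the box; I would extend it to `# use. Defaults to an empty array, which grants use of every CertificateRequestPolicy in the cluster; list policy names to scope the grant.` Operators who already created their own RBAC for this ServiceAccount now get a second, broader grant, which deserves a sentence above `enabled: true`, e.g. `# Set to false if you manage this RBAC yourself.` The enclosing `app:` mapping starts before the hunk.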