Merge pull request #416 from SgtCoDFish/allow-all-signers

Default to allowing all signers for approval
cert-manager · Apr 18, 2024 · 8b591a5 · 8b591a5
2 parents 1877d65 + 8cd1aa7
commit 8b591a5
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 15 deletions.
diff --git a/deploy/charts/approver-policy/README.md b/deploy/charts/approver-policy/README.md
diff --git a/deploy/charts/approver-policy/templates/clusterrole.yaml b/deploy/charts/approver-policy/templates/clusterrole.yaml
@@ -24,10 +24,12 @@ rules:
 - apiGroups: ["cert-manager.io"]
   resources: ["signers"]
   verbs: ["approve"]
+  {{- with .Values.app.approveSignerNames }}
   resourceNames:
-  {{- range .Values.app.approveSignerNames }}
+  {{- range . }}
    - "{{ . }}"
   {{- end  }}
+  {{- end }}
 
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings"]

diff --git a/deploy/charts/approver-policy/values.schema.json b/deploy/charts/approver-policy/values.schema.json
@@ -108,11 +108,8 @@
       "type": "object"
     },
     "helm-values.app.approveSignerNames": {
-      "default": [
-        "issuers.cert-manager.io/*",
-        "clusterissuers.cert-manager.io/*"
-      ],
-      "description": "List of signer names that approver-policy will be given permission to approve and deny. CertificateRequests referencing these signer names can be processed by approver-policy.\n\nref: https://cert-manager.io/docs/concepts/certificaterequest/#approval",
+      "default": [],
+      "description": "List of signer names that approver-policy will be given permission to approve and deny. CertificateRequests referencing these signer names can be processed by approver-policy. Defaults to an empty array, allowing approval for all signers.\nref: https://cert-manager.io/docs/concepts/certificaterequest/#approval",
       "items": {},
       "type": "array"
     },

diff --git a/deploy/charts/approver-policy/values.yaml b/deploy/charts/approver-policy/values.yaml
@@ -67,13 +67,11 @@ app:
 
   # List of signer names that approver-policy will be given permission to
   # approve and deny. CertificateRequests referencing these signer names can be
-  # processed by approver-policy.
-  #
+  # processed by approver-policy. Defaults to an empty array, allowing approval
+  # for all signers.
   # ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
   # +docs:property
-  approveSignerNames:
-  - "issuers.cert-manager.io/*"
-  - "clusterissuers.cert-manager.io/*"
+  approveSignerNames: []
 
   metrics:
     # Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.