From 842a3abf2aba89ece6158b72619bdf7a423ca13f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lukas=20W=C3=B6hrl?=
Date: Thu, 16 Feb 2023 14:47:38 +0100
Subject: [PATCH 1/2] feat: Restrict to namespace from the controller level
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Lukas Wöhrl
---
 charts/aws-pca-issuer/values.yaml | 1 -
 main.go | 4 ++++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/charts/aws-pca-issuer/values.yaml b/charts/aws-pca-issuer/values.yaml
index e93ec97e..747cc4b2 100644
--- a/charts/aws-pca-issuer/values.yaml
+++ b/charts/aws-pca-issuer/values.yaml
@@ -31,7 +31,6 @@ service:
 type: ClusterIP
 port: 8080
 
-
 # Options for configuring a target ServiceAccount with the role to approve
 # all awspca.cert-manager.io requests.
 approverRole:
diff --git a/main.go b/main.go
index 0c4b6d8a..da5f1920 100644
--- a/main.go
+++ b/main.go
@@ -53,6 +53,7 @@ func init() {
 
 func main() {
 var metricsAddr string
+ var restrictToNamespace string
 var enableLeaderElection bool
 var probeAddr string
 var disableApprovedCheck bool
@@ -64,6 +65,8 @@ func main() {
 "Enabling this will ensure there is only one active controller manager.")
 flag.BoolVar(&disableApprovedCheck, "disable-approved-check", false,
 "Disables waiting for CertificateRequests to have an approved condition before signing.")
+ flag.StringVar(&restrictToNamespace, "restrict-to-namespace", os.Getenv("RESTRICT_TO_NAMESPACE"),
+ "Restrict the controller to only process CertificateRequests in a specific namespace.")
 
 opts := zap.Options{
 Development: false,
@@ -80,6 +83,7 @@ func main() {
 HealthProbeBindAddress: probeAddr,
 LeaderElection: enableLeaderElection,
 LeaderElectionID: "b858308c.awspca.cert-manager.io",
+ Namespace: restrictToNamespace,
 })
 if err != nil {
 setupLog.Error(err, "unable to start manager")
From cbb6f1125fe97d70f76d19bba8a1f6cce269f1b9 Mon Sep 17 00:00:00 2001
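Review bot: The help text on the added `flag.StringVar` understates what the flag does: the value is handed to the manager as its `Namespace` in the next hunk, which in controller-runtime scopes the manager's cache for every namespaced type it watches, so AWSPCAIssuer objects outside that namespace are ignored as well, not only CertificateRequests. Suggest `"Restrict the controller to watch namespaced resources (CertificateRequests, AWSPCAIssuers) in this namespace only; empty means all namespaces."`. The default also comes straight from `RESTRICT_TO_NAMESPACE` without trimming or validation, so a trailing space or a typo quietly yields a manager that watches nothing; at minimum trim the value (the file would need `strings` imported) and log the effective namespace at startup. main's body continues on both sides of the hunk.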
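Review bot: `Namespace: restrictToNamespace` narrows what the manager watches, but it is not a security boundary on its own: the ServiceAccount keeps whatever RBAC the chart grants (presumably a ClusterRole, since AWSPCAClusterIssuer is cluster-scoped), and nothing in this series changes that or wires `--restrict-to-namespace` / `RESTRICT_TO_NAMESPACE` through the chart, the values.yaml hunk only drops a blank line. To actually confine a misconfigured or compromised issuer to one namespace, the deployment needs a namespace-scoped Role/RoleBinding in place of the cluster-wide grant, and the chart should expose the setting so both are set together. A comment on the new line would make this explicit: `// Namespace scopes the manager's cache only; pair it with a namespace-scoped Role, it does not reduce the ServiceAccount's permissions.` `ctrl.Options.Namespace` is also deprecated in newer controller-runtime releases in favour of `Cache.DefaultNamespaces`, which is worth checking against the version pinned in go.mod.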
From: =?UTF-8?q?Lukas=20W=C3=B6hrl?=
Date: Fri, 17 Feb 2023 08:39:01 +0100
Subject: [PATCH 2/2] disable AWSPCAClusterIssuer if namespace restriction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Lukas Wöhrl
---
 main.go | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/main.go b/main.go
index da5f1920..80365e24 100644
--- a/main.go
+++ b/main.go
@@ -97,6 +97,7 @@ func main() {
 Recorder: mgr.GetEventRecorderFor("awspcaissuer-controller"),
 GetCallerIdentity: true,
 }
+
 if err = (&controllers.AWSPCAIssuerReconciler{
 Client: mgr.GetClient(),
 Log: ctrl.Log.WithName("controllers").WithName("AWSPCAIssuer"),
@@ -106,15 +107,21 @@ func main() {
 setupLog.Error(err, "unable to create controller", "controller", "AWSPCAIssuer")
 os.Exit(1)
 }
- if err = (&controllers.AWSPCAClusterIssuerReconciler{
- Client: mgr.GetClient(),
- Log: ctrl.Log.WithName("controllers").WithName("AWSPCAClusterIssuer"),
- Scheme: mgr.GetScheme(),
- GenericController: genericIssuerController,
- }).SetupWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create controller", "controller", "AWSPCAClusterIssuer")
- os.Exit(1)
+
+ if restrictToNamespace != "" {
+ setupLog.Info("restricting controller to namespace, disable AWSPCAClusterIssuer controller", "namespace", restrictToNamespace)
+ } else {
+ if err = (&controllers.AWSPCAClusterIssuerReconciler{
+ Client: mgr.GetClient(),
+ Log: ctrl.Log.WithName("controllers").WithName("AWSPCAClusterIssuer"),
+ Scheme: mgr.GetScheme(),
+ GenericController: genericIssuerController,
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "AWSPCAClusterIssuer")
+ os.Exit(1)
+ }
 }
+
 if err = (&controllers.CertificateRequestReconciler{
 Client: mgr.GetClient(),
 Log: ctrl.Log.WithName("controllers").WithName("CertificateRequest"),
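Review bot: Skipping the AWSPCAClusterIssuer controller leaves the CertificateRequest reconciler, whose registration starts at the end of this hunk and whose body is elsewhere, unaware of the restriction: if it still resolves `issuerRef.kind: AWSPCAClusterIssuer`, a request in the restricted namespace can reference a cluster issuer that nothing reconciles (cluster-scoped objects are, as far as I know, not filtered by the manager's `Namespace` setting), and what happens then depends on whether that reconciler checks the issuer's Ready condition. Either pass the restriction into the CertificateRequestReconciler so it rejects cluster-issuer references with a clear event, or state the limitation in the flag's help text. Stylistically, the `} else {` wrapping a lone `if` should collapse to `} else if err = (&controllers.AWSPCAClusterIssuerReconciler{` with the inner closing `}` dropped, and the log line reads better as `"namespace restriction set, disabling AWSPCAClusterIssuer controller"`. main's body continues on both sides of the hunk.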