
group 'cert-manager.io' does not work #179

Closed
leotomas837 opened this issue Dec 16, 2022 · 4 comments

Comments

leotomas837 commented Dec 16, 2022

The patch-operator chart installs a self-signed issuer here, yet the following policy is not considered by the approver policy (Request is not applicable for any policy so ignoring when describing the CR). It works by changing group: cert-manager.io to group: '*'. It should work with group: cert-manager.io as described in the policy examples of your repository; is this due to the fact that it is a self-signed issuer?

And as you can see in the link of the patch-operator chart I put, the self-signed issuer is of type Issuer from group cert-manager.io.

Here is the policy:

apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: patch-operator
spec:
  allowed:
    isCA: false
    dnsNames:
      required: true
      values:
        - patch-operator-webhook-service.patch-operator.svc
        - patch-operator-webhook-service.patch-operator.svc.cluster.local
        - patch-operator-controller-manager-metrics-service.patch-operator.svc
        - patch-operator-controller-manager-metrics-service.patch-operator.svc.cluster.local
  constraints:
    minDuration: 2160h
    maxDuration: 2160h
    privateKey:
      algorithm: RSA
      minSize: 2048
      maxSize: 2048
  selector:
    issuerRef:
      name: selfsigned-issuer
      kind: Issuer
      group: cert-manager.io # needs to be '*' otherwise 'cert-manager.io' does not work, bug. Maybe specific to selfsigned issuers?
sastorsl commented Mar 29, 2023

I see this happens if the Certificate does not contain a group at all.
I would expect the request policy to match the group anyway as long as it is there, so this behavior is a bit "off".

Policy fails to match the linked CertificateRequest

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate-example
  namespace: test
spec:
  dnsNames:
  - name.local
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned-issuer
    # group: cert-manager.io
  secretName: certificate-example

Policy will match the linked CertificateRequest

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate-example
  namespace: test
spec:
  dnsNames:
  - name.local
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned-issuer
    group: cert-manager.io
  secretName: certificate-example

erikgb commented Jun 18, 2023

@leotomas837 I think you are observing the same issue as @sastorsl. The problem with the patch-operator is that the issuerRef does not contain any group here and here.

Even if approver-policy is under the cert-manager umbrella, I think it doesn't make sense to require the issuer-matcher to match a blank issuer group with cert-manager.io group. This could be improved in cert-manager though, by defaulting the issuerRef.group to cert-manager.io. WDYT @inteon?

Suggest closing this issue.

leotomas837 commented Jun 18, 2023

@sastorsl @erikgb
Thank you both for jumping in! Awesome suggestion.

I am unable to test right now as we stopped using the patch-operator due to finding a better alternative, and the patch-operator does not look maintained anymore.
I will have more time in 2 weeks to test on a Kind cluster and come back to you about this.

I am closing the issue for now and will re-open if the issue persists.

@ArsenyBelorukov

I wanted to allow all CertificateRequests with Issuers and had the same issue.
The fields Kind and Group are frequently omitted because they have the Issuer and cert-manager.io values by default.
At first, I had the idea to create a simple patch ArsenyBelorukov@5a7f9b5
But then I just created several combinations of CertificateRequestPolicies:

kind: CertificateRequestPolicy
metadata:
  name: allow-all-issuers
...
  selector:
    issuerRef:
      kind: "Issuer"
      group: "cert-manager.io"
---
kind: CertificateRequestPolicy
metadata:
  name: allow-all-issuers-empty-kind
...
  selector:
    issuerRef:
      kind: ""
      group: "cert-manager.io"
---
kind: CertificateRequestPolicy
metadata:
  name: allow-all-issuers-empty-group
...
  selector:
    issuerRef:
      kind: "Issuer"
      group: ""
---
kind: CertificateRequestPolicy
metadata:
  name: allow-all-issuers-empty-kind-group
...
  selector:
    issuerRef:
      kind: ""
      group: ""
---

It works.
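The matching behaviour described in this thread (an empty issuerRef.group is not equal to cert-manager.io, and '*' matches any group), modelled as an added Go example that is not approver-policy's own code; it assumes that each selector field is either the wildcard "*" or must equal the request field exactly, which is what the comments above observe. It also shows why the explicit-group plus empty-group policy pair is narrower than the '*' workaround: the wildcard also admits requests that name an external issuer group.

```go
package main

import "fmt"

// IssuerRef holds the three fields of a cert-manager issuerRef.
type IssuerRef struct {
	Name, Kind, Group string
}

// fieldMatches models one selector field as observed in the thread:
// "*" matches anything, otherwise the request value must equal the
// selector value exactly, so "" only matches a request that omitted
// the field. (Assumed model of the reported behaviour, not the project's code.)
func fieldMatches(selector, value string) bool {
	return selector == "*" || selector == value
}

// IssuerRefMatches reports whether a policy's selector.issuerRef applies to a request.
func IssuerRefMatches(selector, req IssuerRef) bool {
	return fieldMatches(selector.Name, req.Name) &&
		fieldMatches(selector.Kind, req.Kind) &&
		fieldMatches(selector.Group, req.Group)
}

// AnyPolicyMatches reports whether at least one policy selector applies to the request.
func AnyPolicyMatches(selectors []IssuerRef, req IssuerRef) bool {
	for _, s := range selectors {
		if IssuerRefMatches(s, req) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed requests: group omitted (as patch-operator does) and group set explicitly.
	noGroup := IssuerRef{Name: "selfsigned-issuer", Kind: "Issuer", Group: ""}
	withGroup := IssuerRef{Name: "selfsigned-issuer", Kind: "Issuer", Group: "cert-manager.io"}
	// The policy from the issue: the explicit group does not match the group-less request.
	explicit := IssuerRef{Name: "selfsigned-issuer", Kind: "Issuer", Group: "cert-manager.io"}
	fmt.Println(IssuerRefMatches(explicit, noGroup), IssuerRefMatches(explicit, withGroup)) // false true
	// Two policies cover both spellings without admitting a constructed external issuer group.
	pair := []IssuerRef{explicit, {Name: "selfsigned-issuer", Kind: "Issuer", Group: ""}}
	external := IssuerRef{Name: "selfsigned-issuer", Kind: "Issuer", Group: "example.com"}
	fmt.Println(AnyPolicyMatches(pair, noGroup), AnyPolicyMatches(pair, external)) // true false
	// The '*' workaround from the first comment matches the external group as well.
	wildcard := IssuerRef{Name: "selfsigned-issuer", Kind: "Issuer", Group: "*"}
	fmt.Println(IssuerRefMatches(wildcard, external)) // true
}
```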
