If you use an external certificate issuer and need cert-manager to auto-approve CertificateRequests that reference it, the approver's signer list in the cert-manager configuration must include the external issuer's signer name alongside the two defaults. For the EJBCA issuer the list becomes:
- issuers.cert-manager.io/*
- clusterissuers.cert-manager.io/*
- clusterissuers.ejbca-issuer.keyfactor.com/*
vSphere Supervisor
As https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml#L287 documents, when disableAutoApproval is set to false, the two default values "issuers.cert-manager.io/*" and "clusterissuers.cert-manager.io/*" are used as approveSignerNames.
When cert-manager is installed with the tanzu command, all CRDs and supporting objects are defined in https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.yaml, which includes the following approver ClusterRole:

# Source: cert-manager/templates/rbac.yaml
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-approve:cert-manager-io
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "cert-manager"
    app.kubernetes.io/version: "v1.16.1"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
    resourceNames:
      - "issuers.cert-manager.io/*"
      - "clusterissuers.cert-manager.io/*"
To add clusterissuers.ejbca-issuer.keyfactor.com/* as a new signer name, create the ytt overlay file patch.yaml with the content below (it matches the approver ClusterRole by name and appends the new entry to the resourceNames of its first rule):

cat patch.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"kind":"ClusterRole","metadata":{"name":"cert-manager-controller-approve:cert-manager-io"}}), expects="1+"
---
rules:
#@overlay/match by=overlay.index(0)
- resourceNames:
  #@overlay/append
  - "clusterissuers.ejbca-issuer.keyfactor.com/*"
To apply the overlay to the installed package, run the command below:

tanzu package installed update cert-manager -p cert-manager.tanzu.vmware.com -n default --version 1.16.1+vmware.1-tkg.1 --dangerous-allow-use-of-shared-namespace --ytt-overlay-file patch.yaml
You should see log entries like the following confirming the update:

2:13:36PM: Pausing reconciliation for package installation 'cert-manager' in namespace 'default'
2:13:37PM: Creating overlay secrets
2:13:38PM: Resuming reconciliation for package installation 'cert-manager' in namespace 'default'
2:13:38PM: Waiting for PackageInstall reconciliation for 'cert-manager'
2:13:38PM: Waiting for generation 8 to be observed
2:13:39PM: Fetch started
2:13:39PM: Fetching
            | apiVersion: vendir.k14s.io/v1alpha1
            | directories:
            | - contents:
            |   - imgpkgBundle:
            |       image: #####/#####/packages/#######@sha256:d#####
            |     path: .
            |   path: "0"
            | kind: LockConfig
            |
2:13:39PM: Fetch succeeded
2:13:41PM: Template succeeded
2:13:41PM: Deploy started (1s ago)
2:13:43PM: Deploying
            | Target cluster 'https://<IP>:443' (nodes: <node name>, 1+)
            | Changes
            | Namespace  Name                                             Kind         Age  Op      Op st.  Wait to    Rs  Ri
            | (cluster)  cert-manager-controller-approve:cert-manager-io  ClusterRole  3h   update  -       reconcile  ok  -
            | Op:      0 create, 0 delete, 1 update, 0 noop, 0 exists
            | Wait to: 1 reconcile, 0 delete, 0 noop
            |
2:13:43PM: ---- applying 1 changes [0/1 done] ----
2:13:43PM: Deploy succeeded
The change can be confirmed with the command below:

kubectl -n cert-manager get ClusterRole cert-manager-controller-approve:cert-manager-io -oyaml

rules:
- apiGroups:
  - cert-manager.io
  resourceNames:
  - issuers.cert-manager.io/*
  - clusterissuers.cert-manager.io/*
  - clusterissuers.ejbca-issuer.keyfactor.com/*
  resources:
  - signers
  verbs:
  - approve

Note the new entry "- clusterissuers.ejbca-issuer.keyfactor.com/*" in resourceNames.
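The procedure above adds one signer pattern to the approver ClusterRole. The following Python is an added example, not part of this article and not cert-manager's or Tanzu's code; it models the effect of that change so the before/after state can be checked without a cluster. It derives the signer name cert-manager builds from a CertificateRequest's issuerRef, checks whether the ClusterRole (embedded as a dict copied from the manifest above) covers that signer, reports which required patterns are missing, and applies the same append the ytt overlay performs, idempotently. The issuer name ejbca-cluster-issuer, the function names and the plural-from-kind rule are assumptions of the example.

```python
"""Model cert-manager's auto-approval check against the approver ClusterRole.

Hypothetical example, not code from the KB article, cert-manager or Tanzu.
Assumptions: the ClusterRole is the one from the article, embedded as a dict;
the issuer name 'ejbca-cluster-issuer' is a constructed value; signer names
follow the '<plural>.<group>/<namespace>.<name>' form (cluster-scoped issuers
omit the namespace); a trailing '/*' entry covers every issuer of that kind.
"""
import copy

# Approver ClusterRole as shipped in cert-manager.yaml (values from the article).
APPROVER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cert-manager-controller-approve:cert-manager-io"},
    "rules": [
        {
            "apiGroups": ["cert-manager.io"],
            "resources": ["signers"],
            "verbs": ["approve"],
            "resourceNames": [
                "issuers.cert-manager.io/*",
                "clusterissuers.cert-manager.io/*",
            ],
        }
    ],
}

# Patterns the article says must be present for EJBCA auto-approval.
REQUIRED = [
    "issuers.cert-manager.io/*",
    "clusterissuers.cert-manager.io/*",
    "clusterissuers.ejbca-issuer.keyfactor.com/*",
]

# Cluster-scoped issuer kinds carry no namespace in their signer name.
CLUSTER_SCOPED_KINDS = {"ClusterIssuer"}


def signer_name(group: str, kind: str, name: str, namespace: str) -> str:
    """Build the signer name for a CertificateRequest issuerRef.

    Assumption: the plural resource name is the lower-cased kind plus 's',
    which holds for Issuer and ClusterIssuer kinds.
    """
    plural = kind.lower() + "s"
    if kind in CLUSTER_SCOPED_KINDS:
        return f"{plural}.{group}/{name}"
    return f"{plural}.{group}/{namespace}.{name}"


def approvable_signer_patterns(role: dict) -> list[str]:
    """Collect resourceNames from rules granting 'approve' on cert-manager.io signers."""
    patterns: list[str] = []
    for rule in role.get("rules", []):
        if ("cert-manager.io" in rule.get("apiGroups", [])
                and "signers" in rule.get("resources", [])
                and "approve" in rule.get("verbs", [])):
            patterns.extend(rule.get("resourceNames", []))
    return patterns


def can_auto_approve(role: dict, signer: str) -> bool:
    """True if the signer is listed exactly or covered by a '<plural>.<group>/*' entry."""
    for pattern in approvable_signer_patterns(role):
        if pattern == signer:
            return True
        # 'issuers.cert-manager.io/*' covers any 'issuers.cert-manager.io/<ns>.<name>'
        if pattern.endswith("/*") and signer.startswith(pattern[:-1]):
            return True
    return False


def missing_signer_patterns(role: dict, required: list[str]) -> list[str]:
    """Pre-flight check: which required signer patterns the role does not list."""
    present = set(approvable_signer_patterns(role))
    return [p for p in required if p not in present]


def add_signer_pattern(role: dict, pattern: str) -> dict:
    """Return a copy of the role with the pattern appended to the first rule's
    resourceNames, mirroring the overlay (overlay.index(0) + overlay/append).
    Idempotent, so re-running the update does not duplicate the entry."""
    patched = copy.deepcopy(role)
    names = patched["rules"][0].setdefault("resourceNames", [])
    if pattern not in names:
        names.append(pattern)
    return patched


if __name__ == "__main__":
    ejbca = signer_name("ejbca-issuer.keyfactor.com", "ClusterIssuer",
                        "ejbca-cluster-issuer", "default")
    print("signer:", ejbca)
    print("before patch, approvable:", can_auto_approve(APPROVER_ROLE, ejbca))
    print("before patch, missing:", missing_signer_patterns(APPROVER_ROLE, REQUIRED))
    patched = add_signer_pattern(APPROVER_ROLE, REQUIRED[2])
    print("after patch, approvable:", can_auto_approve(patched, ejbca))
    print("after patch, missing:", missing_signer_patterns(patched, REQUIRED))
```

Running the script shows the EJBCA signer rejected before the patch and accepted afterwards, with no duplicate entry if the patch is applied twice. The same missing_signer_patterns check can be pointed at the output of the kubectl command above to verify a live cluster after the package update.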