WIP: POC of dynamic authority #468
Signed-off-by: Erik Godding Boye <[email protected]>
@SgtCoDFish I have now reconfigured the RBAC to (almost) least-privilege, as you commented in one of our stand-ups where we discussed this PR. The new control loops still need RBAC to read all validation webhook configurations (cluster-wide) and secrets in the controller namespace (it already has this permission). But the create/patch permissions are now targeted on resources by name. I personally don't see a big benefit of narrowing it even more, as I have a feeling controller-runtime doesn't support watching resources by name out-of-the-box and will require even more complex code in the new module.
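As an added illustration of the permission split described in the comment above (this is not manifests from this PR or from the dynamic-authority project), the following ClusterRole/Role pair keeps cluster-wide access to read-only verbs and pins the write verbs to one named object. All names (the `trust-manager` namespace, the `trust-manager-webhook` configuration, the `trust-manager-ca` secret) are hypothetical. One caveat worth knowing when reviewing such rules: Kubernetes RBAC does not enforce `resourceNames` for `create`, because the object name is not known at authorization time, so a `create` grant necessarily stays namespace-wide even when `update`/`patch` are pinned by name.

```yaml
# Added example, not from the PR. Names below are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dynamic-authority-webhook-ca-injector
rules:
  # Read-only access to every ValidatingWebhookConfiguration: the controller
  # needs list/watch cluster-wide to react to changes on its own object.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch"]
  # Write access (injecting the CA bundle) only on the one named configuration.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    resourceNames: ["trust-manager-webhook"]
    verbs: ["update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dynamic-authority-ca-secret
  namespace: trust-manager   # the controller's own namespace
rules:
  # Read-only access to secrets in the controller namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # create cannot be narrowed by resourceNames (name unknown at admission),
  # so it is granted separately and remains namespace-wide.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # Rotation/renewal writes go only to the named CA secret.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["trust-manager-ca"]
    verbs: ["update", "patch"]
```

A quick way to check the result after binding the rules to the controller's service account is `kubectl auth can-i patch secrets/trust-manager-ca -n trust-manager --as=system:serviceaccount:trust-manager:<sa-name>` alongside the same query for an unrelated secret name, which should be denied.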
This PR was created to show what trust-manager could look like without a requirement for cert-manager to be pre-installed. It is not supposed to be merged - at least not in the present state.
Inspired by the bootstrap mechanism cert-manager uses to bootstrap its webhooks, I created https://github.com/erikgb/dynamic-authority. I have no plans to maintain such a project alone, and most of the code comes from cert-manager, so I hope this eventually could become a new project under the cert-manager org. 😺
I also had to copy some awesome PKI code from cert-manager into the new project. IMO we should create a dedicated cert-manager PKI project with all the nice PKI helpers battle-tested as part of cert-manager. This could allow reuse across other cert-manager projects without the unfortunate dependency on cert-manager/cert-manager.