
BUG: issuerRef `group: "cert-manager.io"` does not match CertificateRequest with no group.

Open inteon opened this issue 10 months ago • 2 comments

approver-policy does not seem to be issuerRef group defaulting aware.

E.g. the following policy will not match the example certificate request:

```yaml
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: selfsigned-policy
spec:
  ...
  selector:
    issuerRef:
      name: "internal-ca"
      kind: "ClusterIssuer"
      group: "cert-manager.io"
---
apiVersion: cert-manager.io/v1
kind: CertificateRequest
metadata:
  name: test123
spec:
  ...
  issuerRef:
    kind: ClusterIssuer
    name: internal-ca
```

inteon, Apr 15 '24 09:04
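The mismatch reported above, as an added Go example that is not approver-policy's or cert-manager's own code: a raw string comparison of the selector against the request's issuerRef, next to a comparison that first applies cert-manager's issuerRef defaults (`kind: Issuer`, `group: cert-manager.io`). The `IssuerRef` type and function names are hypothetical, and treating an empty selector field as "unconstrained" is an assumption of this sketch.

```go
package main

import "fmt"

// IssuerRef holds the three issuerRef fields from the issue (hypothetical type).
type IssuerRef struct {
	Name, Kind, Group string
}

// Defaults cert-manager applies when a request omits kind or group.
const (
	defaultKind  = "Issuer"
	defaultGroup = "cert-manager.io"
)

// normalize fills in the defaults so an omitted group and an explicit
// "cert-manager.io" compare as equal.
func normalize(r IssuerRef) IssuerRef {
	if r.Kind == "" {
		r.Kind = defaultKind
	}
	if r.Group == "" {
		r.Group = defaultGroup
	}
	return r
}

// fieldMatches: an empty selector field is unconstrained (assumption).
func fieldMatches(sel, val string) bool {
	return sel == "" || sel == val
}

// matchNaive compares the raw request fields: the behaviour reported in the issue.
func matchNaive(sel, req IssuerRef) bool {
	return fieldMatches(sel.Name, req.Name) &&
		fieldMatches(sel.Kind, req.Kind) &&
		fieldMatches(sel.Group, req.Group)
}

// matchDefaulted normalizes the request before comparing.
func matchDefaulted(sel, req IssuerRef) bool {
	return matchNaive(sel, normalize(req))
}

func main() {
	// Selector and request taken from the YAML in the issue.
	sel := IssuerRef{Name: "internal-ca", Kind: "ClusterIssuer", Group: "cert-manager.io"}
	req := IssuerRef{Name: "internal-ca", Kind: "ClusterIssuer"}
	fmt.Println("naive:", matchNaive(sel, req), "defaulted:", matchDefaulted(sel, req))
}
```
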

We have also been hit by this. As an alternative solution, we could set the group default (cert-manager.io) in cert-manager resources. IMO this would be a cleaner solution - instead of duplicating the cert-manager group default in approver-policy.

erikgb, Apr 15 '24 11:04

Related code that @inteon mentioned in today's standup

hawksight, Apr 16 '24 09:04