
Approver cannot find applicable policy

Open tjungbauer opened this issue 10 months ago • 3 comments

Hello,

I am somehow stuck in the configuration of Cert-Manager and the Approver. We would like to use the OpenShift Cert-Manager Operator to work with certificates. The approver shall approve requests accordingly. For testing I have created a policy that should allow everything:

apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: test
spec:
  allowed:
    commonName:
      value: '*'
    dnsNames:
      values:
        - '*'
    emailAddresses:
      values:
        - '*'
    ipAddresses:
      values:
        - '*'
    subject:
      countries:
        values:
          - '*'
      localities:
        values:
          - '*'
      organizationalUnits:
        values:
          - '*'
      organizations:
        values:
          - '*'
      postalCodes:
        values:
          - '*'
      provinces:
        values:
          - '*'
      serialNumber:
        value: '*'
      streetAddresses:
        values:
          - '*'
    uris:
      values:
        - '*'
    usages:
      - signing
      - digital signature
      - content commitment
      - key encipherment
      - key agreement
      - data encipherment
      - cert sign
      - crl sign
      - encipher only
      - decipher only
      - any
      - server auth
      - client auth
      - code signing
      - email protection
      - s/mime
      - ipsec end system
      - ipsec tunnel
      - ipsec user
      - timestamping
      - ocsp signing
      - microsoft sgc
      - netscape sgc
  selector:
    issuerRef: {}
status:
  conditions:
    - lastTransitionTime: '2025-04-29T09:11:49Z'
      message: CertificateRequestPolicy is ready for approval evaluation
      observedGeneration: 3
      reason: Ready
      status: 'True'
      type: Ready

When I try to create a Certificate such as:

... 
spec:
  commonName: cert30.apps.dev.my-cluster.com
  dnsNames:
    - cert30.apps.dev.my-cluster.com
  issuerRef:
    group: ejbca-issuer.keyfactor.com
    kind: ClusterIssuer
    name: clusterissuer-ejbca
  privateKey:
    algorithm: RSA
    size: 4096
  secretName: test-cert-30
  subject:
    countries:
      - AT
    organizations:
      - ORG
  usages:
    - server auth

I would assume that the approver should approve the request, but it does not. The approver pod sees the request but complains that the request is not applicable for any policy:

time=2025-05-22T08:24:05.069Z level=DEBUG+3 msg="Request is not applicable for any policy so ignoring" logger=controller-manager/events type=Normal object="{Kind:CertificateRequest Namespace:openshift-gitops Name:test-cert-30-1 UID:ab934861-efe0-4831-9aa8-9bf5fb7d0929 APIVersion:cert-manager.io/v1 ResourceVersion:427974104 FieldPath:}" reason=Unprocessed

Roles should be fine; if I change something there, the pod immediately complains that permissions are missing.

Am I missing anything in the configuration? Is there a way to debug the policy evaluation?

Many thanks in advance for your help!

tjungbauer avatar May 22 '25 08:05 tjungbauer
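Added example, not part of the original issue and not code from the approver-policy project: besides the `selector` match, approver-policy only evaluates a CertificateRequest against a CertificateRequestPolicy when the identity that created the CertificateRequest is permitted, through Kubernetes RBAC, to `use` that policy (it checks this with a SubjectAccessReview). When certificates are requested through a `Certificate` resource, the CertificateRequest is created by cert-manager's own controller service account, so that service account is the requester that needs the binding, not the user or GitOps controller that applied the `Certificate`. The ClusterRole and ClusterRoleBinding below grant `use` on the policy named `test` from the post. The service account name `cert-manager` in namespace `cert-manager` is an assumption about the OpenShift Cert-Manager Operator install and must be replaced with the subject the controller actually runs as.

```yaml
# Added example: RBAC that lets cert-manager's controller "use" the
# CertificateRequestPolicy named "test" shown in the issue above.
# Assumption: the cert-manager controller runs as service account
# "cert-manager" in namespace "cert-manager"; adjust to your install.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-policy-test-user
rules:
  - apiGroups:
      - policy.cert-manager.io
    resources:
      - certificaterequestpolicies
    resourceNames:
      - test          # scope to this policy only, not every policy in the cluster
    verbs:
      - use           # the custom verb approver-policy checks via SubjectAccessReview
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-policy-test-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-policy-test-user
subjects:
  - kind: ServiceAccount
    name: cert-manager        # assumed controller service account
    namespace: cert-manager   # assumed controller namespace
```

To check whether the binding is in place before looking further at the selector, impersonate the requester and ask the API server the same question approver-policy asks: `kubectl auth can-i use certificaterequestpolicies.policy.cert-manager.io/test --as=system:serviceaccount:cert-manager:cert-manager` (the `--as` value is the assumed service account). A `no` here produces exactly the "not applicable for any policy" outcome even when the selector would match. Two practical caveats: a RoleBinding (namespaced) instead of a ClusterRoleBinding limits the policy to CertificateRequests in that namespace, which is the safer default once testing is done; and an allow-everything policy like the one in the post, bound cluster-wide, turns the approver into an automatic rubber stamp for any issuer, so it should be narrowed (at least `selector.issuerRef` and the `usages` list) before it guards a production CA.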