Skip to content

Fix KEDA crashes when using cert-manager certificates and restricted secret access#518

Merged
JorTurFer merged 10 commits into
kedacore:mainfrom
gjacquet:cert-manager-restricted-secret-access
Sep 25, 2023
Merged

Fix KEDA crashes when using cert-manager certificates and restricted secret access#518
JorTurFer merged 10 commits into
kedacore:mainfrom
gjacquet:cert-manager-restricted-secret-access

Conversation

@gjacquet

@gjacquet gjacquet commented Sep 8, 2023

Copy link
Copy Markdown
Contributor

Allow KEDA operator to get, list and watch secrets in its own namespace when restricted mode and certmanager are enabled.

Checklist

  • I have verified that my change is according to the deprecations & breaking changes policy
  • Commits are signed with Developer Certificate of Origin (DCO - learn more)
  • README is updated with new configuration values (if applicable) learn more
  • A PR is opened to update KEDA core (repo) (if applicable, ie. when deployment manifests are modified)

Fixes #505

…secret access

Allow KEDA operator to get, list and watch secrets in its own namespace
when restricted mode and certmanager are enabled.

Signed-off-by: Guillaume Jacquet <[email protected]>
@gjacquet gjacquet force-pushed the cert-manager-restricted-secret-access branch from c48465c to 84a116d Compare September 8, 2023 18:05
@gjacquet gjacquet marked this pull request as ready for review September 8, 2023 18:11
@gjacquet gjacquet requested a review from a team as a code owner September 8, 2023 18:11
Comment thread keda/Chart.yaml Outdated
@zroubalik zroubalik requested a review from JorTurFer September 13, 2023 11:26
Signed-off-by: Guillaume Jacquet <[email protected]>

@JorTurFer JorTurFer left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix!
I think that we be more fine to not deploy the Role if it's needed (it's not a pain, but if we don't deploy not required Roles is always better). WDYT?

@@ -1,4 +1,4 @@
{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should check if the restrict access is set instead of adding the role always. I mean, if this manifest has to be deployed if we are using self generated certs without cert manager OR if we set restricted access. But if I set cert manager and I don't set restricted access, this role isn't required as it's covered by the ClusterRole

Comment thread keda/templates/manager/role.yaml Outdated
resources:
- secrets
verbs:
{{- if not .Values.certificates.certManager.enabled }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess that with my previous comment, the condition here should be if self generated AND NOT cert manager

Comment thread keda/templates/manager/rolebinding.yaml Outdated
@@ -1,4 +1,4 @@
{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
{{- if or .Values.certificates.autoGenerated .Values.certificates.certManager.enabled }}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as the other file comment for the condition

@JorTurFer

Copy link
Copy Markdown
Member

Hi @gjacquet
We aim to cut a release this week, could you address the comments?

Signed-off-by: Guillaume Jacquet <[email protected]>
Signed-off-by: Guillaume Jacquet <[email protected]>
Signed-off-by: Guillaume Jacquet <[email protected]>
@gjacquet

Copy link
Copy Markdown
Contributor Author

@JorTurFer this should be good now.

Comment thread keda/templates/manager/role.yaml Outdated
Comment thread keda/templates/manager/role.yaml Outdated
Comment thread keda/templates/manager/rolebinding.yaml Outdated
gjacquet and others added 3 commits September 25, 2023 16:09
Co-authored-by: Jorge Turrado Ferrero <[email protected]>
Signed-off-by: Guillaume Jacquet <[email protected]>
Co-authored-by: Jorge Turrado Ferrero <[email protected]>
Signed-off-by: Guillaume Jacquet <[email protected]>
Signed-off-by: Guillaume Jacquet <[email protected]>
@gjacquet

Copy link
Copy Markdown
Contributor Author

applied suggestions

@JorTurFer JorTurFer left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❤️

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

KEDA crashes when using cert-manager certificates and restricted secret access

3 participants