Add configuration field to Helm chart that changes the scope of the ServiceAccount to grant cluster access to the K8s Secrets API.
secretConfig:
  # If true, when using Issuer resources, the credential secret must be created in the same namespace as the
  # Issuer resource. This access is facilitated by granting the ServiceAccount [get, list, watch] for the secret
  # API at the cluster level.
  #
  # If false, both Issuer and ClusterIssuer must reference a secret in the same namespace as the chart/reconciler.
  # This access is facilitated by granting the ServiceAccount [get, list, watch] for the secret API only for the
  # namespace the chart is deployed in.
  useClusterRoleForSecretAccess: false
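
One way to confirm that the ServiceAccount's effective Secret access matches the setting above. This is an added example, not part of the chart or its repository. It relies on `kubectl auth can-i` with impersonation, and the namespace and ServiceAccount names in the usage line are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the chart). Pass the namespace and ServiceAccount your
# release actually uses; the names in the usage line below are hypothetical.
# The caller needs RBAC permission to impersonate the ServiceAccount (--as).

# Print the comma-separated verbs the ServiceAccount holds on Secrets in TARGET_NS.
allowed_secret_verbs() {
  local sa_ns="$1" sa="$2" target_ns="$3" verb out=""
  for verb in get list watch; do
    if kubectl auth can-i "$verb" secrets \
         --as="system:serviceaccount:${sa_ns}:${sa}" \
         --namespace="$target_ns" --quiet; then
      out="${out:+$out,}$verb"
    fi
  done
  printf '%s' "$out"
}

# Compare effective access with the chart's useClusterRoleForSecretAccess value.
# Returns 0 = matches, 1 = access the setting needs is missing,
#         2 = Secret access outside the release namespace although the setting is false.
check_secret_scope() {
  local use_cluster_role="$1" sa_ns="$2" sa="$3" other_ns="$4" home other
  home=$(allowed_secret_verbs "$sa_ns" "$sa" "$sa_ns")
  other=$(allowed_secret_verbs "$sa_ns" "$sa" "$other_ns")
  if [ "$use_cluster_role" = "true" ]; then
    # Cluster mode: Issuer credentials live in the Issuer's own namespace.
    if [ "$other" != "get,list,watch" ]; then
      echo "MISSING: only [${other}] on secrets in ${other_ns}"; return 1
    fi
  else
    # Namespace mode: full access at home, nothing anywhere else.
    if [ "$home" != "get,list,watch" ]; then
      echo "MISSING: only [${home}] on secrets in ${sa_ns}"; return 1
    fi
    if [ -n "$other" ]; then
      echo "OVERPRIVILEGED: [${other}] on secrets in ${other_ns}"; return 2
    fi
  fi
  echo "OK: Secret access matches useClusterRoleForSecretAccess=${use_cluster_role}"
}

# Usage: ./check-scope.sh false issuer-system issuer-sa team-a
if [ "$#" -eq 4 ]; then check_secret_scope "$@"; fi
```

Exit code 2 is the case worth alerting on: the chart is set to namespace scope, yet a leftover ClusterRoleBinding or another binding still lets the ServiceAccount read Secrets elsewhere.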
v1.0.5 Changelog
Features
feat(controller): Implement Kubernetes client-go REST client for Secret/ConfigMap retrieval to bypass controller-runtime caching system. This enables the reconciler to retrieve Secret and ConfigMap resources at the namespace scope with only namespace-level permissions.
Fixes
fix(helm): Add configuration flag to configure the chart to grant either cluster-scoped or namespace-scoped access to the Secret and ConfigMap APIs.
fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.