Missing RBAC for cert-manager default serviceaccount

[Jasper-Ben]

Describe the bug:

Looking at the documentation for using the cert-managers default Serviceaccount for Route53 configuration (https://cert-manager.io/docs/configuration/acme/dns01/route53/#using-the-cert-manager-serviceaccount) it should not be necessary to manually create the RBAC for creating service account tokens, only when using a separately defined Serviceaccount (https://cert-manager.io/docs/configuration/acme/dns01/route53/#rbac).

However, when using the default Serviceaccount issues with RBAC still occur until the Role and Rolebinding are manually created:

"re-queuing item due to error processing" err="error getting service account token: failed to request token for cert-manager/cert-manager: serviceaccounts \"cert-manager\" is forbidden: Use
r \"system:serviceaccount:cert-manager:cert-manager\" cannot create resource \"serviceaccounts/token\" in API group \"\" in the namespace \"cert-manager\"" logger="cert-manager.controller" key="foo/foo-1-423214965-
2925438771"

Expected behaviour:

RBAC definitions for creating service account tokens should be included in the helm chart for the default cert-manager Serviceaccount

Steps to reproduce the bug:

Follow the documentation for Route53 with IRSA authentication while using the default cert-manager Serviceaccount

Anything else we need to know?:

Environment details::

• Kubernetes version: v1.29.6-eks-db838b0
• Cloud-provider/provisioner: AWS
• cert-manager version: v1.15.2
• Install method: helm

/kind bug

[wallrj]

@Jasper-Ben When using IRSA, you annotate the cert-manager ServiceAccount with the eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXXXXXXX:role/cert-manager-route53 and that causes the IRSA webhook to inject the ServiceAccountToken into the cert-manager Pod as a projected volume.
cert-manager will find the token at a well known path in the filesystem.
The kublet will be responsible for refreshing the token.
In this mode, cert-manager will not attempt to create ServiceAccountToken requests so extra RBAC is not necessary.

This should be made clearer in the documentation.

[Jasper-Ben]

@wallrj I see. So we would want to revert the change and update the docs instead?

[wallrj]

I'm on the fence. Theoretically, your PR allows people to use the cert-manager ServiceAccount without having to have IRSA webhook installed, which might be desirable for some people.

I'm happy to leave the extra RBAC, because I don't think it does any harm, but we should also improve the docs, and I've started on that in the following PR, but I got bogged down trying to explain all the authentication options:

• Update AWS Route53 documentation to better explain the authentication options website#1555