Adding read perms for pods and services to DNS01 ClusterRole

[ali-hamza-noor]

Pull Request Motivation

The DNS01 role needs the read perms as there was a bug (#7827) reported whenever the users were disabling the HTTP01 role

TODO @ali-hamza-noor : add reference to #7666

Kind

/kind bug

Release Note

Fix for disabling the HTTP01 role

[cert-manager-prow]

@ali-hamza-noor: The label(s) kind/release, kind/note cannot be applied, because the repository doesn't have them.

Details

In response to this:

Pull Request Motivation

Kind

/kind

Release Note

NONE

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign erikgb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ali-hamza-noor]

/ok-to-test

[inteon]

I think there are some other permissions missing still:

  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [ "gateway.networking.k8s.io" ]
    resources: [ "httproutes" ]
    verbs: ["get", "list", "watch"]

Anyway, I think it would be better to revert this in v1.18 and include a fixed version in v1.19 instead.
Ideally, we could eg. stop these informers.

[ali-hamza-noor]

Yeah sure. With regards to additional perms for ingresses and httproutes, I think we agreed on not needing those in one of the stand-ups before. Let's talk more on this in the stand-up. I do like the idea of stopping informers.

[wallrj]

@ali-hamza-noor We discussed this at stand up this morning and I agree with @inteon that we should revert this feature and try again in 1.19.

Let's try and figure out a better UX for this feature; something like global.disableHTTP01 and figure out how to disable the Pod informer. That would have an added benefit of saving some memory in the controller because it would no longer need to cache all the Pods in the cluster.

[cert-manager-prow]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[cert-manager-prow]

@ali-hamza-noor: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cert-manager-master-e2e-v1-34-upgrade	d068684	link	true	/test pull-cert-manager-master-e2e-v1-34-upgrade
pull-cert-manager-master-e2e-v1-35-upgrade	d068684	link	true	/test pull-cert-manager-master-e2e-v1-35-upgrade

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.