
Fix RBAC to support clusters with OwnerReferencesPermissionEnforcement enabled #8654

Merged
cert-manager-prow[bot] merged 1 commit into cert-manager:master from erikgb:fix-owner-ref-rbac on Mar 27, 2026

erikgb commented Mar 27, 2026

Member

Pull Request Motivation

This fixes RBAC to support clusters with the OwnerReferencesPermissionEnforcement admission controller enabled. OpenShift/OKD has this enabled by default, and using ACME in these clusters will not work for cert-manager 1.20.x without this fix.

Fixes #8636

Kind

/kind bug

Release Note

Add missing issuer finalizer RBAC to the order controller to support owner references

/cherrypick release-1.20

…t enabled

Signed-off-by: Erik Godding Boye <egboye@gmail.com>
cert-manager-prow Bot added labels on Mar 27, 2026:
- kind/bug (Categorizes issue or PR as related to a bug.)
- release-note (Denotes a PR that will be considered when it comes time to generate release notes.)
- dco-signoff: yes (Indicates that all commits in the pull request have the valid DCO sign-off message.)
- area/deploy (Indicates a PR modifies deployment configuration)
- size/XS (Denotes a PR that changes 0-9 lines, ignoring generated files.)
erikgb changed the title from "Fix RBAC to support clusters with OwnerReferencesPermissionEnforcemen…" to "Fix RBAC to support clusters with OwnerReferencesPermissionEnforcement enabled" on Mar 27, 2026

erikgb commented Mar 27, 2026

Member Author

/cherrypick release-1.20

@cert-manager-bot

Contributor

@erikgb: once the present PR merges, I will cherry-pick it on top of release-1.20 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

erikgb commented Mar 27, 2026

Member Author

/retest

erikgb commented Mar 27, 2026

Member Author

/cc @inteon @SgtCoDFish

SgtCoDFish left a comment

Member

/lgtm
/approve

cert-manager-prow Bot added labels on Mar 27, 2026:
- lgtm (Indicates that a PR is ready to be merged.)
- approved (Indicates a PR has been approved by an approver from all required OWNERS files.)

lunarwhite left a comment

Member

/lgtm

@cert-manager-prow

Contributor

@lunarwhite: adding LGTM is restricted to approvers and reviewers in OWNERS files.

In response to this:

/lgtm

@cert-manager-prow

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lunarwhite, SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

cert-manager-prow Bot merged commit a69eb16 into cert-manager:master on Mar 27, 2026
6 checks passed
@cert-manager-bot

Contributor

@erikgb: new pull request created: #8655

In response to this:

/cherrypick release-1.20

inteon commented Mar 28, 2026

Member

Thanks @erikgb for fixing this issue I created.


Development

Successfully merging this pull request may close these issues.

Challenge creation fails on OpenShift after #7286 — missing issuers/finalizers RBAC

5 participants