Merge branch 'master' into security

exoscale · Dec 7, 2023 · d169d4e · d169d4e
2 parents e4c30e3 + 3f5e40d
commit d169d4e
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 ## UNRELEASED
 
 - update go dependencies (#14)
+- bug: TXT content must be unquoted (#13)
 - feat(doc): Add the minimum requirements needed for the Exoscale Key in the documentation
 (#11)
 - Add Action to do releases (#8)

diff --git a/Makefile b/Makefile
@@ -47,7 +47,7 @@ rendered-manifest.yaml:
 	helm template \
 	    exoscale-webhook \
         --set image.repository=$(IMAGE_NAME) \
-        --set image.tag=$(VERSION) \
+        --set image.tag="latest" \
         --namespace cert-manager \
         ${DEPLOY_DIR} > "$(OUT)/rendered-manifest.yaml"
 	cp "${OUT}/rendered-manifest.yaml" "${DEPLOY_DIR}-kustomize/deploy.yaml"
diff --git a/README.md b/README.md
@@ -81,6 +81,14 @@ Here is an example of the minimal policy required for the IAM role:
           "expression": "resources.dns_domain.unicode_name != \"example.com\"",
           "action": "deny"
         },
+        {
+          "expression": "parameters.has('type') && parameters.type != 'TXT'",
+          "action": "deny"
+        },
+        {
+          "expression": "resources.has('dns_domain_record') && resources.dns_domain_record.has('type') && resources.dns_domain_record.type != 'TXT'",
+          "action": "deny"
+        },
         {
           "expression": "operation in ['list-dns-domains', 'list-dns-domain-records', 'get-dns-domain-record', 'create-dns-domain-record', 'delete-dns-domain-record']",
           "action": "allow"

diff --git a/deploy/exoscale-webhook-kustomize/deploy.yaml b/deploy/exoscale-webhook-kustomize/deploy.yaml
@@ -186,7 +186,7 @@ spec:
       serviceAccountName: cert-manager-webhook-exoscale
       containers:
         - name: exoscale-webhook
-          image: "exoscale/cert-manager-webhook-exoscale:dev"
+          image: "exoscale/cert-manager-webhook-exoscale:latest"
           imagePullPolicy: IfNotPresent
           args:
             - --tls-cert-file=/tls/tls.crt