chore: document skip-deny-step and add helm parameter

Signed-off-by: Clément Nussbaumer <clement.nussbaumer@postfinance.ch>

README.md

@@ -57,6 +57,9 @@ it permits having a DNS name that differs (i.e. isn't prefixed) by the hostname
   with a _Username_ different than `system:node:......`. \
   the default value of the boolean is false, and if you want to use this feature
   you need to set this flag to `true`
+* `--skip-deny-step` or `SKIP_DENY_STEP` permits skipping denial of CSRs. when
+  set to true, kubelet-csr-approver will only ever approve a CSR, never deny
+  it.
 * `--allowed-dns-names` or `ALLOWED_DNS_NAMES` permits allowing more than one
   DNS name in the certificate request. the default value is set to 1.
 * `--leader-election` or `LEADER_ELECTION` permits enabling leader election

charts/kubelet-csr-approver/templates/deployment.yaml

@@ -78,6 +78,10 @@ spec:
             - name: IGNORE_NON_SYSTEM_NODE
               value: {{ .Values.ignoreNonSystemNode | quote }}
           {{- end }}
+          {{- if .Values.skipDenyStep }}
+            - name: SKIP_DENY_STEP
+              value: {{ .Values.skipDenyStep | quote }}
+          {{- end }}
           {{- if .Values.allowedDnsNames}}
             - name: ALLOWED_DNS_NAMES
               value: {{ .Values.allowedDnsNames | quote }}

charts/kubelet-csr-approver/values.yaml

@@ -8,6 +8,8 @@ bypassDnsResolution: false
 allowedDnsNames: 1
 # optional, permits ignoring CSRs with another Username than `system:node:...`
 ignoreNonSystemNode: false
+# optional, prevents csr denial, i.e. only lets kubelet-csr-approver approve valid CSRs but ignore other CSRs
+skipDenyStep: false
 # set this parameter to true to ignore mismatching DNS name and hostname
 bypassHostnameCheck: false
 # optional, list of IP (IPv4, IPv6) subnets that are allowed to submit CSRs