refnie

Signed-off-by: kangclzjc <[email protected]>

Author: kangclzjc

docs/api-reference/operator-api.md

@@ -815,7 +815,8 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `secretName` _string_ | SecretName is the name of the secret containing the webhook server certificate.<br />Default: grove-webhook-server-cert |  |  |
-| `certManagerEnabled` _boolean_ | CertManagerEnabled indicates whether to use cert-manager for certificate management.<br />When true, the operator waits for cert-manager to provide certificates.<br />When false, the operator checks if certificates exist and auto-generates them if not.<br />This requires cert-manager to be installed in the cluster when set to true.<br />Default: false |  |  |
+| `certManagerEnabled` _boolean_ | CertManagerEnabled indicates whether to use cert-manager for certificate management.<br />When true, the operator waits for cert-manager to provide certificates.<br />When false, behavior depends on AutoProvision.<br />This requires cert-manager to be installed in the cluster when set to true.<br />Default: false |  |  |
+| `autoProvision` _boolean_ | AutoProvision indicates whether to use cert-controller for automatic certificate generation.<br />When true, cert-controller generates and manages certificates automatically.<br />When false, certificates are expected to be provided externally (e.g., via Helm chart or manual Secret creation).<br />This field is ignored when CertManagerEnabled is true.<br />Default: true |  |  |
 
 
 #### WebhookServer

operator/api/config/v1alpha1/zz_generated.deepcopy.go

@@ -46,7 +46,7 @@ config:
   server:
     webhooks:
       port: 9443
-      # certDir is the directory path where certificate files are located.
+      # serverCertDir is the directory path where certificate files are located.
       # The operator will look for tls.crt and tls.key in this directory.
       # Default: /etc/grove-operator/webhook-certs
       serverCertDir: /etc/grove-operator/webhook-certs

operator/charts/values.yaml

@@ -18,54 +18,13 @@
 set -o errexit
 set -o nounset
 set -o pipefail
-source $(dirname $0)/openssl-utils.sh
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 OPERATOR_GO_MODULE_ROOT="$(dirname "$SCRIPT_DIR")"
 PROJECT_ROOT="$(dirname "$OPERATOR_GO_MODULE_ROOT")"
 SCHEDULER_GO_MODULE_ROOT="${PROJECT_ROOT}/scheduler"
 CHARTS_DIR="${OPERATOR_GO_MODULE_ROOT}/charts"
 
-function initialize_pki_resources() {
-  if [[ $# -ne 2 ]]; then
-    echo -e "${FUNCNAME[0]} requires 2 arguments: namespace and cert-expiry"
-    exit 1
-  fi
-
-  local namespace="$1"
-  local cert_expiry="$2"
-  local generation_required=false
-
-  target_path="${OPERATOR_GO_MODULE_ROOT}/charts/pki-resources"
-  if [ ! -d ${target_path} ]; then
-    mkdir -p ${target_path}
-    generation_required=true
-  fi
-
-  if ${generation_required} || ! all_pki_resources_exist; then
-    echo "Generating PKI resources..."
-    rm -rf ${target_path}/*
-    pki::generate_resources "${target_path}" "${namespace}"
-  fi
-}
-
-function all_pki_resources_exist() {
-  sourceDir="${OPERATOR_GO_MODULE_ROOT}/charts/pki-resources/"
-  PKI_RESOURCES=(
-   "ca.crt"
-   "ca.key"
-   "server.crt"
-   "server.key"
-  )
-  for resource in "${PKI_RESOURCES[@]}"; do
-    local resourcePath="${sourceDir}/${resource}"
-    if [ ! -f ${resourcePath} ]; then
-      return 1
-    fi
-  done
-  return 0
-}
-
 function copy_crds() {
   target_path="${OPERATOR_GO_MODULE_ROOT}/charts/crds"
   echo "Creating ${target_path} to copy the CRDs if not present..."
@@ -97,8 +56,4 @@ function copy_crds() {
 }
 
 echo "Copying CRDs to helm charts..."
-copy_crds
-
-# Allow namespace override via environment variable, default to grove-system
-GROVE_NAMESPACE="${GROVE_NAMESPACE:-grove-system}"
-initialize_pki_resources "${GROVE_NAMESPACE}" 365
+copy_crds

operator/hack/prepare-charts.sh

@@ -17,12 +17,9 @@
 package cert
 
 import (
-	"crypto/x509"
-	"encoding/pem"
 	"fmt"
 	"os"
 	"strings"
-	"time"
 
 	"github.com/ai-dynamo/grove/operator/internal/constants"
 	authorizationwebhook "github.com/ai-dynamo/grove/operator/internal/webhook/admission/pcs/authorization"
@@ -54,19 +51,15 @@ func ManageWebhookCerts(mgr ctrl.Manager, certDir string, secretName string, aut
 
 	logger := ctrl.Log.WithName("cert-management")
 
-	// If cert-manager is enabled, wait for it to provide certificates
 	if certManagerEnabled {
 		logger.Info("Using cert-manager for certificate management",
 			"secretName", secretName, "certDir", certDir)
-		go waitForExternalCerts(logger, certDir, certsReadyCh)
 		return nil
 	}
 
-	// If auto-provision is disabled, wait for externally provided certificates
 	if !autoProvision {
 		logger.Info("Using externally provided certificates",
 			"certDir", certDir, "secretName", secretName)
-		go waitForExternalCerts(logger, certDir, certsReadyCh)
 		return nil
 	}
 
@@ -142,82 +135,3 @@ func getOperatorNamespace() (string, error) {
 	}
 	return namespace, nil
 }
-
-// certsExist checks if both certificate and key files exist and have content in the specified directory
-func certsExist(certDir string) bool {
-	certPath := fmt.Sprintf("%s/tls.crt", certDir)
-	keyPath := fmt.Sprintf("%s/tls.key", certDir)
-	return fileExistsWithContent(certPath) && fileExistsWithContent(keyPath)
-}
-
-// waitForExternalCerts waits for externally managed certificates to be available
-// in the specified directory. This is used when cert-manager is enabled.
-func waitForExternalCerts(logger logr.Logger, certDir string, certsReadyCh chan struct{}) {
-	const (
-		maxRetries    = 30
-		retryInterval = 2 * time.Second
-		certFileName  = "tls.crt"
-		keyFileName   = "tls.key"
-	)
-
-	certPath := fmt.Sprintf("%s/%s", certDir, certFileName)
-	keyPath := fmt.Sprintf("%s/%s", certDir, keyFileName)
-
-	for i := 0; i < maxRetries; i++ {
-		// Check if both certificate and key files exist
-		certExists := fileExists(certPath)
-		keyExists := fileExists(keyPath)
-
-		if certExists && keyExists {
-			logger.Info("External certificates found and ready",
-				"certPath", certPath, "keyPath", keyPath)
-			close(certsReadyCh)
-			return
-		}
-
-		if i < maxRetries-1 {
-			logger.Info("Waiting for external certificates to be mounted",
-				"attempt", i+1, "maxRetries", maxRetries,
-				"certExists", certExists, "keyExists", keyExists)
-			time.Sleep(retryInterval)
-		}
-	}
-
-	logger.Error(fmt.Errorf("timeout waiting for external certificates"),
-		"Failed to find certificates after maximum retries",
-		"certPath", certPath, "keyPath", keyPath)
-	// Don't close the channel - this will cause the readiness check to fail
-}
-
-// fileExists checks if a file exists and is not a directory
-func fileExists(path string) bool {
-	info, err := os.Stat(path)
-	if err != nil {
-		return false
-	}
-	return !info.IsDir()
-}
-
-// fileExistsWithContent checks if a file exists and contains valid PEM data
-func fileExistsWithContent(path string) bool {
-	data, err := os.ReadFile(path)
-	if err != nil || len(data) == 0 {
-		return false
-	}
-
-	// Try to decode PEM block to verify it's valid
-	block, _ := pem.Decode(data)
-	if block == nil || len(block.Bytes) == 0 {
-		return false
-	}
-
-	// For certificate files, try to parse as X.509
-	// For key files, just having valid PEM is enough
-	if strings.Contains(path, "tls.crt") || strings.Contains(path, "ca.crt") {
-		_, err := x509.ParseCertificate(block.Bytes)
-		return err == nil
-	}
-
-	// For key files (tls.key), valid PEM block is sufficient
-	return true
-}