3 methods done

kangclzjc · kangclzjc · commit fde47c4f3816 · 2025-11-04T09:56:14.000+08:00
Signed-off-by: kangclzjc &lt;kangz@nvidia.com&gt;
diff --git a/operator/api/config/v1alpha1/defaults.go b/operator/api/config/v1alpha1/defaults.go
@@ -85,6 +85,9 @@ func SetDefaults_ServerConfiguration(serverConfig *ServerConfiguration) {
 	if serverConfig.Webhooks.CertManagement.CertManagerEnabled == nil {
 		serverConfig.Webhooks.CertManagement.CertManagerEnabled = ptr.To(false)
 	}
+	if serverConfig.Webhooks.CertManagement.AutoProvision == nil {
+		serverConfig.Webhooks.CertManagement.AutoProvision = ptr.To(true)
+	}
 	if serverConfig.Webhooks.CertManagement.SecretName == "" {
 		serverConfig.Webhooks.CertManagement.SecretName = "grove-webhook-server-cert"
 	}
diff --git a/operator/api/config/v1alpha1/types.go b/operator/api/config/v1alpha1/types.go
@@ -148,11 +148,18 @@ type WebhookCertManagement struct {
 	SecretName string `json:"secretName,omitempty"`
 	// CertManagerEnabled indicates whether to use cert-manager for certificate management.
 	// When true, the operator waits for cert-manager to provide certificates.
-	// When false, the operator checks if certificates exist and auto-generates them if not.
+	// When false, behavior depends on AutoProvision.
 	// This requires cert-manager to be installed in the cluster when set to true.
 	// Default: false
 	// +optional
 	CertManagerEnabled *bool `json:"certManagerEnabled,omitempty"`
+	// AutoProvision indicates whether to use cert-controller for automatic certificate generation.
+	// When true, cert-controller generates and manages certificates automatically.
+	// When false, certificates are expected to be provided externally (e.g., via Helm chart or manual Secret creation).
+	// This field is ignored when CertManagerEnabled is true.
+	// Default: true
+	// +optional
+	AutoProvision *bool `json:"autoProvision,omitempty"`
 }
 
 // Server contains information for HTTP(S) server configuration.
diff --git a/operator/charts/templates/_helpers.tpl b/operator/charts/templates/_helpers.tpl
@@ -16,10 +16,11 @@ config.yaml: |
   server:
     webhooks:
       port: {{ .Values.config.server.webhooks.port }}
-      serverCertDir: {{ .Values.config.server.webhooks.certDir }}
+      serverCertDir: {{ .Values.config.server.webhooks.serverCertDir }}
       certManagement:
         secretName: {{ .Values.config.server.webhooks.certManagement.secretName }}
         certManagerEnabled: {{ .Values.config.server.webhooks.certManagement.certManagerEnabled }}
+        autoProvision: {{ if or .Values.config.server.webhooks.certManagement.certManagerEnabled .Values.config.server.webhooks.certManagement.certFilesPath }}false{{ else }}true{{ end }}
     healthProbes:
       port: {{ .Values.config.server.healthProbes.port }}
     metrics:
diff --git a/operator/charts/templates/deployment.yaml b/operator/charts/templates/deployment.yaml
@@ -91,6 +91,7 @@ spec:
           configMap:
             name: {{ include "operator.config.name" . }}
         - name: grove-webhook-server-cert
+          # Always mount the Secret volume (cert-controller manages it in auto-provision mode)
           secret:
             secretName: {{ .Values.config.server.webhooks.certManagement.secretName }}
             defaultMode: 420
diff --git a/operator/cmd/main.go b/operator/cmd/main.go
@@ -69,6 +69,7 @@ func main() {
 		certMgmt.SecretName,
 		operatorCfg.Authorizer.Enabled,
 		*certMgmt.CertManagerEnabled,
+		*certMgmt.AutoProvision,
 		webhookCertsReadyCh,
 	); err != nil {
 		logger.Error(err, "failed to setup certificate management")
diff --git a/operator/internal/controller/cert/cert.go b/operator/internal/controller/cert/cert.go
@@ -17,6 +17,8 @@
 package cert
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"os"
 	"strings"
@@ -40,10 +42,11 @@ const (
 )
 
 // ManageWebhookCerts registers the cert-controller with the manager which will be used to manage
-// webhook certificates. The behavior depends on certManagerEnabled:
+// webhook certificates. The behavior depends on the configuration:
 // - If certManagerEnabled=true: waits for cert-manager to provide certificates
-// - If certManagerEnabled=false: checks if certificates exist, auto-generates if not
-func ManageWebhookCerts(mgr ctrl.Manager, certDir string, secretName string, authorizerEnabled bool, certManagerEnabled bool, certsReadyCh chan struct{}) error {
+// - If autoProvision=true: uses cert-controller for automatic certificate generation and management
+// - If autoProvision=false: waits for externally provided certificates (e.g., from Helm chart)
+func ManageWebhookCerts(mgr ctrl.Manager, certDir string, secretName string, authorizerEnabled bool, certManagerEnabled bool, autoProvision bool, certsReadyCh chan struct{}) error {
 	namespace, err := getOperatorNamespace()
 	if err != nil {
 		return err
@@ -59,16 +62,21 @@ func ManageWebhookCerts(mgr ctrl.Manager, certDir string, secretName string, aut
 		return nil
 	}
 
-	// Check if certificates already exist (from Helm certFilesPath or manual creation)
-	if certsExist(certDir) {
-		logger.Info("Using existing certificates",
-			"certDir", certDir)
-		close(certsReadyCh)
+	// If auto-provision is disabled, wait for externally provided certificates
+	if !autoProvision {
+		logger.Info("Using externally provided certificates",
+			"certDir", certDir, "secretName", secretName)
+		go waitForExternalCerts(logger, certDir, certsReadyCh)
 		return nil
 	}
 
-	// Auto-generate certificates using cert-controller
-	logger.Info("Auto-generating certificates using cert-controller",
+	// Auto-provision mode: Use cert-controller for certificate management
+	// cert-controller handles:
+	// - Generating certificates if they don't exist
+	// - Rotating certificates before expiry
+	// - Injecting CA bundle into webhook configurations
+	// - Monitoring certificate files and Secret for changes
+	logger.Info("Auto-provisioning certificates using cert-controller",
 		"secretName", secretName, "certDir", certDir)
 	rotator := &cert.CertRotator{
 		SecretKey: types.NamespacedName{
@@ -135,11 +143,11 @@ func getOperatorNamespace() (string, error) {
 	return namespace, nil
 }
 
-// certsExist checks if both certificate and key files exist in the specified directory
+// certsExist checks if both certificate and key files exist and have content in the specified directory
 func certsExist(certDir string) bool {
 	certPath := fmt.Sprintf("%s/tls.crt", certDir)
 	keyPath := fmt.Sprintf("%s/tls.key", certDir)
-	return fileExists(certPath) && fileExists(keyPath)
+	return fileExistsWithContent(certPath) && fileExistsWithContent(keyPath)
 }
 
 // waitForExternalCerts waits for externally managed certificates to be available
@@ -189,3 +197,27 @@ func fileExists(path string) bool {
 	}
 	return !info.IsDir()
 }
+
+// fileExistsWithContent checks if a file exists and contains valid PEM data
+func fileExistsWithContent(path string) bool {
+	data, err := os.ReadFile(path)
+	if err != nil || len(data) == 0 {
+		return false
+	}
+
+	// Try to decode PEM block to verify it's valid
+	block, _ := pem.Decode(data)
+	if block == nil || len(block.Bytes) == 0 {
+		return false
+	}
+
+	// For certificate files, try to parse as X.509
+	// For key files, just having valid PEM is enough
+	if strings.Contains(path, "tls.crt") || strings.Contains(path, "ca.crt") {
+		_, err := x509.ParseCertificate(block.Bytes)
+		return err == nil
+	}
+
+	// For key files (tls.key), valid PEM block is sufficient
+	return true
+}

Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,9 @@ func SetDefaults_ServerConfiguration(serverConfig *ServerConfiguration) {`
`85`	`85`	`if serverConfig.Webhooks.CertManagement.CertManagerEnabled == nil {`
`86`	`86`	`serverConfig.Webhooks.CertManagement.CertManagerEnabled = ptr.To(false)`
`87`	`87`	`}`
	`88`	`+ if serverConfig.Webhooks.CertManagement.AutoProvision == nil {`
	`89`	`+ serverConfig.Webhooks.CertManagement.AutoProvision = ptr.To(true)`
	`90`	`+ }`
`88`	`91`	`if serverConfig.Webhooks.CertManagement.SecretName == "" {`
`89`	`92`	`serverConfig.Webhooks.CertManagement.SecretName = "grove-webhook-server-cert"`
`90`	`93`	`}`