Skip to content

Manage external cert #233

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kangclzjc wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Manage external cert #233

kangclzjc wants to merge 4 commits into from

Conversation

@kangclzjc
Copy link
Contributor

@kangclzjc kangclzjc commented Oct 24, 2025

What type of PR is this?

Currently we do the certificate generation ourselves. If they already have certificate in their system, we should manage external existing certificate by mounting them

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a API change?

Additional documentation e.g., enhancement proposals, usage docs, etc.:

@kangclzjc kangclzjc marked this pull request as draft October 24, 2025 09:00
@kangclzjc kangclzjc mentioned this pull request Oct 24, 2025
Closed
gflarity
gflarity reviewed Oct 27, 2025
View reviewed changes
operator/api/config/v1alpha1/types.go Outdated
// If set to false, you must provide your own certificates via Secret.
// Default: true
// +optional
AutoProvision *bool `json:"autoProvision,omitempty"`
Copy link
Contributor

@gflarity gflarity Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm... maybe just default to auto provision in the code if SecretName isn't set, then the user doesn't have to remember to disable and we don't need to track this variable.

Copy link
Contributor Author

@kangclzjc kangclzjc Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right. It seems that we can detect secretName or certFilesPath user want to mount to decide whether to auto provision

gflarity
gflarity requested changes Oct 29, 2025
View reviewed changes
Copy link
Contributor

@gflarity gflarity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed, let's simplify the logic by enabling automatic certs when the secretName isn't provided.

@kangclzjc kangclzjc marked this pull request as ready for review November 4, 2025 02:36
@kangclzjc
Copy link
Contributor Author

kangclzjc commented Nov 4, 2025

As discussed, let's simplify the logic by enabling automatic certs when the secretName isn't provided.
Currently, this ps will implement these feature:

  1. If enable certManagerEnabled, then certmanager should handle the certificate/secret creation process
  2. if certFilesPath is not empty, then we only mount the certfiles into grove operator pod
  3. if certManagerEnabled and certFilesPath are not provided, then we use the default auto provision logic which currently is cert controller

gflarity
gflarity reviewed Nov 5, 2025
View reviewed changes
gflarity
gflarity reviewed Nov 5, 2025
View reviewed changes
gflarity
gflarity reviewed Nov 5, 2025
View reviewed changes
@kangclzjc kangclzjc requested a review from gflarity November 12, 2025 06:19
gflarity
gflarity requested changes Nov 19, 2025
View reviewed changes
Copy link
Contributor

@gflarity gflarity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, left an example that I implemented a while ago (running in production for some time now). The only difference is we need to enable auto provision. Otherwise you can just follow this.

@kangclzjc
manage external cert
6eb2230 
Signed-off-by: kangclzjc <[email protected]>
@kangclzjc
customize ca
4c83e1b 
Signed-off-by: kangclzjc <[email protected]>
@kangclzjc kangclzjc requested a review from gflarity November 26, 2025 08:47
@kangclzjc
refactor
b00bb4c 
Signed-off-by: kangclzjc <[email protected]>
@kangclzjc
add pcs webhook
d86efc2 
Signed-off-by: kangclzjc <[email protected]>
@gflarity
Copy link
Contributor

gflarity commented Dec 1, 2025

Sorry for the delay, planning to review this today.

gflarity
gflarity requested changes Dec 1, 2025
View reviewed changes
Copy link
Contributor

@gflarity gflarity left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @kangclzjc, gave it a quick review today. Looks good, I'll do a slower review tomorrow morning first thing. In the mean time:

One thing we'll need is a simple E2E test to verifying everything works using cert manager. Please take a look at the current E2E tests, all it really needs to do is install cert manager, then update the helm values to use it. If you start a simple grove deployment successfully, it means the webhooks are still working with this change.

There is code in the cluster setup utilities for installing a helm chart (cert manager). You should be able to reuse some of that logic to install cert manager for this specific test. Please let me know if you have any questions.

@kangclzjc
Copy link
Contributor Author

kangclzjc commented Dec 2, 2025

Thanks @kangclzjc, gave it a quick review today. Looks good, I'll do a slower review tomorrow morning first thing. In the mean time:

One thing we'll need is a simple E2E test to verifying everything works using cert manager. Please take a look at the current E2E tests, all it really needs to do is install cert manager, then update the helm values to use it. If you stat a simple grove deployment successfully, it means the webhooks are still working with this change.

There code in the cluster setup utilities for installing a helm chart (cert manager). You should be able to reuse some of that logic to install cert manager for this specific test. Please let me know if you have any questions.

Thanks @gflarity , let me check the E2E test first. And then do a simple E2E test to verifying everything works using cert manager.

gflarity
gflarity requested changes Dec 2, 2025
View reviewed changes
Copy link
Contributor

@gflarity gflarity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple small things, otherwise looks good. Just need the E2E test(s).

docs/api-reference/operator-api.md
Comment on lines +901 to +902
| `secretName` _string_ | SecretName is the name of the Kubernetes Secret containing webhook certificates.<br />The Secret must contain tls.crt, tls.key, and ca.crt. | | |
| `autoProvision` _boolean_ | AutoProvision enables automatic certificate generation and management via cert-controller.<br />When true: cert-controller automatically generates self-signed certificates and stores them in the Secret.<br />When false: certificates are expected to be provided externally (e.g., by cert-manager, cluster admin).<br />Default: true (auto-generate certificates for easy setup) | | |
Copy link
Contributor

@gflarity gflarity Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a default column, let's fill it in.

Suggested change
| `secretName` _string_ | SecretName is the name of the Kubernetes Secret containing webhook certificates.<br />The Secret must contain tls.crt, tls.key, and ca.crt. | | |
| `autoProvision` _boolean_ | AutoProvision enables automatic certificate generation and management via cert-controller.<br />When true: cert-controller automatically generates self-signed certificates and stores them in the Secret.<br />When false: certificates are expected to be provided externally (e.g., by cert-manager, cluster admin).<br />Default: true (auto-generate certificates for easy setup) | | |
| `secretName` _string_ | SecretName is the name of the Kubernetes Secret containing webhook certificates.<br />The Secret must contain tls.crt, tls.key, and ca.crt. | grove-webhook-server-cert | |
| `autoProvision` _boolean_ | AutoProvision enables automatic certificate generation and management via cert-controller.<br />When true: cert-controller automatically generates self-signed certificates and stores them in the Secret.<br />When false: certificates are expected to be provided externally (e.g., by cert-manager, cluster admin).| true | |

Copy link
Contributor Author

@kangclzjc kangclzjc Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK~

operator/charts/values.yaml
serverCertDir: /etc/grove-operator/webhook-certs
# secretName is the name of the Kubernetes Secret containing webhook certificates.
# The Secret must contain tls.crt, tls.key, and ca.crt.
# Default: ""
Copy link
Contributor

@gflarity gflarity Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Set this to "grove-webhook-server-cert" to match the default in the code? That way anyone reading the values knows where to look in Kubernetes.

Copy link
Contributor Author

@kangclzjc kangclzjc Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, no problem

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gflarity gflarity gflarity requested changes

@unmarshall unmarshall Awaiting requested review from unmarshall unmarshall is a code owner

@sanjaychatterjee sanjaychatterjee Awaiting requested review from sanjaychatterjee sanjaychatterjee is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kangclzjc @gflarity