Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request adds support for ClusterIssuer (cluster-scoped cert-manager issuers) in addition to the existing Issuer (namespace-scoped) support for TLS certificate management in the Percona Server MongoDB Operator.
Changes:
- Introduced new
IssuerConfReferencetype to replace the cert-managerObjectReferencedependency, allowing specification of issuer name, kind, and group - Modified cert-manager integration to create both Issuer and ClusterIssuer resources based on configuration
- Updated CA certificate placement to use cert-manager namespace when using ClusterIssuer (version >= 1.22.0)
- Added comprehensive E2E tests for ClusterIssuer functionality
- Updated RBAC permissions to include ClusterIssuer resources
- Added CERTMANAGER_NAMESPACE environment variable configuration
Reviewed changes
Copilot reviewed 46 out of 46 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/apis/psmdb/v1/psmdb_types.go | Defines new IssuerConfReference type with name, kind, and group fields |
| pkg/apis/psmdb/v1/psmdb_defaults.go | Sets default values for IssuerConf (kind=Issuer, group=cert-manager.io) |
| pkg/apis/psmdb/v1/zz_generated.deepcopy.go | Auto-generated deepcopy methods for IssuerConfReference |
| pkg/psmdb/tls/certmanager.go | Core logic for creating Issuer/ClusterIssuer resources, removed deprecated issuer cleanup |
| pkg/psmdb/tls/certificate.go | Certificate generation with namespace handling for ClusterIssuer CA certs |
| pkg/psmdb/tls/tls.go | Enhanced issuer detection to support ClusterIssuer kind |
| pkg/psmdb/tls/certmanager_test.go | Updated tests to use new IssuerConfReference type |
| pkg/controller/perconaservermongodb/ssl.go | Simplified certificate application logic, removed deprecated code |
| deploy/rbac.yaml, deploy/cw-rbac.yaml | Added ClusterIssuer permissions |
| deploy/operator.yaml | Added CERTMANAGER_NAMESPACE environment variable |
| deploy/crd.yaml, deploy/cw-bundle.yaml, deploy/bundle.yaml | Removed 'required' constraint on issuerConf.name field |
| deploy/cr.yaml | Example configuration with ClusterIssuer |
| e2e-tests/tls-clusterissue-cert-manager/* | New E2E test suite for ClusterIssuer functionality |
| e2e-tests/run-*.csv | Added new test to test suites |
| e2e-tests/functions | Added cleanup of ClusterIssuer/Certificate resources before cert-manager deployment |
| config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml | CRD update for issuerConf changes |
Comments suppressed due to low confidence (2)
pkg/psmdb/tls/tls.go:62
- When fetching a ClusterIssuer, the code uses types.NamespacedName with secret.Namespace. ClusterIssuers are cluster-scoped resources and don't have a namespace. The Get call should use types.NamespacedName{Name: issuerName} without specifying a Namespace for ClusterIssuer resources. This will cause the Get operation to fail for ClusterIssuer.
pkg/psmdb/tls/certmanager_test.go:93 - The unit tests do not cover the ClusterIssuer scenario at all. They only test regular Issuer functionality. Tests should be added for: 1) Creating a ClusterIssuer (verifying no namespace is set), 2) Creating certificates with ClusterIssuer references, 3) CA certificate creation in the cert-manager namespace when using ClusterIssuer, 4) Verifying the issuer names include namespace suffix when using ClusterIssuer.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
gkech
reviewed
Feb 4, 2026
Contributor
gkech
left a comment
gkech
left a comment
There was a problem hiding this comment.
leaving some initial comments while continuing the review
| fi | ||
| } | ||
|
|
||
| # TODO: The problem is about using ClusterIssuer. |
| return c.cr.Name + "-ca-cert" | ||
| } | ||
|
|
||
| func (c *caCert) Namespace() string { |
Contributor
There was a problem hiding this comment.
Let's have a unit test for this function. Mainly because the logic with the if-clause and the default behaviour have some interest.
| labels = nil | ||
| } | ||
|
|
||
| issuerKind := cm.IssuerKind |
Contributor
There was a problem hiding this comment.
let's have also a unit test for object. Since I guess we will have to create a pkg/psmdb/tls/certificate_test.go file
| func certManagerNamespace() string { | ||
| ns := os.Getenv("CERTMANAGER_NAMESPACE") | ||
| if ns == "" { | ||
| return "cert-manager" |
Contributor
There was a problem hiding this comment.
is this the namespace that is always the default for cert-manager when you dont specify it in its deployment? Because on our e2e test we have a command to create the namespace when deploying cert manager
kubectl_bin create namespace cert-manager || :
But i'm not sure if this should be our default one.
Contributor
There was a problem hiding this comment.
cert-manager docs use this namespace too:
- https://cert-manager.io/docs/installation/kubectl/
- https://cert-manager.io/docs/installation/helm/
- cert-manager's official cli cmctl also uses
cert-manageras default namespace: https://github.com/cert-manager/cmctl/blob/b57ea82800da4e655c1a54fdf8c0f3714746bdfe/pkg/install/helm/settings.go#L33
if we need a default, imo this is the proper one
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 46 out of 46 changed files in this pull request and generated 6 comments.
Comments suppressed due to low confidence (1)
pkg/psmdb/tls/certmanager_test.go:73
- Missing unit test coverage for ClusterIssuer functionality. The test file has been modified but no new tests have been added to cover the ClusterIssuer code path. Given that this PR adds support for ClusterIssuer (a major new feature), unit tests should be added to verify that ClusterIssuer objects are created correctly, have the correct namespace handling (empty namespace for cluster-scoped resources), and that issuer names are correctly namespaced.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
hors
requested review from
egegunes,
eleo007,
hors,
jvpasinatto,
mayankshah1607,
nmarukovich,
oksana-grishchenko and
valmiranogueira
as code owners
egegunes
requested changes
Feb 10, 2026
deploy/cr.yaml
Outdated
Comment on lines
31
to
33
| issuerConf: | ||
| name: special-selfsigned-issuer | ||
| kind: ClusterIssuer |
e2e-tests/run-distro.csv
Outdated
| rs-shard-migration | ||
| scaling | ||
| split-horizon | ||
| tls-clusterissue-cert-manager |
Contributor
There was a problem hiding this comment.
please fix the typo in the name
| func certManagerNamespace() string { | ||
| ns := os.Getenv("CERTMANAGER_NAMESPACE") | ||
| if ns == "" { | ||
| return "cert-manager" |
Contributor
There was a problem hiding this comment.
cert-manager docs use this namespace too:
- https://cert-manager.io/docs/installation/kubectl/
- https://cert-manager.io/docs/installation/helm/
- cert-manager's official cli cmctl also uses
cert-manageras default namespace: https://github.com/cert-manager/cmctl/blob/b57ea82800da4e655c1a54fdf8c0f3714746bdfe/pkg/install/helm/settings.go#L33
if we need a default, imo this is the proper one
pooknull
force-pushed
the
K8SPSMDB-1413
branch
from
c104a49 to
9927c1a
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 46 out of 46 changed files in this pull request and generated 6 comments.
Comments suppressed due to low confidence (2)
pkg/psmdb/tls/tls.go:62
- When the secret was issued by a ClusterIssuer, this Get call uses
secret.Namespace, but ClusterIssuer is cluster-scoped and must be fetched with an empty namespace. As written, the lookup will always fail (NotFound), causing the secret to be treated as user-created even when it isn’t.
pkg/psmdb/tls/tls.go:71 isCertManagerSecretCreatedByUserdetermines operator-ownership by checking whether the Issuer/ClusterIssuer is controlled by the CR. For ClusterIssuer this will never be true (cluster-scoped resources can’t be owned by a namespaced CR), so cert-manager-managed secrets will be misclassified as user-created and the operator may stop reconciling TLS/internal TLS secrets. Consider instead checking whether the referencedCertificate(viacert-manager.io/certificate-nameannotation) is controlled by the CR.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Collaborator
commit: 9afc535 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Due to the high volume of requests, we're unable to provide free service for this account. To continue using the service, please upgarde to a paid plan.
https://perconadev.atlassian.net/browse/K8SPSMDB-1413
DESCRIPTION
Problem:
The operator fails to deploy the cluster when
ClusterIssueris specified in.spec.tls.issuerConf.kind.Cause:
The operator does not support
ClusterIssuer. It only works withIssuer.Solution:
To add support for
ClusterIssuer, the operator must know the namespace in whichcert-manageris deployed. This is usually thecert-managernamespace, but it must be explicitly provided via theCERTMANAGER_NAMESPACEenv var inoperator.yaml.The CA certificate must be created in this namespace, because other
ClusterIssuerresources expect the CA secret to exist in thecert-managernamespace.If a user wants to use an existing
ClusterIssuer, they should set.spec.tls.issuerConf.kind: ClusterIssuer. When the operator creates resources in thecert-managernamespace, it must not set owner references, as cross-namespace owner references are forbidden in Kubernetes.CHECKLIST
Jira
Needs Doc) and QA (Needs QA)?Tests
compare/*-oc.yml)?Config/Logging/Testability