Skip to content

K8SPSMDB-1413: add ClusterIssuer support #2225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pooknull wants to merge 10 commits into
base: main
Choose a base branch
from
+3,350 −216
Open

K8SPSMDB-1413: add ClusterIssuer support #2225

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
a664f50
K8SPSMDB-1413: add `ClusterIssuer` support
pooknull Feb 2, 2026
264aa76
fix imports
pooknull Feb 3, 2026
9545d18
fix unit-tests
pooknull Feb 3, 2026
e4cebf1
fix e2e tests
pooknull Feb 3, 2026
fa6ebd1
fix unit-test
pooknull Feb 3, 2026
19b4a05
remove TODO comment
pooknull Feb 4, 2026
a04fdc2
improve `TestCreateIssuer` test
pooknull Feb 4, 2026
df206b3
fix typo in the test name
pooknull Feb 10, 2026
9927c1a
add `certificate_test.go`
pooknull Feb 10, 2026
9afc535
revert cr.yaml
pooknull Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25423,8 +25423,6 @@ spec:
type: string
name:
type: string
required:
- name
type: object
mode:
type: string
Expand Down
5 changes: 3 additions & 2 deletions deploy/bundle.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26310,8 +26310,6 @@ spec:
type: string
name:
type: string
required:
- name
type: object
mode:
type: string
Expand Down Expand Up @@ -26635,6 +26633,7 @@ rules:
- cert-manager.io
resources:
- issuers
- clusterissuers
- certificates
- certificaterequests
verbs:
Expand Down Expand Up @@ -26741,3 +26740,5 @@ spec:
value: "false"
- name: MAX_CONCURRENT_RECONCILES
value: "1"
- name: CERTMANAGER_NAMESPACE
value: "cert-manager"
2 changes: 0 additions & 2 deletions deploy/crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26310,8 +26310,6 @@ spec:
type: string
name:
type: string
required:
- name
type: object
mode:
type: string
Expand Down
3 changes: 1 addition & 2 deletions deploy/cw-bundle.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26310,8 +26310,6 @@ spec:
type: string
name:
type: string
required:
- name
type: object
mode:
type: string
Expand Down Expand Up @@ -26662,6 +26660,7 @@ rules:
- cert-manager.io
resources:
- issuers
- clusterissuers
- certificates
- certificaterequests
verbs:
Expand Down
1 change: 1 addition & 0 deletions deploy/cw-rbac.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,7 @@ rules:
- cert-manager.io
resources:
- issuers
- clusterissuers
- certificates
- certificaterequests
verbs:
Expand Down
2 changes: 2 additions & 0 deletions deploy/operator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,3 +60,5 @@ spec:
value: "false"
- name: MAX_CONCURRENT_RECONCILES
value: "1"
- name: CERTMANAGER_NAMESPACE
value: "cert-manager"
1 change: 1 addition & 0 deletions deploy/rbac.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,7 @@ rules:
- cert-manager.io
resources:
- issuers
- clusterissuers
- certificates
- certificaterequests
verbs:
Expand Down
102 changes: 52 additions & 50 deletions e2e-tests/functions
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -563,56 +563,56 @@ deploy_operator_gh_release() {
}

deploy_minio() {
local cert_secret="$1"
local service_name="${2:-minio-service}"

desc "install MinIO: ${service_name}"

# Cleanup old installation
helm uninstall "${service_name}" 2>/dev/null || :
helm repo remove minio 2>/dev/null || :
helm repo add minio https://charts.min.io/

local endpoint="http://${service_name}:9000"
local minio_args=(
--version $MINIO_VER
--set replicas=1
--set mode=standalone
--set resources.requests.memory=256Mi
--set rootUser=rootuser
--set rootPassword=rootpass123
--set "users[0].accessKey=some-access-key"
--set "users[0].secretKey=some-secret-key"
--set "users[0].policy=consoleAdmin"
--set service.type=ClusterIP
--set configPathmc=/tmp/
--set securityContext.enabled=false
--set persistence.size=2G
--set fullnameOverride="${service_name}"
--set serviceAccount.create=true
--set serviceAccount.name="${service_name}-sa"
)

if [[ -n $cert_secret ]]; then
endpoint="https://${service_name}:9000"
minio_args+=(
--set tls.enabled=true
--set tls.certSecret="$cert_secret"
)
fi

retry 10 60 helm install "${service_name}" "${minio_args[@]}" minio/minio

local MINIO_POD=$(kubectl_bin get pods --selector=release="${service_name}" -o 'jsonpath={.items[].metadata.name}')
wait_pod $MINIO_POD

if [ -n "$OPERATOR_NS" ]; then
kubectl_bin create svc -n ${OPERATOR_NS} externalname "${service_name}" \
--external-name="${service_name}.${namespace}.svc.cluster.local" \
--tcp="9000" 2>/dev/null || :
fi

create_minio_bucket operator-testing $endpoint
local cert_secret="$1"
local service_name="${2:-minio-service}"

desc "install MinIO: ${service_name}"

# Cleanup old installation
helm uninstall "${service_name}" 2>/dev/null || :
helm repo remove minio 2>/dev/null || :
helm repo add minio https://charts.min.io/

local endpoint="http://${service_name}:9000"
local minio_args=(
--version $MINIO_VER
--set replicas=1
--set mode=standalone
--set resources.requests.memory=256Mi
--set rootUser=rootuser
--set rootPassword=rootpass123
--set "users[0].accessKey=some-access-key"
--set "users[0].secretKey=some-secret-key"
--set "users[0].policy=consoleAdmin"
--set service.type=ClusterIP
--set configPathmc=/tmp/
--set securityContext.enabled=false
--set persistence.size=2G
--set fullnameOverride="${service_name}"
--set serviceAccount.create=true
--set serviceAccount.name="${service_name}-sa"
)

if [[ -n $cert_secret ]]; then
endpoint="https://${service_name}:9000"
minio_args+=(
--set tls.enabled=true
--set tls.certSecret="$cert_secret"
)
fi

retry 10 60 helm install "${service_name}" "${minio_args[@]}" minio/minio

local MINIO_POD=$(kubectl_bin get pods --selector=release="${service_name}" -o 'jsonpath={.items[].metadata.name}')
wait_pod $MINIO_POD

if [ -n "$OPERATOR_NS" ]; then
kubectl_bin create svc -n ${OPERATOR_NS} externalname "${service_name}" \
--external-name="${service_name}.${namespace}.svc.cluster.local" \
--tcp="9000" 2>/dev/null || :
fi

create_minio_bucket operator-testing $endpoint
}

create_minio_bucket() {
Expand Down Expand Up @@ -1272,6 +1272,8 @@ run_pumba() {
deploy_cert_manager() {
desc 'deploy cert manager'

kubectl_bin -n cert-manager delete clusterissuer --all || :
kubectl_bin -n cert-manager delete certificate --all || :
kubectl_bin create namespace cert-manager || :
kubectl_bin label namespace cert-manager certmanager.k8s.io/disable-validation=true || :
kubectl_bin apply -f "https://github.com/cert-manager/cert-manager/releases/download/v${CERT_MANAGER_VER}/cert-manager.yaml" --validate=false || : 2>/dev/null
Expand Down
1 change: 1 addition & 0 deletions e2e-tests/run-distro.csv
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ replset-remapping-sharded
rs-shard-migration
scaling
split-horizon
tls-clusterissuer-cert-manager
tls-issue-cert-manager
upgrade
upgrade-sharded
Expand Down
1 change: 1 addition & 0 deletions e2e-tests/run-pr.csv
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ smart-update
split-horizon
stable-resource-version
storage
tls-clusterissuer-cert-manager
tls-issue-cert-manager
unsafe-psa
upgrade
Expand Down
1 change: 1 addition & 0 deletions e2e-tests/run-release.csv
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ smart-update
split-horizon
stable-resource-version
storage
tls-clusterissuer-cert-manager
tls-issue-cert-manager
unsafe-psa
upgrade
Expand Down
44 changes: 44 additions & 0 deletions e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-custom.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
annotations:
some-random-annotation: "true"
generation: 1
name: some-name-ssl
spec:
commonName: some-name
dnsNames:
- localhost
- some-name-rs0
- some-name-rs0.NAME_SPACE
- some-name-rs0.NAME_SPACE.svc.cluster.local
- '*.some-name-rs0'
- '*.some-name-rs0.NAME_SPACE'
- '*.some-name-rs0.NAME_SPACE.svc.cluster.local'
- some-name-rs0.NAME_SPACE.svc.clusterset.local
- '*.some-name-rs0.NAME_SPACE.svc.clusterset.local'
- '*.NAME_SPACE.svc.clusterset.local'
- some-name-mongos
- some-name-mongos.NAME_SPACE
- some-name-mongos.NAME_SPACE.svc.cluster.local
- '*.some-name-mongos'
- '*.some-name-mongos.NAME_SPACE'
- '*.some-name-mongos.NAME_SPACE.svc.cluster.local'
- some-name-cfg
- some-name-cfg.NAME_SPACE
- some-name-cfg.NAME_SPACE.svc.cluster.local
- '*.some-name-cfg'
- '*.some-name-cfg.NAME_SPACE'
- '*.some-name-cfg.NAME_SPACE.svc.cluster.local'
- some-name-mongos.NAME_SPACE.svc.clusterset.local
- '*.some-name-mongos.NAME_SPACE.svc.clusterset.local'
- some-name-cfg.NAME_SPACE.svc.clusterset.local
- '*.some-name-cfg.NAME_SPACE.svc.clusterset.local'
duration: 2160h0m0s
issuerRef:
kind: ClusterIssuer
name: some-name-psmdb-issuer
secretName: some-name-ssl
subject:
organizations:
- CUSTOM
44 changes: 44 additions & 0 deletions ...ests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-internal-custom.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
annotations:
some-random-annotation: "true"
generation: 1
name: some-name-ssl-internal
spec:
commonName: some-name
dnsNames:
- localhost
- some-name-rs0
- some-name-rs0.NAME_SPACE
- some-name-rs0.NAME_SPACE.svc.cluster.local
- '*.some-name-rs0'
- '*.some-name-rs0.NAME_SPACE'
- '*.some-name-rs0.NAME_SPACE.svc.cluster.local'
- some-name-rs0.NAME_SPACE.svc.clusterset.local
- '*.some-name-rs0.NAME_SPACE.svc.clusterset.local'
- '*.NAME_SPACE.svc.clusterset.local'
- some-name-mongos
- some-name-mongos.NAME_SPACE
- some-name-mongos.NAME_SPACE.svc.cluster.local
- '*.some-name-mongos'
- '*.some-name-mongos.NAME_SPACE'
- '*.some-name-mongos.NAME_SPACE.svc.cluster.local'
- some-name-cfg
- some-name-cfg.NAME_SPACE
- some-name-cfg.NAME_SPACE.svc.cluster.local
- '*.some-name-cfg'
- '*.some-name-cfg.NAME_SPACE'
- '*.some-name-cfg.NAME_SPACE.svc.cluster.local'
- some-name-mongos.NAME_SPACE.svc.clusterset.local
- '*.some-name-mongos.NAME_SPACE.svc.clusterset.local'
- some-name-cfg.NAME_SPACE.svc.clusterset.local
- '*.some-name-cfg.NAME_SPACE.svc.clusterset.local'
duration: 2160h0m0s
issuerRef:
kind: ClusterIssuer
name: some-name-psmdb-issuer
secretName: some-name-ssl-internal
subject:
organizations:
- CUSTOM
53 changes: 53 additions & 0 deletions e2e-tests/tls-clusterissuer-cert-manager/compare/certificate_some-name-ssl-internal.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
annotations: {}
generation: 1
labels:
app.kubernetes.io/instance: some-name
app.kubernetes.io/managed-by: percona-server-mongodb-operator
app.kubernetes.io/name: percona-server-mongodb
app.kubernetes.io/part-of: percona-server-mongodb
name: some-name-ssl-internal
ownerReferences:
- blockOwnerDeletion: true
controller: true
kind: PerconaServerMongoDB
name: some-name
spec:
commonName: some-name
dnsNames:
- localhost
- some-name-rs0
- some-name-rs0.NAME_SPACE
- some-name-rs0.NAME_SPACE.svc.cluster.local
- '*.some-name-rs0'
- '*.some-name-rs0.NAME_SPACE'
- '*.some-name-rs0.NAME_SPACE.svc.cluster.local'
- some-name-rs0.NAME_SPACE.svc.clusterset.local
- '*.some-name-rs0.NAME_SPACE.svc.clusterset.local'
- '*.NAME_SPACE.svc.clusterset.local'
- some-name-mongos
- some-name-mongos.NAME_SPACE
- some-name-mongos.NAME_SPACE.svc.cluster.local
- '*.some-name-mongos'
- '*.some-name-mongos.NAME_SPACE'
- '*.some-name-mongos.NAME_SPACE.svc.cluster.local'
- some-name-cfg
- some-name-cfg.NAME_SPACE
- some-name-cfg.NAME_SPACE.svc.cluster.local
- '*.some-name-cfg'
- '*.some-name-cfg.NAME_SPACE'
- '*.some-name-cfg.NAME_SPACE.svc.cluster.local'
- some-name-mongos.NAME_SPACE.svc.clusterset.local
- '*.some-name-mongos.NAME_SPACE.svc.clusterset.local'
- some-name-cfg.NAME_SPACE.svc.clusterset.local
- '*.some-name-cfg.NAME_SPACE.svc.clusterset.local'
duration: 2160h0m0s
issuerRef:
kind: ClusterIssuer
name: some-name-NAME_SPACE-psmdb-issuer
secretName: some-name-ssl-internal
subject:
organizations:
- PSMDB
Loading
Loading