From 02abe124ef3eb2be1e7e05e3c4d7b4d5a91738ce Mon Sep 17 00:00:00 2001 From: Fabian Bao Date: Wed, 5 Nov 2025 22:13:32 +0800 Subject: [PATCH] Allow disabling cert-generator with a Helm value (#4186) Problem: Need to allow disabling cert-generator with a Helm value. Solution: Allow disabling cert-generator with a Helm value. Testing: Allow disabling cert-generator with a Helm value. --- charts/nginx-gateway-fabric/README.md | 3 ++- charts/nginx-gateway-fabric/templates/certs-job.yaml | 2 ++ charts/nginx-gateway-fabric/values.schema.json | 7 +++++++ charts/nginx-gateway-fabric/values.yaml | 2 ++ 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/charts/nginx-gateway-fabric/README.md b/charts/nginx-gateway-fabric/README.md index aebd8ff6f2..8720888830 100644 --- a/charts/nginx-gateway-fabric/README.md +++ b/charts/nginx-gateway-fabric/README.md 
@@ -195,10 +195,11 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri | Key | Description | Type | Default | |-----|-------------|------|---------| -| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[],"ttlSecondsAfterFinished":30}` | +| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"enable":true,"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[],"ttlSecondsAfterFinished":30}` | | `certGenerator.affinity` | The affinity of the cert-generator pod. | object | `{}` | | `certGenerator.agentTLSSecretName` | The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely communicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"agent-tls"` | | `certGenerator.annotations` | The annotations of the cert-generator Job. | object | `{}` | +| `certGenerator.enable` | Enable the cert-generator Job. If this is disabled, then cert-manager or some other method must be used to create the required Secrets. | bool | `true` | | `certGenerator.nodeSelector` | The nodeSelector of the cert-generator pod. | object | `{}` | | `certGenerator.overwrite` | Overwrite existing TLS Secrets on startup. | bool | `false` | | `certGenerator.serverTLSSecretName` | The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane to securely communicate with the NGINX Agent. 
Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"server-tls"` | diff --git a/charts/nginx-gateway-fabric/templates/certs-job.yaml b/charts/nginx-gateway-fabric/templates/certs-job.yaml index a403e5f92e..506487aa88 100644 --- a/charts/nginx-gateway-fabric/templates/certs-job.yaml +++ b/charts/nginx-gateway-fabric/templates/certs-job.yaml @@ -1,3 +1,4 @@ +{{- if .Values.certGenerator.enable }} apiVersion: v1 kind: ServiceAccount metadata: @@ -172,3 +173,4 @@ spec: {{- toYaml .Values.certGenerator.nodeSelector | nindent 8 }} {{- end }} ttlSecondsAfterFinished: {{ .Values.certGenerator.ttlSecondsAfterFinished }} +{{- end }} diff --git a/charts/nginx-gateway-fabric/values.schema.json b/charts/nginx-gateway-fabric/values.schema.json index 37879065d2..40ea333c06 100644 --- a/charts/nginx-gateway-fabric/values.schema.json +++ b/charts/nginx-gateway-fabric/values.schema.json @@ -23,6 +23,13 @@ "title": "annotations", "type": "object" }, + "enable": { + "default": true, + "description": "Enable the cert-generator Job. If this is disabled, then cert-manager or some other method must be used to create the required Secrets.", + "required": [], + "title": "enable", + "type": "boolean" + }, "nodeSelector": { "description": "The nodeSelector of the cert-generator pod.", "required": [], diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml index 1893a315da..7b637fa03b 100644 --- a/charts/nginx-gateway-fabric/values.yaml +++ b/charts/nginx-gateway-fabric/values.yaml @@ -672,6 +672,8 @@ nginx: # -- The certGenerator section contains the configuration for the cert-generator Job. certGenerator: + # -- Enable the cert-generator Job. If this is disabled, then cert-manager or some other method must be used to create the required Secrets. + enable: true # -- The annotations of the cert-generator Job. annotations: {}
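Review bot: The guard that opens at line 1 of certs-job.yaml and closes after `ttlSecondsAfterFinished` has no comment, and nothing in the visible hunks makes the chart warn or fail when `certGenerator.enable` is false and the TLS Secrets are missing. Lines 4–171 of the template are outside the hunks, so presumably the ServiceAccount, any RBAC objects and the Job are all skipped together; that is the right least-privilege outcome, but it should be stated in the file. I would add a template comment above the guard, `{{- /* Skipped entirely when certGenerator.enable is false; the Secrets named by serverTLSSecretName and agentTLSSecretName must then be provided externally. */ -}}`. It is also worth confirming that no other template references the cert-generator ServiceAccount or depends on the Job having run.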
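Review bot: The new `enable` description in values.yaml (repeated in the README table and values.schema.json) says "the required Secrets" without naming them or saying when they must exist. A clearer comment would be `# -- Enable the cert-generator Job. If disabled, the Secrets named by serverTLSSecretName and agentTLSSecretName must be created (for example by cert-manager) in the control plane namespace before install, and renewed by that same method.` It would also help to note that switching an existing release to `enable: false` probably leaves the previously generated Secrets in place, since the diff gives no sign that they are Helm-managed. An operator moving to cert-manager should check that the old self-signed material is actually replaced.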