
[v1.38] Add labels and annotations to TLS secrets for discoverability#4508

Merged
rene-dekker merged 10 commits intotigera:release-v1.38from
rene-dekker:auto-pick-of-#4506-origin-release-v1.38
Mar 11, 2026

Conversation

@rene-dekker

Cherry-pick history

This allows filtering secrets by secret type and/or issuer. It allows us to quickly see the signer, expiry and other metadata using describe; it can really speed up troubleshooting certificate misconfigurations and other issues.

Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as annotations and add filtering labels (secret-type, signer) on TLS secrets produced by Secret() and CreateSelfSignedSecret().
Display the Degraded condition's message when running `kubectl get tigerastatus`, making it easier to see error details at a glance without needing to describe the resource.

This is now possible, which would be very helpful to our users:

$ kubectl get secrets -n tigera-operator -l operator.tigera.io/signer     -o custom-columns='NAME:.metadata.name,EXPIRY:.metadata.annotations.operator\.tigera\.io/cert-expiry,SIGNER:.metadata.annotations.operator\.tigera\.io/cert-signer'
NAME                                        EXPIRY                 SIGNER
calico-apiserver-certs                      2028-05-28T23:56:09Z   tigera-operator-signer
calico-kube-controllers-metrics-tls         2028-05-28T23:56:09Z   tigera-operator-signer
calico-node-prometheus-client-tls           2028-05-29T18:28:09Z   tigera-operator-signer
calico-node-prometheus-server-tls           2028-05-28T23:56:09Z   tigera-operator-signer
calico-node-prometheus-tls                  2028-05-29T18:28:09Z   tigera-operator-signer
deep-packet-inspection-tls                  2028-05-29T18:31:16Z   tigera-operator-signer
internal-manager-tls                        2028-05-30T22:13:17Z   tigera-operator-signer
intrusion-detection-tls                     2028-05-29T18:31:16Z   tigera-operator-signer
manager-tls                                 2028-05-30T22:13:17Z   tigera-operator-signer
node-certs                                  2028-05-28T23:56:08Z   tigera-operator-signer
policy-recommendation-tls                   2028-05-29T18:28:09Z   tigera-operator-signer
tigera-ca-private                           2126-01-30T23:56:06Z   tigera-operator-signer
tigera-ee-elasticsearch-metrics-tls         2028-05-30T22:17:24Z   tigera-operator-signer
tigera-fluentd-prometheus-tls               2028-05-29T18:28:10Z   tigera-operator-signer
tigera-secure-elasticsearch-cert            2028-05-30T22:17:24Z   tigera-operator-signer
tigera-secure-internal-elasticsearch-cert   2028-05-30T22:17:24Z   tigera-operator-signer
tigera-secure-kibana-cert                   2028-05-30T22:17:24Z   tigera-operator-signer
tigera-secure-linseed-cert                  2028-05-30T22:17:25Z   tigera-operator-signer
typha-certs                                 2028-05-28T23:56:08Z   tigera-operator-signer
typha-certs-noncluster-host                 2028-05-28T23:56:08Z   tigera-operator-signer

The output of TigeraStatus will now look like this:

$ k get tigerastatus
NAME                          AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
apiserver                     True        False         False      4m51s   All objects available
calico                        False       False         True       106s    Pod calico-system/calico-node-tjlnv failed to pull container image for: ebpf-bootstrap
intrusion-detection           False       False         True       11m     Error creating TLS certificate: secret tigera-operator/deep-packet-inspection-tls must specify ext key usages: ExtKeyUsageClientAuth, ExtKeyUsageServerAuth
ippools                       True        False         False      5m26s   All objects available
log-collector                 True        False         False      4m26s   All objects available
log-storage                   True        False         False      3h33m   All objects available
log-storage-access            False       False         True       11m     Pod tigera-elasticsearch/tigera-linseed-58745b7574-p6zmx has crash looping container: tigera-linseed
log-storage-dashboards        True        False         False      7m51s   All objects available
log-storage-elastic           True        False         False      91s     All objects available
log-storage-esmetrics         True        False         False      5m16s   All objects available
log-storage-kubecontrollers   True        False         False      6s      All objects available
log-storage-secrets           True        False         False      3h33m   All objects available
manager                       True        False         False      6s      All objects available; Warning: user provided certificate "manager-tls" expires in 21 days
monitor                       True        False         False      4m46s   All objects available
policy-recommendation         True        False         False      5m21s   All objects available
tiers                         True        False         False      5m21s   All objects available

rene-dekker and others added 7 commits March 9, 2026 14:32
Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as
annotations and add a signer label on TLS secrets produced by Secret()
and CreateSelfSignedSecret(). Use certificates.operator.tigera.io prefix
for all cert metadata. Exclude certificates.operator.tigera.io keys from
MergeMaps to prevent stale operator state from overwriting cluster state.
Add unit tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Display the Degraded condition's message when running
`kubectl get tigerastatus`, making it easier to see error
details at a glance without needing to describe the resource.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
KeyPairInterface now exposes a Warnings() method that returns a message
when a BYO certificate is expiring within 30 days. StatusManager gains
SetWarning/ClearWarning methods that append warning text to the
Available condition message in TigeraStatus.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Check Warnings() on all keypairs obtained during reconciliation
(typha, node, nodePrometheus, kubeController) and propagate them
to the status manager so they appear in `kubectl get tigerastatus`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Ensures warnings are cleared even when a keypair becomes nil
(e.g., Enterprise-only secrets on a Calico install), preventing
stale warnings from lingering in TigeraStatus.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add SetWarning/ClearWarning calls to 9 additional controllers (apiserver,
authentication, compliance, intrusiondetection, logcollector, manager,
monitor, packetcapture, policyrecommendation) and refactor status.go to
use availableMessage() consistently across all condition types. Fix
keypair_test.go warning message assertion to match implementation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…Managed

- Add CheckKeyPairWarnings() helper in certificatemanagement package to
  deduplicate the warning check loop across all controllers
- Add WarningReporter interface to avoid circular dependency with status pkg
- Extract isOperatorManaged() helper in MergeMaps to consolidate operator
  annotation filtering (covers all operator.tigera.io annotations)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
rene-dekker and others added 3 commits March 10, 2026 12:00
)

BYO certificate issuer CNs can contain characters invalid in Kubernetes
label values (spaces, commas, equals, etc.). Replace unsafe characters
with '-', trim non-alphanumeric leading/trailing chars, and truncate to
63 chars.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
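Both pieces described above, the signer label and certificate-metadata annotations from the PR description and the issuer-CN sanitization from this commit message, as one added Go example. This is illustration code, not the operator's own implementation: the label key `operator.tigera.io/signer` and the `cert-expiry`/`cert-signer` annotation keys are the ones used in the description's kubectl command, while the DNS-SAN and IP-SAN annotation keys, the function names and the constructed test certificate are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"regexp"
	"strings"
	"time"
)

// Label/annotation keys. The first three appear in the PR description's
// kubectl command; the SAN keys are assumed names for this example.
const (
	LabelSigner       = "operator.tigera.io/signer"
	AnnotCertExpiry   = "operator.tigera.io/cert-expiry"
	AnnotCertSigner   = "operator.tigera.io/cert-signer"
	AnnotCertDNSNames = "operator.tigera.io/cert-dns-names" // assumed
	AnnotCertIPs      = "operator.tigera.io/cert-ip-sans"   // assumed
)

// Anything outside the Kubernetes label-value alphabet ([A-Za-z0-9._-]).
var unsafeLabelChar = regexp.MustCompile(`[^A-Za-z0-9._-]`)

// SanitizeLabelValue makes a BYO issuer CN usable as a label value:
// each unsafe character becomes '-', the result is capped at 63 characters,
// and non-alphanumeric leading/trailing characters are trimmed. Truncating
// before the final trim guarantees the cut cannot leave a trailing '-'.
func SanitizeLabelValue(s string) string {
	s = unsafeLabelChar.ReplaceAllString(s, "-")
	if len(s) > 63 {
		s = s[:63]
	}
	return strings.TrimFunc(s, func(r rune) bool {
		isAlnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		return !isAlnum
	})
}

// CertMetadata derives the filtering label and the describe-friendly
// annotations (issuer, expiry, DNS SANs, IP SANs) from a parsed certificate.
func CertMetadata(cert *x509.Certificate) (labels, annotations map[string]string) {
	ips := make([]string, 0, len(cert.IPAddresses))
	for _, ip := range cert.IPAddresses {
		ips = append(ips, ip.String())
	}
	labels = map[string]string{
		LabelSigner: SanitizeLabelValue(cert.Issuer.CommonName),
	}
	annotations = map[string]string{
		AnnotCertExpiry:   cert.NotAfter.UTC().Format(time.RFC3339),
		AnnotCertSigner:   cert.Issuer.CommonName, // annotations may hold the raw CN
		AnnotCertDNSNames: strings.Join(cert.DNSNames, ","),
		AnnotCertIPs:      strings.Join(ips, ","),
	}
	return labels, annotations
}

// newSelfSignedCert builds a constructed test certificate (issuer == subject)
// so the issuer CN can carry characters that are invalid in a label value.
func newSelfSignedCert(cn string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-24 * time.Hour),
		NotAfter:     notAfter,
		DNSNames:     []string{"manager.tigera-manager.svc", "localhost"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newSelfSignedCert("Example Corp Intermediate CA, O=Example",
		time.Date(2028, 5, 28, 23, 56, 9, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	labels, annotations := CertMetadata(cert)
	fmt.Println("labels:", labels)
	fmt.Println("annotations:", annotations)
}
```

With these maps applied to a Secret's metadata, the `-l operator.tigera.io/signer` selector and the custom-columns query from the PR description work unchanged; the raw CN stays readable in the annotation while the label carries the sanitized form.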
* Fix flaky certificatemanager test and upload CI logs

Compare certificate PEM bytes instead of full KeyPair objects in equality
assertions. reflect.DeepEqual on *rsa.PrivateKey is non-deterministic
because internal big.Int representation can differ after deserialization.

Also tee UT/FV output to log files and upload them as Semaphore artifacts.

* Update generated files
@rene-dekker force-pushed the auto-pick-of-#4506-origin-release-v1.38 branch from 83bd145 to bb600ce on March 10, 2026 22:59
@rene-dekker merged commit dd8e285 into tigera:release-v1.38 on Mar 11, 2026
2 checks passed
@rene-dekker deleted the auto-pick-of-#4506-origin-release-v1.38 branch on March 11, 2026 17:50