
Set CA_SIGNER_NAME env var on Voltron for certificate management #4672

Merged
rene-dekker merged 4 commits into tigera:master from rene-dekker:EV-6547
Apr 10, 2026


@rene-dekker

Summary

  • When CertificateManagement is enabled in the InstallationSpec, pass the SignerName to the Voltron container via a new CA_SIGNER_NAME env var.
  • This allows Voltron's JWT authenticator to identify the correct CA issuer public key when a custom operator signer name is configured.
  • Companion to tigera/calico-private#11471.

Test plan

  • make build passes
  • Unit test updated and passing: "should render all resources for certificate management" now verifies CA_SIGNER_NAME on the Voltron container

🤖 Generated with Claude Code

…enabled

Passes the InstallationSpec CertificateManagement SignerName to the Voltron
container so it can identify the correct CA issuer public key, supporting
custom operator signer names (calico-private#11471).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
rene-dekker and others added 2 commits April 10, 2026 14:37
All Voltron env vars use the VOLTRON_ prefix to match envconfig processing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Expose CACertCommonName() on the CertificateManager interface to provide
the parsed CN from the CA certificate. This is the actual value Voltron
needs to match against cert.Subject.CommonName in the trust bundle.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@rene-dekker rene-dekker merged commit 33bdc31 into tigera:master Apr 10, 2026
6 checks passed
@rene-dekker rene-dekker deleted the EV-6547 branch April 10, 2026 22:57
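
The commit messages above describe selecting the CA issuer public key by matching a configured common name against `cert.Subject.CommonName` in the trust bundle. The following is an added example of that lookup, not code from the operator or from Voltron; `issuerKeyByCN` and `newCA` are hypothetical helpers, the certificates are constructed sample data, and failing closed on an empty, missing or duplicated CN is this example's own choice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issuerKeyByCN (hypothetical) returns the public key of the one bundle entry
// whose Subject.CommonName equals cn; empty, absent or ambiguous CNs are errors.
func issuerKeyByCN(bundle []byte, cn string) (any, error) {
	var match *x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse bundle entry: %w", err)
		}
		if cn != "" && cert.Subject.CommonName == cn {
			if match != nil {
				return nil, fmt.Errorf("CN %q matches more than one certificate", cn)
			}
			match = cert
		}
	}
	if match == nil {
		return nil, fmt.Errorf("no certificate with CN %q in bundle", cn)
	}
	return match.PublicKey, nil
}

// newCA builds a self-signed CA with the given CN (constructed sample data).
func newCA(cn string) ([]byte, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), pub
}

func main() {
	bundle, _ := newCA("signer-a")
	fmt.Println(issuerKeyByCN(bundle, "signer-b")) // no match: nil key and an error
}
```

A CN is not unique by construction, so a bundle that contains two certificates with the same CN is rejected here instead of letting the first match decide which key verifies tokens.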