
2.29.0.0-b35

@shashwat-yb shashwat-yb tagged this 10 Oct 10:17
Summary:
- Define a CRD (YBCertificate) that encapsulates certificate management
- Manage CRUD operations for certificate configuration using a CR
- Ability to use custom TLS certificates
- Support Kubernetes and OpenShift environments.

Test Plan:
  - Create YBCertificate with valid secret -> Create YBUniverse referencing the certificate -> Verify universe creation succeeds with certificate UUID in logs

  - Create YBUniverse with non-existent rootCA name -> Verify ERROR_CREATING status is set via updateUniverseState() -> Confirm descriptive error logging

  - Create YBCertificate with invalid secret reference -> Reference certificate in YBUniverse -> Verify error handling and status updates

  - Update certificate content in Kubernetes secret -> Verify YBCertificate reconciliation (delete old, create new) -> Confirm YBUniverse continues to work with updated certificate

Validations for negative scenarios:

```
skhilar@dev-server-skhilar-new ~/code/test_operator % vi invalid-cert-type.yaml
skhilar@dev-server-skhilar-new ~/code/test_operator % kubectl apply -f invalid-cert-type.yaml
The YBCertificate "empty-cert-type-test" is invalid:
* spec.certType: Unsupported value: "": supported values: "SELF_SIGNED", "K8S_CERT_MANAGER"
* <nil>: Invalid value: "null": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation
skhilar@dev-server-skhilar-new ~/code/test_operator % vi empty-cert-type.yaml
skhilar@dev-server-skhilar-new ~/code/test_operator % kubectl apply -f empty-cert-type.yaml
The YBCertificate "empty-secret-name-test" is invalid: spec.certificateSecretRef.name: Invalid value: "string": name cannot be empty
skhilar@dev-server-skhilar-new ~/code/test_operator % vi empty-secret-name.yaml
skhilar@dev-server-skhilar-new ~/code/test_operator % kubectl apply -f empty-secret-name.yaml
The YBCertificate "missing-secret-name-test" is invalid:
* spec.certificateSecretRef.name: Required value
```

Reviewers: anabaria, anijhawan, vkumar

Reviewed By: anabaria

Subscribers: svc_phabricator, vkumar

Differential Revision: https://phorge.dev.yugabyte.com/D46349