fix: fixed tilt tests and janitor issuer

Author: KaivalyaMDabhadkar

distros/kubernetes/nvsentinel/charts/janitor/templates/issuer.yaml

@@ -0,0 +1,24 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Values.webhook.certIssuer }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "janitor.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+

distros/kubernetes/nvsentinel/charts/janitor/values.yaml

@@ -224,8 +224,8 @@ webhook:
   # Directory containing webhook TLS certs
   certDir: "/tmp/k8s-webhook-server/serving-certs"
   # Cert-manager issuer to use for webhook certificate
-  # This issuer must exist in the same namespace
-  certIssuer: "selfsigned-ca-issuer"
+  # Janitor creates its own self-signed issuer
+  certIssuer: "janitor-selfsigned-issuer"
 
 # Metrics Configuration
 metrics:

distros/kubernetes/nvsentinel/charts/mongodb-store/templates/jobs.yaml

@@ -389,5 +389,5 @@ spec:
       {{- with $jobTolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+{{- end }}
       restartPolicy: OnFailure

distros/kubernetes/nvsentinel/charts/mongodb-store/values.yaml

@@ -29,8 +29,8 @@ mongodb-store:
   # IMPORTANT: These flags control which chart dependencies are loaded.
   # Both must be set correctly to avoid loading unnecessary charts.
 
-  useBitnami: false
-  usePerconaOperator: true
+  useBitnami: true
+  usePerconaOperator: false
 
   # Common Job configuration (applies to both Bitnami and Percona)
   # If not set, falls back to mongodb.jobTolerations and mongodb.nodeSelector for backward compatibility

distros/kubernetes/nvsentinel/values-tilt.yaml

@@ -71,6 +71,83 @@ global:
     enabled: true
 
 mongodb-store:
+  useBitnami: true
+  usePerconaOperator: false
+  
+  job:
+    nodeSelector:
+      node-role.kubernetes.io/control-plane: ""
+    tolerations:
+      - operator: Exists
+  
+  psmdb-operator:
+    nodeSelector:
+      node-role.kubernetes.io/control-plane: ""
+    tolerations:
+      - operator: Exists
+
+  psmdb-db:
+    nameOverride: mongodb
+    fullnameOverride: mongodb
+    replsets:
+      rs0:
+        name: rs0
+        size: 3
+        configuration: |
+          setParameter:
+            authenticationMechanisms: "MONGODB-X509,SCRAM-SHA-256,SCRAM-SHA-1"
+        replsetOverrides:
+          mongodb-rs0-0:
+            priority: 3
+          mongodb-rs0-1:
+            priority: 1
+          mongodb-rs0-2:
+            priority: 1
+        volumeSpec:
+          pvc:
+            resources:
+              requests:
+                storage: "1Gi"
+        nodeSelector:
+          node-role.kubernetes.io/control-plane: ""
+        tolerations:
+          - operator: Exists
+        podDisruptionBudget:
+          maxUnavailable: 1
+    
+    sharding:
+      enabled: false
+      
+    logcollector:
+      enabled: false
+    
+    tls:
+      mode: requireTLS
+
+    secrets:
+      keyFile: mongodb-keyfile
+      encryptionKey: mongodb-encryption-key
+    
+    backup:
+      enabled: false
+      storages: {}
+      tasks: []
+      volumeMounts: []
+    
+    finalizers: []
+
+  psmdb:
+    helperImages:
+      kubectl:
+        repository: docker.io/lachlanevenson/k8s-kubectl
+        tag: "v1.25.4"
+        pullPolicy: IfNotPresent
+      mongosh:
+        repository: ghcr.io/rtsp/docker-mongosh
+        tag: "2.5.2"
+        pullPolicy: IfNotPresent
+  
+  # Bitnami configuration
   mongodb:
     replicaCount: 1
     nodeSelector:
@@ -165,6 +242,10 @@ health-events-analyzer:
             kubernetes.io/metadata.name: kube-system
         topologyKey: kubernetes.io/hostname
 
+janitor:
+  webhook:
+    certIssuer: "janitor-selfsigned-issuer"
+
 labeler:
   logLevel: debug
   # Test kata label override with the annotation present on kata test nodes

tilt/Tiltfile

@@ -116,20 +116,70 @@ yaml = helm(
     namespace='nvsentinel',
     values=values_files,
 )
+
+local_resource(
+    'wait-for-cert-manager-crds',
+    cmd='''
+        echo "Waiting for cert-manager webhook to be ready..."
+        kubectl rollout status deployment/cert-manager-webhook -n cert-manager --timeout=300s
+        
+        echo "Verifying CRDs..."
+        kubectl wait --for=condition=established --timeout=60s crd/certificates.cert-manager.io crd/issuers.cert-manager.io
+        
+        echo "cert-manager is ready"
+    ''',
+    resource_deps=['cert-manager'],
+)
+
 k8s_yaml(yaml)
 
-k8s_resource(
-    new_name='cert-manager-resources',
-    objects=[
+tilt_values = read_yaml('../distros/kubernetes/nvsentinel/values-tilt.yaml')
+use_percona = tilt_values.get('mongodb-store', {}).get('usePerconaOperator', False)
+
+mongodb_dep = 'mongodb' if not use_percona else 'create-mongodb-database'
+cert_objects = [
+    'janitor-selfsigned-issuer:issuer',
+    'janitor-webhook-cert:certificate',
+]
+
+if use_percona:
+    cert_objects.append('mongo-app-client-cert:certificate')
+else:
+    cert_objects.extend([
         'mongo-root-ca:certificate',
         'mongo-ca-issuer:issuer', 
         'selfsigned-ca-issuer:issuer',
         'mongo-server-cert-0:certificate',
         'mongo-app-client-cert:certificate',
-        'mongo-dgxcops-client-cert:certificate',
-        'janitor-webhook-cert:certificate'
-    ],
-    resource_deps=['cert-manager'],
+    ])
+
+k8s_resource(
+    new_name='cert-manager-resources',
+    objects=cert_objects,
+    resource_deps=['wait-for-cert-manager-crds'],
+)
+
+local_resource(
+    'wait-for-janitor-cert',
+    cmd='kubectl wait --for=condition=Ready --timeout=300s certificate/janitor-webhook-cert -n nvsentinel',
+    resource_deps=['cert-manager-resources'],
+)
+
+k8s_resource(
+    'janitor',
+    resource_deps=['wait-for-janitor-cert'],
+)
+
+k8s_resource(
+    'create-mongodb-database',
+    resource_deps=['wait-for-cert-manager-crds', 'nvsentinel-psmdb-operator'] if use_percona else ['wait-for-cert-manager-crds'],
+)
+
+if not use_percona:
+    k8s_resource(
+        'mongodb-0',
+        new_name='mongodb',
+        resource_deps=['wait-for-cert-manager-crds'],
 )
 
 k8s_resource(
@@ -152,7 +202,7 @@ if not skip_kwok_nodes:
         new_name='kwok-fake-nodes',
         objects=kwok_all_node_names,
         resource_deps=['kwok', 'platform-connectors', 'fault-quarantine', 'fault-remediation', 
-            'labeler', 'node-drainer', 'mongodb', 'simple-health-client'
+            'labeler', 'node-drainer', mongodb_dep, 'simple-health-client'
         ], 
     )
 
@@ -178,22 +228,22 @@ k8s_resource(
 
 k8s_resource(
     'platform-connectors',
-    resource_deps=['mongodb']
+    resource_deps=[mongodb_dep]
 )
 
 k8s_resource(
     'fault-quarantine',
-    resource_deps=['mongodb']
+    resource_deps=[mongodb_dep]
 )
 
 k8s_resource(
     'node-drainer',
-    resource_deps=['mongodb']
+    resource_deps=[mongodb_dep]
 )
 
 k8s_resource(
     'fault-remediation',
-    resource_deps=['mongodb']
+    resource_deps=[mongodb_dep]
 )
 
 k8s_resource(