
Conversation

@rossigee

This feature allows users to specify existing certificates and keys instead of generating new ones, addressing enterprise security requirements and certificate lifecycle management needs.

Key changes:

  • Add PreGeneratedCertificatesSpec API with CertificateReference and KeyReference types
  • Support for CA, API Server, Kubelet Client, Front Proxy CA/Client, and Service Account certificates
  • Add PublicAPIServerAddress field for DNS-based cluster access
  • Implement PublicControlPlaneAddress() method for cluster-info ConfigMap
  • Add Bootstrap configuration for RBAC and initial manifests
  • Support for internal CA certificates via ConfigMap mounting
  • Extensive test coverage including unit tests and E2E scenarios
  • Update CRDs, samples, charts, and documentation
  • Add validation webhooks and mutual exclusivity checks

This implementation maintains backward compatibility while providing flexibility for certificate management in enterprise environments.

@netlify

netlify bot commented Aug 29, 2025

Deploy Preview for kamaji-documentation canceled.

Latest commit: 5754162
Latest deploy log: https://app.netlify.com/projects/kamaji-documentation/deploys/68e7019e246f3c0008f53b57

@prometherion
Member

This is absolutely massive and awesome, thanks Ross!

I'll need some time to review it properly, but this feature unlocks a stale feature request we have had for such a long time.

Member

@prometherion prometherion left a comment


It would be great to have the e2e green before planning to get this merged: that would help avoid introducing breaking changes.

Comment on lines +163 to +168
// If bootstrap RBAC is configured, use that instead of default kubeadm behavior
if tcp.Spec.Bootstrap != nil && tcp.Spec.Bootstrap.RBAC != nil && tcp.Spec.Bootstrap.RBAC.Enabled {
return r.createBootstrapRBAC(ctx, c, tcp)
}

// Fallback to original kubeadm behavior for backward compatibility
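Review bot: the guard `tcp.Spec.Bootstrap != nil && tcp.Spec.Bootstrap.RBAC != nil && tcp.Spec.Bootstrap.RBAC.Enabled` sends both a missing `Bootstrap` block and an explicit `Enabled: false` down the same kubeadm fallback path, so the comment "use that instead of default kubeadm behavior" and the doc string on the `Enabled` field should say plainly that `false` restores the kubeadm RBAC setup rather than skipping RBAC bootstrapping; if opting out of RBAC bootstrapping entirely is meant to be possible, the boolean cannot express that and the API needs a third state.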
Member


I like the idea of making the RBAC setup toggleable, but I would avoid having a separate function such as createBootstrapRBAC.

We should make Bootstrap and RBAC enabled by default, with the same defaults as Kubernetes, and try to reuse the underlying kubeadm library for DRY purposes and to avoid duplication of code.

@rossigee
Author

rossigee commented Sep 1, 2025

@prometherion - thanks for the feedback! I've also found some further issues since posting this, so it seems I was a bit premature. I'll put this in draft mode and deal with the remaining bugs, and your comments above first.

@rossigee rossigee marked this pull request as draft September 1, 2025 09:38
@bsctl
Member

bsctl commented Sep 2, 2025

@rossigee this is great! Thank you for contributing to Kamaji!

This commit adds support for pre-generated certificates and bootstrap
configuration to TenantControlPlane resources.

Key features:
- PreGeneratedCertificates: Allow specifying existing certificates instead of generating new ones
- Bootstrap: Configure initial RBAC setup and init manifests for clusters
- CertificateReference and KeyReference types for certificate management
- RBACBootstrapSpec for RBAC configuration during cluster creation
- BootstrapSpec for initial cluster setup including CNI, GitOps operators, etc.

Includes:
- API types and validation
- Certificate management logic
- Webhook defaults and validation
- Comprehensive test coverage
- Updated CRDs and documentation
@rossigee rossigee force-pushed the feature/pregenerated-certificates branch 2 times, most recently from d336a3c to 238c872 on October 8, 2025 23:44
Add import for cmp package and fix cmpt.Or to cmp.Or in
tenantcontrolplane_public_address.go to resolve compilation failure.

Update the test to expect 7 patches instead of 6 due to DataStoreUsername
defaulting being added. Also set DataStoreUsername in the 'fields already set'
test to prevent unwanted patches.
@rossigee rossigee force-pushed the feature/pregenerated-certificates branch from a277c8e to 5754162 on October 9, 2025 00:28
@rossigee
Author

rossigee commented Oct 9, 2025

FTR, I'm trying to break it up into more manageable chunks. Here's a related PR...

#986
