Netcracker · DmitriiRabenok · Jan 8, 2026 · Dec 12, 2025
diff --git a/charts/site-manager/templates/crd-sitemanager.yaml b/charts/site-manager/templates/crd-sitemanager.yaml
@@ -6,14 +6,6 @@ metadata:
   annotations:
     helm.sh/resource-policy: keep
     controller-gen.kubebuilder.io/version: v0.18.0
-  {{- if .Values.tls.generateCerts.enabled }}
-    {{- if eq .Values.tls.generateCerts.executor "cert-manager" }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/site-manager-tls-certificate
-    {{- else if eq .Values.tls.generateCerts.executor "openshift" }}
-    service.alpha.openshift.io/inject-cabundle: "true" # for openshift 3.X
-    service.beta.openshift.io/inject-cabundle: "true"  # for openshift 4.X
-    {{- end }}
-  {{- end }}
   name: sitemanagers.qubership.org
 spec:
   group: qubership.org
@@ -125,7 +117,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: site-manager-qubership-validating-webhook-configuration
-  {{- if .Values.tls.generateCerts.enabled }}
+  {{- if not .Values.tls.ca }}
   annotations:
     {{- if eq .Values.tls.generateCerts.executor "cert-manager" }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/site-manager-tls-certificate

diff --git a/charts/site-manager/templates/legacy-crd-sitemanager.yaml b/charts/site-manager/templates/legacy-crd-sitemanager.yaml
@@ -5,7 +5,7 @@ metadata:
   name: {{ printf "%ss" (lower .Values.env.SM_KIND) }}.{{ .Values.env.SM_GROUP }}
   annotations:
     helm.sh/resource-policy: keep
-  {{- if .Values.tls.generateCerts.enabled }}
+  {{- if not .Values.tls.ca }}
     {{- if eq .Values.tls.generateCerts.executor "cert-manager" }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/site-manager-tls-certificate
     {{- else if eq .Values.tls.generateCerts.executor "openshift" }}
@@ -277,7 +277,7 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: "site-manager-crd-validating-webhook-configuration"
-  {{- if .Values.tls.generateCerts.enabled }}
+  {{- if not .Values.tls.ca }}
   annotations:
     {{- if eq .Values.tls.generateCerts.executor "cert-manager" }}
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/site-manager-tls-certificate

diff --git a/charts/site-manager/templates/service.yaml b/charts/site-manager/templates/service.yaml
@@ -7,7 +7,7 @@ metadata:
   labels:
     app: site-manager
   annotations:
-    {{- if and .Values.tls.generateCerts.enabled ( eq .Values.tls.generateCerts.executor "openshift" ) }}
+    {{- if and (not .Values.tls.ca) ( eq .Values.tls.generateCerts.executor "openshift" ) }}
     service.alpha.openshift.io/serving-cert-secret-name: "sm-certs" # for openshift 3.X
     service.beta.openshift.io/serving-cert-secret-name: "sm-certs"  # for openshift 4.X
     {{- end }}

diff --git a/charts/site-manager/templates/tls-certificate.yaml b/charts/site-manager/templates/tls-certificate.yaml
@@ -1,4 +1,5 @@
-{{- if and .Values.tls.generateCerts.enabled ( eq .Values.tls.generateCerts.executor "cert-manager" ) }}
+{{- $cert_manager_used := and (not (and .Values.tls.crt .Values.tls.key)) (eq .Values.tls.generateCerts.executor "cert-manager") }}
+{{- if $cert_manager_used }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

diff --git a/charts/site-manager/templates/tls-issuer.yaml b/charts/site-manager/templates/tls-issuer.yaml
@@ -1,4 +1,5 @@
-{{- if and ( and .Values.tls.generateCerts.enabled ( eq .Values.tls.generateCerts.executor "cert-manager" ) ) (not .Values.tls.generateCerts.clusterIssuerName) }}
+{{- $cert_manager_used := and (not (and .Values.tls.crt .Values.tls.key)) (eq .Values.tls.generateCerts.executor "cert-manager") }}
+{{- if and $cert_manager_used (not .Values.tls.generateCerts.clusterIssuerName) }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:

diff --git a/charts/site-manager/values.yaml b/charts/site-manager/values.yaml
@@ -78,13 +78,17 @@ requests:
 affinity: {}
 
 tls:
+  # This enables/disables HTTPS only for main site-manager endpoint.
+  # NOTE: setting "enabled: false" does not affect webhooks, they still require TLS, so certs are ALWAYS required.
   enabled: true
+  # Below fields allow to provide custom crt/key/ca certificates.
+  # If you decide to use custom certificates, all three must be provided.
+  # Otherwise, certificates will be generated using cert-manager (or openshift if you customize executor).
   crt: ""
   key: ""
   ca: ""
   defaultIngressTls: false
   generateCerts:
-    enabled: false
     executor: cert-manager
     clusterIssuerName: ""
     duration: 365

diff --git a/documentation/public/installation.md b/documentation/public/installation.md
@@ -132,8 +132,7 @@ you can do one of following solutions:
 | tls.ca                                                         | CA tls certificate (content of `ca.crt` file after [prerequisites](#prerequisites) step 2). Required, if integration with cert-manager is disabled                       | ""                              |
 | tls.crt                                                        | SM public tls certificate (content of `site-manager-tls.crt` file after [prerequisites](#prerequisites) step 2). Required, if integration with cert-manager is disabled  | ""                              |
 | tls.key                                                        | SM private tls certificate (content of `site-manager-tls.key` file after [prerequisites](#prerequisites) step 2). Required, if integration with cert-manager is disabled | ""                              |
-| tls.generateCerts.enabled                                      | Enable/disable certificates generation using cert-manager or OpenShift services serving certificates mechanism.                                                          | false                           |
-| tls.generateCerts.executor                                     | Choose executor for certificates generation. Possible values: "cert-manager" and "openshift"                                                                             | cert-manager                    |
+| tls.generateCerts.executor                                     | Choose executor for certificates generation. Certificate generation is enabled automatically if custom crt/key/ca are not provided. Possible values: "cert-manager" and "openshift"                                                                             | cert-manager                    |
 | tls.generateCerts.clusterIssuerName                            | In case of cert-manager integration, define the cluster name issuer if required (if empty, it is created by a self-signed issuer).                                       | ""                              |
 | tls.generateCerts.duration                                     | In case of cert-manager integration, define the duration (days) of created certificate using cert-manager.                                                               | 365                             |
 | tls.generateCerts.subjectAlternativeName.additionalDnsNames    | In case of cert-manager integration, additional trusted DNS names in the certificate.                                                                                    | []                              |