Helm chart requires cert-manager even with createSelfSignedIssuer enabled #33

@bgruszka

Description

Problem

The Helm chart currently requires cert-manager to be installed even when webhook.certManager.createSelfSignedIssuer is set to true. This creates confusion for users who expect that enabling createSelfSignedIssuer would allow the chart to work without cert-manager.

Current Behavior

  1. Default values.yaml has:

    webhook:
      certManager:
        enabled: false
        createSelfSignedIssuer: true
  2. The templates/certificate.yaml template is wrapped with:

    {{- if .Values.webhook.certManager.enabled }}
  3. When deployed with defaults, the deployment fails with:

    MountVolume.SetUp failed for volume "webhook-certs" : secret "contextforge-webhook-certs" not found
    

Root Cause

  • The entire certificate generation logic (including self-signed issuer creation) is gated behind certManager.enabled
  • The selfSigned.validityDays value in values.yaml is never used in any template
  • There's no fallback mechanism to create certificates without cert-manager

Expected Behavior

When certManager.enabled: false but self-signed certificates are needed, the chart should:

  1. Generate self-signed certificates automatically (using a Kubernetes Job)
  2. Create the webhook-certs secret without requiring cert-manager
  3. Make the deployment succeed out-of-the-box

Proposed Solution

Add a Kubernetes Job template that:

  • Runs when certManager.enabled: false and selfSigned.enabled: true
  • Uses an initContainer approach with OpenSSL to generate certificates
  • Creates the contextforge-webhook-certs secret with proper SANs:
    • {name}-webhook.{namespace}.svc
    • {name}-webhook.{namespace}.svc.cluster.local
  • Uses the existing selfSigned.validityDays configuration
  • Includes proper RBAC for secret creation

This would allow users to:

  • Use cert-manager if they have it (preferred for production)
  • Use auto-generated self-signed certs for testing/development
  • Manually provide certificates if needed
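As an added example (not part of this issue and not code from the contextforge chart), the script below shows what the proposed Job's OpenSSL step would do: generate a key and a self-signed serving certificate carrying the two Service SANs listed above, honour a validity-in-days parameter in place of selfSigned.validityDays, and render the kubernetes.io/tls Secret that templates/deployment.yaml mounts as webhook-certs. The function names, the demo namespace contextforge-system and the file layout are assumptions; the {name}-webhook Service naming and the contextforge-webhook-certs Secret name are taken from the issue. It needs OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example, not the contextforge chart's own code: the OpenSSL step a
# cert-generation Job could run when certManager.enabled is false.
# Assumptions: the function names, the {name}-webhook Service naming taken
# from the issue, and the demo namespace "contextforge-system".
# Needs OpenSSL >= 1.1.1 (for -addext).
set -eu

# gen_webhook_cert NAME NAMESPACE DAYS OUTDIR
# Writes OUTDIR/tls.key and OUTDIR/tls.crt: a self-signed serving cert whose
# SANs are the Service DNS names the API server uses to reach the webhook.
gen_webhook_cert() {
  svc="$1-webhook.$2.svc"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
    -subj "/CN=$svc" \
    -addext "subjectAltName=DNS:$svc,DNS:$svc.cluster.local" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$4/tls.key" -out "$4/tls.crt" >/dev/null 2>&1
  chmod 600 "$4/tls.key"
}

# cert_has_san CERT DNSNAME -> exit 0 if DNSNAME is an exact SAN entry.
cert_has_san() {
  pat=$(printf '%s\n' "$2" | sed 's/[.]/\\./g')
  openssl x509 -in "$1" -noout -text | grep -qE "DNS:$pat(,|$)"
}

# cert_valid_for_days CERT DAYS -> exit 0 if CERT does not expire within DAYS.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# render_tls_secret SECRET NAMESPACE OUTDIR -> the Secret the Deployment mounts
# as "webhook-certs". Inside the Job this would be piped to `kubectl apply -f -`.
render_tls_secret() {
  crt=$(base64 < "$3/tls.crt" | tr -d '\n')
  key=$(base64 < "$3/tls.key" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/tls
data:
  tls.crt: $crt
  tls.key: $key
EOF
}

# ca_bundle OUTDIR -> base64 value for the webhook configuration's caBundle.
# With a self-signed cert the serving cert is its own CA.
ca_bundle() {
  base64 < "$1/tls.crt" | tr -d '\n'
}

# Demo run with constructed values (in the chart these would come from Helm).
OUT_DIR=$(mktemp -d)
gen_webhook_cert contextforge contextforge-system 365 "$OUT_DIR"
render_tls_secret contextforge-webhook-certs contextforge-system "$OUT_DIR" \
  > "$OUT_DIR/secret.yaml"
echo "generated $OUT_DIR/tls.crt, tls.key and secret.yaml"
```

Two things a Job built around this needs beyond the RBAC the issue mentions (a Role allowing get/create/patch on secrets, bound to the Job's ServiceAccount): it should run as a pre-install/pre-upgrade hook so the Secret exists before the Deployment tries to mount it, and it should skip generation when the Secret already exists, because a fresh certificate on every helm upgrade would leave the caBundle in templates/webhook.yaml pointing at the old one and the API server would reject the webhook's TLS. The same base64 value ca_bundle emits is what that caBundle field has to carry, since a self-signed serving certificate is only trusted if it is itself in the bundle.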

Testing Requirements

The implementation should include:

  1. Helm Chart Tests (new):

    • Test certificate secret creation with certManager.enabled: false
    • Test certificate secret creation with certManager.enabled: true
    • Validate certificate SANs and expiry
    • Test RBAC permissions for Job
  2. E2E Test Coverage:

    • Webhook functionality already tested by tests/e2e/keepalive_isolation_test.go
    • Ensure the webhook works with both cert-manager and self-signed certificates
    • Validate certificate rotation scenario (cert-manager only)
  3. Integration Testing:

    • Deploy with default values and verify webhook is functional
    • Test webhook certificate expiry handling
    • Verify proper cleanup of Job resources

Impact

This affects new users trying to deploy the chart with default values, as the deployment currently fails without cert-manager installed. This is a barrier to adoption for users wanting to quickly test the operator.

Related Files

  • deploy/helm/contextforge/values.yaml (lines 73-99)
  • deploy/helm/contextforge/templates/certificate.yaml
  • deploy/helm/contextforge/templates/deployment.yaml (lines 74-81)
  • deploy/helm/contextforge/templates/webhook.yaml
  • tests/e2e/keepalive_isolation_test.go (webhook functionality tests)
