28 changes: 25 additions & 3 deletions python/src/mas/cli/install/app.py
Expand Up @@ -37,6 +37,7 @@
from .catalogs import supportedCatalogs

from mas.cli.validators import (
ClusterIssuerValidator,
InstanceIDFormatValidator,
WorkspaceIDFormatValidator,
WorkspaceNameFormatValidator,
Expand All @@ -51,7 +52,8 @@
createNamespace,
getStorageClasses,
getClusterVersion,
isClusterVersionInRange
isClusterVersionInRange,
getClusterIssuers
)
from mas.devops.mas import (
getCurrentCatalog,
Expand Down Expand Up @@ -562,7 +564,6 @@ def configDNSAndCerts(self):
"Unless you see an error during the ocp-verify stage indicating that the secret can not be determined you do not need to set this and can leave the response empty"
])
self.promptForString("Cluster ingress certificate secret name", "ocp_ingress_tls_secret_name", default="")

self.printH1("Configure Domain & Certificate Management")
configureDomainAndCertMgmt = self.yesOrNo('Configure domain & certificate management')
if configureDomainAndCertMgmt:
Expand Down Expand Up @@ -602,13 +603,34 @@ def configDNSAndCerts(self):
# Use MAS default self-signed cluster issuer with the default domain
self.setParam("dns_provider", "")
self.setParam("mas_domain", "")
self.setParam("mas_cluster_issuer", "")
self.manualCerts = self.yesOrNo("Configure manual certificates")
self.setParam("mas_manual_cert_mgmt", self.manualCerts)
if self.getParam("mas_manual_cert_mgmt"):
self.manualCertsDir = self.promptForDir("Enter the path containing the manual certificates", mustExist=True)
else:
self.manualCertsDir = None
else:
# Configuring domain
if self.yesOrNo('Configure custom domain'):
self.promptForString("MAS top-level domain", "mas_domain")
else:
self.setParam("mas_domain", "")

# Configuring DNS
if self.yesOrNo("Do you want MAS to set up its own (self-signed) cluster issuer?"):
self.setParam("mas_cluster_issuer", "")
else:
self.printDescription([
"Select the ClusterIssuer to use from the list below:",
])
clusterIssuers = getClusterIssuers(self.dynamicClient)
if clusterIssuers is not None and len(clusterIssuers) > 0:
for clusterIssuer in clusterIssuers:
print_formatted_text(HTML(f"<LightSlateGrey> - {clusterIssuer.metadata.name}</LightSlateGrey>"))
self.params['mas_cluster_issuer'] = prompt(HTML('<Yellow>MAS Cluster Issuer</Yellow> '), validator=ClusterIssuerValidator(), validate_while_typing=False)
else:
print_formatted_text(HTML("<Red>No ClusterIssuers found on this cluster. MAS will use self-signed certificates.</Red>"))
self.setParam("mas_cluster_issuer", "")

@logMethodCall
def configDNSAndCertsCloudflare(self):
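Review bot: The prompt at `validator=ClusterIssuerValidator()` checks the entered name through a client that the validator builds itself from the local kubeconfig (see validators.py in this change), while the list shown to the user comes from `getClusterIssuers(self.dynamicClient)`; if `self.dynamicClient` was not created from the current kubeconfig context, the name is validated against a different cluster than the one being installed to. Passing the existing client through, `validator=ClusterIssuerValidator(self.dynamicClient)` with a matching optional constructor argument, keeps listing and validation on one connection. The same line writes `self.params['mas_cluster_issuer']` directly where the rest of the block uses `self.setParam(...)`, and the `# Configuring DNS` comment above it would read better as `# Configuring cluster issuer`. configDNSAndCerts begins outside the hunk.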
17 changes: 16 additions & 1 deletion python/src/mas/cli/validators.py
Expand Up @@ -19,7 +19,7 @@

from prompt_toolkit.validation import Validator, ValidationError

from mas.devops.ocp import getStorageClass
from mas.devops.ocp import getStorageClass, getClusterIssuer
from mas.devops.mas import verifyMasInstance
from mas.devops.aiservice import verifyAiServiceInstance, verifyAiServiceTenantInstance

Expand Down Expand Up @@ -238,3 +238,18 @@ def validate(self, document):

if not match(r"^.{1,4}$", bucketPrefix):
raise ValidationError(message='Bucket prefix does not meet the requirement', cursor_position=len(bucketPrefix))


class ClusterIssuerValidator(Validator):
def validate(self, document):
"""
Validate that a ClusterIssuer exists on the target cluster
"""
name = document.text

dynClient = dynamic.DynamicClient(
api_client.ApiClient(configuration=config.load_kube_config())
)

if getClusterIssuer(dynClient, name) is None:
raise ValidationError(message='Specified cluster issuer is not available on this cluster', cursor_position=len(name))
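Review bot: `validate` lets any failure from `config.load_kube_config()` or the `getClusterIssuer` lookup escape as a raw exception, so a missing kubeconfig or an unreachable API server would abort the prompt instead of showing a validation message; only the `None` result is turned into a `ValidationError`. Whether `getClusterIssuer` already swallows API errors is not visible here, so the guard below may only be needed around the client construction. As far as I know `load_kube_config()` returns `None` and configures the default client settings as a side effect, so `configuration=` receives `None` here; that works but is worth a short comment. `dynamic`, `api_client` and `config` are not imported in the visible hunk and are presumably imported further up the file.

```python
        try:
            # … unchanged: dynClient = dynamic.DynamicClient(...) …
            issuer = getClusterIssuer(dynClient, name)
        except Exception as e:
            # Report kubeconfig/API failures in the prompt instead of aborting the installer
            raise ValidationError(message=f'Unable to query cluster issuers: {e}', cursor_position=len(name))

        if issuer is None:
            # … unchanged: raise ValidationError for a missing issuer …
```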