feat: add pregenerated certificates support with comprehensive testing#928
feat: add pregenerated certificates support with comprehensive testing#928rossigee wants to merge 4 commits intoclastix:masterfrom
Conversation
✅ Deploy Preview for kamaji-documentation canceled.
|
|
This is absolutely massive and awesome, thanks Ross! I'll need some time to review it property but this feature unlocks a stale feature request we had for so long time. |
prometherion
left a comment
prometherion
left a comment
There was a problem hiding this comment.
It would be great to have the e2e being green before planning this to get merged: that would be helpful for avoiding introducing breaking changes.
| // If bootstrap RBAC is configured, use that instead of default kubeadm behavior | ||
| if tcp.Spec.Bootstrap != nil && tcp.Spec.Bootstrap.RBAC != nil && tcp.Spec.Bootstrap.RBAC.Enabled { | ||
| return r.createBootstrapRBAC(ctx, c, tcp) | ||
| } | ||
|
|
||
| // Fallback to original kubeadm behavior for backward compatibility |
There was a problem hiding this comment.
I like the idea of making toggleable the RBAC setup, but I would avoid having a separate function such as createBootstrapRBAC.
We should make Bootstrap and RBAC enabled by default, with the same defaults as Kubernetes, and try to resuse the underlying kubeadm library for DRY purposes/duplication of code.
|
@prometherion - thanks for the feedback! I've also found some further issues since posting this, so it seems I was a bit premature. I'll put this in draft mode and deal with the remaining bugs, and your comments above first. |
|
@rossigee this is great! thank you for contributing to Kamaji! |
This commit adds support for pre-generated certificates and bootstrap configuration to TenantControlPlane resources. Key features: - PreGeneratedCertificates: Allow specifying existing certificates instead of generating new ones - Bootstrap: Configure initial RBAC setup and init manifests for clusters - CertificateReference and KeyReference types for certificate management - RBACBootstrapSpec for RBAC configuration during cluster creation - BootstrapSpec for initial cluster setup including CNI, GitOps operators, etc. Includes: - API types and validation - Certificate management logic - Webhook defaults and validation - Comprehensive test coverage - Updated CRDs and documentation
rossigee
force-pushed
the
feature/pregenerated-certificates
branch
2 times, most recently
from
d336a3c to
238c872
Compare
Add import for cmp package and fix cmpt.Or to cmp.Or in tenantcontrolplane_public_address.go to resolve compilation failure.
Update the test to expect 7 patches instead of 6 due to DataStoreUsername defaulting being added. Also set DataStoreUsername in the 'fields already set' test to prevent unwanted patches.
rossigee
force-pushed
the
feature/pregenerated-certificates
branch
from
a277c8e to
5754162
Compare
|
FTR, I'm trying to break it up into more manageable chunks. Here's a related PR... |
3 participants
This feature allows users to specify existing certificates and keys instead of generating new ones, addressing enterprise security requirements and certificate lifecycle management needs.
Key changes:
This implementation maintains backward compatibility while providing flexibility for certificate management in enterprise environments.