Skip to content

feat(operator): persist CA certificate and key in secrets and reuse o…#2756

Open
Rucha0901 wants to merge 1 commit into
kubearmor:mainfrom
Rucha0901:feature/persist-ca-in-secret
Open

feat(operator): persist CA certificate and key in secrets and reuse o…#2756
Rucha0901 wants to merge 1 commit into
kubearmor:mainfrom
Rucha0901:feature/persist-ca-in-secret

Conversation

@Rucha0901

Copy link
Copy Markdown
Contributor

Purpose of PR?:

Fixes #2755

Does this PR introduce a breaking change?
No

If the changes in this PR are manually verified, list down the scenarios covered::

  • Verified that pkg/KubeArmorOperator cross-compiles cleanly with GOOS=linux go build ./....
  • Implemented and verified the logic to extract existing CA certificate and CA private key from the kubearmor-controller-webhook-server-cert secret.

Additional information for reviewer? :
N/A

Checklist:

  • Bug fix. Fixes feat(operator): persist CA certificate/key in secrets and reuse on rotation #2755
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests (DCO signed off commit)
  • Commit has integration tests

@vee1e

vee1e commented Jul 10, 2026

Copy link
Copy Markdown

@Rucha0901 a few things here

  • please remove the unpinned image digests in favour of the pinned ones. this reduces the security of the dockerfile and is unrelated to the linked issue.
  • you say the commit has unit tests but there aren't any _test.go files. add them, plesae don't put incorrect information in the PR description
  • there's a stale TODO comment, Keep CA certificate in k8s secret which is the purpose of this entire PR. the comment should be removed, otherwise it reads as unfinished work.
  • The 5-return-value pattern in GeneratePki (repeating four empty bytes.NewBuffer([]byte{}) per error branch) was already awkward before this PR and gets worse with a 5th value. This isn't a blocker, but a small helper (e.g. a zero-value struct or named error return) would clean it up if touched again.
  • the Secrets().Get error handling doesn't distinguish "not found" from transient errors. Every other Get in this file uses IsNotfound(err) to tell "secret doesn't exist yet" apart from "API server hiccuped". This could result in new CA's being minted when not necessary (e.g during transient errors).

others can feel free to chime in, just giving my thoughts here.

@Rucha0901

Copy link
Copy Markdown
Contributor Author

Hello @vee1e ,I am so sorry for this inconvenience. Give me some time I will fix all things.
Thank you!!

@Rucha0901

Copy link
Copy Markdown
Contributor Author

@vee1e , As you asked I did the changes.
thank you!!

…n rotation

- Implemented CA certificate and key persistence in Kubernetes secrets to ensure stability on rotation.

- Refactored PKI generation logic to support named return values.

- Differentiated between transient and not-found secret retrieval errors to prevent unnecessary CA regenerations.

- Added comprehensive unit tests in tls_test.go.

Signed-off-by: Rucha0901 <imt_2025071@iiitm.ac.in>
@Rucha0901 Rucha0901 force-pushed the feature/persist-ca-in-secret branch from 4577732 to 5c77461 Compare July 10, 2026 19:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(operator): persist CA certificate/key in secrets and reuse on rotation

2 participants