Configured cert-manager/secret signing modes

aryangorwade · visheshtanksale · commit 6d20752c311a · 2025-10-17T19:47:08.000Z
Signed-off-by: Aryan &lt;gorwadearyan@gmail.com&gt;
diff --git a/deployments/helm/k8s-nim-operator/templates/admission-controller.yaml b/deployments/helm/k8s-nim-operator/templates/admission-controller.yaml
@@ -19,7 +19,9 @@ spec:
     app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 ---
-{{- if .Values.operator.admissionController.enabled }}
+{{ if and .Values.operator.admissionController.enabled (eq .Values.operator.admissionController.tls.mode "cert-manager") }}
+{{ $issuerType := default "selfsigned" .Values.operator.admissionController.tls.certManager.issuerType -}}
+{{ $issuerName := .Values.operator.admissionController.tls.certManager.issuerName -}}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -32,13 +34,16 @@ spec:
   dnsNames:
     - {{ include "k8s-nim-operator.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
     - {{ include "k8s-nim-operator.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+    {{- range .Values.operator.admissionController.tls.certManager.dnsNames }}
+    - {{ . }}
+    {{- end }}
   issuerRef:
-    kind: Issuer
-    name: {{ include "k8s-nim-operator.fullname" . }}-selfsigned-issuer
+    kind: {{- if eq (lower $issuerType) "clusterissuer" }} ClusterIssuer {{- else }} Issuer {{- end }}
+    name: {{- if eq (lower $issuerType) "selfsigned" }} {{ include "k8s-nim-operator.fullname" . }}-selfsigned-issuer {{- else }} {{ required "operator.admissionController.tls.certManager.issuerName is required when issuerType is 'issuer' or 'clusterissuer'" $issuerName }} {{- end }}
   secretName: {{ include "k8s-nim-operator.fullname" . }}-webhook-server-cert
 {{- end }}
 ---
-{{- if .Values.operator.admissionController.enabled }}
+{{ if and .Values.operator.admissionController.enabled (eq .Values.operator.admissionController.tls.mode "cert-manager") (eq (lower (default "selfsigned" .Values.operator.admissionController.tls.certManager.issuerType)) "selfsigned") }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -56,8 +61,10 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: {{ include "k8s-nim-operator.fullname" . }}-validating-webhook-configuration
+  {{- if eq .Values.operator.admissionController.tls.mode "cert-manager" }}
   annotations:
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "k8s-nim-operator.fullname" . }}-serving-cert
+  {{- end }}
   labels:
     app.kubernetes.io/name: k8s-nim-operator
     app.kubernetes.io/managed-by: helm
@@ -69,6 +76,9 @@ webhooks:
         name: {{ include "k8s-nim-operator.fullname" . }}-webhook-service
         namespace: {{ .Release.Namespace }}
         path: /validate-apps-nvidia-com-v1alpha1-nimcache
+      {{- if and (eq .Values.operator.admissionController.tls.mode "secret") (.Values.operator.admissionController.tls.secret.caBundle) }}
+      caBundle: {{ .Values.operator.admissionController.tls.secret.caBundle }}
+      {{- end }}
     failurePolicy: Fail
     rules:
       - apiGroups: ["apps.nvidia.com"]
@@ -83,6 +93,9 @@ webhooks:
         name: {{ include "k8s-nim-operator.fullname" . }}-webhook-service
         namespace: {{ .Release.Namespace }}
         path: /validate-apps-nvidia-com-v1alpha1-nimservice
+      {{- if and (eq .Values.operator.admissionController.tls.mode "secret") (.Values.operator.admissionController.tls.secret.caBundle) }}
+      caBundle: {{ .Values.operator.admissionController.tls.secret.caBundle }}
+      {{- end }}
     failurePolicy: Fail
     rules:
       - apiGroups: ["apps.nvidia.com"]
diff --git a/deployments/helm/k8s-nim-operator/templates/deployment.yaml b/deployments/helm/k8s-nim-operator/templates/deployment.yaml
@@ -79,7 +79,11 @@ spec:
       volumes:
         - name: cert
           secret:
+            {{- if eq .Values.operator.admissionController.tls.mode "cert-manager" }}
             secretName: {{ include "k8s-nim-operator.fullname" . }}-webhook-server-cert
+            {{- else }}
+            secretName: {{ required "operator.admissionController.tls.secret.name is required when tls.mode is 'secret'" .Values.operator.admissionController.tls.secret.name }}
+            {{- end }}
             defaultMode: 420
       {{- end }}
     {{- with .Values.operator.nodeSelector }}
@@ -93,4 +97,4 @@ spec:
     {{- with .Values.operator.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+    {{- end }}
diff --git a/deployments/helm/k8s-nim-operator/values.yaml b/deployments/helm/k8s-nim-operator/values.yaml
@@ -56,8 +56,26 @@ operator:
   admissionController:
     # Enable the admission controller. 
     # Note: cert-manager must be installed beforehand, as it is required to generate the TLS certificates.
-    enabled: false
-
+    enabled: true    # TLS certificate configuration
+    tls:
+      # Certificate management mode: "cert-manager" or "secret"
+      # - "cert-manager": Use cert-manager to automatically generate and manage certificates
+      # - "secret": Use a user-provided secret containing tls.crt and tls.key
+      mode: "cert-manager"
+      certManager:
+        # Issuer type: "selfsigned", "clusterissuer", or "issuer"
+        issuerType: "selfsigned"
+        # Issuer name (required when issuerType is "clusterissuer" or "issuer")
+        issuerName: ""
+        # Additional DNS names for the certificate
+        dnsNames: []
+      secret:
+        # Name of the secret containing tls.crt and tls.key
+        name: ""
+        # Base64-encoded CA certificate bundle for validating the webhook's TLS certificate (base64 encoded)
+        # Required when using secret mode.
+        # Note: Only include intermediate CA certificates, not root CA certificates
+        caBundle:
 metricsService:
   ports:
   - name: metrics
