
Using secret names and custom issuer with cert-manager#659

Merged
shivamerla merged 2 commits into NVIDIA:main from aryangorwade:secret-names-custom-issuer-cert-manager
Sep 16, 2025

Conversation

@aryangorwade
Collaborator

Implemented webhook signing configuration in a similar manner to DRA driver:

```yaml
admissionController:
  # Enable the admission controller.
  # Note: cert-manager must be installed beforehand, as it is required to generate the TLS certificates.
  enabled: true
  # TLS certificate configuration
  tls:
    # Certificate management mode: "cert-manager" or "secret"
    # - "cert-manager": Use cert-manager to automatically generate and manage certificates
    # - "secret": Use a user-provided secret containing tls.crt and tls.key
    mode: "secret"
    certManager:
      # Issuer type: "selfsigned", "clusterissuer", or "issuer"
      issuerType: "selfsigned"
      # Issuer name (required when issuerType is "clusterissuer" or "issuer")
      issuerName: ""
      # Additional DNS names for the certificate
      dnsNames: []
    secret:
      # Name of the secret containing tls.crt and tls.key
      name: ""
      # Base64-encoded CA certificate bundle for validating the webhook's TLS certificate
      # Required when using secret mode.
      # Note: Only include intermediate CA certificates, not root CA certificates
      caBundle:
```

This change introduces a new Helm chart value to supply a CA bundle (e.g., from ca.crt) directly into the ValidatingWebhookConfiguration when cert-manager is not used. The secret must be created with tls.key and tls.crt.
This allows clusters without automated CA injection to configure the webhook manually and ensure proper TLS verification.
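Before switching `admissionController.tls.mode` to `"secret"`, it is worth checking that the user-provided secret and `caBundle` will actually let the API server verify the webhook endpoint. The following Go program is an added example written for this review, not code from the k8s-nim-operator project: it constructs a throwaway root, intermediate and leaf certificate in memory (constructed test material), places only the intermediate in the base64 `caBundle` as the values file comment instructs, and then runs the checks a cluster operator would want: both `tls.crt` and `tls.key` present, key matching the certificate, and the certificate chaining to the bundle for the webhook service's DNS name. The service name `k8s-nim-operator-webhook.nim-operator.svc` is a hypothetical placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate signed by parent, or self-signed when parent is nil.
// isCA marks the certificate as a CA; dns is the SAN list for a leaf.
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func pemCert(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func pemKey(k *ecdsa.PrivateKey) []byte {
	der, _ := x509.MarshalECPrivateKey(k)
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}

// checkWebhookTLS mirrors what the API server will do with the caBundle placed in
// the ValidatingWebhookConfiguration: the bundle is the trust anchor set, and the
// webhook's tls.crt must chain to it for the service DNS name at time now.
func checkWebhookTLS(secret map[string][]byte, caBundleB64, serviceDNS string, now time.Time) error {
	crtPEM, ok1 := secret["tls.crt"]
	keyPEM, ok2 := secret["tls.key"]
	if !ok1 || !ok2 {
		return errors.New("secret must contain tls.crt and tls.key")
	}
	bundle, err := base64.StdEncoding.DecodeString(caBundleB64)
	if err != nil {
		return fmt.Errorf("caBundle is not valid base64: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return errors.New("caBundle contains no PEM certificates")
	}
	block, rest := pem.Decode(crtPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("tls.crt does not start with a PEM CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("tls.crt: %w", err)
	}
	intermediates := x509.NewCertPool()
	intermediates.AppendCertsFromPEM(rest) // extra certs in tls.crt are chain material
	kb, _ := pem.Decode(keyPEM)
	if kb == nil {
		return errors.New("tls.key is not PEM")
	}
	key, err := x509.ParseECPrivateKey(kb.Bytes)
	if err != nil {
		return fmt.Errorf("tls.key: %w", err)
	}
	if !key.PublicKey.Equal(leaf.PublicKey) {
		return errors.New("tls.key does not match tls.crt")
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: intermediates, DNSName: serviceDNS, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return fmt.Errorf("tls.crt does not verify against caBundle for %s: %w", serviceDNS, err)
	}
	return nil
}

// buildFixture constructs root -> intermediate -> leaf (constructed test data, not
// real cluster material) and returns the secret data plus a caBundle holding only
// the intermediate, as the values file comment instructs.
func buildFixture(serviceDNS string) (map[string][]byte, string) {
	root, rootKey := issue("constructed-root", nil, true, nil, nil)
	inter, interKey := issue("constructed-intermediate", nil, true, root, rootKey)
	leaf, leafKey := issue(serviceDNS, []string{serviceDNS}, false, inter, interKey)
	secret := map[string][]byte{"tls.crt": pemCert(leaf), "tls.key": pemKey(leafKey)}
	return secret, base64.StdEncoding.EncodeToString(pemCert(inter))
}

func main() {
	const svc = "k8s-nim-operator-webhook.nim-operator.svc" // hypothetical service name
	secret, caBundle := buildFixture(svc)
	fmt.Println("valid secret:   ", checkWebhookTLS(secret, caBundle, svc, time.Now()))
	fmt.Println("wrong DNS name: ", checkWebhookTLS(secret, caBundle, "other.svc", time.Now()))
	delete(secret, "tls.key")
	fmt.Println("missing tls.key:", checkWebhookTLS(secret, caBundle, svc, time.Now()))
}
```

Against a real cluster the same function can be fed the `data` of the secret named in `admissionController.tls.secret.name` and the `caBundle` string from the values file; a hostname mismatch, an expired certificate, or a bundle that does not contain the issuer all surface as a descriptive error before the webhook is ever registered.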

@copy-pr-bot

copy-pr-bot Bot commented Sep 9, 2025

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

Comment thread deployments/helm/k8s-nim-operator/values.yaml Outdated
@shivamerla
Collaborator

Thanks @aryangorwade this looks good to me.

shivamerla
shivamerla previously approved these changes Sep 9, 2025
@aryangorwade
Collaborator Author

@shivamerla should I set admissionController.enabled to true or false by default? Previously, when you approved, it was true.

@shivamerla
Collaborator

Since the release branch for 3.0 is cut, we can enable this by default and add a dependency on cert-manager with the next release.

@aryangorwade aryangorwade force-pushed the secret-names-custom-issuer-cert-manager branch from 6cc24bb to 3389e9e on September 9, 2025 21:34
@shivamerla shivamerla merged commit 338ee25 into NVIDIA:main Sep 16, 2025
9 checks passed
@aryangorwade aryangorwade deleted the secret-names-custom-issuer-cert-manager branch September 16, 2025 20:58