[kube-prometheus-stack] Fix operator tls handling when admission webhooks are disabled #6602

Open
firasmosbehi wants to merge 1 commit into prometheus-community:main from firasmosbehi:fix/kps-operator-tls-without-webhook-6586

@firasmosbehi
Contributor

Summary

  • fix Prometheus Operator TLS rendering when prometheusOperator.admissionWebhooks.enabled=false
  • compute effective operator TLS as enabled only when a certificate source exists:
    • admission webhooks enabled, or
    • cert-manager admission certs enabled, or
    • prometheusOperator.tls.secretName explicitly set
  • avoid mounting the generated *-admission secret when it is not created
  • switch operator Service, ServiceMonitor, and operator network policies to the same effective TLS mode
  • add prometheusOperator.tls.secretName to values for users who want TLS without admission webhooks
  • add regression unit tests for deployment/service/servicemonitor behavior and bump chart version to 81.5.1

Closes #6586.

Testing

  • helm unittest --strict --file 'unittests/**/*.yaml' charts/kube-prometheus-stack
  • helm lint charts/kube-prometheus-stack
  • GITHUB_SHA=$(git rev-parse HEAD) ct lint --config .github/linters/ct.yaml --charts charts/kube-prometheus-stack

Signed-off-by: Firas Mosbehi <firas.mosbehi@insat.ucar.tn>
templates:
- prometheus-operator/deployment.yaml
tests:
- it: falls back to http when admission webhooks are disabled and no tls secret is provided
Member

If prometheusOperator.tls.enabled is set to true, I expect that the operator is configured with tls. Automatic behavior feels dangerous here.
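
Added example, not part of the pull request or the chart: a Python model of the two behaviours discussed in this thread, the automatic "effective TLS" mode from the summary and a fail-closed alternative that refuses to render. The class, field and function names are hypothetical, the `cert_manager_enabled` flag stands in for the chart's cert-manager admission certs setting, and requiring `prometheusOperator.tls.enabled` in the automatic mode is an assumed reading of the summary.

```python
from dataclasses import dataclass


@dataclass
class OperatorValues:
    """Hypothetical stand-in for the relevant chart values."""
    tls_enabled: bool = True            # prometheusOperator.tls.enabled
    webhooks_enabled: bool = True       # prometheusOperator.admissionWebhooks.enabled
    cert_manager_enabled: bool = False  # cert-manager admission certs (assumed flag)
    tls_secret_name: str = ""           # prometheusOperator.tls.secretName


def has_cert_source(v: OperatorValues) -> bool:
    # The three certificate sources listed in the PR summary.
    return v.webhooks_enabled or v.cert_manager_enabled or bool(v.tls_secret_name)


def effective_tls(v: OperatorValues) -> bool:
    # Automatic mode: TLS is rendered only if requested AND a cert source exists.
    return v.tls_enabled and has_cert_source(v)


def silent_downgrade(v: OperatorValues) -> bool:
    # True when the user asked for TLS but the rendered manifests would use HTTP.
    return v.tls_enabled and not effective_tls(v)


def strict_tls(v: OperatorValues) -> bool:
    # Fail-closed alternative: an unsatisfiable TLS request is a render error.
    if v.tls_enabled and not has_cert_source(v):
        raise ValueError("prometheusOperator.tls.enabled=true but no "
                         "certificate source is configured")
    return v.tls_enabled


def audit(v: OperatorValues) -> str:
    # Summarise what each policy would do for one set of values.
    try:
        strict = "https" if strict_tls(v) else "http"
    except ValueError:
        strict = "render error"
    auto = "https" if effective_tls(v) else "http"
    flag = " (silent downgrade)" if silent_downgrade(v) else ""
    return f"automatic={auto}{flag}; strict={strict}"


if __name__ == "__main__":
    # Constructed sample values: webhooks off, with and without an explicit secret.
    print(audit(OperatorValues(webhooks_enabled=False)))
    print(audit(OperatorValues(webhooks_enabled=False, tls_secret_name="operator-tls")))
```
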

Development

Successfully merging this pull request may close these issues.

[kube-prometheus-stack] Helm chart won't install with admission webhook disabled