Problem
Currently, the operator always creates cert-manager Certificate resources that obtain certificates through a configured ClusterIssuer. While users can work around this by using a CA-based ClusterIssuer with a pre-provisioned CA certificate, there's no way to directly reference an existing TLS secret for a NebariApp.
This limitation affects environments that:
- Use pre-provisioned certificates from external sources
- Cannot run cert-manager at all
- Need to use certificates provisioned outside the cluster
- Have certificates managed by external tooling/processes
- Require certificate rotation to happen outside Kubernetes
Proposed Solution
Add an optional field to RoutingTLSConfig that allows referencing an existing Kubernetes TLS secret instead of creating a cert-manager Certificate:
apiVersion: reconcilers.nebari.dev/v1
kind: NebariApp
metadata:
name: myapp
spec:
hostname: myapp.example.com
service:
name: myapp-service
port: 8080
routing:
tls:
enabled: true
existingSecret: my-custom-tls-cert # New optional field
Implementation Considerations
-
Behavior when existingSecret is set:
- Skip cert-manager Certificate creation
- Still create the per-app Gateway HTTPS listener
- Reference the specified secret in the Gateway listener's
certificateRefs
- Validate that the secret exists and is of type
kubernetes.io/tls
-
Secret namespace:
- The secret must be in the Gateway namespace (
envoy-gateway-system)
- Document requirement for users to create/maintain the secret in correct namespace
- Consider adding validation to check secret existence
-
Mutual exclusivity:
existingSecret and ClusterIssuer-based certificate creation are mutually exclusive
- When
existingSecret is set, ignore TLS_CLUSTER_ISSUER_NAME
-
Status conditions:
- Adjust
TLSReady condition logic to check secret existence instead of Certificate readiness
- Consider adding events/warnings if secret is missing or invalid
Benefits
- Simplifies deployment in environments without ACME access
- Supports certificate management workflows external to the cluster
- Maintains backward compatibility (existing behavior when omitted)
- Still leverages Gateway API for routing (only certificate source changes)
Related Discussion
This enhancement was discussed in the context of air-gapped and restricted environments where DNS configuration and ACME providers are not accessible.
Problem
Currently, the operator always creates cert-manager Certificate resources that obtain certificates through a configured ClusterIssuer. While users can work around this by using a CA-based ClusterIssuer with a pre-provisioned CA certificate, there's no way to directly reference an existing TLS secret for a NebariApp.
This limitation affects environments that:
Proposed Solution
Add an optional field to
RoutingTLSConfigthat allows referencing an existing Kubernetes TLS secret instead of creating a cert-manager Certificate:Implementation Considerations
Behavior when
existingSecretis set:certificateRefskubernetes.io/tlsSecret namespace:
envoy-gateway-system)Mutual exclusivity:
existingSecretand ClusterIssuer-based certificate creation are mutually exclusiveexistingSecretis set, ignoreTLS_CLUSTER_ISSUER_NAMEStatus conditions:
TLSReadycondition logic to check secret existence instead of Certificate readinessBenefits
Related Discussion
This enhancement was discussed in the context of air-gapped and restricted environments where DNS configuration and ACME providers are not accessible.