Skip to content

Support custom/pre-provisioned TLS certificates via existingSecret reference #90

Description

@viniciusdc

Problem

Currently, the operator always creates cert-manager Certificate resources that obtain certificates through a configured ClusterIssuer. While users can work around this by using a CA-based ClusterIssuer with a pre-provisioned CA certificate, there's no way to directly reference an existing TLS secret for a NebariApp.

This limitation affects environments that:

  • Use pre-provisioned certificates from external sources
  • Cannot run cert-manager at all
  • Need to use certificates provisioned outside the cluster
  • Have certificates managed by external tooling/processes
  • Require certificate rotation to happen outside Kubernetes

Proposed Solution

Add an optional field to RoutingTLSConfig that allows referencing an existing Kubernetes TLS secret instead of creating a cert-manager Certificate:

apiVersion: reconcilers.nebari.dev/v1
kind: NebariApp
metadata:
  name: myapp
spec:
  hostname: myapp.example.com
  service:
    name: myapp-service
    port: 8080
  routing:
    tls:
      enabled: true
      existingSecret: my-custom-tls-cert  # New optional field

Implementation Considerations

  1. Behavior when existingSecret is set:

    • Skip cert-manager Certificate creation
    • Still create the per-app Gateway HTTPS listener
    • Reference the specified secret in the Gateway listener's certificateRefs
    • Validate that the secret exists and is of type kubernetes.io/tls
  2. Secret namespace:

    • The secret must be in the Gateway namespace (envoy-gateway-system)
    • Document requirement for users to create/maintain the secret in correct namespace
    • Consider adding validation to check secret existence
  3. Mutual exclusivity:

    • existingSecret and ClusterIssuer-based certificate creation are mutually exclusive
    • When existingSecret is set, ignore TLS_CLUSTER_ISSUER_NAME
  4. Status conditions:

    • Adjust TLSReady condition logic to check secret existence instead of Certificate readiness
    • Consider adding events/warnings if secret is missing or invalid

Benefits

  • Simplifies deployment in environments without ACME access
  • Supports certificate management workflows external to the cluster
  • Maintains backward compatibility (existing behavior when omitted)
  • Still leverages Gateway API for routing (only certificate source changes)

Related Discussion

This enhancement was discussed in the context of air-gapped and restricted environments where DNS configuration and ACME providers are not accessible.

Metadata

Metadata

Labels

No labels
No labels

Type

No type

Fields

Priority

High

Start date

None yet

Target date

None yet

Size

None yet

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions