6 changes: 3 additions & 3 deletions internal/controller/postgrescluster/instance.go
Expand Up @@ -1487,12 +1487,12 @@ func (r *Reconciler) reconcileInstanceCertificates(
rootCertificateAuth *pki.RootCertificateAuthority,
) (*corev1.Secret, error) {
if cluster.Spec.CustomTLSSecret == nil {
certManagerInstalled, err := r.isCertManagerInstalled(ctx, cluster.Namespace)
certManagerManaged, err := r.isRootCACertManagerManaged(ctx, cluster)
if err != nil {
return nil, errors.Wrap(err, "failed to check if cert-manager is installed")
return nil, errors.Wrap(err, "failed to check if cert-manager manages root CA")
}

if certManagerInstalled {
if certManagerManaged {
return r.reconcileCertManagerInstanceCertificates(ctx, cluster, spec, instance, rootCertificateAuth)
}
}
8 changes: 4 additions & 4 deletions internal/controller/postgrescluster/pgbackrest.go
Expand Up @@ -2227,16 +2227,16 @@ func (r *Reconciler) reconcilePGBackRestSecret(ctx context.Context,
// }

if err == nil && repoHost != nil {
certManagerInstalled := false
certManagerManaged := false
if cluster.Spec.CustomTLSSecret == nil {
var certErr error
certManagerInstalled, certErr = r.isCertManagerInstalled(ctx, cluster.Namespace)
certManagerManaged, certErr = r.isRootCACertManagerManaged(ctx, cluster)
if certErr != nil {
return errors.Wrap(certErr, "failed to check if cert-manager is installed")
return errors.Wrap(certErr, "failed to check if cert-manager manages root CA")
}
}

if certManagerInstalled {
if certManagerManaged {
err = r.reconcileCertManagerPGBackRestSecret(ctx, cluster, repoHost, rootCA, existing, intent)
} else {
err = pgbackrest.Secret(ctx, cluster, repoHost, rootCA, existing, intent)
6 changes: 3 additions & 3 deletions internal/controller/postgrescluster/pgbouncer.go
Expand Up @@ -223,12 +223,12 @@ func (r *Reconciler) reconcilePGBouncerSecret(

var frontendCertManagerSecret *corev1.Secret
if cluster.Spec.Proxy.PGBouncer.CustomTLSSecret == nil {
certManagerInstalled, certErr := r.isCertManagerInstalled(ctx, cluster.Namespace)
certManagerManaged, certErr := r.isRootCACertManagerManaged(ctx, cluster)
if certErr != nil {
return nil, errors.Wrap(certErr, "failed to check if cert-manager is installed")
return nil, errors.Wrap(certErr, "failed to check if cert-manager manages root CA")
}

if certManagerInstalled {
if certManagerManaged {
c := r.CertManagerCtrlFunc(r.Client, r.Scheme, false)

dnsNames, dnsErr := naming.ServiceDNSNames(ctx, service, cluster.Spec.ClusterServiceDNSSuffix)
24 changes: 21 additions & 3 deletions internal/controller/postgrescluster/pki.go
Expand Up @@ -231,12 +231,12 @@ func (r *Reconciler) reconcileClusterCertificate(
return cluster.Spec.CustomTLSSecret, nil
}

certManagerInstalled, err := r.isCertManagerInstalled(ctx, cluster.Namespace)
certManagerManaged, err := r.isRootCACertManagerManaged(ctx, cluster)
if err != nil {
return nil, errors.Wrap(err, "failed to check if cert-manager is installed")
return nil, errors.Wrap(err, "failed to check if cert-manager manages root CA")
}

if certManagerInstalled {
if certManagerManaged {
return r.reconcileCertManagerClusterCertificate(ctx, root, cluster, primaryService, replicaService)
}

Expand Down Expand Up @@ -361,6 +361,24 @@ func (r *Reconciler) reconcileCertManagerClusterCertificate(
}), nil
}

func (r *Reconciler) isRootCACertManagerManaged(ctx context.Context, cluster *v1beta1.PostgresCluster) (bool, error) {
installed, err := r.isCertManagerInstalled(ctx, cluster.Namespace)
if err != nil || !installed {
return false, err
}

rootSecret := &corev1.Secret{ObjectMeta: naming.PostgresRootCASecret(cluster)}
err = r.Client.Get(ctx, client.ObjectKeyFromObject(rootSecret), rootSecret)
Comment on lines +354 to +365
Contributor Author


this is fixed

if err != nil {
if k8serrors.IsNotFound(err) {
return true, nil
Contributor


should we really return true here?

Contributor Author


There's no pre-existing internally-managed secret to conflict with. Since cert-manager is available and no secret has been created yet, it's safe to let cert-manager create and manage the root CA from scratch. That's the idea.

Member


Should we also check the .spec.CustomRootCATLSSecret name? Note that in a previous step, reconcileRootCertificate uses it; I think we should too.

Contributor Author


}
return false, errors.WithStack(err)
}

return rootSecret.Annotations["cert-manager.io/certificate-name"] != "", nil
}

func (r *Reconciler) isCertManagerInstalled(ctx context.Context, ns string) (bool, error) {
if r.RestConfig == nil {
return false, nil
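Review bot: The new isRootCACertManagerManaged has no doc comment, and its contract is subtle enough to need one: it reports true only when cert-manager is reachable and the root CA Secret is either absent or carries the `cert-manager.io/certificate-name` annotation, so an internally generated root keeps the internal PKI path on upgrade. Suggest `// isRootCACertManagerManaged reports whether the root CA should be issued by cert-manager: cert-manager must be installed and the root CA Secret must be missing or annotated by cert-manager; an existing unannotated Secret keeps the internal PKI.` The comment should also say that the annotation is the sole discriminator, so the decision rests on a mutable metadata field rather than on the Secret's contents, which a reader changing this later needs to know. Separately, the early `return false, err` hands back the isCertManagerInstalled error bare while the Get error is wrapped with errors.WithStack, and the annotation key literal is repeated in pki_test.go, so a named constant shared by both would avoid drift. The isCertManagerInstalled body that starts at the end of the hunk continues outside it.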
143 changes: 143 additions & 0 deletions internal/controller/postgrescluster/pki_test.go
Expand Up @@ -17,7 +17,9 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/rest"
"sigs.k8s.io/controller-runtime/pkg/client"

"github.com/percona/percona-postgresql-operator/v2/internal/naming"
Expand Down Expand Up @@ -380,6 +382,147 @@ func TestReconcileCerts(t *testing.T) {
})
}

type mockCertManagerController struct{}

func (m *mockCertManagerController) Check(context.Context, *rest.Config, string) error { return nil }
func (m *mockCertManagerController) ApplyIssuer(context.Context, *v1beta1.PostgresCluster) error {
panic("unexpected call")
}
func (m *mockCertManagerController) ApplyCAIssuer(context.Context, *v1beta1.PostgresCluster) error {
panic("unexpected call")
}
func (m *mockCertManagerController) ApplyCACertificate(context.Context, *v1beta1.PostgresCluster) error {
panic("unexpected call")
}
func (m *mockCertManagerController) ApplyClusterCertificate(context.Context, *v1beta1.PostgresCluster, []string) error {
panic("unexpected call")
}
func (m *mockCertManagerController) ApplyInstanceCertificate(context.Context, *v1beta1.PostgresCluster, string, []string) error {
panic("unexpected call")
}
func (m *mockCertManagerController) ApplyPGBouncerCertificate(context.Context, *v1beta1.PostgresCluster, []string) error {
panic("unexpected call")
}
func (m *mockCertManagerController) ApplyPGBackRestClientCertificate(context.Context, *v1beta1.PostgresCluster) error {
panic("unexpected call")
}
func (m *mockCertManagerController) ApplyPGBackRestRepoCertificate(context.Context, *v1beta1.PostgresCluster, []string) error {
panic("unexpected call")
}

func mockCertManagerCtrlFunc(_ client.Client, _ *runtime.Scheme, _ bool) certmanager.Controller {
return &mockCertManagerController{}
}

func TestUpgradeCertManagerDoesNotTakeOverInternalPKI(t *testing.T) {
if strings.EqualFold(os.Getenv("USE_EXISTING_CLUSTER"), "true") {
t.Skip("USE_EXISTING_CLUSTER: Test fails due to garbage collection")
}

_, tClient := setupKubernetes(t)
require.ParallelCapacity(t, 1)
ctx := t.Context()
namespace := require.Namespace(t, tClient).Name

reconcilerWithoutCertManager := &Reconciler{
Client: tClient,
Owner: ControllerName,
CertManagerCtrlFunc: certmanager.NewController,
}

cluster := testCluster()
cluster.Name = "upgrade-test"
cluster.Namespace = namespace
assert.NilError(t, tClient.Create(ctx, cluster))

root, err := reconcilerWithoutCertManager.reconcileRootCertificate(ctx, cluster)
assert.NilError(t, err)

primaryService := &corev1.Service{ObjectMeta: metav1.ObjectMeta{
Namespace: namespace, Name: "upgrade-test-primary",
}}
replicaService := &corev1.Service{ObjectMeta: metav1.ObjectMeta{
Namespace: namespace, Name: "upgrade-test-replicas",
}}

_, err = reconcilerWithoutCertManager.reconcileClusterCertificate(ctx, root, cluster, primaryService, replicaService)
assert.NilError(t, err)

rootSecret := &corev1.Secret{}
assert.NilError(t, tClient.Get(ctx, types.NamespacedName{
Name: naming.PostgresRootCASecret(cluster).Name,
Namespace: namespace,
}, rootSecret))
assert.Equal(t, rootSecret.Annotations["cert-manager.io/certificate-name"], "")

clusterCertSecret := &corev1.Secret{}
assert.NilError(t, tClient.Get(ctx, types.NamespacedName{
Name: fmt.Sprintf(naming.ClusterCertSecret, cluster.Name),
Namespace: namespace,
}, clusterCertSecret))
originalCertData := clusterCertSecret.Data["tls.crt"]

reconcilerWithCertManager := &Reconciler{
Client: tClient,
Owner: ControllerName,
CertManagerCtrlFunc: mockCertManagerCtrlFunc,
RestConfig: &rest.Config{},
}

t.Run("isRootCACertManagerManaged returns false for internal PKI root", func(t *testing.T) {
managed, err := reconcilerWithCertManager.isRootCACertManagerManaged(ctx, cluster)
assert.NilError(t, err)
assert.Assert(t, !managed)
})

t.Run("reconcileClusterCertificate uses internal PKI after upgrade", func(t *testing.T) {
_, err := reconcilerWithCertManager.reconcileClusterCertificate(ctx, root, cluster, primaryService, replicaService)
assert.NilError(t, err)

updatedCertSecret := &corev1.Secret{}
assert.NilError(t, tClient.Get(ctx, types.NamespacedName{
Name: fmt.Sprintf(naming.ClusterCertSecret, cluster.Name),
Namespace: namespace,
}, updatedCertSecret))

assert.DeepEqual(t, originalCertData, updatedCertSecret.Data["tls.crt"])
})

t.Run("isRootCACertManagerManaged returns true for cert-manager root", func(t *testing.T) {
rootSecret.Annotations = map[string]string{
"cert-manager.io/certificate-name": "test-ca-cert",
}
assert.NilError(t, tClient.Update(ctx, rootSecret))

managed, err := reconcilerWithCertManager.isRootCACertManagerManaged(ctx, cluster)
assert.NilError(t, err)
assert.Assert(t, managed)
})

t.Run("isRootCACertManagerManaged returns true when no root CA exists", func(t *testing.T) {
freshCluster := testCluster()
freshCluster.Name = "fresh-cluster"
freshCluster.Namespace = namespace
assert.NilError(t, tClient.Create(ctx, freshCluster))

managed, err := reconcilerWithCertManager.isRootCACertManagerManaged(ctx, freshCluster)
assert.NilError(t, err)
assert.Assert(t, managed)
})

t.Run("isRootCACertManagerManaged returns false when cert-manager not installed", func(t *testing.T) {
rNoCertManager := &Reconciler{
Client: tClient,
Owner: ControllerName,
CertManagerCtrlFunc: certmanager.NewController,
}

managed, err := rNoCertManager.isRootCACertManagerManaged(ctx, cluster)
assert.NilError(t, err)
assert.Assert(t, !managed)
})
}

// getCertFromSecret returns a parsed certificate from the named secret
func getCertFromSecret(
ctx context.Context, tClient client.Client, name, namespace, dataKey string,
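Review bot: The subtests in TestUpgradeCertManagerDoesNotTakeOverInternalPKI share mutable state and depend on execution order: "returns true for cert-manager root" annotates the shared rootSecret through tClient.Update and never restores it, so the following "returns false when cert-manager not installed" subtest passes only because RestConfig is nil, not because the annotation is absent, and any later subtest expecting the internal-PKI path on this cluster would fail. Restoring the annotation in a cleanup keeps the subtests independent, e.g. `t.Cleanup(func() { rootSecret.Annotations = nil; assert.NilError(t, tClient.Update(ctx, rootSecret)) })` at the top of that subtest, or use a separate cluster for the annotated case. Also rootSecret was fetched before the second reconcileClusterCertificate call; if that call ever touches the root Secret the Update would conflict on a stale resourceVersion (presumably it does not today — worth a comment). The mock's Check returning nil unconditionally is what makes RestConfig the only "installed" switch here, which deserves a one-line comment on mockCertManagerController.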
6 changes: 4 additions & 2 deletions internal/testing/require/kubernetes.go
Expand Up @@ -118,8 +118,10 @@ func kubernetes3(t TestingT) (*envtest.Environment, client.Client) {
); assert.Check(t,
err == nil && len(pkgs) > 0 && pkgs[0].Module != nil, "got %v\n%#v", err, pkgs,
) {
snapshotter, err = filepath.Rel(root, pkgs[0].Module.Dir)
assert.NilError(t, err)
if pkgs[0].Module.Dir != "" {
snapshotter, err = filepath.Rel(root, pkgs[0].Module.Dir)
assert.NilError(t, err)
}
}

kubernetes.Lock()
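Review bot: The new `if pkgs[0].Module.Dir != ""` guard silently leaves snapshotter at whatever value it held before without saying why Module.Dir can be empty, so the next reader will not know whether this is a supported configuration or a swallowed error. A short comment on the guard would fix that, e.g. `// Module.Dir is empty when the module sources are not on disk (presumably a vendored or undownloaded module); leave snapshotter unchanged in that case.` — confirm the exact condition against go/packages before committing to the wording. The kubernetes3 function starts and ends outside the hunk, so what snapshotter defaults to is not visible here.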