Skip to content

feat: add global certificate management for ZTVP applications #83

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
minmzzhang wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add global certificate management for ZTVP applications #83

minmzzhang wants to merge 1 commit into from

Conversation

@minmzzhang
Copy link
Collaborator

@minmzzhang minmzzhang commented Dec 16, 2025
edited
Loading

Add ztvp-certificates chart for managing trusted CA certificates across all ZTVP applications with support for custom certificates via Kubernetes secret references.

Key features:

  • Initial job for immediate certificate extraction on install
  • Cronjob for periodic certificate rotation (daily at 2AM)
  • Automatic rollout restart for consuming applications (labeled strategy)
  • Auto-detects OpenShift ingress, service and proxy CA certificates
  • Supports custom CA certificates via secretRef (primary + additional)
  • Distributes certificates to target namespaces via ACM Policy

Certificate Sources:

  • Primary custom CA via secretRef (customCA.secretRef)
  • Additional certificates via extraValueFiles (overrides/values-ztvp-certificates.yaml)
  • Auto-detected proxy CA from trusted-ca-bundle (openshift-config-managed)
  • Auto-detected ingress CA from all IngressControllers (not just default)
  • Auto-detected service CA from openshift-service-ca

Configuration:

  • Use extraValueFiles for complex nested structures (additionalCertificates, rollout)
  • Simple overrides via values-hub.yaml for flat key-value pairs

Chart deploys:

  • Job/cronjob to extract and combine CA certificates
  • ConfigMap with combined CA bundle (ztvp-trusted-ca)
  • ACM Policy to distribute to target namespaces
  • RBAC permissions for CA extraction

Applications can consume the CA bundle by:

  • Mounting the ztvp-trusted-ca ConfigMap at /etc/pki/ca-trust/extracted/pem/
  • Setting ZTVP_CA_BUNDLE environment variable
  • Using standard SSL/TLS libraries that check system CA paths

@minmzzhang minmzzhang force-pushed the ztvp-trusted-ca branch 27 times, most recently from fd1ada7 to 6407ec3 Compare December 17, 2025 05:08
sabre1041
sabre1041 requested changes Dec 17, 2025
View reviewed changes
Copy link
Collaborator

@sabre1041 sabre1041 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking really good. A few comments

charts/ztvp-certificates/values.yaml
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
Copy link
Collaborator

@sabre1041 sabre1041 Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommend increasing these values. My cluster OOMKilled the container

Copy link
Collaborator Author

@minmzzhang minmzzhang Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

increased, this size mismatch was due to the addition of proxy CA extraction.

.github/workflows/superlinter.yml Outdated
# These are the validation we disable atm
VALIDATE_ANSIBLE: false
VALIDATE_BASH: false
VALIDATE_BASH_EXEC: false
Copy link
Collaborator

@sabre1041 sabre1041 Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this because we do not set the execute bit on the file?

Copy link
Collaborator Author

@minmzzhang minmzzhang Dec 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The shell script was a helm template, which has the helm syntax inside, bash_exec cannot pass it. I've updated the filename to avoid this single file's bash_exec linter execution.

Copy link
Collaborator

@mlorenzofr mlorenzofr Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What I usually do in these cases is have a simple script and control the variables and conditions using environment variables. Another option is to have source files and import them depending on the environment

Copy link
Collaborator

@mlorenzofr mlorenzofr Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The FILTER_REGEX_EXCLUDE option also works for me

@minmzzhang minmzzhang force-pushed the ztvp-trusted-ca branch 4 times, most recently from cfa46e0 to cd77935 Compare December 17, 2025 14:22
@minmzzhang
feat: add global certificate management with secretRef and extraValue…
4349ad5 
…Files

Implements comprehensive certificate management for ZTVP:

Certificate Sources:
- Primary custom CA via secretRef (customCA.secretRef)
- Additional certificates via extraValueFiles (overrides/values-ztvp-certificates.yaml)
- Auto-detected proxy CA from trusted-ca-bundle (openshift-config-managed)
- Auto-detected ingress CA from all IngressControllers (not just default)
- Auto-detected service CA from openshift-service-ca

Features:
- Initial Job for immediate certificate extraction on install
- CronJob for periodic certificate rotation (daily at 2 AM)
- Warning and continue behavior for missing additional certificates
- Automatic rollout restart for consuming applications (labeled strategy)
- ACM Policy distribution to target namespaces

Configuration:
- Use extraValueFiles for complex nested structures (additionalCertificates, rollout)
- Simple overrides via values-hub.yaml for flat key-value pairs

Signed-off-by: Min Zhang <[email protected]>
@mlorenzofr
Copy link
Collaborator

mlorenzofr commented Dec 17, 2025

I think it might be interesting to extend the functionality to 2 additional components

External Secrets Operator

Currently, the ClusterSecretStore vault-backend has a configuration section where the CA it uses is specified:

       caProvider:
          key: ca.crt
          name: kube-root-ca.crt
          namespace: golang-external-secrets
          type: ConfigMap

This can be configured via an override in values-hub.yaml:

    golang-external-secrets:
      name: golang-external-secrets
      namespace: golang-external-secrets
      project: hub
      chart: golang-external-secrets
      chartVersion: 0.1.*
      overrides:
        - name: golangExternalSecrets.caProvider.hostCluster.name
          value: ztvp-trusted-ca
        - name: golangExternalSecrets.caProvider.hostCluster.key
          value: tls-ca-bundle.pem
        - name: golangExternalSecrets.caProvider.hostCluster.namespace
          value: openshift-config

Should we change it permanently if we adopt this solution?

Image registries (Quay)

The cluster can use image registries that use internal certificates. In this case, the configuration is done in the images.config.openshift.io resource.

apiVersion: config.openshift.io/v1
kind: Image
  name: cluster
spec:
  additionalTrustedCA:
    name: ztvp-registry-trusted-ca

The additionalTrustedCA attribute references a ConfigMap in the openshift-config namespace. The ConfigMap contains a list of the registry hostnames and trusted CAs:

apiVersion: v1
data:
  quay-registry-quay-quay-enterprise.apps.example.domain: |
    -----BEGIN CERTIFICATE-----
    ... ...
kind: ConfigMap
metadata:
  name: ztvp-registry-trusted-ca
  namespace: openshift-config

This functionality would allow configuring CRI-O on the nodes to download images from registries with internal certificates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sabre1041 sabre1041 sabre1041 requested changes

@mlorenzofr mlorenzofr Awaiting requested review from mlorenzofr

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@minmzzhang @mlorenzofr @sabre1041