Skip to content

USHIFT-6831: cert-manager Trust manager featuregate and test #6805

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
eslutsky wants to merge 3 commits into
base: main
Choose a base branch
from
+221 −0
Open

USHIFT-6831: cert-manager Trust manager featuregate and test #6805

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
bc9d52a
Enabling trust-manager featuregate by default
eslutsky Jun 4, 2026
34fdb66
testing cert-manager trust-manager deployment with RF
eslutsky Jun 4, 2026
91faa52
update kustomization with RELATED_IMAGE_CERT_MANAGER_TRUST_MANAGER image
eslutsky Jun 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions assets/optional/cert-manager/manager/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,24 @@ resources:
- manager.yaml
- images.yaml

patches:
- target:
kind: Deployment
name: controller-manager
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
spec:
template:
spec:
containers:
- name: cert-manager-operator
env:
- name: UNSUPPORTED_ADDON_FEATURES
value: TrustManager=true

replacements:
- source:
kind: ConfigMap
Expand Down Expand Up @@ -55,6 +73,16 @@ replacements:
name: controller-manager
fieldPaths:
- spec.template.spec.containers.[name=cert-manager-operator].env.[name=RELATED_IMAGE_CERT_MANAGER_ISTIOCSR].value
- source:
kind: ConfigMap
name: cert-manager-images
fieldPath: data.cert-manager-trust-manager
targets:
- select:
kind: Deployment
name: controller-manager
fieldPaths:
- spec.template.spec.containers.[name=cert-manager-operator].env.[name=RELATED_IMAGE_CERT_MANAGER_TRUST_MANAGER].value
- source:
kind: ConfigMap
name: cert-manager-images
Expand Down
6 changes: 6 additions & 0 deletions test/assets/cert-manager/trust-manager-cr.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: operator.openshift.io/v1alpha1
kind: TrustManager
metadata:
name: cluster
spec:
trustManagerConfig: {}
187 changes: 187 additions & 0 deletions test/suites/optional/cert-manager.robot
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,11 @@ ${HOSTSFILE_ENABLED} SEPARATOR=\n
... \ \ hosts:
... \ \ \ \ status: Enabled

${TRUST_MANAGER_BUNDLE_NAME} test-trust-bundle
${TRUST_MANAGER_OPERATOR_NS} cert-manager-operator
${TRUST_MANAGER_NS} cert-manager
${TRUST_MANAGER_DEPLOYMENT} cert-manager-operator-controller-manager

@pacevedom pacevedom Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This variable is not used.



*** Test Cases ***
Create Ingress route with Custom certificate
Expand Down Expand Up @@ -95,6 +100,72 @@ Test Cert manager with local acme server
... Cleanup HTTP01 Resources
... AND Cleanup DNS For Test ${dns_name}

Trust Manager Deployment
[Documentation] Verify trust-manager can be enabled and deploys successfully
[Tags] trust-manager
[Setup] Enable Trust Manager
Labeled Pod Should Be Ready app.kubernetes.io/name=cert-manager-trust-manager ns=${TRUST_MANAGER_NS}

@pacevedom pacevedom Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is already done as part of the setup, right?

${status}= Oc Get JsonPath trustmanager ${EMPTY} cluster
... .status.conditions[?(@.type=="Ready")].status
Should Be Equal ${status} True msg=TrustManager CR is not ready
[Teardown] Disable Trust Manager

Trust Manager Bundle Creates ConfigMap
[Documentation] Verify trust-manager Bundle CR syncs a CA cert into a ConfigMap
[Tags] trust-manager
[Setup] Enable Trust Manager

Create CA Secret For Trust Manager
${bundle_yaml}= Create Trust Bundle From Source Secret YAML
Apply Trust Manager YAML ${bundle_yaml}
Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
... --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}

${cm_data}= Oc Get JsonPath
... configmap
... ${NAMESPACE}
... ${TRUST_MANAGER_BUNDLE_NAME}
... .data.ca-bundle\\.crt
Should Contain ${cm_data} BEGIN CERTIFICATE msg=ConfigMap does not contain CA certificate data

[Teardown] Run Keywords
... Cleanup Trust Bundle
... AND Run With Kubeconfig oc delete secret ca-source-secret -n ${TRUST_MANAGER_NS} --ignore-not-found
... AND Disable Trust Manager

Trust Manager Bundle With Cert Manager CA
[Documentation] Verify trust-manager Bundle can use a cert-manager CA secret as a source
[Tags] trust-manager
[Setup] Enable Trust Manager

${issuer_yaml}= Create Cert Issuer YAML
Apply Trust Manager YAML ${issuer_yaml}
Oc Wait -n ${NAMESPACE} clusterissuer ${ISSUER_NAME}
... --for="condition=Ready" --timeout=${DEFAULT_WAIT_TIMEOUT}

${ca_cert_yaml}= Create CA Certificate YAML
Apply Trust Manager YAML ${ca_cert_yaml}
Oc Wait -n ${TRUST_MANAGER_NS} certificate ca-certificate
... --for="condition=Ready" --timeout=${DEFAULT_WAIT_TIMEOUT}

${bundle_yaml}= Create Trust Bundle From Secret YAML
Apply Trust Manager YAML ${bundle_yaml}
Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
... --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}
Comment on lines +153 to +154

@coderabbitai coderabbitai Bot Jun 4, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Same fragile index issue.

Apply the same fix as line 122-123.

🔧 Proposed fix 
     Oc Wait    bundle ${TRUST_MANAGER_BUNDLE_NAME}
-    ...    --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}
+    ...    --for=jsonpath='{.status.conditions[?(@.type=="Synced")].status}'=True --timeout=${DEFAULT_WAIT_TIMEOUT}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
... --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}
Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
... --for=jsonpath='{.status.conditions[?(@.type=="Synced")].status}'=True --timeout=${DEFAULT_WAIT_TIMEOUT}
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/suites/optional/cert-manager.robot` around lines 150 - 151, The jsonpath
used in the Oc Wait call is fragile because it assumes the condition is at index
0; update the jsonpath in the Oc Wait that references TRUST_MANAGER_BUNDLE_NAME
to check all conditions instead of .status.conditions[0].reason (e.g. use
.status.conditions[*].reason or a filter by condition type) so the wait asserts
any condition reason equals "Synced" rather than relying on index 0; modify the
Oc Wait invocation that currently uses .status.conditions[0].reason to use the
wildcard/filter form to match line 122-123's fix approach.


${cm_data}= Oc Get JsonPath
... configmap
... ${NAMESPACE}
... ${TRUST_MANAGER_BUNDLE_NAME}
... .data.ca-bundle\\.crt
Should Contain ${cm_data} BEGIN CERTIFICATE msg=ConfigMap does not contain CA certificate data

[Teardown] Run Keywords
... Cleanup Trust Bundle
... AND Oc Delete certificate/ca-certificate -n ${TRUST_MANAGER_NS}
... AND Remove ClusterIssuer
... AND Disable Trust Manager


*** Keywords ***
Setup
Expand Down Expand Up @@ -432,3 +503,119 @@ Cleanup DNS For Test
Remove Entry From Hosts ${dns_name}
Remove Drop In MicroShift Config 20-dns
Restart MicroShift

Enable Trust Manager
[Documentation] Deploy trust-manager by applying the TrustManager CR directly.
... The UNSUPPORTED_ADDON_FEATURES=TrustManager=true feature gate is already
... set in the system cert-manager kustomization.
${tm_cr}= CATENATE SEPARATOR=\n

@pacevedom pacevedom Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we reference the file trust-manager-cr.yaml instead?

... apiVersion: operator.openshift.io/v1alpha1
... kind: TrustManager
... metadata:
... \ \ name: cluster
... spec:
... \ \ trustManagerConfig: {}
Apply Trust Manager YAML ${tm_cr}
Wait Until Keyword Succeeds 30x 10s
... Labeled Pod Should Be Ready app.kubernetes.io/name=cert-manager-trust-manager ns=${TRUST_MANAGER_NS}

Disable Trust Manager
[Documentation] Remove the TrustManager CR and wait for cleanup.
Run With Kubeconfig oc delete trustmanager cluster --ignore-not-found

@pacevedom pacevedom Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is common to other locations in the file, but is there a reason to use Run With Kubeconfig oc delete instead of Oc Delete?

Run With Kubeconfig oc delete bundle ${TRUST_MANAGER_BUNDLE_NAME} --ignore-not-found
Run With Kubeconfig oc delete deployment trust-manager -n ${TRUST_MANAGER_NS} --ignore-not-found
Wait Until Keyword Succeeds 12x 10s
... Trust Manager Pod Should Not Exist

Trust Manager Pod Should Not Exist
[Documentation] Verify trust-manager pod no longer exists in cert-manager namespace
${output}= Run With Kubeconfig
... oc get pods -n ${TRUST_MANAGER_NS} -l app.kubernetes.io/name\=cert-manager-trust-manager --no-headers
... allow_fail=True
Should Not Contain ${output} trust-manager msg=trust-manager pod still exists
Comment thread
coderabbitai[bot] marked this conversation as resolved.

Create CA Secret For Trust Manager
[Documentation] Generate a self-signed CA cert locally and create a secret in the trust namespace
${cert_file}= Create Random Temp File
${result}= Process.Run Process
... openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
... -nodes -keyout /dev/null -out ${cert_file} -days 365
... -subj /CN\=test-ca.example.com
... stderr=STDOUT
Should Be Equal As Integers ${result.rc} 0
Run With Kubeconfig
... oc create secret generic ca-source-secret -n ${TRUST_MANAGER_NS} --from-file=tls.crt=${cert_file}
Remove File ${cert_file}

Create Trust Bundle From Source Secret YAML
[Documentation] Creates a Bundle CR YAML sourced from a manually created secret in the trust namespace
${yaml}= CATENATE SEPARATOR=\n
... ---
... apiVersion: trust.cert-manager.io/v1alpha1
... kind: Bundle
... metadata:
... \ \ name: ${TRUST_MANAGER_BUNDLE_NAME}
... spec:
... \ \ sources:
... \ \ \ \ - secret:
... \ \ \ \ \ \ \ \ name: ca-source-secret
... \ \ \ \ \ \ \ \ key: tls.crt
... \ \ target:
... \ \ \ \ configMap:
... \ \ \ \ \ \ key: ca-bundle.crt
... \ \ \ \ namespaceSelector:
... \ \ \ \ \ \ matchLabels:
... \ \ \ \ \ \ \ \ kubernetes.io/metadata.name: ${NAMESPACE}
RETURN ${yaml}

Create CA Certificate YAML
[Documentation] Creates a cert-manager CA Certificate in the trust namespace
${yaml}= CATENATE SEPARATOR=\n
... ---
... apiVersion: cert-manager.io/v1
... kind: Certificate
... metadata:
... \ \ name: ca-certificate
... \ \ namespace: ${TRUST_MANAGER_NS}
... spec:
... \ \ isCA: true
... \ \ commonName: test-ca.example.com
... \ \ secretName: ca-certificate-secret
... \ \ issuerRef:
... \ \ \ \ name: ${ISSUER_NAME}
... \ \ \ \ kind: ClusterIssuer
RETURN ${yaml}

Create Trust Bundle From Secret YAML
[Documentation] Creates a Bundle CR YAML sourced from a cert-manager CA secret in the trust namespace
${yaml}= CATENATE SEPARATOR=\n
... ---
... apiVersion: trust.cert-manager.io/v1alpha1
... kind: Bundle
... metadata:
... \ \ name: ${TRUST_MANAGER_BUNDLE_NAME}
... spec:
... \ \ sources:
... \ \ \ \ - secret:
... \ \ \ \ \ \ \ \ name: ca-certificate-secret
... \ \ \ \ \ \ \ \ key: tls.crt
... \ \ target:
... \ \ \ \ configMap:
... \ \ \ \ \ \ key: ca-bundle.crt
... \ \ \ \ namespaceSelector:
... \ \ \ \ \ \ matchLabels:
... \ \ \ \ \ \ \ \ kubernetes.io/metadata.name: ${NAMESPACE}
RETURN ${yaml}

Apply Trust Manager YAML
[Documentation] Apply YAML manifest, allowing both created and configured/unchanged results
[Arguments] ${yaml_content}
${temp_file}= Create Random Temp File ${yaml_content}
${result}= Oc Apply -f ${temp_file}

@pacevedom pacevedom Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this fails there is no cleanup of the file, right?

Remove File ${temp_file}
Log Applied manifest: ${result}

Cleanup Trust Bundle
[Documentation] Remove the test trust-manager Bundle CR and its target ConfigMap
Run With Kubeconfig oc delete bundle ${TRUST_MANAGER_BUNDLE_NAME} --ignore-not-found
Run With Kubeconfig oc delete configmap ${TRUST_MANAGER_BUNDLE_NAME} -n ${NAMESPACE} --ignore-not-found