@duhminick duhminick commented Sep 18, 2025

Issue #, if available: NA

Description of changes:

Certificate Management Enhancement:

  • Added a recreate flag for auto-generated certificates in the admission webhooks configuration
  • This flag allows users to control whether existing certificates should be recreated during deployments
  • Updated the helper templates and operator webhook configuration to support this new functionality
    • Will first check to see if autoGenerateCert is enabled, then check to see if there is an already existing cert with the recreate option set to false. If so, then it will retrieve the cert info. The ca.crt is not in the secret so we retrieve that from the caBundle from the admission webhooks to be re-used. Otherwise it will create new certs - the logic is taken from the operator-webhook.yaml file (copy & paste).
    • The operator-webhook.yaml file is updated to use the cert values from the helper
  • Default value is set to true to maintain backward compatibility

Operator Deployment Rolling:


Testing

Recreate is enabled

With these values:

clusterName: dscia-helm
region: us-east-1
admissionWebhooks:
  autoGenerateCert:
    recreate: true
$ kubectl get secret amazon-cloudwatch-observability-controller-manager-service-cert -n amazon-cloudwatch -o=jsonpath='{.data}' | md5sum
29f979c3cda1ae60969baec1073a7538  -
$ helm upgrade \
    --wait \
    --create-namespace \
    --namespace amazon-cloudwatch \
    amazon-cloudwatch-observability \
    ./charts/amazon-cloudwatch-observability \
    -f custom-values.yaml
Release "amazon-cloudwatch-observability" has been upgraded. Happy Helming!
NAME: amazon-cloudwatch-observability
LAST DEPLOYED: Wed Oct  1 20:11:16 2025
NAMESPACE: amazon-cloudwatch
STATUS: deployed
REVISION: 38
TEST SUITE: None
$ kubectl get secret amazon-cloudwatch-observability-controller-manager-service-cert -n amazon-cloudwatch -o=jsonpath='{.data}' | md5sum
11d37c192b475e522cbaae15a6dfb0d8  -

Recreate is disabled

With these values:

clusterName: dscia-helm
region: us-east-1
admissionWebhooks:
  autoGenerateCert:
    recreate: false
$ kubectl get secret amazon-cloudwatch-observability-controller-manager-service-cert -n amazon-cloudwatch -o=jsonpath='{.data}' | md5sum
11d37c192b475e522cbaae15a6dfb0d8  -
$ helm upgrade \
    --wait \
    --create-namespace \
    --namespace amazon-cloudwatch \
    amazon-cloudwatch-observability \
    ./charts/amazon-cloudwatch-observability \
    -f custom-values.yaml
Release "amazon-cloudwatch-observability" has been upgraded. Happy Helming!
NAME: amazon-cloudwatch-observability
LAST DEPLOYED: Wed Oct  1 20:12:20 2025
NAMESPACE: amazon-cloudwatch
STATUS: deployed
REVISION: 39
TEST SUITE: None
$ kubectl get secret amazon-cloudwatch-observability-controller-manager-service-cert -n amazon-cloudwatch -o=jsonpath='{.data}' | md5sum
11d37c192b475e522cbaae15a6dfb0d8  -

Rolling is enabled

With these values:

clusterName: dscia-helm
region: us-east-1
manager:
  rolling: true
$ kubectl get deployments amazon-cloudwatch-observability-controller-manager -n amazon-cloudwatch -o jsonpath='{.spec.template.metadata.annotations.rollme}'
Pvx1s%
$ helm upgrade \
    --wait \
    --create-namespace \
    --namespace amazon-cloudwatch \
    amazon-cloudwatch-observability \
    ./charts/amazon-cloudwatch-observability \
    -f custom-values.yaml
Release "amazon-cloudwatch-observability" has been upgraded. Happy Helming!
NAME: amazon-cloudwatch-observability
LAST DEPLOYED: Wed Oct  1 20:26:33 2025
NAMESPACE: amazon-cloudwatch
STATUS: deployed
REVISION: 41
TEST SUITE: None
$ kubectl get deployments amazon-cloudwatch-observability-controller-manager -n amazon-cloudwatch -o jsonpath='{.spec.template.metadata.annotations.rollme}'
5g3lK%

Rolling is disabled

With these values:

clusterName: dscia-helm
region: us-east-1
manager:
  rolling: false
$ kubectl get deployments amazon-cloudwatch-observability-controller-manager -n amazon-cloudwatch -o jsonpath='{.spec.template.metadata.annotations.rollme}'
< empty >

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
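The reuse-or-regenerate logic described above, as an added Helm template illustration that is not the PR's own code: it assumes the values keys `admissionWebhooks.autoGenerateCert.enabled` and `.recreate`, the secret name from the tests above, and hypothetical names for the MutatingWebhookConfiguration and the webhook Service.

```yaml
{{/*
Added illustration, not the chart's own helper (which would live in _helpers.tpl).
Assumes values admissionWebhooks.autoGenerateCert.enabled / .recreate, the secret
name shown in the PR tests, and a hypothetical MutatingWebhookConfiguration whose
first webhook's clientConfig.caBundle carries the CA (ca.crt is not in the secret).
*/}}
{{- define "example.webhookCerts" -}}
{{- $ns := .Release.Namespace -}}
{{- $secretName := "amazon-cloudwatch-observability-controller-manager-service-cert" -}}
{{- $whName := "example-mutating-webhook-configuration" -}}
{{- $cfg := .Values.admissionWebhooks.autoGenerateCert -}}
{{- $existing := lookup "v1" "Secret" $ns $secretName -}}
{{- $wh := lookup "admissionregistration.k8s.io/v1" "MutatingWebhookConfiguration" "" $whName -}}
{{- $out := dict -}}
{{- if and $cfg.enabled (not $cfg.recreate) $existing.data $wh.webhooks -}}
  {{/* recreate=false and a cert already exists: reuse it, taking the CA from the live caBundle */}}
  {{- $_ := set $out "cert" (index $existing.data "tls.crt") -}}
  {{- $_ := set $out "key" (index $existing.data "tls.key") -}}
  {{- $_ := set $out "ca" (index (first $wh.webhooks).clientConfig "caBundle") -}}
{{- else -}}
  {{/* first install or recreate=true: mint a fresh CA and a server cert for the service DNS names */}}
  {{- $svc := "example-webhook-service" -}}
  {{- $altNames := list (printf "%s.%s.svc" $svc $ns) (printf "%s.%s.svc.cluster.local" $svc $ns) -}}
  {{- $ca := genCA "example-webhook-ca" 3650 -}}
  {{- $cert := genSignedCert $svc (list) $altNames 3650 $ca -}}
  {{- $_ := set $out "cert" ($cert.Cert | b64enc) -}}
  {{- $_ := set $out "key" ($cert.Key | b64enc) -}}
  {{- $_ := set $out "ca" ($ca.Cert | b64enc) -}}
{{- end -}}
{{- $out | toYaml -}}
{{- end -}}
{{/* operator-webhook.yaml side: call the helper once and reuse $certs for the Secret and the caBundle */}}
{{- $certs := include "example.webhookCerts" . | fromYaml -}}
apiVersion: v1
kind: Secret
metadata:
  name: amazon-cloudwatch-observability-controller-manager-service-cert
  namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
  tls.crt: {{ $certs.cert }}
  tls.key: {{ $certs.key }}
```

`lookup` returns an empty map under `helm template` and `--dry-run`, so those renders always take the generate branch; the same `$certs.ca` must be written into the webhook configuration's caBundle, because each generating call mints a new CA and a second `include` would not match the secret.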

@duhminick duhminick force-pushed the dominic-tls branch 5 times, most recently from d749534 to 6d4b9f4 on September 26, 2025 05:17
sky333999 previously approved these changes Oct 7, 2025
@@ -0,0 +1,59 @@
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
Maybe this is out of scope with this PR, but should we consider a way to organize minikube test scenarios? I can only imagine these cases will grow, so a folder structure will be nice
