charts/redpanda: fix mTLS

Prior to this commit the chart had a variety of bugs around mTLS. The majority
of them were incorrect path construction and handling of `.clientSecretRef`.
The primary issue, though, is that the chart incorrectly mints a single client
certificate regardless of how many trust chains are in use.

This commit moves all name and path references into helper methods onto the
`TLSCert` itself and generates client certs per unique trust chain with client
auth enabled.

K8S-719

(cherry picked from commit 6c63e57)

# Conflicts:
#	charts/redpanda/cert_issuers.go
#	charts/redpanda/certs.go
#	charts/redpanda/client/client_test.go
#	charts/redpanda/client_test.go
#	charts/redpanda/configmap.tpl.go
#	charts/redpanda/helpers.go
#	charts/redpanda/notes.go
#	charts/redpanda/render_state_nogotohelm.go
#	charts/redpanda/secrets.go
#	charts/redpanda/templates/_cert-issuers.go.tpl
#	charts/redpanda/templates/_certs.go.tpl
#	charts/redpanda/templates/_configmap.go.tpl
#	charts/redpanda/templates/_helpers.go.tpl
#	charts/redpanda/templates/_notes.go.tpl
#	charts/redpanda/templates/_secrets.go.tpl
#	charts/redpanda/templates/_values.go.tpl
#	charts/redpanda/testdata/template-cases.golden.txtar
#	charts/redpanda/values.go
#	gotohelm/transpiler.go
#	pkg/helm/helm.go

Author: chrisseto

.changes/unreleased/charts-redpanda-Changed-20250918-152741.yaml

@@ -0,0 +1,4 @@
+project: charts/redpanda
+kind: Changed
+body: Client certificates are now named `$FULLNAME-$CERT-client-cert`.
+time: 2025-09-18T15:27:41.700988-04:00

.changes/unreleased/charts-redpanda-Fixed-20250918-152623.yaml

@@ -0,0 +1,4 @@
+project: charts/redpanda
+kind: Fixed
+body: mTLS client certificates are now generated per certificate, as required, instead of using a single and potentially invalid certificate.
+time: 2025-09-18T15:26:23.232523-04:00

.changes/unreleased/operator-Changed-20250918-152741.yaml

@@ -0,0 +1,4 @@
+project: operator
+kind: Changed
+body: Client certificates are now named `$FULLNAME-$CERT-client-cert`.
+time: 2025-09-18T15:27:41.700988-04:00

.changes/unreleased/operator-Fixed-20250918-152623.yaml

@@ -0,0 +1,4 @@
+project: operator
+kind: Fixed
+body: mTLS client certificates are now generated per certificate, as required, instead of using a single and potentially invalid certificate.
+time: 2025-09-18T15:26:23.232523-04:00

charts/redpanda/cert_issuers.go

@@ -37,11 +37,25 @@ func certIssuersAndCAs(dot *helmette.Dot) ([]*certmanagerv1.Issuer, []*certmanag
 	var issuers []*certmanagerv1.Issuer
 	var certs []*certmanagerv1.Certificate
 
+<<<<<<< HEAD
 	if !TLSEnabled(dot) {
 		return issuers, certs
 	}
 
 	for name, data := range helmette.SortedMap(values.TLS.Certs) {
+=======
+	inUseCerts := map[string]bool{}
+	for _, name := range state.Values.Listeners.InUseServerCerts(&state.Values.TLS) {
+		inUseCerts[name] = true
+	}
+	for _, name := range state.Values.Listeners.InUseClientCerts(&state.Values.TLS) {
+		inUseCerts[name] = true
+	}
+
+	for name := range helmette.SortedMap(inUseCerts) {
+		data := state.Values.TLS.Certs.MustGet(name)
+
+>>>>>>> 6c63e57d (charts/redpanda: fix mTLS)
 		// If this certificate is disabled (.Enabled), provided directly by the
 		// end user (.SecretRef), or has an issuer provided (.IssuerRef), we
 		// don't need to bootstrap an issuer.
@@ -130,7 +144,11 @@ func certIssuersAndCAs(dot *helmette.Dot) ([]*certmanagerv1.Issuer, []*certmanag
 				Spec: certmanagerv1.IssuerSpec{
 					IssuerConfig: certmanagerv1.IssuerConfig{
 						CA: &certmanagerv1.CAIssuer{
+<<<<<<< HEAD
 							SecretName: fmt.Sprintf(`%s-%s-root-certificate`, Fullname(dot), name),
+=======
+							SecretName: data.RootSecretName(state, name),
+>>>>>>> 6c63e57d (charts/redpanda: fix mTLS)
 						},
 					},
 				},

charts/redpanda/certs.go

@@ -22,6 +22,7 @@ import (
 	"github.com/redpanda-data/redpanda-operator/gotohelm/helmette"
 )
 
+<<<<<<< HEAD
 func ClientCerts(dot *helmette.Dot) []*certmanagerv1.Certificate {
 	if !TLSEnabled(dot) {
 		return []*certmanagerv1.Certificate{}
@@ -32,13 +33,27 @@ func ClientCerts(dot *helmette.Dot) []*certmanagerv1.Certificate {
 	fullname := Fullname(dot)
 	service := ServiceName(dot)
 	ns := dot.Release.Namespace
+=======
+func ClientCerts(state *RenderState) []*certmanagerv1.Certificate {
+	fullname := Fullname(state)
+	service := ServiceName(state)
+	ns := state.Release.Namespace
+>>>>>>> 6c63e57d (charts/redpanda: fix mTLS)
 	// Trailing .'s don't play nice with TLS/SNI: https://datatracker.ietf.org/doc/html/rfc6066#section-3
 	// So we trim it when generating certificates.
 	domain := strings.TrimSuffix(values.ClusterDomain, ".")
 
 	var certs []*certmanagerv1.Certificate
+<<<<<<< HEAD
 	for name, data := range helmette.SortedMap(values.TLS.Certs) {
 		if !helmette.Empty(data.SecretRef) || !ptr.Deref(data.Enabled, true) {
+=======
+	for _, name := range state.Values.Listeners.InUseServerCerts(&state.Values.TLS) {
+		data := state.Values.TLS.Certs.MustGet(name)
+
+		// Don't generate server Certificates if a secret is provided.
+		if !helmette.Empty(data.SecretRef) {
+>>>>>>> 6c63e57d (charts/redpanda: fix mTLS)
 			continue
 		}
 
@@ -85,7 +100,7 @@ func ClientCerts(dot *helmette.Dot) []*certmanagerv1.Certificate {
 				Duration:   helmette.MustDuration(duration),
 				IsCA:       false,
 				IssuerRef:  issuerRef,
-				SecretName: fmt.Sprintf("%s-%s-cert", fullname, name),
+				SecretName: data.ServerSecretName(state, name),
 				PrivateKey: &certmanagerv1.CertificatePrivateKey{
 					Algorithm: "ECDSA",
 					Size:      256,
@@ -94,6 +109,7 @@ func ClientCerts(dot *helmette.Dot) []*certmanagerv1.Certificate {
 		})
 	}
 
+<<<<<<< HEAD
 	name := values.Listeners.Kafka.TLS.Cert
 
 	data, ok := values.TLS.Certs[name]
@@ -104,20 +120,34 @@ func ClientCerts(dot *helmette.Dot) []*certmanagerv1.Certificate {
 	if !helmette.Empty(data.SecretRef) || !ClientAuthRequired(dot) {
 		return certs
 	}
+=======
+	for _, name := range state.Values.Listeners.InUseClientCerts(&state.Values.TLS) {
+		data := state.Values.TLS.Certs.MustGet(name)
 
-	issuerRef := cmmetav1.ObjectReference{
-		Group: "cert-manager.io",
-		Kind:  "Issuer",
-		Name:  fmt.Sprintf("%s-%s-root-issuer", fullname, name),
-	}
+		if data.SecretRef != nil && data.ClientSecretRef == nil {
+			panic(fmt.Sprintf(".clientSecretRef MUST be set if .secretRef is set and require_client_auth is true: Cert %q", name))
+		}
 
-	if data.IssuerRef != nil {
-		issuerRef = *data.IssuerRef
-		issuerRef.Group = "cert-manager.io"
-	}
+		// Don't generate a client Certificate if a client secret is provided.
+		if data.ClientSecretRef != nil {
+			continue
+		}
+>>>>>>> 6c63e57d (charts/redpanda: fix mTLS)
+
+		issuerRef := cmmetav1.ObjectReference{
+			Group: "cert-manager.io",
+			Kind:  "Issuer",
+			Name:  fmt.Sprintf("%s-%s-root-issuer", fullname, name),
+		}
+
+		if data.IssuerRef != nil {
+			issuerRef = *data.IssuerRef
+			issuerRef.Group = "cert-manager.io"
+		}
 
-	duration := helmette.Default("43800h", data.Duration)
+		duration := helmette.Default("43800h", data.Duration)
 
+<<<<<<< HEAD
 	return append(certs, &certmanagerv1.Certificate{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "cert-manager.io/v1",
@@ -135,8 +165,31 @@ func ClientCerts(dot *helmette.Dot) []*certmanagerv1.Certificate {
 			PrivateKey: &certmanagerv1.CertificatePrivateKey{
 				Algorithm: "ECDSA",
 				Size:      256,
+=======
+		certs = append(certs, &certmanagerv1.Certificate{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "cert-manager.io/v1",
+				Kind:       "Certificate",
+>>>>>>> 6c63e57d (charts/redpanda: fix mTLS)
 			},
-			IssuerRef: issuerRef,
-		},
-	})
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      fmt.Sprintf("%s-%s-client", fullname, name),
+				Namespace: state.Release.Namespace,
+				Labels:    FullLabels(state),
+			},
+			Spec: certmanagerv1.CertificateSpec{
+				CommonName: fmt.Sprintf("%s--%s-client", fullname, name),
+				Duration:   helmette.MustDuration(duration),
+				IsCA:       false,
+				SecretName: data.ClientSecretName(state, name),
+				PrivateKey: &certmanagerv1.CertificatePrivateKey{
+					Algorithm: "ECDSA",
+					Size:      256,
+				},
+				IssuerRef: issuerRef,
+			},
+		})
+	}
+
+	return certs
 }

charts/redpanda/chart_test.go

@@ -749,26 +749,50 @@ func httpProxyListenerTest(ctx context.Context, rpk *Client) error {
 
 func mTLSValuesUsingCertManager() *redpanda.PartialValues {
 	return minimalValues(&redpanda.PartialValues{
+		TLS: &redpanda.PartialTLS{
+			Certs: redpanda.PartialTLSCertMap{
+				"kafka": redpanda.PartialTLSCert{
+					Enabled:   ptr.To(true),
+					CAEnabled: ptr.To(true),
+				},
+				"http": redpanda.PartialTLSCert{
+					Enabled:   ptr.To(true),
+					CAEnabled: ptr.To(true),
+				},
+				"rpc": redpanda.PartialTLSCert{
+					Enabled:   ptr.To(true),
+					CAEnabled: ptr.To(true),
+				},
+				"schema": redpanda.PartialTLSCert{
+					Enabled:   ptr.To(true),
+					CAEnabled: ptr.To(true),
+				},
+			},
+		},
 		External:      &redpanda.PartialExternalConfig{Enabled: ptr.To(false)},
 		ClusterDomain: ptr.To("cluster.local"),
 		Listeners: &redpanda.PartialListeners{
 			Admin: &redpanda.PartialListenerConfig[redpanda.NoAuth]{
 				TLS: &redpanda.PartialInternalTLS{
+					// Uses default by default.
 					RequireClientAuth: ptr.To(true),
 				},
 			},
 			HTTP: &redpanda.PartialListenerConfig[redpanda.HTTPAuthenticationMethod]{
 				TLS: &redpanda.PartialInternalTLS{
+					Cert:              ptr.To("http"),
 					RequireClientAuth: ptr.To(true),
 				},
 			},
 			Kafka: &redpanda.PartialListenerConfig[redpanda.KafkaAuthenticationMethod]{
 				TLS: &redpanda.PartialInternalTLS{
+					Cert:              ptr.To("kafka"),
 					RequireClientAuth: ptr.To(true),
 				},
 			},
 			SchemaRegistry: &redpanda.PartialListenerConfig[redpanda.NoAuth]{
 				TLS: &redpanda.PartialInternalTLS{
+					Cert:              ptr.To("schema"),
 					RequireClientAuth: ptr.To(true),
 				},
 			},
@@ -777,6 +801,7 @@ func mTLSValuesUsingCertManager() *redpanda.PartialValues {
 				TLS  *redpanda.PartialInternalTLS `json:"tls,omitempty" jsonschema:"required"`
 			}{
 				TLS: &redpanda.PartialInternalTLS{
+					Cert:              ptr.To("rpc"),
 					RequireClientAuth: ptr.To(true),
 				},
 			},

charts/redpanda/client/client_test.go

@@ -21,6 +21,104 @@ import (
 	"github.com/redpanda-data/redpanda-operator/gotohelm/helmette"
 )
 
+<<<<<<< HEAD:charts/redpanda/client/client_test.go
+=======
+func TestCertificates(t *testing.T) {
+	cases := map[string]struct {
+		Cert                   *TLSCert
+		CertificateName        string
+		ExpectedRootCertName   string
+		ExpectedRootCertKey    string
+		ExpectedClientCertName string
+	}{
+		"default": {
+			CertificateName:        "default",
+			ExpectedRootCertName:   "redpanda-default-root-certificate",
+			ExpectedRootCertKey:    "tls.crt",
+			ExpectedClientCertName: "redpanda-default-client-cert",
+		},
+		"default with non-enabled global cert": {
+			Cert: &TLSCert{
+				Enabled: ptr.To(false),
+				SecretRef: &corev1.LocalObjectReference{
+					Name: "some-cert",
+				},
+			},
+			CertificateName:        "default",
+			ExpectedRootCertName:   "redpanda-default-root-certificate",
+			ExpectedRootCertKey:    "tls.crt",
+			ExpectedClientCertName: "redpanda-default-client-cert",
+		},
+		"certificate with secret ref": {
+			Cert: &TLSCert{
+				SecretRef: &corev1.LocalObjectReference{
+					Name: "some-cert",
+				},
+			},
+			CertificateName:        "default",
+			ExpectedRootCertName:   "some-cert",
+			ExpectedRootCertKey:    "tls.crt",
+			ExpectedClientCertName: "redpanda-default-client-cert",
+		},
+		"certificate with CA": {
+			Cert: &TLSCert{
+				CAEnabled: true,
+				SecretRef: &corev1.LocalObjectReference{
+					Name: "some-cert",
+				},
+			},
+			CertificateName:        "default",
+			ExpectedRootCertName:   "some-cert",
+			ExpectedRootCertKey:    "ca.crt",
+			ExpectedClientCertName: "redpanda-default-client-cert",
+		},
+		"certificate with client certificate": {
+			Cert: &TLSCert{
+				CAEnabled: true,
+				SecretRef: &corev1.LocalObjectReference{
+					Name: "some-cert",
+				},
+				ClientSecretRef: &corev1.LocalObjectReference{
+					Name: "client-cert",
+				},
+			},
+			CertificateName:        "default",
+			ExpectedRootCertName:   "some-cert",
+			ExpectedRootCertKey:    "ca.crt",
+			ExpectedClientCertName: "client-cert",
+		},
+	}
+
+	for name, c := range cases {
+		t.Run(name, func(t *testing.T) {
+			certMap := TLSCertMap{}
+
+			if c.Cert != nil {
+				certMap[c.CertificateName] = *c.Cert
+			}
+
+			dot, err := Chart.Dot(nil, helmette.Release{
+				Name:      "redpanda",
+				Namespace: "redpanda",
+				Service:   "Helm",
+			}, Values{
+				TLS: TLS{
+					Certs: certMap,
+				},
+			})
+			require.NoError(t, err)
+			state, err := RenderStateFromDot(dot)
+			require.NoError(t, err)
+
+			actualRootCertName, actualRootCertKey, actualClientCertName := certificatesFor(state, c.CertificateName)
+			require.Equal(t, c.ExpectedRootCertName, actualRootCertName)
+			require.Equal(t, c.ExpectedRootCertKey, actualRootCertKey)
+			require.Equal(t, c.ExpectedClientCertName, actualClientCertName)
+		})
+	}
+}
+
+>>>>>>> 6c63e57d (charts/redpanda: fix mTLS):charts/redpanda/render_state_test.go
 func TestFirstUser(t *testing.T) {
 	cases := []struct {
 		In  string