@francesco-furlan francesco-furlan commented Oct 17, 2025

What this PR does / why we need it:

Add cert-manager support to generate the TLS certs for audit/admission-control features.

cluster:
  tls_certificates:
    cert_manager:
      # Enable cert-manager for certificate management
      enabled: false
      ca:
        # Create the CA certificate using cert-manager
        create: false
        # The template for the CA certificate secret (if create is true)
        # will automatically add the annotation `cert-manager.io/allow-direct-injection: "true"` if not present
        secret_template: {}
        # The name of the existing CA certificate secret (if create is false)
        # has to be annotated with `cert-manager.io/allow-direct-injection: "true"`
        secret_name: ""
        # The namespace of the existing CA certificate secret (if create is false)
        secret_namespace: ""
      issuer:
        # Create the Issuer instead of using an existing one
        create: false
        # The name of the existing issuer
        name: ""
        # The kind of the existing issuer (Issuer, ClusterIssuer)
        kind: Issuer
        # The group of the existing issuer
        group: cert-manager.io
      # Certificate duration (default: 30 days)
      duration: "720h"
      # How long before expiry to renew (default: 15 days)
      renew_before: "360h"

Thanks @yoderme for the proposal of this feature, and the initial setup in this PR

Checklist

  • Title of the PR starts with type and scope, (e.g. feat(agent,node-analyzer,sysdig-deploy):)
  • Chart Version bumped for the respective charts
  • Variables are documented in the README.md (or README.tpl in some charts)
  • Check GithubAction checks (like lint) to avoid merge-check stoppers
  • All test files are added in the tests folder of their respective chart and have a "_test" suffix

@francesco-furlan francesco-furlan force-pushed the feat/shield-add-cert-manager-support branch from a5c9c23 to 8c3479f Compare October 20, 2025 07:10
@francesco-furlan francesco-furlan force-pushed the feat/shield-add-cert-manager-support branch from 1d6d15c to 7638505 Compare November 4, 2025 14:12
@francesco-furlan francesco-furlan marked this pull request as ready for review November 4, 2025 14:12
@francesco-furlan francesco-furlan requested a review from a team as a code owner November 4, 2025 14:12