Skip to content

cert-manager Trust manager featuregate and test #6805

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
eslutsky wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

cert-manager Trust manager featuregate and test #6805

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d39f916
Enabling trust-manager featuregate by default
eslutsky Jun 4, 2026
741675b
testing cert-manager trust-manager deployment with RF
eslutsky Jun 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions assets/optional/cert-manager/manager/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,24 @@ resources:
- manager.yaml
- images.yaml

patches:
- target:
kind: Deployment
name: controller-manager
patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
spec:
template:
spec:
containers:
- name: cert-manager-operator
env:
- name: UNSUPPORTED_ADDON_FEATURES
value: TrustManager=true

replacements:
- source:
kind: ConfigMap
Expand Down
6 changes: 6 additions & 0 deletions test/assets/cert-manager/trust-manager-cr.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: operator.openshift.io/v1alpha1
kind: TrustManager
metadata:
name: cluster
spec:
trustManagerConfig: {}
204 changes: 204 additions & 0 deletions test/suites/optional/cert-manager.robot
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,12 @@ ${HOSTSFILE_ENABLED} SEPARATOR=\n
... \ \ hosts:
... \ \ \ \ status: Enabled

${TRUST_MANAGER_BUNDLE_NAME} test-trust-bundle
${TRUST_MANAGER_OPERATOR_NS} cert-manager-operator
${TRUST_MANAGER_NS} cert-manager
${TRUST_MANAGER_DEPLOYMENT} cert-manager-operator-controller-manager
${TRUST_MANAGER_MANIFESTS_DIR} /etc/microshift/manifests.d/trust-manager


*** Test Cases ***
Create Ingress route with Custom certificate
Expand Down Expand Up @@ -95,6 +101,64 @@ Test Cert manager with local acme server
... Cleanup HTTP01 Resources
... AND Cleanup DNS For Test ${dns_name}

Trust Manager Deployment
[Documentation] Verify trust-manager can be enabled and deploys successfully
[Tags] trust-manager
[Setup] Enable Trust Manager
Labeled Pod Should Be Ready app.kubernetes.io/name=cert-manager-trust-manager ns=${TRUST_MANAGER_NS}
${status}= Oc Get JsonPath trustmanager ${EMPTY} cluster
... .status.conditions[?(@.type=="Ready")].status
Should Be Equal ${status} True msg=TrustManager CR is not ready
[Teardown] Disable Trust Manager

Trust Manager Bundle Creates ConfigMap
[Documentation] Verify trust-manager Bundle CR syncs a CA cert into a ConfigMap
[Tags] trust-manager
[Setup] Enable Trust Manager

Create CA Secret For Trust Manager
${bundle_yaml}= Create Trust Bundle From Source Secret YAML
Apply Trust Manager YAML ${bundle_yaml}
Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
... --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}

${cm_data}= Oc Get JsonPath configmap ${NAMESPACE} ${TRUST_MANAGER_BUNDLE_NAME} .data.ca-bundle\\.crt
Should Contain ${cm_data} BEGIN CERTIFICATE msg=ConfigMap does not contain CA certificate data

[Teardown] Run Keywords
... Cleanup Trust Bundle
... AND Run With Kubeconfig oc delete secret ca-source-secret -n ${TRUST_MANAGER_NS} --ignore-not-found
... AND Disable Trust Manager

Trust Manager Bundle With Cert Manager CA
[Documentation] Verify trust-manager Bundle can use a cert-manager CA secret as a source
[Tags] trust-manager
[Setup] Enable Trust Manager

${issuer_yaml}= Create Cert Issuer YAML
Apply Trust Manager YAML ${issuer_yaml}
Oc Wait -n ${NAMESPACE} clusterissuer ${ISSUER_NAME}
... --for="condition=Ready" --timeout=${DEFAULT_WAIT_TIMEOUT}

${ca_cert_yaml}= Create CA Certificate YAML
Apply Trust Manager YAML ${ca_cert_yaml}
Oc Wait -n ${TRUST_MANAGER_NS} certificate ca-certificate
... --for="condition=Ready" --timeout=${DEFAULT_WAIT_TIMEOUT}

${bundle_yaml}= Create Trust Bundle From Secret YAML
Apply Trust Manager YAML ${bundle_yaml}
Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
... --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}
Comment on lines +150 to +151
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Same fragile index issue.

Apply the same fix as line 122-123.

🔧 Proposed fix 
     Oc Wait    bundle ${TRUST_MANAGER_BUNDLE_NAME}
-    ...    --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}
+    ...    --for=jsonpath='{.status.conditions[?(@.type=="Synced")].status}'=True --timeout=${DEFAULT_WAIT_TIMEOUT}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
... --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}
Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
... --for=jsonpath='{.status.conditions[?(@.type=="Synced")].status}'=True --timeout=${DEFAULT_WAIT_TIMEOUT}
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/suites/optional/cert-manager.robot` around lines 150 - 151, The jsonpath
used in the Oc Wait call is fragile because it assumes the condition is at index
0; update the jsonpath in the Oc Wait that references TRUST_MANAGER_BUNDLE_NAME
to check all conditions instead of .status.conditions[0].reason (e.g. use
.status.conditions[*].reason or a filter by condition type) so the wait asserts
any condition reason equals "Synced" rather than relying on index 0; modify the
Oc Wait invocation that currently uses .status.conditions[0].reason to use the
wildcard/filter form to match line 122-123's fix approach.


${cm_data}= Oc Get JsonPath configmap ${NAMESPACE} ${TRUST_MANAGER_BUNDLE_NAME} .data.ca-bundle\\.crt
Should Contain ${cm_data} BEGIN CERTIFICATE msg=ConfigMap does not contain CA certificate data

[Teardown] Run Keywords
... Cleanup Trust Bundle
... AND Oc Delete certificate/ca-certificate -n ${TRUST_MANAGER_NS}
... AND Remove ClusterIssuer
... AND Disable Trust Manager


*** Keywords ***
Setup
Expand Down Expand Up @@ -432,3 +496,143 @@ Cleanup DNS For Test
Remove Entry From Hosts ${dns_name}
Remove Drop In MicroShift Config 20-dns
Restart MicroShift

Enable Trust Manager
[Documentation] Deploy trust-manager by creating a TrustManager CR via manifests.d
... and restarting MicroShift. The UNSUPPORTED_ADDON_FEATURES=TrustManager=true
... feature gate is already set in the system cert-manager kustomization.
Create Trust Manager CR Manifests
Restart MicroShift
Wait Until Keyword Succeeds 30x 10s
... Labeled Pod Should Be Ready app.kubernetes.io/name=cert-manager-trust-manager ns=${TRUST_MANAGER_NS}

Disable Trust Manager
[Documentation] Remove the TrustManager CR manifests.d and restart MicroShift.
Run With Kubeconfig oc delete trustmanager cluster --ignore-not-found
Run With Kubeconfig oc delete bundle ${TRUST_MANAGER_BUNDLE_NAME} --ignore-not-found
Run With Kubeconfig oc delete deployment trust-manager -n ${TRUST_MANAGER_NS} --ignore-not-found
Remove Trust Manager CR Manifests
Restart MicroShift
Wait Until Keyword Succeeds 12x 10s
... Trust Manager Pod Should Not Exist

Trust Manager Pod Should Not Exist
[Documentation] Verify trust-manager pod no longer exists in cert-manager namespace
${output}= Run With Kubeconfig
... oc get pods -n ${TRUST_MANAGER_NS} -l app.kubernetes.io/name\=cert-manager-trust-manager --no-headers
... allow_fail=True
Should Be Empty ${output} msg=trust-manager pod still exists

Create Trust Manager CR Manifests
[Documentation] Create the manifests.d kustomization with the TrustManager CR
${stdout} ${stderr} ${rc}= Execute Command
... mkdir -p ${TRUST_MANAGER_MANIFESTS_DIR}
... sudo=True return_rc=True return_stdout=True return_stderr=True
Should Be Equal As Integers ${rc} 0
${kustomization}= CATENATE SEPARATOR=\n
... apiVersion: kustomize.config.k8s.io/v1beta1
... kind: Kustomization
... resources:
... \ \ - trust-manager-cr.yaml
Upload String To File ${kustomization} ${TRUST_MANAGER_MANIFESTS_DIR}/kustomization.yaml
${tm_cr}= CATENATE SEPARATOR=\n
... apiVersion: operator.openshift.io/v1alpha1
... kind: TrustManager
... metadata:
... \ \ name: cluster
... spec:
... \ \ trustManagerConfig: {}
Upload String To File ${tm_cr} ${TRUST_MANAGER_MANIFESTS_DIR}/trust-manager-cr.yaml

Remove Trust Manager CR Manifests
[Documentation] Remove the trust-manager manifests.d directory
${stdout} ${stderr} ${rc}= Execute Command
... rm -rf ${TRUST_MANAGER_MANIFESTS_DIR}
... sudo=True return_rc=True return_stdout=True return_stderr=True
Should Be Equal As Integers ${rc} 0

Create CA Secret For Trust Manager
[Documentation] Generate a self-signed CA cert locally and create a secret in the trust namespace
${cert_file}= Create Random Temp File
${result}= Process.Run Process
... openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
... -nodes -keyout /dev/null -out ${cert_file} -days 365
... -subj /CN\=test-ca.example.com
... stderr=STDOUT
Should Be Equal As Integers ${result.rc} 0
Run With Kubeconfig
... oc create secret generic ca-source-secret -n ${TRUST_MANAGER_NS} --from-file=tls.crt=${cert_file}
Remove File ${cert_file}

Create Trust Bundle From Source Secret YAML
[Documentation] Creates a Bundle CR YAML sourced from a manually created secret in the trust namespace
${yaml}= CATENATE SEPARATOR=\n
... ---
... apiVersion: trust.cert-manager.io/v1alpha1
... kind: Bundle
... metadata:
... \ \ name: ${TRUST_MANAGER_BUNDLE_NAME}
... spec:
... \ \ sources:
... \ \ \ \ - secret:
... \ \ \ \ \ \ \ \ name: ca-source-secret
... \ \ \ \ \ \ \ \ key: tls.crt
... \ \ target:
... \ \ \ \ configMap:
... \ \ \ \ \ \ key: ca-bundle.crt
... \ \ \ \ namespaceSelector:
... \ \ \ \ \ \ matchLabels:
... \ \ \ \ \ \ \ \ kubernetes.io/metadata.name: ${NAMESPACE}
RETURN ${yaml}

Create CA Certificate YAML
[Documentation] Creates a cert-manager CA Certificate in the trust namespace
${yaml}= CATENATE SEPARATOR=\n
... ---
... apiVersion: cert-manager.io/v1
... kind: Certificate
... metadata:
... \ \ name: ca-certificate
... \ \ namespace: ${TRUST_MANAGER_NS}
... spec:
... \ \ isCA: true
... \ \ commonName: test-ca.example.com
... \ \ secretName: ca-certificate-secret
... \ \ issuerRef:
... \ \ \ \ name: ${ISSUER_NAME}
... \ \ \ \ kind: ClusterIssuer
RETURN ${yaml}

Create Trust Bundle From Secret YAML
[Documentation] Creates a Bundle CR YAML sourced from a cert-manager CA secret in the trust namespace
${yaml}= CATENATE SEPARATOR=\n
... ---
... apiVersion: trust.cert-manager.io/v1alpha1
... kind: Bundle
... metadata:
... \ \ name: ${TRUST_MANAGER_BUNDLE_NAME}
... spec:
... \ \ sources:
... \ \ \ \ - secret:
... \ \ \ \ \ \ \ \ name: ca-certificate-secret
... \ \ \ \ \ \ \ \ key: tls.crt
... \ \ target:
... \ \ \ \ configMap:
... \ \ \ \ \ \ key: ca-bundle.crt
... \ \ \ \ namespaceSelector:
... \ \ \ \ \ \ matchLabels:
... \ \ \ \ \ \ \ \ kubernetes.io/metadata.name: ${NAMESPACE}
RETURN ${yaml}

Apply Trust Manager YAML
[Documentation] Apply YAML manifest, allowing both created and configured/unchanged results
[Arguments] ${yaml_content}
${temp_file}= Create Random Temp File ${yaml_content}
${result}= Oc Apply -f ${temp_file}
Remove File ${temp_file}
Log Applied manifest: ${result}

Cleanup Trust Bundle
[Documentation] Remove the test trust-manager Bundle CR and its target ConfigMap
Run With Kubeconfig oc delete bundle ${TRUST_MANAGER_BUNDLE_NAME} --ignore-not-found
Run With Kubeconfig oc delete configmap ${TRUST_MANAGER_BUNDLE_NAME} -n ${NAMESPACE} --ignore-not-found