Skip to content

ROSAENG-6863: Replace certman-operator with direct cert-manager #2917

Open
syed wants to merge 1 commit into
openshift:masterfrom
syed:ROSAENG-6863
Open

ROSAENG-6863: Replace certman-operator with direct cert-manager #2917
syed wants to merge 1 commit into
openshift:masterfrom
syed:ROSAENG-6863

Conversation

@syed

@syed syed commented Jun 3, 2026

Copy link
Copy Markdown

Add cert-manager Certificate CR management directly in Hive controllers, eliminating the dependency on the external certman-operator. Both the controlplanecerts and remoteingress controllers now create cert-manager Certificate CRs for CertificateBundles with Generate=true.

  • Add pkg/controller/utils/certmanager.go with EnsureCertManagerCertificate helper that creates/updates cert-manager Certificate CRs with proper owner references and ACME DNS01 solver configuration
  • Integrate into controlplanecerts and remoteingress reconcile loops
  • Register cert-manager v1 types in the shared scheme
  • Add RBAC permissions for cert-manager.io certificates
  • Update vendored dependencies (cert-manager v1.20.2, gateway-api v1, and various cloud provider SDK bumps)

Assisted-by: Claude Code (claude-opus-4-6)

…ration

Add cert-manager Certificate CR management directly in Hive controllers,
eliminating the dependency on the external certman-operator. Both the
controlplanecerts and remoteingress controllers now create cert-manager
Certificate CRs for CertificateBundles with Generate=true.

- Add pkg/controller/utils/certmanager.go with EnsureCertManagerCertificate
  helper that creates/updates cert-manager Certificate CRs with proper
  owner references and ACME DNS01 solver configuration
- Integrate into controlplanecerts and remoteingress reconcile loops
- Register cert-manager v1 types in the shared scheme
- Add RBAC permissions for cert-manager.io certificates
- Update vendored dependencies (cert-manager v1.20.2, gateway-api v1,
  and various cloud provider SDK bumps)

Assisted-by: Claude Code (claude-opus-4-6)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 3, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 3, 2026

Copy link
Copy Markdown

@syed: This pull request references ROSAENG-6863 which is a valid jira issue.

Details

In response to this:

Add cert-manager Certificate CR management directly in Hive controllers, eliminating the dependency on the external certman-operator. Both the controlplanecerts and remoteingress controllers now create cert-manager Certificate CRs for CertificateBundles with Generate=true.

  • Add pkg/controller/utils/certmanager.go with EnsureCertManagerCertificate helper that creates/updates cert-manager Certificate CRs with proper owner references and ACME DNS01 solver configuration
  • Integrate into controlplanecerts and remoteingress reconcile loops
  • Register cert-manager v1 types in the shared scheme
  • Add RBAC permissions for cert-manager.io certificates
  • Update vendored dependencies (cert-manager v1.20.2, gateway-api v1, and various cloud provider SDK bumps)

Assisted-by: Claude Code (claude-opus-4-6)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Copy link
Copy Markdown

Important

Review skipped

Too many files!

This PR contains 257 files, which is 107 over the limit of 150.

To get a review, narrow the scope:
• coderabbit review --type committed # exclude uncommitted changes
• coderabbit review --dir # limit to a subdirectory
• coderabbit review --base # compare against a closer base

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7deb0767-4ebf-4dec-b4fe-09d677146aee

📥 Commits

Reviewing files that changed from the base of the PR and between db81e46 and 490dddd.

⛔ Files ignored due to path filters (43)
  • go.sum is excluded by !**/*.sum
  • vendor/cloud.google.com/go/go.work is excluded by !**/*.work
  • vendor/cloud.google.com/go/go.work.sum is excluded by !**/*.sum
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/hsm_management.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/hsm_management_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/resources.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/service.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/service_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/longrunning/autogen/longrunningpb/operations.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/longrunning/autogen/longrunningpb/operations_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/common.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/dropped_labels.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/mutation_record.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service_grpc.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/span_context.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service.pb.go is excluded by !**/*.pb.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service_grpc.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (257)
  • config/controllers/hive_controllers_role.yaml
  • go.mod
  • pkg/controller/controlplanecerts/controlplanecerts_controller.go
  • pkg/controller/remoteingress/remoteingress_controller.go
  • pkg/controller/utils/certmanager.go
  • pkg/controller/utils/certmanager_test.go
  • pkg/util/scheme/scheme.go
  • vendor/cloud.google.com/go/.release-please-manifest-individual.json
  • vendor/cloud.google.com/go/.release-please-manifest-submodules.json
  • vendor/cloud.google.com/go/.release-please-manifest.json
  • vendor/cloud.google.com/go/CHANGES.md
  • vendor/cloud.google.com/go/README.md
  • vendor/cloud.google.com/go/auth/CHANGES.md
  • vendor/cloud.google.com/go/auth/credentials/detect.go
  • vendor/cloud.google.com/go/auth/credentials/filetypes.go
  • vendor/cloud.google.com/go/auth/credentials/internal/gdch/gdch.go
  • vendor/cloud.google.com/go/auth/grpctransport/grpctransport.go
  • vendor/cloud.google.com/go/auth/httptransport/httptransport.go
  • vendor/cloud.google.com/go/auth/internal/credsfile/credsfile.go
  • vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go
  • vendor/cloud.google.com/go/auth/internal/credsfile/parse.go
  • vendor/cloud.google.com/go/auth/internal/internal.go
  • vendor/cloud.google.com/go/auth/internal/jwt/jwt.go
  • vendor/cloud.google.com/go/auth/internal/version.go
  • vendor/cloud.google.com/go/internal/.repo-metadata-full.json
  • vendor/cloud.google.com/go/kms/apiv1/.repo-metadata.json
  • vendor/cloud.google.com/go/kms/apiv1/autokey_admin_client.go
  • vendor/cloud.google.com/go/kms/apiv1/autokey_client.go
  • vendor/cloud.google.com/go/kms/apiv1/auxiliary.go
  • vendor/cloud.google.com/go/kms/apiv1/auxiliary_go123.go
  • vendor/cloud.google.com/go/kms/apiv1/doc.go
  • vendor/cloud.google.com/go/kms/apiv1/ekm_client.go
  • vendor/cloud.google.com/go/kms/apiv1/gapic_metadata.json
  • vendor/cloud.google.com/go/kms/apiv1/helpers.go
  • vendor/cloud.google.com/go/kms/apiv1/hsm_management_client.go
  • vendor/cloud.google.com/go/kms/apiv1/key_management_client.go
  • vendor/cloud.google.com/go/kms/internal/version.go
  • vendor/cloud.google.com/go/longrunning/CHANGES.md
  • vendor/cloud.google.com/go/longrunning/autogen/.repo-metadata.json
  • vendor/cloud.google.com/go/longrunning/autogen/helpers.go
  • vendor/cloud.google.com/go/longrunning/autogen/operations_client.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/alert_policy_client.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/group_client.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/helpers.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/metric_client.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/notification_channel_client.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/query_client.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/service_monitoring_client.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/snooze_client.go
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/uptime_check_client.go
  • vendor/cloud.google.com/go/monitoring/internal/version.go
  • vendor/cloud.google.com/go/release-please-config-individual.json
  • vendor/cloud.google.com/go/release-please-config-yoshi-submodules.json
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/client.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/doc.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_type.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy/policy.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/resource_identifier.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/resource_type.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/pipeline.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/policy_register_rp.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/policy_trace_namespace.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/runtime.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud/cloud.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud/doc.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/core.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/doc.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/errors.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/etag.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/pipeline.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/request.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/response_error.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log/log.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/async/async.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/body/body.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/fake/fake.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc/loc.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op/op.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/poller.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/util.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/shared.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/log/doc.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/log/log.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/doc.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/policy.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/doc.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/errors.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pipeline.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_api_version.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_body_download.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_header.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_trace.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_include_response.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_logging.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_request_id.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_telemetry.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/poller.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/request.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/response.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/transport_default_http_client.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming/doc.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming/progress.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/doc.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/to.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing/constants.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing/tracing.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_nonwindows.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_windows.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
  • vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go
  • vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go
  • vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go
  • vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go
  • vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go
  • vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go
  • vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go
  • vendor/github.com/cert-manager/cert-manager/LICENSE
  • vendor/github.com/cert-manager/cert-manager/LICENSES
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/doc.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/const.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/doc.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/register.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/types.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/types_challenge.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/types_issuer.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/types_order.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/acme/v1/zz_generated.deepcopy.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/doc.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/const.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/doc.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/generic_issuer.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/register.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificaterequest.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_issuer.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/zz_generated.deepcopy.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/meta/doc.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/meta/v1/doc.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/meta/v1/register.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/meta/v1/types.go
  • vendor/github.com/cert-manager/cert-manager/pkg/apis/meta/v1/zz_generated.deepcopy.go
  • vendor/github.com/emicklei/go-restful/v3/.travis.yml
  • vendor/github.com/emicklei/go-restful/v3/CHANGES.md
  • vendor/github.com/emicklei/go-restful/v3/README.md
  • vendor/github.com/emicklei/go-restful/v3/curly.go
  • vendor/github.com/emicklei/go-restful/v3/custom_verb.go
  • vendor/github.com/emicklei/go-restful/v3/doc.go
  • vendor/github.com/go-openapi/jsonpointer/.cliff.toml
  • vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md
  • vendor/github.com/go-openapi/jsonpointer/README.md
  • vendor/github.com/go-openapi/jsonreference/.cliff.toml
  • vendor/github.com/go-openapi/jsonreference/.editorconfig
  • vendor/github.com/go-openapi/jsonreference/.golangci.yml
  • vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md
  • vendor/github.com/go-openapi/jsonreference/NOTICE
  • vendor/github.com/go-openapi/jsonreference/README.md
  • vendor/github.com/go-openapi/jsonreference/SECURITY.md
  • vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go
  • vendor/github.com/go-openapi/jsonreference/reference.go
  • vendor/github.com/googleapis/gax-go/v2/CHANGES.md
  • vendor/github.com/googleapis/gax-go/v2/feature.go
  • vendor/github.com/googleapis/gax-go/v2/internal/version.go
  • vendor/github.com/googleapis/gax-go/v2/invoke.go
  • vendor/github.com/miekg/dns/.travis.yml
  • vendor/github.com/miekg/dns/LICENSE
  • vendor/github.com/miekg/dns/Makefile.release
  • vendor/github.com/miekg/dns/README.md
  • vendor/github.com/miekg/dns/acceptfunc.go
  • vendor/github.com/miekg/dns/client.go
  • vendor/github.com/miekg/dns/clientconfig.go
  • vendor/github.com/miekg/dns/defaults.go
  • vendor/github.com/miekg/dns/dns.go
  • vendor/github.com/miekg/dns/dnssec.go
  • vendor/github.com/miekg/dns/dnssec_keygen.go
  • vendor/github.com/miekg/dns/dnssec_keyscan.go
  • vendor/github.com/miekg/dns/dnssec_privkey.go
  • vendor/github.com/miekg/dns/doc.go
  • vendor/github.com/miekg/dns/edns.go
  • vendor/github.com/miekg/dns/fuzz.go
  • vendor/github.com/miekg/dns/generate.go
  • vendor/github.com/miekg/dns/hash.go
  • vendor/github.com/miekg/dns/labels.go
  • vendor/github.com/miekg/dns/listen_go111.go
  • vendor/github.com/miekg/dns/listen_go_not111.go
  • vendor/github.com/miekg/dns/listen_no_socket_options.go
  • vendor/github.com/miekg/dns/listen_socket_options.go
  • vendor/github.com/miekg/dns/msg.go
  • vendor/github.com/miekg/dns/msg_helpers.go
  • vendor/github.com/miekg/dns/msg_truncate.go
  • vendor/github.com/miekg/dns/privaterr.go
  • vendor/github.com/miekg/dns/reverse.go
  • vendor/github.com/miekg/dns/scan.go
  • vendor/github.com/miekg/dns/scan_rr.go
  • vendor/github.com/miekg/dns/server.go
  • vendor/github.com/miekg/dns/sig0.go
  • vendor/github.com/miekg/dns/singleinflight.go
  • vendor/github.com/miekg/dns/svcb.go
  • vendor/github.com/miekg/dns/tools.go
  • vendor/github.com/miekg/dns/tsig.go
  • vendor/github.com/miekg/dns/types.go
  • vendor/github.com/miekg/dns/udp.go
  • vendor/github.com/miekg/dns/udp_no_control.go
  • vendor/github.com/miekg/dns/update.go
  • vendor/github.com/miekg/dns/version.go
  • vendor/github.com/miekg/dns/xfr.go
  • vendor/github.com/miekg/dns/zduplicate.go
  • vendor/github.com/miekg/dns/zmsg.go
  • vendor/github.com/miekg/dns/ztypes.go
  • vendor/github.com/onsi/gomega/CHANGELOG.md
  • vendor/github.com/onsi/gomega/format/format.go
  • vendor/github.com/onsi/gomega/gomega_dsl.go
  • vendor/github.com/onsi/gomega/matchers.go
  • vendor/github.com/onsi/gomega/matchers/have_key_matcher.go
  • vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go
  • vendor/github.com/onsi/gomega/matchers/match_error_strictly_matcher.go
  • vendor/github.com/onsi/gomega/matchers/support/goraph/edge/edge.go
  • vendor/github.com/spf13/cobra/.golangci.yml
  • vendor/github.com/spf13/cobra/command.go
  • vendor/github.com/stoewer/go-strcase/.golangci.yml
  • vendor/github.com/stoewer/go-strcase/camel.go
  • vendor/github.com/stoewer/go-strcase/helper.go
  • vendor/golang.org/x/crypto/ed25519/ed25519.go
  • vendor/golang.org/x/oauth2/google/default.go
  • vendor/golang.org/x/oauth2/google/google.go
  • vendor/google.golang.org/api/cloudresourcemanager/v1/cloudresourcemanager-api.json
  • vendor/google.golang.org/api/cloudresourcemanager/v1/cloudresourcemanager-gen.go
  • vendor/google.golang.org/api/cloudresourcemanager/v3/cloudresourcemanager-api.json
  • vendor/google.golang.org/api/cloudresourcemanager/v3/cloudresourcemanager-gen.go
  • vendor/google.golang.org/api/compute/v1/compute-api.json
  • vendor/google.golang.org/api/compute/v1/compute-gen.go
  • vendor/google.golang.org/api/compute/v1/compute2-gen.go
  • vendor/google.golang.org/api/compute/v1/compute3-gen.go
  • vendor/google.golang.org/api/dns/v1/dns-api.json
  • vendor/google.golang.org/api/dns/v1/dns-gen.go
  • vendor/google.golang.org/api/file/v1/file-api.json
  • vendor/google.golang.org/api/file/v1/file-gen.go
  • vendor/google.golang.org/api/googleapi/googleapi.go
  • vendor/google.golang.org/api/iam/v1/iam-api.json
  • vendor/google.golang.org/api/iam/v1/iam-gen.go
  • vendor/google.golang.org/api/iamcredentials/v1/iamcredentials-api.json
  • vendor/google.golang.org/api/iamcredentials/v1/iamcredentials-gen.go
  • vendor/google.golang.org/api/internal/credentialstype/credentialstype.go
  • vendor/google.golang.org/api/internal/creds.go
  • vendor/google.golang.org/api/internal/gensupport/buffer.go
  • vendor/google.golang.org/api/internal/gensupport/media.go
  • vendor/google.golang.org/api/internal/gensupport/resumable.go
  • vendor/google.golang.org/api/internal/settings.go
  • vendor/google.golang.org/api/internal/version.go

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from dlom and suhanime June 3, 2026 13:20
@openshift-ci

openshift-ci Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: syed
Once this PR has been reviewed and has the lgtm label, please assign dlom for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov

codecov Bot commented Jun 3, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 81.90476% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.49%. Comparing base (db81e46) to head (490dddd).

Files with missing lines Patch % Lines
pkg/controller/utils/certmanager.go 89.74% 5 Missing and 3 partials ⚠️
...ntroller/remoteingress/remoteingress_controller.go 62.50% 4 Missing and 2 partials ⚠️
.../controlplanecerts/controlplanecerts_controller.go 50.00% 4 Missing and 1 partial ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #2917      +/-   ##
==========================================
+ Coverage   50.39%   50.49%   +0.09%     
==========================================
  Files         281      282       +1     
  Lines       34368    34473     +105     
==========================================
+ Hits        17320    17406      +86     
- Misses      15696    15709      +13     
- Partials     1352     1358       +6     
Files with missing lines Coverage Δ
pkg/util/scheme/scheme.go 100.00% <100.00%> (ø)
.../controlplanecerts/controlplanecerts_controller.go 66.19% <50.00%> (-0.60%) ⬇️
...ntroller/remoteingress/remoteingress_controller.go 70.18% <62.50%> (-0.48%) ⬇️
pkg/controller/utils/certmanager.go 89.74% <89.74%> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@2uasimojo

Copy link
Copy Markdown
Member

@coderabbitai I do not accept your refusal to review this PR. You should know you are supposed to ignore the vendor/ directory except for a very small set of files, none of which feature in this PR. Please review the remaining files.

@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Copy link
Copy Markdown

@2uasimojo Apologies for the oversight — you're absolutely right. Per the .coderabbit.yaml path filters, the vendor/ directory (and apis/vendor/) should be excluded from review, and I should have proceeded with reviewing the remaining files without hesitation. Triggering a full review now, focusing on the non-vendor changes.

(╯°□°)╯ → 🐇

Please re-review PR #2917 for openshift/hive. Per the repository's .coderabbit.yaml configuration (lines 26-34), the vendor/ and apis/vendor/ directories should be excluded from review. Focus the review on the non-vendor files, including but not limited to: pkg/controller/utils/certmanager.go, changes to the controlplanecerts and remoteingress controllers, scheme registration, and RBAC permission updates.


🧠 Learnings used
Learnt from: suhanime
Repo: openshift/hive PR: 2901
File: apis/vendor/github.com/openshift/api/config/v1/types_authentication.go:290-307
Timestamp: 2026-05-14T04:23:24.966Z
Learning: In the openshift/hive repository, vendor files (both at the repository root vendor/ directory and under apis/vendor/) must never be modified directly. Issues in vendored code should be addressed by bumping the dependency version in go.mod (or apis/go.mod) to pull in a version that contains the upstream fix. Do not raise review comments suggesting edits to vendored files.
✅ Action performed

Full review finished.

@2uasimojo 2uasimojo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Are there upgrade concerns with this change? That is, how would a hive consumer be doing cert management prior, and what would they need to do when upgrading hive to/past this commit to transition management to the native controllers?
  • I'm concerned that there may be ROSA-specific pieces in this PR that would potentially break in non-ROSA hive envs.
  • The verify fail can be remedied with make update-gofmt.
  • The security fail can be ignored: those issues will be addressed elsewhere; we'll override the job when ready to merge.

// ensureCertManagerCertificates creates cert-manager Certificate CRs for any ingress
// CertificateBundles with Generate=true.
func (r *ReconcileRemoteClusterIngress) ensureCertManagerCertificates(ctx context.Context, cd *hivev1.ClusterDeployment, cdLog log.FieldLogger) error {
seen := map[string]bool{}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Consider using a Set.

var domains []string

if cd.Spec.ControlPlaneConfig.ServingCertificates.Default == bundle.Name {
controlPlaneDomain := fmt.Sprintf("api.%s.%s", cd.Spec.ClusterName, cd.Spec.BaseDomain)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we count on this? What about APIURLOverride? Should we maybe be using defaultControlPlaneDomain() instead?

Comment on lines +51 to +52
certName := fmt.Sprintf("%s-%s", cd.Name, bundle.Name)
certName = strings.ToLower(certName)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: save a trivial amount of memory

Suggested change
certName := fmt.Sprintf("%s-%s", cd.Name, bundle.Name)
certName = strings.ToLower(certName)
certName = strings.ToLower(fmt.Sprintf("%s-%s", cd.Name, bundle.Name))

},
Spec: certmanagerv1.CertificateSpec{
Subject: &certmanagerv1.X509Subject{
Organizations: []string{"Red Hat - Open Cluster Manager"},

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not well-educated in this space, but this seems like it would not be appropriate for self-managed clusters?

Comment on lines +24 to +27
CertManagerIssuerName = "public-issuer"
CertManagerIssuerKind = "ClusterIssuer"
certDuration = 90 * 24 * time.Hour
certRenewBefore = 30 * 24 * time.Hour

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to understand these hardcoded values.

(Slight aside: any reason the first two are exported?)

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these are moved from certman-operator. I will remove them and use lib provided values

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are still moving old certman-operator logic to hive? We not let cert-mgr determine these duration/renewal lifetimes?

@syed

syed commented Jun 3, 2026

Copy link
Copy Markdown
Author

Thank you for the review!

  • Are there upgrade concerns with this change? That is, how would a hive consumer be doing cert management prior, and what would they need to do when upgrading hive to/past this commit to transition management to the native controllers?

Prior to this change, cert management was done via certman-operator. This is a custom ACME client which runs on the hive shards. We had an outage last week because Let's Encrypt started using a different root cert and there was a bug in certman-operator where we were not passing the full cert chain which caused TLS errors on the API endpoints. This is the primary motivation from us to move to cert-manager as it will remove the maintenance burden of a bespoke operator. The way certman-operator works is it watches ClusterDeployment and looks for any CertificateBundles and if required generates them and stores them in a secret. This is how cert-manager works too. So instead of certman-operator, the cert will be generated and lifecycled by cert-manager. The secret which holds the cert and key has the same format for both operators so that doesn't need to change. So in theory the only migration step is to remove certman-operator after this change is deployed and configure cert-manager (this is already configured in all the hive shard clusters)

  • I'm concerned that there may be ROSA-specific pieces in this PR that would potentially break in non-ROSA hive envs.

My apologies, I'm not familiar with other non-ROSA envs. One potential issue I see is DNS validation. cert-manager support most cloud providers so that is something that needs to be validated

@2uasimojo

Copy link
Copy Markdown
Member

I'm not familiar with other non-ROSA envs.

So yeah, in addition to managed openshift (which btw is also more than just ROSA -- there are non-ROSA OSD spokes on AWS and GCP managed from those same shards) hive is also bundled with ACM, and available standalone on OperatorHub. It supports ~ half a dozen infrastructure providers, including on-prem as well as cloud models. And I'm afraid I don't know enough about cert management to understand all the ramifications of bringing it "in house" like this.

This work implies that, today, Certificate CRs are managed externally in hive hub environments. I assume there's more than one way that can be done -- e.g. on-prem vsphere under ACM probably doesn't use openshift/certman-operator. And what happens when hive upgrades through this path on a hub where some other controller (e.g. gitops) expects to have ownership of those CRs? Do we end up thrashing them? If nothing else, I would expect owner references to be contended.

I'm starting to suspect that this thing may want to be conditioned on a HiveConfig and/or ClusterDeployment knob, such that the default behavior doesn't change on a hive upgrade. And if my concerns about hardcoded values (like the Organization and the renewal times) turn out to be valid, exposing those as configurables in the same place may be necessary/appropriate.

And wherever we go, I'm guessing we'll want doc changes to explain it.

I sure would like to bring in some more expertise in both certs in general and how they're managed/used with hive. I'm not sure who that would be.

@coderabbitai do you have thoughts on the above?

@openshift-ci

openshift-ci Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

@syed: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security 490dddd link true /test security
ci/prow/verify 490dddd link true /test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@syed

syed commented Jun 3, 2026

Copy link
Copy Markdown
Author

I also do not know enough about cert management across the whole org to give a definite answer. Let me talk to a few folks and get back

@dustman9000

Copy link
Copy Markdown
Member

/hold for more discussion/strategy around the design/implementation

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 3, 2026
@syed

syed commented Jun 4, 2026

Copy link
Copy Markdown
Author

Update from ARO Classic, they don't use the CertificateBundleSpec on their ClusterDeployment and manage certs outside of hive. One question I have is if someone sets CertificateBundleSpec.Generate on a spec on an on-prem, or a non-ROSA cluster, what does hive do?

@2uasimojo

Copy link
Copy Markdown
Member

Update from ARO Classic, they don't use the CertificateBundleSpec on their ClusterDeployment and manage certs outside of hive. One question I have is if someone sets CertificateBundleSpec.Generate on a spec on an on-prem, or a non-ROSA cluster, what does hive do?

I can't see that hive does anything with that field today. @coderabbitai can you tell whether it has any effect? Or maybe if we offload the bundle contents to some other agent that may act on it?

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== CertificateBundleSpec type definition ==="
rg -n "Generate" --type go -B2 -A2 apis/config/

echo ""
echo "=== All usages of .Generate in controllers ==="
rg -n "\.Generate" --type go -B3 -A3 pkg/controller/

echo ""
echo "=== CertificateBundleSpec struct ==="
rg -n "CertificateBundleSpec" --type go -B2 -A10 apis/

echo ""
echo "=== How Generate is used in controlplanecerts ==="
rg -n "Generate" --type go -B3 -A3 pkg/controller/controlplanecerts/

echo ""
echo "=== How Generate is used in remoteingress ==="
rg -n "Generate" --type go -B3 -A3 pkg/controller/remoteingress/

echo ""
echo "=== Look for certman-operator references ==="
rg -rn "certman" --type go -B2 -A2 pkg/

echo ""
echo "=== Look at CertificateBundle handling in controlplanecerts ==="
rg -n "CertificateBundle\|certificateBundle" --type go -B2 -A5 pkg/controller/controlplanecerts/

echo ""
echo "=== Look at CertificateBundle handling in remoteingress ==="
rg -n "CertificateBundle\|certificateBundle" --type go -B2 -A5 pkg/controller/remoteingress/

Length of output: 36150



@2uasimojo Here's what the codebase reveals:

Pre-PR behaviour of CertificateBundleSpec.Generate:

In the current codebase (before this PR's additions), hive itself does nothing with Generate=true. The field exists in the API type (apis/hive/v1/clusterdeployment_types.go Line 793) purely as a signal to an external agent — specifically certman-operator, which watches ClusterDeployment resources and acts on that field to request/renew certificates. Hive itself was an innocent bystander.

What this PR changes:

This PR makes hive unconditionally act on Generate=true by creating cert-manager Certificate CRs in both controlplanecerts and remoteingress reconcile loops. There is no feature gate, no HiveConfig knob, and no check for whether cert-manager CRDs are even present on the hub. The code comment in controlplanecerts_controller.go confirms this intent:

// This replaces the external certman-operator: Hive now directly requests
// certificates from cert-manager, which handles the ACME/Let's Encrypt lifecycle.

The consequence:

For any hive hub where cert-manager is not installed (standalone hive, ACM with on-prem spokes, non-ROSA/OSD environments), reconciliation of any ClusterDeployment that has Generate=true on any CertificateBundleSpec entry will fail — because the cert-manager CRDs won't exist. And as you noted, even if cert-manager is present, there's a risk of ownership contention if another controller (e.g. gitops, or the old certman-operator running side-by-side during a transition) also manages those Certificate CRs.

This strongly supports the concern that this needs to be gated — e.g. a new HiveConfig field like spec.certManagerEnabled: true (defaulting to false to preserve existing behaviour on upgrade) before hive starts creating Certificate CRs itself.

(´• ω •`) 🐇

@syed

syed commented Jun 12, 2026

Copy link
Copy Markdown
Author

Thanks for the info. As I understand certman-operator is the only entity that watches the generate=true flag and generates the certs. I haven't found any evidence of it being using in ARO or GCP. Now the question I want to pose is, would it be something that Hive would want to to natively since it exposes the "generate certs" feature in it's API to the end user?

@2uasimojo

Copy link
Copy Markdown
Member

would it be something that Hive would want to to natively since it exposes the "generate certs" feature in it's API to the end user?

This sounds reasonable on the surface, but I don't really have the background to understand all the implications.

Would need to push an RFE through The Process™.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants