Skip to content

Add support for injecting CA from secret for trust manager Webhook#762

Open
zeusal wants to merge 5 commits intocert-manager:mainfrom
zeusal:patch-1
Open

Add support for injecting CA from secret for trust manager Webhook#762
zeusal wants to merge 5 commits intocert-manager:mainfrom
zeusal:patch-1

Conversation

@zeusal
Copy link

@zeusal zeusal commented Oct 2, 2025

Add support for injecting CA from Secret, allowing cainjector to run with --enable-certificates-data-source=false as recommended by best practices. https://cert-manager.io/docs/concepts/ca-injector/#controlling-which-data-sources-are-enabled

zeusal added 3 commits October 2, 2025 12:17
@zeusal
Update webhook.yaml
b1e7f73 
Add support for injecting CA from Secret, allowing cainjector to run with --enable-certificates-data-source=false as recommended by best practices

Signed-off-by: Zeus Arias Lucero <33123154+zeusal@users.noreply.github.com>
@zeusal
Update values.yaml
cfc60b9 
Added default value with description

Signed-off-by: Zeus Arias Lucero <33123154+zeusal@users.noreply.github.com>
@zeusal
Update webhook.yaml
51dc0a3 
Move into app.webhook.tls

Signed-off-by: Zeus Arias Lucero <33123154+zeusal@users.noreply.github.com>
@cert-manager-prow cert-manager-prow bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Oct 2, 2025
@cert-manager-prow
Copy link
Contributor

cert-manager-prow bot commented Oct 2, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign maelvls for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow
Copy link
Contributor

cert-manager-prow bot commented Oct 2, 2025

Hi @zeusal. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@cert-manager-prow cert-manager-prow bot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 2, 2025
zeusal added 2 commits October 2, 2025 12:44
@zeusal
Update values.yaml
62145f4 
Fix typo issue

Signed-off-by: Zeus Arias Lucero <33123154+zeusal@users.noreply.github.com>
@zeusal
Update values.schema.json
598f907 
Add values.schema

Signed-off-by: Zeus Arias Lucero <33123154+zeusal@users.noreply.github.com>
@erikgb
Copy link
Member

erikgb commented Oct 2, 2025

@zeusal, did you also read the note in https://cert-manager.io/docs/installation/best-practice/#memory?

image

@zeusal
Copy link
Author

zeusal commented Oct 2, 2025

@zeusal, did you also read the note in https://cert-manager.io/docs/installation/best-practice/#memory?

Yes, I did read the note in the best practices guide. The MR is aligned with it: by allowing inject-ca-from-secret, we can keep running cainjector with --enable-certificates-data-source=false, so the CA is injected from a pre-generated secret instead of generating certificates in the pod. This follows the memory and security recommendations from the guide.

The MR doesn’t change the default behavior — it only adds an optional way to provide the CA from a secret, keeping the pod lightweight and compliant with the best practices.

With this change, the chart can natively support both behaviors. It allows avoiding certificate auto-discovery and additional watchers, while still letting the MutationWebhook obtain the CA from a secret by specifying ca-from-secret and setting cert-manager.io/allow-direct-injection: "true" on that secret.

erikgb
erikgb reviewed Jan 18, 2026
View reviewed changes
deploy/charts/trust-manager/values.yaml

# Added option to inject CA from Secret instead of Certificate.
# This allows running cainjector with --enable-certificates-data-source=false, which follows cert-manager best practices by disabling unused data sources.
injectCaFrom: "certificate"
Copy link
Member

@erikgb erikgb Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not a big fan of this "enum", but your use case makes a lot of sense. Are you able to see a way to avoid this? Could it make sense to unconditionally use the cert-manager.io/inject-ca-from-secret annotation on the webhook?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erikgb erikgb erikgb left review comments

Assignees

No one assigned

Labels

dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zeusal @erikgb