Skip to content

Fix issue #1668 about auto renew certificat on mutating / validatinf#1669

Open
disaster37 wants to merge 2 commits into
devfile:mainfrom
disaster37:fix/issue-1668
Open

Fix issue #1668 about auto renew certificat on mutating / validatinf#1669
disaster37 wants to merge 2 commits into
devfile:mainfrom
disaster37:fix/issue-1668

Conversation

@disaster37

@disaster37 disaster37 commented Jul 2, 2026

Copy link
Copy Markdown

What does this PR do?

Add cert-manager annotations on mutating and validating depoloyment to auto renew certificate and auto restart pod when it's done.

What issues does this PR fix or reference?

Fix issue #1668

Is it tested? How?

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

  • Bug Fixes
    • Improved webhook certificate handling by adding webhook annotations to both mutating and validating configurations.
    • Webhook CA injection now adapts automatically: it uses cert-manager when available, otherwise it uses the OpenShift CABundle when running on OpenShift.
    • Helps webhook connectivity stay reliable after deployment by ensuring the correct CA source is applied consistently.

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: disaster37
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown

Hi @disaster37. Thanks for your PR.

I'm waiting for a devfile member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds environment-specific annotations to mutating and validating webhook configurations. Cert-manager API-group detection is stored by infrastructure initialization, and annotation generation selects cert-manager injection, OpenShift CA injection, or no annotations.

Changes

Environment-aware webhook annotations

Layer / File(s) Summary
Environment detection state
pkg/infrastructure/cluster.go
Tracks cert-manager API-group detection during live and test initialization and exposes the result through CertManagerDetected.
Annotation generation
webhook/workspace/annotations.go
Generates cert-manager or OpenShift CA injection annotations based on the namespace and detected environment.
Webhook configuration metadata
webhook/workspace/mutating_cfg.go, webhook/workspace/validating_cfg.go
Adds generated annotations to both webhook configuration objects and updates copyright years.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Cluster as Cluster detection
  participant Infrastructure as Infrastructure state
  participant ConfigBuilders as Webhook configuration builders
  participant Annotations as getWebhookAnnotations
  Cluster->>Infrastructure: detect cert-manager API group
  Infrastructure->>Infrastructure: store certManagerDetected
  ConfigBuilders->>Annotations: generate annotations(namespace)
  Annotations->>Infrastructure: read environment state
  Infrastructure-->>Annotations: return detection result
  Annotations-->>ConfigBuilders: return CA injection annotations
  ConfigBuilders->>ConfigBuilders: set ObjectMeta annotations
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: adding auto-renew certificate support for mutating and validating webhooks.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
webhook/workspace/mutating_cfg.go (1)

160-162: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider extracting the annotation to a shared constant.

The cert-manager.io/inject-ca-from key and devworkspace-controller-serving-cert name are duplicated verbatim in validating_cfg.go (Lines 41-43). Centralizing this in a shared constant/helper (e.g., alongside server.WebhookServerAppLabels()) would prevent the two copies from drifting if the secret/certificate name ever changes.

♻️ Proposed refactor
+// in a shared location, e.g. webhook/workspace/server package
+const CertManagerServingCertName = "devworkspace-controller-serving-cert"
+
+func CertManagerInjectCAAnnotation(namespace string) map[string]string {
+	return map[string]string{
+		"cert-manager.io/inject-ca-from": fmt.Sprintf("%s/%s", namespace, CertManagerServingCertName),
+	}
+}
-			Annotations: map[string]string{
-				"cert-manager.io/inject-ca-from": fmt.Sprintf("%s/devworkspace-controller-serving-cert", namespace),
-			},
+			Annotations: server.CertManagerInjectCAAnnotation(namespace),
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@webhook/workspace/mutating_cfg.go` around lines 160 - 162, The webhook CA
injection annotation and serving cert name are duplicated in mutating_cfg.go and
validating_cfg.go, so extract them into a shared constant or helper near the
webhook/server label helpers (for example alongside
server.WebhookServerAppLabels) and use that in both places. Update the
annotation map construction in the webhook config methods to reference the
shared symbol instead of hardcoding cert-manager.io/inject-ca-from and
devworkspace-controller-serving-cert, so both configs stay in sync if the name
changes.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@webhook/workspace/mutating_cfg.go`:
- Around line 160-162: The webhook CA injection annotation and serving cert name
are duplicated in mutating_cfg.go and validating_cfg.go, so extract them into a
shared constant or helper near the webhook/server label helpers (for example
alongside server.WebhookServerAppLabels) and use that in both places. Update the
annotation map construction in the webhook config methods to reference the
shared symbol instead of hardcoding cert-manager.io/inject-ca-from and
devworkspace-controller-serving-cert, so both configs stay in sync if the name
changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 300da1dc-77c7-49ef-b60d-15c9b809d86d

📥 Commits

Reviewing files that changed from the base of the PR and between 6807a49 and 029b6fb.

📒 Files selected for processing (2)
  • webhook/workspace/mutating_cfg.go
  • webhook/workspace/validating_cfg.go

@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.25%. Comparing base (17aefae) to head (029b6fb).
⚠️ Report is 15 commits behind head on main.

Files with missing lines Patch % Lines
webhook/workspace/mutating_cfg.go 0.00% 3 Missing ⚠️
webhook/workspace/validating_cfg.go 0.00% 3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1669      +/-   ##
==========================================
+ Coverage   37.17%   40.25%   +3.07%     
==========================================
  Files         168      171       +3     
  Lines       14761    15613     +852     
==========================================
+ Hits         5488     6285     +797     
- Misses       8921     8942      +21     
- Partials      352      386      +34     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Comment thread webhook/workspace/mutating_cfg.go Outdated
ObjectMeta: metav1.ObjectMeta{
Name: MutateWebhookCfgName,
Labels: server.WebhookServerAppLabels(),
Annotations: map[string]string{

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it fixes issue with Kubernetes infrastructure.
For OpenShift it has to be service.beta.openshift.io/inject-cabundle: "true"
Please correct me, if I am wrong.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right when OpenShift's Native Service CA Operator is used. I have modified this PR to:

  1. Check is OCP or regulare Kubernetes
  2. If OCP, check if used OpenShift's Native Service CA Operator or cert-manager

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
webhook/workspace/annotations.go (1)

24-32: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Add tests for the cert-manager/OpenShift annotation branches. Cover getWebhookAnnotations for cert-manager, OpenShift, and default behavior, plus InitializeForTestingWithCertManager.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@webhook/workspace/annotations.go` around lines 24 - 32, Add tests covering
getWebhookAnnotations for cert-manager, OpenShift, and default environments,
asserting the exact annotation maps for each branch; also add coverage for
InitializeForTestingWithCertManager, using mocks or test setup to control
infrastructure detection.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@webhook/workspace/annotations.go`:
- Around line 24-32: Add tests covering getWebhookAnnotations for cert-manager,
OpenShift, and default environments, asserting the exact annotation maps for
each branch; also add coverage for InitializeForTestingWithCertManager, using
mocks or test setup to control infrastructure detection.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8ebe3e7d-1671-45ec-9838-19f3ddec4eda

📥 Commits

Reviewing files that changed from the base of the PR and between 029b6fb and d2e0eb8.

📒 Files selected for processing (4)
  • pkg/infrastructure/cluster.go
  • webhook/workspace/annotations.go
  • webhook/workspace/mutating_cfg.go
  • webhook/workspace/validating_cfg.go

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants