From bc9d52a49fae98433adbaa8b8aec995706f06e4a Mon Sep 17 00:00:00 2001
From: Evgeny Slutsky
Date: Thu, 4 Jun 2026 11:35:50 +0200
Subject: [PATCH 1/3] Enabling trust-manager featuregate by default
Signed-off-by: Evgeny Slutsky
---
 .../cert-manager/manager/kustomization.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/assets/optional/cert-manager/manager/kustomization.yaml b/assets/optional/cert-manager/manager/kustomization.yaml
index 3689551b81..4ef57738bc 100644
--- a/assets/optional/cert-manager/manager/kustomization.yaml
+++ b/assets/optional/cert-manager/manager/kustomization.yaml
@@ -4,6 +4,24 @@ resources:
 - manager.yaml
 - images.yaml
 
+patches:
+ - target:
+ kind: Deployment
+ name: controller-manager
+ patch: |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: controller-manager
+ spec:
+ template:
+ spec:
+ containers:
+ - name: cert-manager-operator
+ env:
+ - name: UNSUPPORTED_ADDON_FEATURES
+ value: TrustManager=true
+
 replacements:
 - source:
 kind: ConfigMap
From 34fdb663a69d874fcb331f2b2cdb6bad808af4d4 Mon Sep 17 00:00:00 2001
From: Evgeny Slutsky
Date: Thu, 4 Jun 2026 11:36:23 +0200
Subject: [PATCH 2/3] testing cert-manager trust-manager deployment with RF
Signed-off-by: Evgeny Slutsky
---
 .../assets/cert-manager/trust-manager-cr.yaml | 6 +
 test/suites/optional/cert-manager.robot | 260 ++++++++++++++++--
 2 files changed, 242 insertions(+), 24 deletions(-)
 create mode 100644 test/assets/cert-manager/trust-manager-cr.yaml
diff --git a/test/assets/cert-manager/trust-manager-cr.yaml b/test/assets/cert-manager/trust-manager-cr.yaml
new file mode 100644
index 0000000000..a439635ba1
--- /dev/null
+++ b/test/assets/cert-manager/trust-manager-cr.yaml
@@ -0,0 +1,6 @@
+apiVersion: operator.openshift.io/v1alpha1
+kind: TrustManager
+metadata:
+ name: cluster
+spec:
+ trustManagerConfig: {}
diff --git a/test/suites/optional/cert-manager.robot b/test/suites/optional/cert-manager.robot
index 2109feec75..7a81e4df8c 100644
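Review bot: The new `patches:` entry sets `UNSUPPORTED_ADDON_FEATURES` with no comment on what the gate changes or why a shipped default asset turns on something the operator itself labels unsupported; the commit title is the only explanation a reader gets. I would add above `patches:`: `# Enable the TrustManager API in cert-manager-operator. The gate only allows a TrustManager CR to be reconciled; nothing is deployed until such a CR is created.` — the Robot suite in the following commits creates and deletes that CR to bring trust-manager up and down, which is where that reading comes from, so confirm it against the operator before committing the wording. Note also that a strategic-merge patch on `env` merges by `name`, so if manager.yaml already sets this variable the value here silently replaces it rather than appending; worth a word in the same comment.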
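Review bot: The new asset `test/assets/cert-manager/trust-manager-cr.yaml` is not referenced anywhere in this series; patch 2's `Create Trust Manager CR Manifests` and patch 3's `Enable Trust Manager` both rebuild the same six lines inline with CATENATE. Either apply the file — `${TRUST_MANAGER_CR_FILE} ./assets/cert-manager/trust-manager-cr.yaml` in Variables and `Oc Apply -f ${TRUST_MANAGER_CR_FILE}` in Enable Trust Manager, the way `${PEBBLE_DEPLOYMENT_FILE}` is handled — or drop it, so the CR has one source of truth. If a suite outside this series consumes it, a comment in the file saying so would keep the next cleanup from deleting it.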
--- a/test/suites/optional/cert-manager.robot
+++ b/test/suites/optional/cert-manager.robot
@@ -23,30 +23,36 @@ Test Tags cert-manager certificates tls
 *** Variables ***
-${CERT_NAME} test-certificate
-${SECRET_NAME} test-cert-secret
-${ISSUER_NAME} test-issuer
-${CERT_COMMON_NAME} example.com
-${CERT_DNS_NAME} example.com
-${ROUTE_NAME} hello-app
-${CERT_ISSUER_YAML} SEPARATOR=\n
-... ---
-... apiVersion: cert-manager.io/v1
-... kind: ClusterIssuer
-... metadata:
-... \ \ name: ${ISSUER_NAME}
-... spec:
-... \ \ selfSigned: {}
-
-${HTTP01_ISSUER_NAME} letsencrypt-http01
-${HTTP01_CERT_NAME} cert-from-${HTTP01_ISSUER_NAME}
-${HTTP01_SECRET_NAME} ${HTTP01_CERT_NAME}
-${PEBBLE_DEPLOYMENT_FILE} ./assets/cert-manager/pebble-server.yaml
-${HOSTSFILE_ENABLED} SEPARATOR=\n
-... ---
-... dns:
-... \ \ hosts:
-... \ \ \ \ status: Enabled
+${CERT_NAME} test-certificate
+${SECRET_NAME} test-cert-secret
+${ISSUER_NAME} test-issuer
+${CERT_COMMON_NAME} example.com
+${CERT_DNS_NAME} example.com
+${ROUTE_NAME} hello-app
+${CERT_ISSUER_YAML} SEPARATOR=\n
+... ---
+... apiVersion: cert-manager.io/v1
+... kind: ClusterIssuer
+... metadata:
+... \ \ name: ${ISSUER_NAME}
+... spec:
+... \ \ selfSigned: {}
+
+${HTTP01_ISSUER_NAME} letsencrypt-http01
+${HTTP01_CERT_NAME} cert-from-${HTTP01_ISSUER_NAME}
+${HTTP01_SECRET_NAME} ${HTTP01_CERT_NAME}
+${PEBBLE_DEPLOYMENT_FILE} ./assets/cert-manager/pebble-server.yaml
+${HOSTSFILE_ENABLED} SEPARATOR=\n
+... ---
+... dns:
+... \ \ hosts:
+... \ \ \ \ status: Enabled
+
+${TRUST_MANAGER_BUNDLE_NAME} test-trust-bundle
+${TRUST_MANAGER_OPERATOR_NS} cert-manager-operator
+${TRUST_MANAGER_NS} cert-manager
+${TRUST_MANAGER_DEPLOYMENT} cert-manager-operator-controller-manager
+${TRUST_MANAGER_MANIFESTS_DIR} /etc/microshift/manifests.d/trust-manager
 *** Test Cases ***
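Review bot: `${TRUST_MANAGER_OPERATOR_NS}` and `${TRUST_MANAGER_DEPLOYMENT}` are declared here but no hunk in this series reads them, and patch 3's Variables hunk carries them forward unchanged; unless a suite outside this series uses them, drop both so the section lists only what the tests need. The hunk also removes and re-adds all 24 pre-existing variable lines, which in this view are textually identical to what they replace and so look like column re-alignment only; that buries the five real additions, and patch 3 repeats the same whole-block rewrite to remove a single line. Keeping re-alignment in its own commit would leave the functional change reviewable on its own.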
@@ -95,6 +101,72 @@ Test Cert manager with local acme server
 ... Cleanup HTTP01 Resources
 ... AND Cleanup DNS For Test ${dns_name}
+Trust Manager Deployment
+ [Documentation] Verify trust-manager can be enabled and deploys successfully
+ [Tags] trust-manager
+ [Setup] Enable Trust Manager
+ Labeled Pod Should Be Ready app.kubernetes.io/name=cert-manager-trust-manager ns=${TRUST_MANAGER_NS}
+ ${status}= Oc Get JsonPath trustmanager ${EMPTY} cluster
+ ... .status.conditions[?(@.type=="Ready")].status
+ Should Be Equal ${status} True msg=TrustManager CR is not ready
+ [Teardown] Disable Trust Manager
+
+Trust Manager Bundle Creates ConfigMap
+ [Documentation] Verify trust-manager Bundle CR syncs a CA cert into a ConfigMap
+ [Tags] trust-manager
+ [Setup] Enable Trust Manager
+
+ Create CA Secret For Trust Manager
+ ${bundle_yaml}= Create Trust Bundle From Source Secret YAML
+ Apply Trust Manager YAML ${bundle_yaml}
+ Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
+ ... --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}
+
+ ${cm_data}= Oc Get JsonPath
+ ... configmap
+ ... ${NAMESPACE}
+ ... ${TRUST_MANAGER_BUNDLE_NAME}
+ ... .data.ca-bundle\\.crt
+ Should Contain ${cm_data} BEGIN CERTIFICATE msg=ConfigMap does not contain CA certificate data
+
+ [Teardown] Run Keywords
+ ... Cleanup Trust Bundle
+ ... AND Run With Kubeconfig oc delete secret ca-source-secret -n ${TRUST_MANAGER_NS} --ignore-not-found
+ ... AND Disable Trust Manager
+
+Trust Manager Bundle With Cert Manager CA
+ [Documentation] Verify trust-manager Bundle can use a cert-manager CA secret as a source
+ [Tags] trust-manager
+ [Setup] Enable Trust Manager
+
+ ${issuer_yaml}= Create Cert Issuer YAML
+ Apply Trust Manager YAML ${issuer_yaml}
+ Oc Wait -n ${NAMESPACE} clusterissuer ${ISSUER_NAME}
+ ... --for="condition=Ready" --timeout=${DEFAULT_WAIT_TIMEOUT}
+
+ ${ca_cert_yaml}= Create CA Certificate YAML
+ Apply Trust Manager YAML ${ca_cert_yaml}
+ Oc Wait -n ${TRUST_MANAGER_NS} certificate ca-certificate
+ ... --for="condition=Ready" --timeout=${DEFAULT_WAIT_TIMEOUT}
+
+ ${bundle_yaml}= Create Trust Bundle From Secret YAML
+ Apply Trust Manager YAML ${bundle_yaml}
+ Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
+ ... --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}
+
+ ${cm_data}= Oc Get JsonPath
+ ... configmap
+ ... ${NAMESPACE}
+ ... ${TRUST_MANAGER_BUNDLE_NAME}
+ ... .data.ca-bundle\\.crt
+ Should Contain ${cm_data} BEGIN CERTIFICATE msg=ConfigMap does not contain CA certificate data
+
+ [Teardown] Run Keywords
+ ... Cleanup Trust Bundle
+ ... AND Oc Delete certificate/ca-certificate -n ${TRUST_MANAGER_NS}
+ ... AND Remove ClusterIssuer
+ ... AND Disable Trust Manager
+
 *** Keywords ***
 Setup
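Review bot: The teardown of `Trust Manager Bundle With Cert Manager CA` deletes `certificate/ca-certificate` but not the `ca-certificate-secret` it issued into, so that Secret is left behind in `${TRUST_MANAGER_NS}`; cert-manager does not remove a Certificate's Secret when the Certificate is deleted unless owner references are switched on, so a stale test CA would persist across runs. Add `... AND Run With Kubeconfig oc delete secret ca-certificate-secret -n ${TRUST_MANAGER_NS} --ignore-not-found` next to the certificate deletion, matching what the preceding test already does for `ca-source-secret`. Separately, both Bundle waits key on `.status.conditions[0].reason` while the first test selects its condition by type (`?(@.type=="Ready")`); indexing by position breaks as soon as trust-manager reports more than one condition, so selecting by type there as well would be more robust if `Oc Wait` accepts the filter form. `Oc Wait -n ${NAMESPACE} clusterissuer` also passes a namespace to a cluster-scoped resource, which is harmless but misleading.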
@@ -432,3 +504,143 @@ Cleanup DNS For Test
 Remove Entry From Hosts ${dns_name}
 Remove Drop In MicroShift Config 20-dns
 Restart MicroShift
+
+Enable Trust Manager
+ [Documentation] Deploy trust-manager by creating a TrustManager CR via manifests.d
+ ... and restarting MicroShift. The UNSUPPORTED_ADDON_FEATURES=TrustManager=true
+ ... feature gate is already set in the system cert-manager kustomization.
+ Create Trust Manager CR Manifests
+ Restart MicroShift
+ Wait Until Keyword Succeeds 30x 10s
+ ... Labeled Pod Should Be Ready app.kubernetes.io/name=cert-manager-trust-manager ns=${TRUST_MANAGER_NS}
+
+Disable Trust Manager
+ [Documentation] Remove the TrustManager CR manifests.d and restart MicroShift.
+ Run With Kubeconfig oc delete trustmanager cluster --ignore-not-found
+ Run With Kubeconfig oc delete bundle ${TRUST_MANAGER_BUNDLE_NAME} --ignore-not-found
+ Run With Kubeconfig oc delete deployment trust-manager -n ${TRUST_MANAGER_NS} --ignore-not-found
+ Remove Trust Manager CR Manifests
+ Restart MicroShift
+ Wait Until Keyword Succeeds 12x 10s
+ ... Trust Manager Pod Should Not Exist
+
+Trust Manager Pod Should Not Exist
+ [Documentation] Verify trust-manager pod no longer exists in cert-manager namespace
+ ${output}= Run With Kubeconfig
+ ... oc get pods -n ${TRUST_MANAGER_NS} -l app.kubernetes.io/name\=cert-manager-trust-manager --no-headers
+ ... allow_fail=True
+ Should Be Empty ${output} msg=trust-manager pod still exists
+
+Create Trust Manager CR Manifests
+ [Documentation] Create the manifests.d kustomization with the TrustManager CR
+ ${stdout} ${stderr} ${rc}= Execute Command
+ ... mkdir -p ${TRUST_MANAGER_MANIFESTS_DIR}
+ ... sudo=True return_rc=True return_stdout=True return_stderr=True
+ Should Be Equal As Integers ${rc} 0
+ ${kustomization}= CATENATE SEPARATOR=\n
+ ... apiVersion: kustomize.config.k8s.io/v1beta1
+ ... kind: Kustomization
+ ... resources:
+ ... \ \ - trust-manager-cr.yaml
+ Upload String To File ${kustomization} ${TRUST_MANAGER_MANIFESTS_DIR}/kustomization.yaml
+ ${tm_cr}= CATENATE SEPARATOR=\n
+ ... apiVersion: operator.openshift.io/v1alpha1
+ ... kind: TrustManager
+ ... metadata:
+ ... \ \ name: cluster
+ ... spec:
+ ... \ \ trustManagerConfig: {}
+ Upload String To File ${tm_cr} ${TRUST_MANAGER_MANIFESTS_DIR}/trust-manager-cr.yaml
+
+Remove Trust Manager CR Manifests
+ [Documentation] Remove the trust-manager manifests.d directory
+ ${stdout} ${stderr} ${rc}= Execute Command
+ ... rm -rf ${TRUST_MANAGER_MANIFESTS_DIR}
+ ... sudo=True return_rc=True return_stdout=True return_stderr=True
+ Should Be Equal As Integers ${rc} 0
+
+Create CA Secret For Trust Manager
+ [Documentation] Generate a self-signed CA cert locally and create a secret in the trust namespace
+ ${cert_file}= Create Random Temp File
+ ${result}= Process.Run Process
+ ... openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+ ... -nodes -keyout /dev/null -out ${cert_file} -days 365
+ ... -subj /CN\=test-ca.example.com
+ ... stderr=STDOUT
+ Should Be Equal As Integers ${result.rc} 0
+ Run With Kubeconfig
+ ... oc create secret generic ca-source-secret -n ${TRUST_MANAGER_NS} --from-file=tls.crt=${cert_file}
+ Remove File ${cert_file}
+
+Create Trust Bundle From Source Secret YAML
+ [Documentation] Creates a Bundle CR YAML sourced from a manually created secret in the trust namespace
+ ${yaml}= CATENATE SEPARATOR=\n
+ ... ---
+ ... apiVersion: trust.cert-manager.io/v1alpha1
+ ... kind: Bundle
+ ... metadata:
+ ... \ \ name: ${TRUST_MANAGER_BUNDLE_NAME}
+ ... spec:
+ ... \ \ sources:
+ ... \ \ \ \ - secret:
+ ... \ \ \ \ \ \ \ \ name: ca-source-secret
+ ... \ \ \ \ \ \ \ \ key: tls.crt
+ ... \ \ target:
+ ... \ \ \ \ configMap:
+ ... \ \ \ \ \ \ key: ca-bundle.crt
+ ... \ \ \ \ namespaceSelector:
+ ... \ \ \ \ \ \ matchLabels:
+ ... \ \ \ \ \ \ \ \ kubernetes.io/metadata.name: ${NAMESPACE}
+ RETURN ${yaml}
+
+Create CA Certificate YAML
+ [Documentation] Creates a cert-manager CA Certificate in the trust namespace
+ ${yaml}= CATENATE SEPARATOR=\n
+ ... ---
+ ... apiVersion: cert-manager.io/v1
+ ... kind: Certificate
+ ... metadata:
+ ... \ \ name: ca-certificate
+ ... \ \ namespace: ${TRUST_MANAGER_NS}
+ ... spec:
+ ... \ \ isCA: true
+ ... \ \ commonName: test-ca.example.com
+ ... \ \ secretName: ca-certificate-secret
+ ... \ \ issuerRef:
+ ... \ \ \ \ name: ${ISSUER_NAME}
+ ... \ \ \ \ kind: ClusterIssuer
+ RETURN ${yaml}
+
+Create Trust Bundle From Secret YAML
+ [Documentation] Creates a Bundle CR YAML sourced from a cert-manager CA secret in the trust namespace
+ ${yaml}= CATENATE SEPARATOR=\n
+ ... ---
+ ... apiVersion: trust.cert-manager.io/v1alpha1
+ ... kind: Bundle
+ ... metadata:
+ ... \ \ name: ${TRUST_MANAGER_BUNDLE_NAME}
+ ... spec:
+ ... \ \ sources:
+ ... \ \ \ \ - secret:
+ ... \ \ \ \ \ \ \ \ name: ca-certificate-secret
+ ... \ \ \ \ \ \ \ \ key: tls.crt
+ ... \ \ target:
+ ... \ \ \ \ configMap:
+ ... \ \ \ \ \ \ key: ca-bundle.crt
+ ... \ \ \ \ namespaceSelector:
+ ... \ \ \ \ \ \ matchLabels:
+ ... \ \ \ \ \ \ \ \ kubernetes.io/metadata.name: ${NAMESPACE}
+ RETURN ${yaml}
+
+Apply Trust Manager YAML
+ [Documentation] Apply YAML manifest, allowing both created and configured/unchanged results
+ [Arguments] ${yaml_content}
+ ${temp_file}= Create Random Temp File ${yaml_content}
+ ${result}= Oc Apply -f ${temp_file}
+ Remove File ${temp_file}
+ Log Applied manifest: ${result}
+
+Cleanup Trust Bundle
+ [Documentation] Remove the test trust-manager Bundle CR and its target ConfigMap
+ Run With Kubeconfig oc delete bundle ${TRUST_MANAGER_BUNDLE_NAME} --ignore-not-found
+ Run With Kubeconfig oc delete configmap ${TRUST_MANAGER_BUNDLE_NAME} -n ${NAMESPACE} --ignore-not-found
From 91faa52ad07399feeb4bf160fc8c1203b9315f07 Mon Sep 17 00:00:00 2001
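Review bot: `Create Trust Bundle From Source Secret YAML` and `Create Trust Bundle From Secret YAML` are identical except for the source secret name (`ca-source-secret` vs `ca-certificate-secret`); fold them into one keyword with `[Arguments] ${secret_name}` and `... \ \ \ \ \ \ \ \ name: ${secret_name}`, and have the two tests pass the name they need. `Apply Trust Manager YAML` documents "allowing both created and configured/unchanged results" but nothing in its body does that — it applies and logs — and `Remove File ${temp_file}` runs only when `Oc Apply` succeeds, so a failed apply presumably leaves the temp file behind; either move the removal into a keyword `[Teardown]` or reword the documentation to what the keyword actually does. `Create CA Secret For Trust Manager` discards the CA private key via `-keyout /dev/null`, which is fine for a certificate that is only ever used as a trust source; a one-line comment saying so would stop a reader from treating it as a mistake.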
From: Evgeny Slutsky
Date: Tue, 9 Jun 2026 17:25:59 +0200
Subject: [PATCH 3/3] update kustomization with RELATED_IMAGE_CERT_MANAGER_TRUST_MANAGER image
Signed-off-by: Evgeny Slutsky
---
 .../cert-manager/manager/kustomization.yaml | 10 ++
 test/suites/optional/cert-manager.robot | 109 +++++++-----------
 2 files changed, 52 insertions(+), 67 deletions(-)
diff --git a/assets/optional/cert-manager/manager/kustomization.yaml b/assets/optional/cert-manager/manager/kustomization.yaml
index 4ef57738bc..2df3255384 100644
--- a/assets/optional/cert-manager/manager/kustomization.yaml
+++ b/assets/optional/cert-manager/manager/kustomization.yaml
@@ -73,6 +73,16 @@ replacements:
 name: controller-manager
 fieldPaths:
 - spec.template.spec.containers.[name=cert-manager-operator].env.[name=RELATED_IMAGE_CERT_MANAGER_ISTIOCSR].value
+ - source:
+ kind: ConfigMap
+ name: cert-manager-images
+ fieldPath: data.cert-manager-trust-manager
+ targets:
+ - select:
+ kind: Deployment
+ name: controller-manager
+ fieldPaths:
+ - spec.template.spec.containers.[name=cert-manager-operator].env.[name=RELATED_IMAGE_CERT_MANAGER_TRUST_MANAGER].value
 - source:
 kind: ConfigMap
 name: cert-manager-images
diff --git a/test/suites/optional/cert-manager.robot b/test/suites/optional/cert-manager.robot
index 7a81e4df8c..7b8a7fc2ac 100644
--- a/test/suites/optional/cert-manager.robot
+++ b/test/suites/optional/cert-manager.robot
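Review bot: The new replacement writes into `env.[name=RELATED_IMAGE_CERT_MANAGER_TRUST_MANAGER].value`, but nothing in this series adds that env entry to the controller-manager Deployment or a `cert-manager-trust-manager` key to the `cert-manager-images` ConfigMap; kustomize rejects a replacement whose target field path does not exist unless the target sets `options.create: true`, so this relies on manager.yaml and images.yaml already carrying both. If they do, a one-line comment above the entry naming that dependency would help the next person who edits either file; if they do not, the strategic-merge patch from the first commit is the natural place to add the env entry with an empty value for this replacement to fill in. The `containers.[name=cert-manager-operator]` selector matches the surrounding entries, so at least the container name is consistent.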
@@ -23,36 +23,35 @@ Test Tags cert-manager certificates tls
 *** Variables ***
-${CERT_NAME} test-certificate
-${SECRET_NAME} test-cert-secret
-${ISSUER_NAME} test-issuer
-${CERT_COMMON_NAME} example.com
-${CERT_DNS_NAME} example.com
-${ROUTE_NAME} hello-app
-${CERT_ISSUER_YAML} SEPARATOR=\n
-... ---
-... apiVersion: cert-manager.io/v1
-... kind: ClusterIssuer
-... metadata:
-... \ \ name: ${ISSUER_NAME}
-... spec:
-... \ \ selfSigned: {}
-
-${HTTP01_ISSUER_NAME} letsencrypt-http01
-${HTTP01_CERT_NAME} cert-from-${HTTP01_ISSUER_NAME}
-${HTTP01_SECRET_NAME} ${HTTP01_CERT_NAME}
-${PEBBLE_DEPLOYMENT_FILE} ./assets/cert-manager/pebble-server.yaml
-${HOSTSFILE_ENABLED} SEPARATOR=\n
-... ---
-... dns:
-... \ \ hosts:
-... \ \ \ \ status: Enabled
-
-${TRUST_MANAGER_BUNDLE_NAME} test-trust-bundle
-${TRUST_MANAGER_OPERATOR_NS} cert-manager-operator
-${TRUST_MANAGER_NS} cert-manager
-${TRUST_MANAGER_DEPLOYMENT} cert-manager-operator-controller-manager
-${TRUST_MANAGER_MANIFESTS_DIR} /etc/microshift/manifests.d/trust-manager
+${CERT_NAME} test-certificate
+${SECRET_NAME} test-cert-secret
+${ISSUER_NAME} test-issuer
+${CERT_COMMON_NAME} example.com
+${CERT_DNS_NAME} example.com
+${ROUTE_NAME} hello-app
+${CERT_ISSUER_YAML} SEPARATOR=\n
+... ---
+... apiVersion: cert-manager.io/v1
+... kind: ClusterIssuer
+... metadata:
+... \ \ name: ${ISSUER_NAME}
+... spec:
+... \ \ selfSigned: {}
+
+${HTTP01_ISSUER_NAME} letsencrypt-http01
+${HTTP01_CERT_NAME} cert-from-${HTTP01_ISSUER_NAME}
+${HTTP01_SECRET_NAME} ${HTTP01_CERT_NAME}
+${PEBBLE_DEPLOYMENT_FILE} ./assets/cert-manager/pebble-server.yaml
+${HOSTSFILE_ENABLED} SEPARATOR=\n
+... ---
+... dns:
+... \ \ hosts:
+... \ \ \ \ status: Enabled
+
+${TRUST_MANAGER_BUNDLE_NAME} test-trust-bundle
+${TRUST_MANAGER_OPERATOR_NS} cert-manager-operator
+${TRUST_MANAGER_NS} cert-manager
+${TRUST_MANAGER_DEPLOYMENT} cert-manager-operator-controller-manager
 *** Test Cases ***
@@ -506,21 +505,25 @@ Cleanup DNS For Test
 Restart MicroShift
 
 Enable Trust Manager
- [Documentation] Deploy trust-manager by creating a TrustManager CR via manifests.d
- ... and restarting MicroShift. The UNSUPPORTED_ADDON_FEATURES=TrustManager=true
- ... feature gate is already set in the system cert-manager kustomization.
- Create Trust Manager CR Manifests
- Restart MicroShift
+ [Documentation] Deploy trust-manager by applying the TrustManager CR directly.
+ ... The UNSUPPORTED_ADDON_FEATURES=TrustManager=true feature gate is already
+ ... set in the system cert-manager kustomization.
+ ${tm_cr}= CATENATE SEPARATOR=\n
+ ... apiVersion: operator.openshift.io/v1alpha1
+ ... kind: TrustManager
+ ... metadata:
+ ... \ \ name: cluster
+ ... spec:
+ ... \ \ trustManagerConfig: {}
+ Apply Trust Manager YAML ${tm_cr}
 Wait Until Keyword Succeeds 30x 10s
 ... Labeled Pod Should Be Ready app.kubernetes.io/name=cert-manager-trust-manager ns=${TRUST_MANAGER_NS}
 
 Disable Trust Manager
- [Documentation] Remove the TrustManager CR manifests.d and restart MicroShift.
+ [Documentation] Remove the TrustManager CR and wait for cleanup.
 Run With Kubeconfig oc delete trustmanager cluster --ignore-not-found
 Run With Kubeconfig oc delete bundle ${TRUST_MANAGER_BUNDLE_NAME} --ignore-not-found
 Run With Kubeconfig oc delete deployment trust-manager -n ${TRUST_MANAGER_NS} --ignore-not-found
- Remove Trust Manager CR Manifests
- Restart MicroShift
 Wait Until Keyword Succeeds 12x 10s
 ... Trust Manager Pod Should Not Exist
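Review bot: `Disable Trust Manager` still deletes `deployment trust-manager` by hand right after removing the `trustmanager` CR, which reads as a workaround for the operator not garbage-collecting what it deployed, yet neither the keyword nor its new documentation says so. If that is the reason, add above the line: `# The operator does not remove the trust-manager Deployment when the CR is deleted; delete it explicitly (TODO confirm, and check whether its Service and webhook configuration are left behind as well).` — if the operator does clean up on its own, the line is only a harmless race and can be dropped. The enclosing `Enable Trust Manager` keyword now applies the CR without a MicroShift restart, so the removed `Restart MicroShift` in `Disable Trust Manager` is consistent with that.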
@@ -529,35 +532,7 @@ Trust Manager Pod Should Not Exist
 ${output}= Run With Kubeconfig
 ... oc get pods -n ${TRUST_MANAGER_NS} -l app.kubernetes.io/name\=cert-manager-trust-manager --no-headers
 ... allow_fail=True
- Should Be Empty ${output} msg=trust-manager pod still exists
-
-Create Trust Manager CR Manifests
- [Documentation] Create the manifests.d kustomization with the TrustManager CR
- ${stdout} ${stderr} ${rc}= Execute Command
- ... mkdir -p ${TRUST_MANAGER_MANIFESTS_DIR}
- ... sudo=True return_rc=True return_stdout=True return_stderr=True
- Should Be Equal As Integers ${rc} 0
- ${kustomization}= CATENATE SEPARATOR=\n
- ... apiVersion: kustomize.config.k8s.io/v1beta1
- ... kind: Kustomization
- ... resources:
- ... \ \ - trust-manager-cr.yaml
- Upload String To File ${kustomization} ${TRUST_MANAGER_MANIFESTS_DIR}/kustomization.yaml
- ${tm_cr}= CATENATE SEPARATOR=\n
- ... apiVersion: operator.openshift.io/v1alpha1
- ... kind: TrustManager
- ... metadata:
- ... \ \ name: cluster
- ... spec:
- ... \ \ trustManagerConfig: {}
- Upload String To File ${tm_cr} ${TRUST_MANAGER_MANIFESTS_DIR}/trust-manager-cr.yaml
-
-Remove Trust Manager CR Manifests
- [Documentation] Remove the trust-manager manifests.d directory
- ${stdout} ${stderr} ${rc}= Execute Command
- ... rm -rf ${TRUST_MANAGER_MANIFESTS_DIR}
- ... sudo=True return_rc=True return_stdout=True return_stderr=True
- Should Be Equal As Integers ${rc} 0
+ Should Not Contain ${output} trust-manager msg=trust-manager pod still exists
 
 Create CA Secret For Trust Manager
 [Documentation] Generate a self-signed CA cert locally and create a secret in the trust namespace
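Review bot: Replacing `Should Be Empty` with `Should Not Contain ${output} trust-manager` makes `Trust Manager Pod Should Not Exist` pass whenever the `oc get` call itself fails, because `allow_fail=True` keeps the keyword going and an error message (API unreachable, wrong kubeconfig, forbidden) does not contain `trust-manager`; `Disable Trust Manager` would then report a clean teardown while the pod may still be running. If the assertion was weakened because `oc get ... --no-headers` prints a "No resources found" notice on an empty result, as I suspect, the cleaner fix is to drop `allow_fail=True` so a failed query fails the check while an empty listing (exit status zero) still passes the `Should Not Contain`. A short comment on why the weaker check was chosen would help either way.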