Skip to content

Fix issue #1668 about auto renew certificat on mutating / validatinf#1669

Open
disaster37 wants to merge 1 commit into
devfile:mainfrom
disaster37:fix/issue-1668
Open

Fix issue #1668 about auto renew certificat on mutating / validatinf#1669
disaster37 wants to merge 1 commit into
devfile:mainfrom
disaster37:fix/issue-1668

Conversation

@disaster37

@disaster37 disaster37 commented Jul 2, 2026

Copy link
Copy Markdown

What does this PR do?

Add cert-manager annotations on mutating and validating depoloyment to auto renew certificate and auto restart pod when it's done.

What issues does this PR fix or reference?

Fix issue #1668

Is it tested? How?

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

  • Bug Fixes
    • Improved webhook certificate handling so the cluster can automatically inject the CA bundle for both mutating and validating webhooks.
    • Helps webhook connectivity stay reliable after deployment by using the controller’s serving certificate as the CA source.

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: disaster37
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown

Hi @disaster37. Thanks for your PR.

I'm waiting for a devfile member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds cert-manager.io/inject-ca-from annotations to both the mutating and validating webhook configurations, with values computed via fmt.Sprintf referencing the namespace and devworkspace-controller-serving-cert secret, enabling cert-manager CA bundle injection.

Changes

Webhook cert-manager annotations

Layer / File(s) Summary
Mutating webhook annotation
webhook/workspace/mutating_cfg.go
Adds fmt import and a cert-manager.io/inject-ca-from annotation to MutatingWebhookConfiguration ObjectMeta, formatted with the namespace.
Validating webhook annotation
webhook/workspace/validating_cfg.go
Adds fmt import and a cert-manager.io/inject-ca-from annotation to ValidatingWebhookConfiguration ObjectMeta, formatted with the namespace.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is clearly related to the main change: enabling automatic certificate renewal for the mutating and validating webhooks.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Warning

⚠️ This pull request shows signs of AI-generated slop (description_diff_mismatch). It has been flagged by CodeRabbit slop detection and should be reviewed carefully.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
webhook/workspace/mutating_cfg.go (1)

160-162: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider extracting the annotation to a shared constant.

The cert-manager.io/inject-ca-from key and devworkspace-controller-serving-cert name are duplicated verbatim in validating_cfg.go (Lines 41-43). Centralizing this in a shared constant/helper (e.g., alongside server.WebhookServerAppLabels()) would prevent the two copies from drifting if the secret/certificate name ever changes.

♻️ Proposed refactor
+// in a shared location, e.g. webhook/workspace/server package
+const CertManagerServingCertName = "devworkspace-controller-serving-cert"
+
+func CertManagerInjectCAAnnotation(namespace string) map[string]string {
+	return map[string]string{
+		"cert-manager.io/inject-ca-from": fmt.Sprintf("%s/%s", namespace, CertManagerServingCertName),
+	}
+}
-			Annotations: map[string]string{
-				"cert-manager.io/inject-ca-from": fmt.Sprintf("%s/devworkspace-controller-serving-cert", namespace),
-			},
+			Annotations: server.CertManagerInjectCAAnnotation(namespace),
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@webhook/workspace/mutating_cfg.go` around lines 160 - 162, The webhook CA
injection annotation and serving cert name are duplicated in mutating_cfg.go and
validating_cfg.go, so extract them into a shared constant or helper near the
webhook/server label helpers (for example alongside
server.WebhookServerAppLabels) and use that in both places. Update the
annotation map construction in the webhook config methods to reference the
shared symbol instead of hardcoding cert-manager.io/inject-ca-from and
devworkspace-controller-serving-cert, so both configs stay in sync if the name
changes.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@webhook/workspace/mutating_cfg.go`:
- Around line 160-162: The webhook CA injection annotation and serving cert name
are duplicated in mutating_cfg.go and validating_cfg.go, so extract them into a
shared constant or helper near the webhook/server label helpers (for example
alongside server.WebhookServerAppLabels) and use that in both places. Update the
annotation map construction in the webhook config methods to reference the
shared symbol instead of hardcoding cert-manager.io/inject-ca-from and
devworkspace-controller-serving-cert, so both configs stay in sync if the name
changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 300da1dc-77c7-49ef-b60d-15c9b809d86d

📥 Commits

Reviewing files that changed from the base of the PR and between 6807a49 and 029b6fb.

📒 Files selected for processing (2)
  • webhook/workspace/mutating_cfg.go
  • webhook/workspace/validating_cfg.go

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant