fix(helm): generate namespace-aware SANs in certgen and cert-manager templates#2062

Merged
TaylorMutch merged 1 commit into NVIDIA:main from akram:fix/certgen-namespace-aware-sans on Jun 30, 2026

Conversation

@akram akram commented Jun 30, 2026

Contributor

Summary

The certgen hook and cert-manager Certificate template hardcoded openshell.openshell.svc.cluster.local in server certificate SANs, breaking deployments in any namespace other than openshell. This PR adds an openshell.defaultServerDnsNames helper that derives SANs from .Release.Namespace, so the server certificate matches the actual service FQDN regardless of the target namespace.

Related Issue

Closes #2060 by implementing option B (Helm-generated SANs).

Changes

  • _helpers.tpl: new openshell.defaultServerDnsNames helper that builds the default SAN list using .Release.Namespace via list + toYaml
  • certgen.yaml: iterate the helper output with fromYamlArray to pass namespace-aware --server-san args to the certgen binary
  • cert-manager-pki.yaml: replace toYaml .Values.certManager.serverDnsNames with the same helper loop for the Certificate dnsNames field, appending user-provided extra SANs from values

Note: the Rust DEFAULT_SERVER_SANS constant in pki.rs still adds the hardcoded openshell.openshell.svc SANs alongside the Helm-generated ones. This results in harmless duplicate/extra SANs in the certificate. Fully removing the Rust defaults is tracked as option A in #2060.

Testing

  • Deployed the patched chart in namespace openshell-system on OpenShift (ROSA HCP 4.21)
  • Verified the generated server certificate contains openshell.openshell-system.svc.cluster.local in SANs
  • Confirmed sandbox supervisor mTLS connections succeed (no BadCertificate errors) — previously failed with TLS handshake failed error=received fatal alert: BadCertificate
  • Verified helm template renders correctly for both openshell and openshell-system namespaces
  • Verified cert-manager path renders correctly with --set certManager.enabled=true
  • mise run pre-commit — helm:lint fails on main too (missing postgresql dependency, pre-existing)
  • Unit tests added/updated
  • E2E tests added/updated (if applicable) — N/A, Helm template change only

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable) — N/A
…templates

The certgen hook and cert-manager Certificate template hardcoded
openshell.openshell.svc.cluster.local in server certificate SANs,
breaking deployments in any namespace other than openshell. Use
.Release.Namespace in the templates so the SANs match the actual
service FQDN regardless of the target namespace.

Closes NVIDIA#2060

Signed-off-by: Akram <akram.benaissi@gmail.com>
@akram akram requested review from a team, derekwaynecarr, maxamillion and mrunalp as code owners June 30, 2026 15:25
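The failure mode this PR fixes, as an added Go example that is not part of the PR or of the OpenShell code base: a server certificate whose SANs were built for the hardcoded openshell namespace fails the client's hostname check for the same service installed in openshell-system, which is the BadCertificate alert the testing notes mention, while SANs derived from the release namespace pass. defaultServerDNSNames stands in for the Helm helper (the exact set of four SAN entries is an assumption), and the certificates are throwaway self-signed ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// defaultServerDNSNames mirrors the SAN list a namespace-aware Helm helper
// would derive from .Release.Namespace (the exact set of entries is assumed).
func defaultServerDNSNames(service, namespace string) []string {
	base := service + "." + namespace
	return []string{service, base, base + ".svc", base + ".svc.cluster.local"}
}

// issueServerCert builds a throwaway self-signed server certificate carrying
// the given SANs, standing in for what certgen or cert-manager would issue.
func issueServerCert(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certCoversHost is the client-side SAN check that yielded BadCertificate before the fix.
func certCoversHost(cert *x509.Certificate, hostname string) bool {
	return cert.VerifyHostname(hostname) == nil
}

func main() {
	target := "openshell.openshell-system.svc.cluster.local"
	hardcoded, _ := issueServerCert(defaultServerDNSNames("openshell", "openshell"))
	aware, _ := issueServerCert(defaultServerDNSNames("openshell", "openshell-system"))
	fmt.Println("hardcoded:", certCoversHost(hardcoded, target), "namespace-aware:", certCoversHost(aware, target))
}
```

Running it prints `hardcoded: false namespace-aware: true`, matching the before/after behaviour described in the Testing section.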
copy-pr-bot Bot commented Jun 30, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@TaylorMutch

Collaborator

/ok to test 4e65dc8

@TaylorMutch TaylorMutch self-assigned this Jun 30, 2026
@TaylorMutch

Collaborator

Looks good, thanks for the fix!
