
feat: add external CA support #135

Open
slauger wants to merge 4 commits into main from feat/54-external-ca-support

Conversation

slauger (Owner) commented Mar 16, 2026

Summary

  • Add spec.external to CertificateAuthority for connecting to an external Puppet/OpenVox CA running outside the cluster
  • Support optional mTLS client authentication and custom CA certificate for TLS verification
  • Add External phase to CA lifecycle, accepted by Certificate controller alongside Ready
  • Refactor HTTP client creation into shared buildExternalCAHTTPClient() and caHTTPClientForCA() methods
  • Add CEL validation: external and custom storage are mutually exclusive

Closes #54
Replaces #133 and #134

Files Changed

  • api/v1alpha1/certificateauthority_types.go -- ExternalCASpec struct, External field, CEL validation, External phase
  • internal/controller/certificateauthority_controller.go -- reconcileExternalCA() method
  • internal/controller/certificateauthority_crl.go -- caBaseURL resolution, caHTTPClientForCA()
  • internal/controller/certificate_controller.go -- accept External phase, resolve caBaseURL
  • internal/controller/certificate_signing.go -- caHTTPClientForCA(), caServiceName -> caBaseURL
  • config/samples/certificateauthority-external.yaml -- example with external CA + mTLS
  • docs/guides/ca-import.md -- guide covering CA import and external CA setup

Test plan

  • make generate -- deepcopy generation succeeds
  • make manifests -- CRD manifests regenerated with new fields
  • make build -- compiles without errors
  • go test ./internal/controller/... -- all existing unit tests pass
  • Deploy with external CA and verify CSR signing + CRL refresh work end-to-end

slauger added 4 commits March 16, 2026 23:46

Add spec.external to CertificateAuthority, allowing the operator to
delegate CSR signing and CRL fetching to an external Puppet/OpenVox CA
running outside the cluster with optional mTLS client authentication.

Avoids Go 1.26 go fmt smart quote regression (#30).

Add 13 new tests covering reconcileExternalCA, buildExternalCAHTTPClient,
and external CA phase acceptance in the certificate controller.

- testutil_test.go: add caOption type with withExternal, withExternalCASecret,
  withExternalTLSSecret, withExternalInsecureSkipVerify options
- certificateauthority_controller_test.go: 6 tests for external CA reconciler
  (basic flow, custom CA secret, missing secret, missing key, no PVC/Job, no Config)
- certificate_controller_test.go: 1 test for External phase acceptance
- certificate_signing_test.go: 6 tests for buildExternalCAHTTPClient
  (minimal, insecure skip verify, CA secret, missing secret, mTLS, missing key)

Successfully merging this pull request may close these issues.

feat: support external CA — spec.external in CertificateAuthority + CA import guide
