TestBootstrapKit_BlueprintCardsHaveRequiredFields was failing on main for
9 blueprints because their platform/<name>/chart/Chart.yaml version had
been bumped without a matching update to platform/<name>/blueprint.yaml
spec.version. The pre-existing failure forced 7 recent PRs to self-merge
with --admin, masking real CI failures.
Aligned spec.version to match Chart.yaml version on:
cert-manager 1.1.1 -> 1.1.2
flux 1.1.3 -> 1.1.4
crossplane 1.1.3 -> 1.1.4
sealed-secrets 1.1.1 -> 1.1.2
spire 1.1.4 -> 1.1.7
nats-jetstream 1.1.1 -> 1.1.2
openbao 1.2.0 -> 1.2.14
keycloak 1.3.1 -> 1.3.2
gitea 1.2.1 -> 1.2.3
Verified locally:
$ go test ./... -run TestBootstrapKit_BlueprintCardsHaveRequiredFields -count=1
--- PASS: TestBootstrapKit_BlueprintCardsHaveRequiredFields (0.01s)
... all 10 sub-tests pass (cilium + the 9 above)
The existing test (tests/e2e/bootstrap-kit/main_test.go:145) is itself
the drift guardrail: it fails CI whenever Chart.yaml is bumped without a
matching blueprint.yaml bump. No additional script needed.
Closes #817 once verified on main.
Co-authored-by: Hatice Yildiz <hatice.yildiz@openova.io>
cert-manager
TLS certificate automation. Per-host-cluster infrastructure (see docs/PLATFORM-TECH-STACK.md §3.3) — runs on every host cluster a Sovereign owns.
Status: Accepted | Updated: 2026-04-27
Overview
cert-manager provides automated TLS certificate management using Let's Encrypt with automatic renewal and Kubernetes-native integration.
Architecture
```mermaid
flowchart TB
    subgraph CM["cert-manager"]
        Controller[Controller]
        Webhook[Webhook]
        CAInjector[CA Injector]
    end
    subgraph Issuers["Issuers"]
        LE[Let's Encrypt]
        CA[Internal CA]
    end
    subgraph Resources["K8s Resources"]
        Cert[Certificate]
        Secret[TLS Secret]
        Ingress[Gateway/Ingress]
    end
    Controller --> LE
    Controller --> CA
    Cert --> Controller
    Controller --> Secret
    Secret --> Ingress
```
Challenge Types
| Challenge | Use Case | DNS Provider |
|---|---|---|
| HTTP-01 | Public endpoints | Not required |
| DNS-01 | Wildcards, internal | Cloudflare, Route53, etc. |
Recommended: DNS-01 for wildcard certificates
Configuration
ClusterIssuer (Let's Encrypt)
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@<domain>
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
```
Certificate
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: cilium-gateway
spec:
  secretName: wildcard-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - "*.<domain>"
    - "<domain>"
```
Gateway API Integration
cert-manager integrates with Cilium Gateway API:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main-gateway
  namespace: cilium-gateway
spec:
  gatewayClassName: cilium
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: wildcard-tls
```
Renewal
| Setting | Value |
|---|---|
| Renewal window | 30 days before expiry |
| Check interval | 24 hours |
| Retry interval | 1 hour on failure |
cert-manager automatically renews certificates before expiration.
Monitoring
| Metric | Description |
|---|---|
| `certmanager_certificate_expiration_timestamp_seconds` | Certificate expiry time |
| `certmanager_certificate_ready_status` | Certificate readiness |
| `certmanager_http_acme_client_request_count` | ACME requests |
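
The following is an added example, not part of the OpenOva README: it reads the two certificate metrics above from a Prometheus text-format scrape and flags certificates that are expired, still inside the 30-day renewal window from the Renewal table, or not Ready. The label names `name`, `namespace` and `condition` are the ones cert-manager exports; the sample scrape, the `demo` namespace, the `api-cert` and `stale-cert` names and the fixed `NOW` timestamp are constructed for illustration.

```python
import re

RENEWAL_WINDOW_S = 30 * 24 * 3600  # "Renewal window: 30 days before expiry"
EXPIRY = "certmanager_certificate_expiration_timestamp_seconds"
READY = "certmanager_certificate_ready_status"

# Constructed sample in Prometheus text exposition format (names and values are made up).
SAMPLE = """\
# TYPE certmanager_certificate_expiration_timestamp_seconds gauge
certmanager_certificate_expiration_timestamp_seconds{name="wildcard-cert",namespace="cilium-gateway"} 1755184000
certmanager_certificate_expiration_timestamp_seconds{name="api-cert",namespace="demo"} 1750864000
certmanager_certificate_expiration_timestamp_seconds{name="stale-cert",namespace="demo"} 1753888000
certmanager_certificate_ready_status{condition="True",name="wildcard-cert",namespace="cilium-gateway"} 1
certmanager_certificate_ready_status{condition="True",name="api-cert",namespace="demo"} 1
certmanager_certificate_ready_status{condition="False",name="stale-cert",namespace="demo"} 1
certmanager_certificate_ready_status{condition="True",name="stale-cert",namespace="demo"} 0
"""
NOW = 1750000000  # fixed "current time" so the sample is reproducible

LINE = re.compile(r'^(\w+)\{([^}]*)\}\s+(\S+)$')
LABEL = re.compile(r'(\w+)="([^"]*)"')  # simplification: no escaped quotes in label values

def parse(text):
    """Yield (metric, labels, value) for each labelled sample line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # "# HELP" / "# TYPE" comments and blank lines do not match
            yield m.group(1), dict(LABEL.findall(m.group(2))), float(m.group(3))

def findings(text, now):
    """Return [((namespace, name), status)] for certificates needing attention."""
    expiry, ready = {}, {}
    for metric, labels, value in parse(text):
        key = (labels.get("namespace"), labels.get("name"))
        if metric == EXPIRY:
            expiry[key] = value
        elif metric == READY and labels.get("condition") == "True":
            ready[key] = value == 1.0  # the condition="True" series is 1 when Ready
    out = []
    for key in sorted(expiry):
        left = expiry[key] - now
        if left <= 0:
            out.append((key, "expired"))
        elif left < RENEWAL_WINDOW_S:
            out.append((key, "in renewal window"))  # renewal should already have run
        elif not ready.get(key, False):
            out.append((key, "not ready"))
    return out

if __name__ == "__main__": print(findings(SAMPLE, NOW))
```
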
Part of OpenOva