Add labels and annotations to TLS secrets for discoverability#4479

Open
rene-dekker wants to merge 7 commits intotigera:masterfrom
rene-dekker:ev-6449
Conversation

@rene-dekker rene-dekker commented Feb 26, 2026

Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as annotations and add filtering labels (secret-type, signer) on TLS secrets produced by Secret() and CreateSelfSignedSecret().

This allows filtering secrets by secret type and/or issuer. It allows us to quickly see the signer, expiry and other metadata using describe, which can really speed up troubleshooting certificate misconfigurations and other issues.

Display the Degraded condition's message when running `kubectl get tigerastatus`, making it easier to see error details at a glance without needing to describe the resource.

This is now possible, which would be very helpful to our users:

$ kubectl get secrets -n tigera-operator -l operator.tigera.io/signer     -o custom-columns='NAME:.metadata.name,EXPIRY:.metadata.annotations.operator\.tigera\.io/cert-expiry,SIGNER:.metadata.annotations.operator\.tigera\.io/cert-signer'
NAME                                        EXPIRY                 SIGNER
calico-apiserver-certs                      2028-05-28T23:56:09Z   tigera-operator-signer
calico-kube-controllers-metrics-tls         2028-05-28T23:56:09Z   tigera-operator-signer
calico-node-prometheus-client-tls           2028-05-29T18:28:09Z   tigera-operator-signer
calico-node-prometheus-server-tls           2028-05-28T23:56:09Z   tigera-operator-signer
calico-node-prometheus-tls                  2028-05-29T18:28:09Z   tigera-operator-signer
deep-packet-inspection-tls                  2028-05-29T18:31:16Z   tigera-operator-signer
internal-manager-tls                        2028-05-30T22:13:17Z   tigera-operator-signer
intrusion-detection-tls                     2028-05-29T18:31:16Z   tigera-operator-signer
manager-tls                                 2028-05-30T22:13:17Z   tigera-operator-signer
node-certs                                  2028-05-28T23:56:08Z   tigera-operator-signer
policy-recommendation-tls                   2028-05-29T18:28:09Z   tigera-operator-signer
tigera-ca-private                           2126-01-30T23:56:06Z   tigera-operator-signer
tigera-ee-elasticsearch-metrics-tls         2028-05-30T22:17:24Z   tigera-operator-signer
tigera-fluentd-prometheus-tls               2028-05-29T18:28:10Z   tigera-operator-signer
tigera-secure-elasticsearch-cert            2028-05-30T22:17:24Z   tigera-operator-signer
tigera-secure-internal-elasticsearch-cert   2028-05-30T22:17:24Z   tigera-operator-signer
tigera-secure-kibana-cert                   2028-05-30T22:17:24Z   tigera-operator-signer
tigera-secure-linseed-cert                  2028-05-30T22:17:25Z   tigera-operator-signer
typha-certs                                 2028-05-28T23:56:08Z   tigera-operator-signer
typha-certs-noncluster-host                 2028-05-28T23:56:08Z   tigera-operator-signer

The output of TigeraStatus will now look like this:

$ k get tigerastatus
NAME                          AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
apiserver                     True        False         False      4m51s   All objects available
calico                        False       False         True       106s    Pod calico-system/calico-node-tjlnv failed to pull container image for: ebpf-bootstrap
intrusion-detection           False       False         True       11m     Error creating TLS certificate: secret tigera-operator/deep-packet-inspection-tls must specify ext key usages: ExtKeyUsageClientAuth, ExtKeyUsageServerAuth
ippools                       True        False         False      5m26s   All objects available
log-collector                 True        False         False      4m26s   All objects available
log-storage                   True        False         False      3h33m   All objects available
log-storage-access            False       False         True       11m     Pod tigera-elasticsearch/tigera-linseed-58745b7574-p6zmx has crash looping container: tigera-linseed
log-storage-dashboards        True        False         False      7m51s   All objects available
log-storage-elastic           True        False         False      91s     All objects available
log-storage-esmetrics         True        False         False      5m16s   All objects available
log-storage-kubecontrollers   True        False         False      6s      All objects available
log-storage-secrets           True        False         False      3h33m   All objects available
manager                       True        False         False      6s      All objects available; Warning: user provided certificate "manager-tls" expires in 21 days
monitor                       True        False         False      4m46s   All objects available
policy-recommendation         True        False         False      5m21s   All objects available
tiers                         True        False         False      5m21s   All objects available
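
As an added example (not code from this PR or the operator), the following Go derives the signer label and the expiry, signer and SAN annotations from a parsed certificate, in the shape the kubectl command above filters on. The cert-expiry and cert-signer annotation keys and the signer label key are the ones in that command; the two SAN annotation names and the helper names are assumptions, and selfSignedCert builds a constructed certificate so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"strings"
	"time"
)

// cert-expiry, cert-signer and the signer label come from the PR's kubectl command; the SAN keys are assumed.
const (
	annExpiry  = "operator.tigera.io/cert-expiry"
	annSigner  = "operator.tigera.io/cert-signer"
	annDNSSANs = "operator.tigera.io/cert-dns-sans"
	annIPSANs  = "operator.tigera.io/cert-ip-sans"
	lblSigner  = "operator.tigera.io/signer"
)
// certMetadata derives the filtering label and descriptive annotations for a TLS secret from its leaf certificate.
func certMetadata(c *x509.Certificate) (labels, annotations map[string]string) {
	var ips []string
	for _, ip := range c.IPAddresses {
		ips = append(ips, ip.String())
	}
	annotations = map[string]string{
		annExpiry:  c.NotAfter.UTC().Format(time.RFC3339),
		annSigner:  c.Issuer.CommonName, // the issuer CN names the signer
		annDNSSANs: strings.Join(c.DNSNames, ","),
		annIPSANs:  strings.Join(ips, ","),
	}
	labels = map[string]string{lblSigner: c.Issuer.CommonName}
	return labels, annotations
}
// selfSignedCert builds a constructed self-signed certificate (issuer == subject, so the signer is cn).
func selfSignedCert(cn string, notAfter time.Time, dns []string, ips []net.IP) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter, DNSNames: dns, IPAddresses: ips}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```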

@rene-dekker rene-dekker requested a review from a team as a code owner February 26, 2026 02:29
@marvin-tigera marvin-tigera added this to the v1.42.0 milestone Feb 26, 2026
@rene-dekker rene-dekker force-pushed the ev-6449 branch 6 times, most recently from f7ea0a4 to 83614db on March 5, 2026 00:29
rene-dekker and others added 6 commits March 6, 2026 15:30
Surface certificate metadata (issuer, expiry, DNS SANs, IP SANs) as
annotations and add a signer label on TLS secrets produced by Secret()
and CreateSelfSignedSecret(). Use certificates.operator.tigera.io prefix
for all cert metadata. Exclude certificates.operator.tigera.io keys from
MergeMaps to prevent stale operator state from overwriting cluster state.
Add unit tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Display the Degraded condition's message when running
`kubectl get tigerastatus`, making it easier to see error
details at a glance without needing to describe the resource.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
KeyPairInterface now exposes a Warnings() method that returns a message
when a BYO certificate is expiring within 30 days. StatusManager gains
SetWarning/ClearWarning methods that append warning text to the
Available condition message in TigeraStatus.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Check Warnings() on all keypairs obtained during reconciliation
(typha, node, nodePrometheus, kubeController) and propagate them
to the status manager so they appear in `kubectl get tigerastatus`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Ensures warnings are cleared even when a keypair becomes nil
(e.g., Enterprise-only secrets on a Calico install), preventing
stale warnings from lingering in TigeraStatus.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add SetWarning/ClearWarning calls to 9 additional controllers (apiserver,
authentication, compliance, intrusiondetection, logcollector, manager,
monitor, packetcapture, policyrecommendation) and refactor status.go to
use availableMessage() consistently across all condition types. Fix
keypair_test.go warning message assertion to match implementation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@caseydavenport caseydavenport left a comment

Looks great, just a few comments / thoughts from me so far.

…Managed

- Add CheckKeyPairWarnings() helper in certificatemanagement package to
  deduplicate the warning check loop across all controllers
- Add WarningReporter interface to avoid circular dependency with status pkg
- Extract isOperatorManaged() helper in MergeMaps to consolidate operator
  annotation filtering (covers all operator.tigera.io annotations)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
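
An added example, not the PR's code, sketching the Warnings() check and status propagation described in the commits above together with the MergeMaps exclusion of operator-managed keys: keyPair, warningReporter, checkKeyPairWarnings, isOperatorManaged and mergeMaps are assumed stand-ins for the operator's KeyPairInterface, StatusManager and MergeMaps, the message format follows the manager line in the tigerastatus output, and the merge direction (cached operator state onto the cluster object) is an assumption.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)
const expiryWarningWindow = 30 * 24 * time.Hour // BYO expiry window named in the commits

// keyPair is an assumed stand-in for the operator's KeyPairInterface.
type keyPair struct {
	secretName string
	byo        bool // user-provided certificate, so the operator cannot renew it
	notAfter   time.Time
}
// Warnings returns a message when a BYO certificate expires within the window.
func (k *keyPair) Warnings(now time.Time) []string {
	if !k.byo || k.notAfter.Sub(now) >= expiryWarningWindow {
		return nil
	}
	days := int(k.notAfter.Sub(now).Hours() / 24)
	return []string{fmt.Sprintf("user provided certificate %q expires in %d days", k.secretName, days)}
}

// warningReporter is a map-backed stand-in for StatusManager's SetWarning/ClearWarning.
type warningReporter map[string]string

func (r warningReporter) SetWarning(key, msg string) { r[key] = msg }
func (r warningReporter) ClearWarning(key string)   { delete(r, key) }

// checkKeyPairWarnings sets or clears one warning per keypair; a nil keypair (e.g. an
// Enterprise-only secret on a Calico install) clears its stale warning instead of keeping it.
func checkKeyPairWarnings(r warningReporter, now time.Time, kps map[string]*keyPair) {
	for key, kp := range kps {
		if kp == nil || len(kp.Warnings(now)) == 0 {
			r.ClearWarning(key)
			continue
		}
		r.SetWarning(key, strings.Join(kp.Warnings(now), "; "))
	}
}

// isOperatorManaged matches every operator.tigera.io annotation key, whatever its subdomain.
func isOperatorManaged(key string) bool { return strings.Contains(key, "operator.tigera.io/") }

// mergeMaps overlays src onto dst but never lets operator-managed keys from a stale cached
// src overwrite the values already present on the cluster object (dst).
func mergeMaps(dst, src map[string]string) {
	for k, v := range src {
		if !isOperatorManaged(k) {
			dst[k] = v
		}
	}
}
```
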
@caseydavenport caseydavenport left a comment

:shipit:
