Helm chart requires cert-manager even with createSelfSignedIssuer enabled

[bgruszka]

Problem

The Helm chart currently requires cert-manager to be installed even when webhook.certManager.createSelfSignedIssuer is set to true. This creates confusion for users who expect that enabling createSelfSignedIssuer would allow the chart to work without cert-manager.

Current Behavior

1. Default values.yaml has:

   webhook:
     certManager:
       enabled: false
       createSelfSignedIssuer: true

2. The templates/certificate.yaml template is wrapped with:

   {{- if .Values.webhook.certManager.enabled }}

3. When deployed with defaults, the deployment fails with:

   MountVolume.SetUp failed for volume "webhook-certs" : secret "contextforge-webhook-certs" not found
   

Root Cause

• The entire certificate generation logic (including self-signed issuer creation) is gated behind certManager.enabled
• The selfSigned.validityDays value in values.yaml is never used in any template
• There's no fallback mechanism to create certificates without cert-manager

Expected Behavior

When certManager.enabled: false but self-signed certificates are needed, the chart should:

1. Generate self-signed certificates automatically (using a Kubernetes Job)
2. Create the webhook-certs secret without requiring cert-manager
3. Make the deployment succeed out-of-the-box

Proposed Solution

Add a Kubernetes Job template that:

• Runs when certManager.enabled: false and selfSigned.enabled: true
• Uses an initContainer approach with OpenSSL to generate certificates
• Creates the contextforge-webhook-certs secret with proper SANs:
  • {name}-webhook.{namespace}.svc
  • {name}-webhook.{namespace}.svc.cluster.local
• Uses the existing selfSigned.validityDays configuration
• Includes proper RBAC for secret creation

This would allow users to:

• Use cert-manager if they have it (preferred for production)
• Use auto-generated self-signed certs for testing/development
• Manually provide certificates if needed

Testing Requirements

The implementation should include:

1. Helm Chart Tests (new):

   • Test certificate secret creation with certManager.enabled: false
   • Test certificate secret creation with certManager.enabled: true
   • Validate certificate SANs and expiry
   • Test RBAC permissions for Job

2. E2E Test Coverage:

   • Webhook functionality already tested by tests/e2e/keepalive_isolation_test.go
   • Ensure webhook works with both cert-manager and self-signed certificates
   • Validate certificate rotation scenario (cert-manager only)

3. Integration Testing:

   • Deploy with default values and verify webhook is functional
   • Test webhook certificate expiry handling
   • Verify proper cleanup of Job resources

Impact

This affects new users trying to deploy the chart with default values, as the deployment currently fails without cert-manager installed. This is a barrier to adoption for users wanting to quickly test the operator.

Related Files

• deploy/helm/contextforge/values.yaml (lines 73-99)
• deploy/helm/contextforge/templates/certificate.yaml
• deploy/helm/contextforge/templates/deployment.yaml (lines 74-81)
• deploy/helm/contextforge/templates/webhook.yaml
• tests/e2e/keepalive_isolation_test.go (webhook functionality tests)