Controller to mint and manage serving certificates for Kubernetes services. This is an OpenShift ClusterOperator that manages a cluster-scoped certificate authority for automatic TLS provisioning.
The operator runs three controllers:
- Serving cert signer — Issues signed TLS certificates for Services annotated with `service.beta.openshift.io/serving-cert-secret-name`. See the OKD documentation for usage.
- ConfigMap CA bundle injector — Injects the CA bundle into ConfigMaps annotated with `service.beta.openshift.io/inject-cabundle=true` (key: `service-ca.crt`)
- Generic CA bundle injector — Injects the CA bundle into APIServices, MutatingWebhookConfigurations, ValidatingWebhookConfigurations, and CRDs annotated with the same annotation
- Go 1.25+
- For e2e tests: access to an OpenShift cluster with `KUBECONFIG` set
```bash
make build                                       # Build operator binary + OTE test binary
make test-unit                                   # All unit tests
go test ./pkg/operator/ -run TestName -count 1   # Single unit test
make test-e2e                                    # E2e tests (requires cluster)
```

See Testing a ClusterOperator/Operand image in a cluster.
This repository uses the OpenShift Tests Extension (OTE) framework. After `make build`:
```bash
# List suites and tests
./service-ca-operator-tests-ext list suites
./service-ca-operator-tests-ext list tests --suite=openshift/service-ca-operator/operator/serial

# Run a suite or test
./service-ca-operator-tests-ext run-suite openshift/service-ca-operator/operator/serial
./service-ca-operator-tests-ext run-test "test-name"

# Serial execution with JUnit output
./service-ca-operator-tests-ext run-suite openshift/service-ca-operator/operator/serial -c 1 --junit-path=/tmp/junit.xml
```

- ARCHITECTURE.md — Design decisions and component architecture
- CONTRIBUTING.md — How to submit changes
- AGENTS.md — AI agent instructions
- OWNERS — Reviewers and approvers
- openshift/library-go — Shared controller framework
- openshift/api — OpenShift API types and CRD manifests
- openshift/enhancements — Enhancement proposals and operator dev guide