[v1.40] Set VOLTRON_CA_SIGNER_NAME env var for certificate management (#4674)

* Set CA_SIGNER_NAME env var on Voltron when certificate management is enabled

Passes the InstallationSpec CertificateManagement SignerName to the Voltron
container so it can identify the correct CA issuer public key, supporting
custom operator signer names (calico-private#11471).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Prefix CA_SIGNER_NAME env var with VOLTRON_

All Voltron env vars use the VOLTRON_ prefix to match envconfig processing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Use CA cert CommonName instead of SignerName for VOLTRON_CA_SIGNER_NAME

Expose CACertCommonName() on the CertificateManager interface to provide
the parsed CN from the CA certificate. This is the actual value Voltron
needs to match against cert.Subject.CommonName in the trust bundle.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Remove redundant embedded field selector for staticcheck

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: rene-dekker

pkg/controller/certificatemanager/certificatemanager.go

@@ -119,6 +119,8 @@ type CertificateManager interface {
 	// SignCertificate signs a certificate using the certificate manager's private key. The function is assuming that the
 	// public key of the requestor is already set in the certificate template.
 	SignCertificate(certificate *x509.Certificate) ([]byte, error)
+	// CACertCommonName returns the CommonName from the CA certificate's Subject field.
+	CACertCommonName() string
 }
 
 type Option func(cm *certificateManager) error
@@ -559,6 +561,14 @@ func (cm *certificateManager) GetKeyPair(cli client.Client, secretName, secretNa
 	return keyPair, err
 }
 
+// CACertCommonName returns the CommonName from the CA certificate's Subject field.
+func (cm *certificateManager) CACertCommonName() string {
+	if cm.Certificate != nil {
+		return cm.Subject.CommonName
+	}
+	return ""
+}
+
 // CertificateManagement returns the CertificateManagement object or nil if it is not configured.
 func (cm *certificateManager) CertificateManagement() *operatorv1.CertificateManagement {
 	return cm.keyPair.CertificateManagement

pkg/controller/manager/manager_controller.go

@@ -680,6 +680,7 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ
 		BindingNamespaces:       namespaces,
 		OSSTenantNamespaces:     ossTenantNamespaces,
 		Manager:                 instance,
+		CACertCommonName:        certificateManager.CACertCommonName(),
 	}
 
 	// Render the desired objects from the CRD and create or update them.

pkg/render/manager.go

@@ -187,6 +187,10 @@ type ManagerConfiguration struct {
 	ExternalElastic bool
 
 	Manager *operatorv1.Manager
+
+	// CACertCommonName is the CommonName from the CA certificate used for operator-managed certificates.
+	// Passed to Voltron so it can identify the correct CA issuer public key.
+	CACertCommonName string
 }
 
 type managerComponent struct {
@@ -549,6 +553,10 @@ func (c *managerComponent) voltronContainer() corev1.Container {
 		env = append(env, corev1.EnvVar{Name: "VOLTRON_LINSEED_SERVER_CERT", Value: linseedCertPath})
 	}
 
+	if c.cfg.CACertCommonName != "" {
+		env = append(env, corev1.EnvVar{Name: "VOLTRON_CA_SIGNER_NAME", Value: c.cfg.CACertCommonName})
+	}
+
 	if c.cfg.KeyValidatorConfig != nil {
 		env = append(env, c.cfg.KeyValidatorConfig.RequiredEnv("VOLTRON_")...)
 	}

pkg/render/manager_test.go

@@ -877,6 +877,16 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() {
 		Expect(deployment.Spec.Template.Spec.Volumes[0].Secret).To(BeNil())
 		Expect(deployment.Spec.Template.Spec.Volumes[2].Name).To(Equal(render.ManagerInternalTLSSecretName))
 		Expect(deployment.Spec.Template.Spec.Volumes[2].Secret).To(BeNil())
+
+		voltronContainer := rtest.GetContainer(deployment.Spec.Template.Spec.Containers, render.VoltronName)
+		var caSignerName string
+		for _, e := range voltronContainer.Env {
+			if e.Name == "VOLTRON_CA_SIGNER_NAME" {
+				caSignerName = e.Value
+				break
+			}
+		}
+		Expect(caSignerName).NotTo(BeEmpty(), "Expected VOLTRON_CA_SIGNER_NAME to be set")
 	})
 
 	It("should not render PodAffinity when ControlPlaneReplicas is 1", func() {
@@ -1611,6 +1621,7 @@ func renderObjects(roc renderConfig) []client.Object {
 		Tenant:                  roc.tenant,
 		Manager:                 roc.manager,
 		ExternalElastic:         roc.externalElastic,
+		CACertCommonName:        certificateManager.CACertCommonName(),
 	}
 	component, err := render.Manager(cfg)
 	Expect(err).To(BeNil(), "Expected Manager to create successfully %s", err)