kacerr/gatewayapi-certificates-operator

Fork 0

Go to file

Jan Novak 21468b9f78

Deploy to K8s / deploy (push) Successful in 12s

Details

Build and Push / build (push) Successful in 5s

Details

deploy: fix image name to match Gitea repository name

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-26 14:05:34 +01:00

.claude/commands

deploy: update image reference to use full Gitea registry path

2026-03-26 13:58:19 +01:00

.gitea/workflows

ci: also tag built image as latest

2026-03-26 13:46:49 +01:00

deploy

deploy: fix image name to match Gitea repository name

2026-03-26 14:05:34 +01:00

docs

feat: initial implementation of gateway-cert-operator

2026-03-26 10:54:33 +01:00

internal

feat: initial implementation of gateway-cert-operator

2026-03-26 10:54:33 +01:00

.gitignore

feat: initial implementation of gateway-cert-operator

2026-03-26 10:54:33 +01:00

CLAUDE.md

deploy: update image reference to use full Gitea registry path

2026-03-26 13:58:19 +01:00

Dockerfile

feat: initial implementation of gateway-cert-operator

2026-03-26 10:54:33 +01:00

go.mod

feat: initial implementation of gateway-cert-operator

2026-03-26 10:54:33 +01:00

go.sum

feat: initial implementation of gateway-cert-operator

2026-03-26 10:54:33 +01:00

main.go

feat: initial implementation of gateway-cert-operator

2026-03-26 10:54:33 +01:00

docs/README.md

Gateway Certificate Operator

The gateway-cert-operator automates the configuration of Gateway API Gateway listeners when using cert-manager for TLS certificate management.

Overview

When you create a Certificate resource using cert-manager, this operator automatically and dynamically creates an HTTPS Listener on your target Gateway. This eliminates the need for manual configuration of the Gateway each time a new certificate is provisioned or its DNS names change.

Architecture

The operator acts as a bridge between two standard Kubernetes APIS:

cert-manager.io/v1 Certificate
gateway.networking.k8s.io/v1 Gateway

By watching both resources, the controller ensures that the Gateway always has the correct listeners configured to serve HTTPs traffic for the domains requested in the certificates.

Prerequisites

A Kubernetes cluster.
Gateway API installed (v1 APIs).
cert-manager installed (v1 APIs).

Usage

To use the operator, simply add the appropriate annotations to your Certificate resource.

Example Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-app-cert
  namespace: default
  annotations:
    # Required: The name of the target Gateway
    gateway-cert-operator.io/gateway-name: "my-gateway"
    
    # Optional: If the Gateway is in a different namespace
    # gateway-cert-operator.io/gateway-namespace: "gateway-system"
spec:
  secretName: my-app-tls
  dnsNames:
    - "app.example.com"
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

Lifecycle

Trigger: The operator detects the gateway-cert-operator.io/gateway-name annotation on the Certificate.
Gateway Lookup: It fetches the designated target Gateway (my-gateway).
Patching: For each DNS name defined in spec.dnsNames, it mathematically appends a new HTTPS Listener on port 443 terminating TLS using the secret created by cert-manager (my-app-tls).
Safe Coexistence: To safely coexist with manually defined listeners, the operator uniquely prefixes its configured listeners with auto- (e.g., auto-my-app-cert-app-example-com). It solely manages listeners with this prefix.

When a certificate is deleted or updated (for instance if a DNS name is changed), the operator will instantly reconcile the modified states by cleanly removing older auto-* listeners and inserting the new ones while preserving the manually defined resources.

Deployment

To deploy the operator, applying the provided manifest sets up the necessary RBAC permissions and the controller manager:

kubectl apply -f deploy/manifests.yaml