
Conversation

DustinChaloupka
Contributor

Fixes #4792

Updating the main.go template for the webhook and metrics server certificate handling. Instead of creating a separate CertWatcher, this supplies the three fields to the options. When controller-runtime has those three values, it will set up its own CertWatcher.

This allows non-leader replicas to properly reload the cert and key when updated, which is necessary for the webhook and metrics server that end up serving the endpoints even when they are not leaders.

This was tested with our own currently running controller by deleting the cert-manager-managed Certificate resource, letting it recreate a new one, which updated the Secret and then the file in the Pods. Reloading the certificate and key can be seen in the logs:

2025-08-12T15:10:02Z	INFO	setup	Initializing webhook certificate watcher using provided certificates	{"webhook-cert-path": "/tmp/k8s-webhook-server/serving-certs", "webhook-cert-name": "tls.crt", "webhook-cert-key": "tls.key"}
2025-08-12T15:10:02Z	INFO	setup	Initializing metrics certificate watcher using provided certificates	{"metrics-cert-path": "/tmp/k8s-metrics-server/metrics-certs", "metrics-cert-name": "tls.crt", "metrics-cert-key": "tls.key"}
2025-08-12T15:10:02Z	INFO	controller-runtime.builder	Registering a mutating webhook	{"GVK": "my-group.example.com/v1alpha1, kind=Thing", "path": "/mutate-my-group-example-com-v1alpha1-thing"}
2025-08-12T15:10:02Z	INFO	controller-runtime.webhook	Registering webhook	{"path": "/mutate-my-group-example-com-v1alpha1-thing"}
2025-08-12T15:10:02Z	INFO	controller-runtime.builder	Registering a validating webhook	{"GVK": "my-group.example.com/v1alpha1, kind=Thing", "path": "/validate-my-group-example-com-v1alpha1-thing"}
2025-08-12T15:10:02Z	INFO	controller-runtime.webhook	Registering webhook	{"path": "/validate-my-group-example-com-v1alpha1-thing"}
2025-08-12T15:10:02Z	INFO	setup	starting manager
2025-08-12T15:10:02Z	INFO	controller-runtime.metrics	Starting metrics server
2025-08-12T15:10:02Z	INFO	setup	disabling http/2
2025-08-12T15:10:02Z	INFO	starting server	{"name": "health probe", "addr": "[::]:8081"}
2025-08-12T15:10:02Z	INFO	controller-runtime.webhook	Starting webhook server
2025-08-12T15:10:02Z	INFO	setup	disabling http/2
I0812 15:10:02.713385       1 leaderelection.go:257] attempting to acquire leader lease my-namespace/84d4f733.example.com...
2025-08-12T15:10:02Z	INFO	controller-runtime.certwatcher	Updated current TLS certificate
2025-08-12T15:10:02Z	INFO	controller-runtime.metrics	Serving metrics server	{"bindAddress": ":8443", "secure": true}
2025-08-12T15:10:02Z	INFO	controller-runtime.certwatcher	Updated current TLS certificate
2025-08-12T15:10:02Z	INFO	controller-runtime.certwatcher	Starting certificate poll+watcher	{"interval": "10s"}
2025-08-12T15:10:02Z	INFO	controller-runtime.webhook	Serving webhook server	{"host": "", "port": 9443}
2025-08-12T15:10:02Z	INFO	controller-runtime.certwatcher	Starting certificate poll+watcher	{"interval": "10s"}
2025-08-12T15:15:50Z	DEBUG	controller-runtime.certwatcher	certificate event	{"event": "CHMOD         \"/tmp/k8s-webhook-server/serving-certs/tls.crt\""}
2025-08-12T15:15:50Z	DEBUG	controller-runtime.certwatcher	certificate event	{"event": "REMOVE        \"/tmp/k8s-webhook-server/serving-certs/tls.crt\""}
2025-08-12T15:15:50Z	DEBUG	controller-runtime.certwatcher	certificate event	{"event": "CHMOD         \"/tmp/k8s-webhook-server/serving-certs/tls.key\""}
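The mechanism the description relies on, shown as an added example that is not code from this PR, from kubebuilder or from controller-runtime: once CertDir, CertName and KeyName are set on webhook.Options and metricsserver.Options, controller-runtime creates a certwatcher whose GetCertificate is wired into tls.Config.GetCertificate, so every handshake serves whatever keypair was loaded last. The stand-alone Go program below (standard library only) reproduces that shape: a reloader that rereads tls.crt/tls.key, swaps the pair in when the bytes change, refuses a pair that does not match (cert and key caught mid-rotation) and keeps the previous pair in service, plus a helper that writes throwaway self-signed certificates to play the part of the Secret that cert-manager rotates. The names CertReloader, WriteSelfSigned and the webhook-service.my-namespace.svc CommonName are assumptions for illustration. Why this matters on non-leader replicas: the API server calls whichever pod the webhook Service routes to, and a replica still presenting a leaf that has expired or was issued by a CA no longer in caBundle fails the handshake, which with failurePolicy: Fail rejects the request and with failurePolicy: Ignore lets it through unvalidated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// CertReloader is a minimal stand-in (assumed name) for the certwatcher controller-runtime
// creates when CertDir/CertName/KeyName are set; it must run on every replica, leader or not.
type CertReloader struct {
	CertPath, KeyPath string
	mu                sync.RWMutex
	cert              *tls.Certificate
	fp                [32]byte // sha256 over the cert+key bytes last loaded successfully
}

// CheckAndReload rereads both files and swaps in the new keypair if their bytes changed. A pair
// that does not parse or does not match is rejected and the previous pair stays in service.
func (r *CertReloader) CheckAndReload() (bool, error) {
	certPEM, err := os.ReadFile(r.CertPath)
	if err != nil {
		return false, err
	}
	keyPEM, err := os.ReadFile(r.KeyPath)
	if err != nil {
		return false, err
	}
	fp := sha256.Sum256(append(certPEM, keyPEM...))
	r.mu.RLock()
	unchanged := r.cert != nil && fp == r.fp
	r.mu.RUnlock()
	if unchanged {
		return false, nil
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM) // fails if cert and key do not belong together
	if err != nil {
		return false, fmt.Errorf("keeping previous keypair: %w", err)
	}
	r.mu.Lock()
	r.cert, r.fp = &cert, fp
	r.mu.Unlock()
	return true, nil
}

// GetCertificate is what tls.Config.GetCertificate is pointed at: each new handshake picks up
// whatever was loaded last, with no listener restart.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// CurrentSerial reports the serial of the leaf currently served, to confirm a reload took.
func (r *CertReloader) CurrentSerial() (int64, error) {
	c, _ := r.GetCertificate(nil)
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return 0, err
	}
	return leaf.SerialNumber.Int64(), nil
}

// WriteSelfSigned writes a throwaway self-signed Ed25519 keypair with the given serial, standing
// in for the tls.crt/tls.key that the cert-manager Secret is projected to (constructed test data).
func WriteSelfSigned(dir, certName, keyName string, serial int64) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "webhook-service.my-namespace.svc"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a valid Ed25519 key
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(filepath.Join(dir, certName), certPEM, 0o600); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, keyName), keyPEM, 0o600)
}
```

Wiring it in is the same on every replica: build the reloader over the mounted directory, call CheckAndReload once at startup, hand r.GetCertificate to tls.Config.GetCertificate on both the webhook and the metrics server, and drive CheckAndReload from a ticker or an fsnotify callback that lives outside the leader-elected runnables. The "Starting certificate poll+watcher {"interval": "10s"}" lines in the log above are controller-runtime doing exactly that combination of fsnotify events and periodic polling.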

…tion provided by controller-runtime to do the same
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 12, 2025
@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 12, 2025
@k8s-ci-robot
Contributor

Hi @DustinChaloupka. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@DustinChaloupka DustinChaloupka changed the title (go/v4): Remove the certWatcher in favor of use internal implementation provided by controller-runtime to do the same 🐛 (go/v4): Remove the certWatcher in favor of use internal implementation provided by controller-runtime to do the same Aug 12, 2025
@camilamacedo86 camilamacedo86 changed the title 🐛 (go/v4): Remove the certWatcher in favor of use internal implementation provided by controller-runtime to do the same 🐛 (go/v4): Replace custom CertWatcher with controller-runtime’s built-in implementation for webhook and metrics server cert reloads. Ensures non-leader replicas update certificates correctly. Aug 12, 2025
@camilamacedo86
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 13, 2025
@camilamacedo86 camilamacedo86 changed the title 🐛 (go/v4): Replace custom CertWatcher with controller-runtime’s built-in implementation for webhook and metrics server cert reloads. Ensures non-leader replicas update certificates correctly. 🐛 (go/v4): Replace custom CertWatcher with controller-runtime’s built-in implementation for webhook and metrics server cert reloads. Ensures non-leader replicas update certificates correctly. Aug 13, 2025
Member

@camilamacedo86 camilamacedo86 left a comment


/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 13, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: camilamacedo86, DustinChaloupka

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 13, 2025
@k8s-ci-robot k8s-ci-robot merged commit 43f1f5e into kubernetes-sigs:master Aug 13, 2025
35 of 39 checks passed

Development

Successfully merging this pull request may close these issues.

Certwatcher only detects cert changes on leader

3 participants