platform-mesh · akafazov · Feb 12, 2026 · Feb 12, 2026
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -19,7 +19,9 @@ type OperatorConfig struct {
 			EnableIstio                      bool   `mapstructure:"subroutines-deployment-enable-istio" default:"true"`
 		} `mapstructure:",squash"`
 		KcpSetup struct {
-			Enabled bool `mapstructure:"subroutines-kcp-setup-enabled" default:"true"`
+			Enabled                       bool   `mapstructure:"subroutines-kcp-setup-enabled" default:"true"`
+			DomainCertificateCASecretName string `mapstructure:"domain-certificate-ca-secret-name" default:"domain-certificate"`
+			DomainCertificateCASecretKey  string `mapstructure:"domain-certificate-ca-secret-key" default:"tls.crt"`
 		} `mapstructure:",squash"`
 		ProviderSecret struct {
 			Enabled bool `mapstructure:"subroutines-provider-secret-enabled" default:"true"`

diff --git a/pkg/subroutines/kcpsetup.go b/pkg/subroutines/kcpsetup.go
@@ -252,9 +252,9 @@ func (r *KcpsetupSubroutine) getCABundleInventory(
 	caBundles[validatingKey] = validatingB64Data
 
 	domainCA, err := r.getCaBundle(ctx, &corev1alpha1.WebhookConfiguration{
-		SecretData: "tls.crt",
+		SecretData: r.cfg.Subroutines.KcpSetup.DomainCertificateCASecretKey,
 		SecretRef: corev1alpha1.SecretReference{
-			Name:      "domain-certificate-ca",
+			Name:      r.cfg.Subroutines.KcpSetup.DomainCertificateCASecretName,
 			Namespace: "platform-mesh-system",
 		},
 	})

diff --git a/pkg/subroutines/kcpsetup_test.go b/pkg/subroutines/kcpsetup_test.go
@@ -33,6 +33,13 @@ import (
 
 var ManifestStructureTest = "../../manifests/kcp"
 
+func defaultTestOperatorConfig() *config.OperatorConfig {
+	cfg := &config.OperatorConfig{}
+	cfg.Subroutines.KcpSetup.DomainCertificateCASecretName = "domain-certificate"
+	cfg.Subroutines.KcpSetup.DomainCertificateCASecretKey = "tls.crt"
+	return cfg
+}
+
 type KcpsetupTestSuite struct {
 	suite.Suite
 	clientMock *mocks.Client
@@ -53,7 +60,7 @@ func (s *KcpsetupTestSuite) SetupTest() {
 	cfg.NoJSON = true
 	cfg.Name = "KcpsetupTestSuite"
 	s.log, _ = logger.New(cfg)
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, &config.OperatorConfig{}, ManifestStructureTest, "https://kcp.example.com")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, defaultTestOperatorConfig(), ManifestStructureTest, "https://kcp.example.com")
 }
 
 func (s *KcpsetupTestSuite) TearDownTest() {
@@ -71,7 +78,7 @@ func (s *KcpsetupTestSuite) Test_Constructor() {
 	helper := &subroutines.Helper{}
 
 	// create new test object
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, helper, &config.OperatorConfig{}, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, helper, defaultTestOperatorConfig(), ManifestStructureTest, "")
 }
 
 func (s *KcpsetupTestSuite) Test_applyDirStructure() {
@@ -151,7 +158,7 @@ func (s *KcpsetupTestSuite) Test_getCABundleInventory() {
 
 	s.clientMock.EXPECT().
 		Get(mock.Anything, types.NamespacedName{
-			Name:      "domain-certificate-ca",
+			Name:      "domain-certificate",
 			Namespace: "platform-mesh-system",
 		}, mock.Anything).
 		RunAndReturn(func(ctx context.Context, nn types.NamespacedName, obj client.Object, opts ...client.GetOption) error {
@@ -193,7 +200,7 @@ func (s *KcpsetupTestSuite) Test_getCABundleInventory() {
 
 	// Test case 2: Secret not found
 	// Create a new instance to clear the cache
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, &config.OperatorConfig{}, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, defaultTestOperatorConfig(), ManifestStructureTest, "")
 
 	// Mock the mutating webhook secret lookup to return error
 	s.clientMock.EXPECT().
@@ -211,6 +218,70 @@ func (s *KcpsetupTestSuite) Test_getCABundleInventory() {
 	s.clientMock.AssertExpectations(s.T())
 }
 
+func (s *KcpsetupTestSuite) Test_getCABundleInventory_CustomSecretNameAndKey() {
+	ctx := context.WithValue(context.Background(), keys.LoggerCtxKey, s.log)
+
+	customSecretName := "my-custom-ca-secret"
+	customSecretKey := "ca.pem"
+	customCfg := defaultTestOperatorConfig()
+	customCfg.Subroutines.KcpSetup.DomainCertificateCASecretName = customSecretName
+	customCfg.Subroutines.KcpSetup.DomainCertificateCASecretKey = customSecretKey
+
+	clientMock := new(mocks.Client)
+	s.testObj = subroutines.NewKcpsetupSubroutine(clientMock, s.helperMock, customCfg, ManifestStructureTest, "")
+
+	// Mock the mutating webhook secret lookup
+	clientMock.EXPECT().
+		Get(mock.Anything, types.NamespacedName{
+			Name:      subroutines.DEFAULT_WEBHOOK_CONFIGURATION.SecretRef.Name,
+			Namespace: subroutines.DEFAULT_WEBHOOK_CONFIGURATION.SecretRef.Namespace,
+		}, mock.AnythingOfType("*v1.Secret")).
+		RunAndReturn(func(ctx context.Context, nn types.NamespacedName, obj client.Object, opts ...client.GetOption) error {
+			secret := obj.(*corev1.Secret)
+			secret.Data = map[string][]byte{
+				subroutines.DEFAULT_WEBHOOK_CONFIGURATION.SecretData: []byte("test-ca-data"),
+			}
+			return nil
+		}).Once()
+
+	// Mock the validating webhook secret lookup
+	clientMock.EXPECT().
+		Get(mock.Anything, types.NamespacedName{
+			Name:      subroutines.DEFAULT_VALIDATING_WEBHOOK_CONFIGURATION.SecretRef.Name,
+			Namespace: subroutines.DEFAULT_VALIDATING_WEBHOOK_CONFIGURATION.SecretRef.Namespace,
+		}, mock.AnythingOfType("*v1.Secret")).
+		RunAndReturn(func(ctx context.Context, nn types.NamespacedName, obj client.Object, opts ...client.GetOption) error {
+			secret := obj.(*corev1.Secret)
+			secret.Data = map[string][]byte{
+				subroutines.DEFAULT_VALIDATING_WEBHOOK_CONFIGURATION.SecretData: []byte("test-ca-data"),
+			}
+			return nil
+		}).Once()
+
+	// Mock the custom-named domain CA secret lookup with custom key
+	clientMock.EXPECT().
+		Get(mock.Anything, types.NamespacedName{
+			Name:      customSecretName,
+			Namespace: "platform-mesh-system",
+		}, mock.Anything).
+		RunAndReturn(func(ctx context.Context, nn types.NamespacedName, obj client.Object, opts ...client.GetOption) error {
+			secret := obj.(*corev1.Secret)
+			secret.Data = map[string][]byte{
+				customSecretKey: []byte("custom-ca-data"),
+			}
+			return nil
+		}).Once()
+
+	inventory, err := s.testObj.GetCABundleInventory(ctx)
+	s.Assert().NoError(err)
+	s.Assert().NotNil(inventory)
+	s.Assert().Contains(inventory, "domainCA")
+	s.Assert().Contains(inventory, "domainCADec")
+	s.Assert().Equal("custom-ca-data", inventory["domainCADec"])
+
+	clientMock.AssertExpectations(s.T())
+}
+
 func (s *KcpsetupTestSuite) Test_GetCaBundle() {
 	ctx := context.WithValue(context.Background(), keys.LoggerCtxKey, s.log)
 	webhookConfig := &corev1alpha1.WebhookConfiguration{
@@ -341,7 +412,7 @@ func (s *KcpsetupTestSuite) TestProcess() {
 		})
 	s.clientMock.EXPECT().
 		Get(mock.Anything, types.NamespacedName{
-			Name:      "domain-certificate-ca",
+			Name:      "domain-certificate",
 			Namespace: "platform-mesh-system",
 		}, mock.Anything).
 		RunAndReturn(func(ctx context.Context, nn types.NamespacedName, obj client.Object, opts ...client.GetOption) error {
@@ -475,15 +546,15 @@ func (s *KcpsetupTestSuite) TestProcess() {
 	s.Assert().Equal(ctrl.Result{}, result)
 
 	// Test error case - create a new instance to clear the cache
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, &config.OperatorConfig{}, ManifestStructureTest, "https://kcp.example.com")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, defaultTestOperatorConfig(), ManifestStructureTest, "https://kcp.example.com")
 }
 
 func (s *KcpsetupTestSuite) Test_getAPIExportHashInventory() {
 	// mocks
 	mockKcpClient := new(mocks.Client)
 	mockedKcpHelper := new(mocks.KcpHelper)
 	mockedKcpHelper.EXPECT().NewKcpClient(mock.Anything, mock.Anything).Return(mockKcpClient, nil).Times(3)
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, mockedKcpHelper, &config.OperatorConfig{}, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, mockedKcpHelper, defaultTestOperatorConfig(), ManifestStructureTest, "")
 
 	apiexport := &kcpapiv1alpha.APIExport{
 		Status: kcpapiv1alpha.APIExportStatus{
@@ -571,7 +642,7 @@ func (s *KcpsetupTestSuite) TestCreateWorkspaces() {
 	// test err1 - expect error when NewKcpClient fails
 	mockedKcpHelper := new(mocks.KcpHelper)
 	mockedKcpHelper.EXPECT().NewKcpClient(mock.Anything, mock.Anything).Return(nil, errors.New("failed to create client"))
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, mockedKcpHelper, &config.OperatorConfig{}, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, mockedKcpHelper, defaultTestOperatorConfig(), ManifestStructureTest, "")
 
 	err := s.testObj.CreateKcpResources(context.Background(), &rest.Config{}, ManifestStructureTest, &corev1alpha1.PlatformMesh{})
 	s.Assert().Error(err)
@@ -582,7 +653,7 @@ func (s *KcpsetupTestSuite) TestCreateWorkspaces() {
 	mockKcpClient := new(mocks.Client)
 	mockedKcpHelper = new(mocks.KcpHelper)
 	mockedKcpHelper.EXPECT().NewKcpClient(mock.Anything, mock.Anything).Return(mockKcpClient, nil)
-	s.testObj = subroutines.NewKcpsetupSubroutine(mockedK8sClient, mockedKcpHelper, &config.OperatorConfig{}, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(mockedK8sClient, mockedKcpHelper, defaultTestOperatorConfig(), ManifestStructureTest, "")
 
 	// Mock both webhook secret lookups for CA bundle inventory
 	webhookConfig := subroutines.DEFAULT_WEBHOOK_CONFIGURATION
@@ -604,7 +675,7 @@ func (s *KcpsetupTestSuite) TestCreateWorkspaces() {
 
 		// Mock the mutating webhook secret lookup (called once due to caching)
 	mockedK8sClient.EXPECT().Get(mock.Anything, types.NamespacedName{
-		Name:      "domain-certificate-ca",
+		Name:      "domain-certificate",
 		Namespace: webhookConfig.SecretRef.Namespace,
 	}, mock.AnythingOfType("*v1.Secret")).
 		Run(func(ctx context.Context, key types.NamespacedName, obj client.Object, opts ...client.GetOption) {
@@ -676,7 +747,7 @@ func (s *KcpsetupTestSuite) TestCreateWorkspaces() {
 	mockKcpClient = new(mocks.Client)
 	mockedKcpHelper = new(mocks.KcpHelper)
 	mockedKcpHelper.EXPECT().NewKcpClient(mock.Anything, mock.Anything).Return(mockKcpClient, nil)
-	s.testObj = subroutines.NewKcpsetupSubroutine(mockedK8sClient, mockedKcpHelper, &config.OperatorConfig{}, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(mockedK8sClient, mockedKcpHelper, defaultTestOperatorConfig(), ManifestStructureTest, "")
 
 	// Mock both secret lookups again (they should be cached from previous call)
 	// Since we're creating a new instance, the cache is cleared, so we need to mock again