Allow disabling cert-generator with a Helm value (#4186) (#4280)

Problem: Need to allow disabling cert-generator with a Helm value.

Solution: Allow disabling cert-generator with a Helm value.

Testing: Allow disabling cert-generator with a Helm value.

Co-authored-by: Fabian Bao <fabian.v.bao@gmail.com>

Author: sjberman

charts/nginx-gateway-fabric/README.md

@@ -195,10 +195,11 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 
 | Key | Description | Type | Default |
 |-----|-------------|------|---------|
-| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[],"ttlSecondsAfterFinished":30}` |
+| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"enable":true,"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[],"ttlSecondsAfterFinished":30}` |
 | `certGenerator.affinity` | The affinity of the cert-generator pod. | object | `{}` |
 | `certGenerator.agentTLSSecretName` | The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely communicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"agent-tls"` |
 | `certGenerator.annotations` | The annotations of the cert-generator Job. | object | `{}` |
+| `certGenerator.enable` | Enable the cert-generator Job. If this is disabled, then cert-manager or some other method must be used to create the required Secrets. | bool | `true` |
 | `certGenerator.nodeSelector` | The nodeSelector of the cert-generator pod. | object | `{}` |
 | `certGenerator.overwrite` | Overwrite existing TLS Secrets on startup. | bool | `false` |
 | `certGenerator.serverTLSSecretName` | The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane to securely communicate with the NGINX Agent. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"server-tls"` |

charts/nginx-gateway-fabric/templates/certs-job.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.certGenerator.enable }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -172,3 +173,4 @@ spec:
       {{- toYaml .Values.certGenerator.nodeSelector | nindent 8 }}
       {{- end }}
   ttlSecondsAfterFinished: {{ .Values.certGenerator.ttlSecondsAfterFinished }}
+{{- end }}

charts/nginx-gateway-fabric/values.schema.json

@@ -23,6 +23,13 @@
           "title": "annotations",
           "type": "object"
         },
+        "enable": {
+          "default": true,
+          "description": "Enable the cert-generator Job. If this is disabled, then cert-manager or some other method must be used to create the required Secrets.",
+          "required": [],
+          "title": "enable",
+          "type": "boolean"
+        },
         "nodeSelector": {
           "description": "The nodeSelector of the cert-generator pod.",
           "required": [],

charts/nginx-gateway-fabric/values.yaml

@@ -672,6 +672,8 @@ nginx:
 
 # -- The certGenerator section contains the configuration for the cert-generator Job.
 certGenerator:
+  # -- Enable the cert-generator Job. If this is disabled, then cert-manager or some other method must be used to create the required Secrets.
+  enable: true
   # -- The annotations of the cert-generator Job.
   annotations: {}