What happened?
The Helm chart template operator/charts/templates/webhook-server-cert-secret.yaml renders a grove-webhook-server-cert Secret with empty tls.crt and tls.key fields when certProvisionMode is auto (the default). The cert-controller populates this secret with auto-generated certificates at startup, but on subsequent deploys via helm template | kubectl apply, the empty values overwrite the populated certificates, breaking webhook TLS until the cert-controller repopulates the secret.
The same issue occurs with GitOps tools (ArgoCD/FluxCD) that detect the populated cert data as drift from the desired empty state and may reset it on sync.
The underlying constraint is that the upstream cert-controller library (open-policy-agent/cert-controller) only updates existing secrets — it does not create them. This is why the chart pre-creates the empty secret. However, the operator has full CRUD RBAC permissions on secrets, so it could create the secret itself.
What did you expect to happen?
Deploying the Helm chart via helm template | kubectl apply should not overwrite previously populated webhook TLS certificates. The operator should be able to manage the webhook cert secret lifecycle independently of Helm.
Environment
- Affects all Grove versions with certProvisionMode: auto (default)
- Reproducible with helm template | kubectl apply or GitOps tools (ArgoCD, FluxCD)
- Not affected when using standard helm upgrade (Helm 3's three-way merge preserves live data)
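The difference between the two update paths listed above can be modelled in a few lines. The following Python is an added illustration written for this issue, not code from the Grove project, Helm, kubectl or cert-controller; its merge rules are deliberate simplifications of client-side kubectl apply and Helm 3's three-way merge, and the namespace, the certificate placeholders and the in-memory "store" are constructed for the example. It also sketches the create-only behaviour the report proposes for the operator.

```python
"""Model of why redeploying the chart blanks the webhook Secret on one path
but not the other. Added illustration, not project code; the merge rules are
simplified versions of kubectl apply and Helm 3 three-way merge."""
import copy

# Constructed sample of what the chart renders with certProvisionMode: auto.
RENDERED_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "grove-webhook-server-cert", "namespace": "grove-system"},
    "type": "kubernetes.io/tls",
    "data": {"tls.crt": "", "tls.key": ""},
}

# Constructed placeholders standing in for the base64 PEM cert-controller writes.
GENERATED_CRT = "LS0tLS1CRUdJTi...(constructed placeholder)"
GENERATED_KEY = "LS0tLS1CRUdJTi...(constructed placeholder)"


def populate_by_cert_controller(secret):
    """cert-controller only updates an existing Secret; model that write."""
    live = copy.deepcopy(secret)
    live["data"]["tls.crt"] = GENERATED_CRT
    live["data"]["tls.key"] = GENERATED_KEY
    return live


def _deep_set(dst, src):
    """Write every leaf of src into dst, creating nested maps as needed."""
    for key, value in src.items():
        if isinstance(value, dict):
            _deep_set(dst.setdefault(key, {}), value)
        else:
            dst[key] = value


def _diff(old, new):
    """Leaves of new whose value differs from old (nested maps recursed)."""
    patch = {}
    for key, value in new.items():
        if isinstance(value, dict):
            old_sub = old.get(key) if isinstance(old.get(key), dict) else {}
            sub = _diff(old_sub, value)
            if sub:
                patch[key] = sub
        elif old.get(key) != value:
            patch[key] = value
    return patch


def kubectl_apply(live, manifest):
    """Simplified client-side apply: every field in the manifest whose value
    differs from the live object is set on the live object. An empty string
    is a value like any other, so "" replaces the populated certificate."""
    result = copy.deepcopy(live)
    _deep_set(result, _diff(live, manifest))
    return result


def helm_upgrade(live, previous_manifest, new_manifest):
    """Simplified Helm 3 three-way merge: only fields that changed between the
    previously rendered manifest and the new one are patched onto the live
    object, so values written out-of-band by cert-controller survive."""
    result = copy.deepcopy(live)
    _deep_set(result, _diff(previous_manifest, new_manifest))
    return result


def gitops_detects_drift(live, desired):
    """A GitOps sync compares desired to live; any difference is drift."""
    return bool(_diff(live, desired))


def webhook_tls_broken(secret):
    return not secret["data"].get("tls.crt") or not secret["data"].get("tls.key")


def redeploy_via_kubectl_apply():
    live = populate_by_cert_controller(RENDERED_SECRET)
    return kubectl_apply(live, RENDERED_SECRET)


def redeploy_via_helm_upgrade():
    live = populate_by_cert_controller(RENDERED_SECRET)
    # Chart unchanged between releases: previous and new manifest are identical.
    return helm_upgrade(live, RENDERED_SECRET, RENDERED_SECRET)


def ensure_secret_exists(store, secret):
    """Sketch of the alternative the report proposes: the operator creates the
    Secret only when absent and never modifies an existing one. `store` is a
    hypothetical name -> object map standing in for the API server."""
    name = secret["metadata"]["name"]
    if name in store:
        return False
    store[name] = copy.deepcopy(secret)
    return True


if __name__ == "__main__":
    print("kubectl apply broke TLS:", webhook_tls_broken(redeploy_via_kubectl_apply()))
    print("helm upgrade broke TLS:", webhook_tls_broken(redeploy_via_helm_upgrade()))
```

Running the module prints `True` for the kubectl apply path and `False` for the helm upgrade path, which is the affected/not-affected split described in the Environment list. The same diff that kubectl apply turns into a write is what a GitOps controller reports as drift, so the ArgoCD/FluxCD case reduces to `gitops_detects_drift` returning true for a populated live Secret.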