feat(acme/http01): adding overrides for parentRef

[hjoshi123]

Pull Request Motivation

This PR handles two bugs that came up recently. One was related to how we handle parentRef for the newly released ListenerSet and the other bug is about handling multiple parentRefs required in the clusterIssuer #7890. The solution to this was proposed in our last weekly meeting on 02/12/2026. This diagram also represents the solution in brief.

Kind

/kind feature

Release Note

added `parentRef` override annotations on the Certificate resource.

[hjoshi123]

/hold

Trying to add tests to this PR

[maelvls]

Let's cut our first beta once this out. How can I help?

[maelvls]

Copy-paste issue? Looks like the ingress logic 😅

[hjoshi123]

I do feel we need this check (obviously without the namespace stuff).. because what happens if someone only adds the kind annotation and forgets the name annotation

[maelvls]

Agreed, we should catch the case where name was given but kind wasn't (and vice-versa), good point.

[hjoshi123]

/unhold

[maelvls]

I built an image+helm chart out of your branch, it seems the requirement on the parentRefs in validation/issuer.go#L242-L244 needs to be relaxed:

admission webhook "webhook.cert-manager.io" denied the request: spec.acme.solvers[0].http01.gateway.parentRefs: Required value: at least 1 parentRef is required

Reproduce

Here is how I'm pushing the helm chart and image:

make ko-images-push KO_PLATFORM=linux/amd64,linux/arm64 KO_REGISTRY=ttl.sh/maelvls VERSION=v1.20.0-test.0
$ yq -i '.imageRegistry = "ttl.sh" | .imageNamespace = "maelvls" | (..| select(key=="pullPolicy")) = "Always"' deploy/charts/cert-manager/values.yaml
make helm-chart _bin/cert-manager.tgz VERSION=v1.20.0-test.0
helm push _bin/cert-manager.tgz oci://ttl.sh/maelvls

helm upgrade --install cert-manager oci://ghcr.io/maelvls/cert-manager --version v1.20.0-ttw.0 \
  --namespace cert-manager \
  --set config.apiVersion="controller.config.cert-manager.io/v1alpha1" \
  --set config.kind="ControllerConfiguration" \
  --set config.enableGatewayAPI=true \
  --set config.enableGatewayAPIListenerSet=true \
  --set config.featureGates.ListenerSet=true \
  --set crds.enabled=true \
  --set crds.keep=false

This fails:

kubectl apply -f- <<EOF
kind: ClusterIssuer
apiVersion: cert-manager.io/v1
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: mael.valais@cyberak.com
    privateKeySecretRef:
      name: letsencrypt-acc-key
    solvers:
      - http01:
          gatewayHTTPRoute: {}
EOF

cert-manager's RBAC might need adjusting, too:

E0219 13:23:56.296175 1 reflector.go:204] "Failed to watch" err="failed to list *v1.ListenerSet: listenersets.gateway.networking.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot list resource "listenersets" in API group "gateway.networking.k8s.io" at the cluster scope" logger="UnhandledError" reflector="k8s.io/client-go@v0.35.1/tools/cache/reflector.go:289" type="*v1.ListenerSet"

[hjoshi123]

@maelvls I think I fixed the issue now with validation and RBAC.. I forgot to update the RBAC from xlistenersets to listenersets due to the case sensitivity of XListenerSets vs xlistenersets 😅 but we should be good now

[maelvls]

I've just tested and it all works! Took me forever to get it end-to-end. I've used envoygateway's 1.5 branch. For anyone willing to this branch out, I've written a tutorial: https://hackmd.io/@maelvls/test-xlistenerset. Helm chart:

helm upgrade --install cert-manager oci://ghcr.io/maelvls/cert-manager --version v1.20.0-dev.0

[maelvls]

What happens if someone also sets parentRefs on the issuer/clusterissuer? Are they replaced with this? meaning that the clusterissuer/issuer's parentRefs is now ineffective? (fine by me, just wanted to be sure)

[hjoshi123]

The way it is it will append to the existing parentRefs right now.. we could do a replace if you think that's a better approach

[maelvls]

Would be great to have more coverage on these scenarii; I've written some test cases in case it can help: maelvls@d6c2421

In particular, the test case:

no annotations and no parentRefs on issuer

isn't clear to me: is it possible to create a valid HTTPRoute with 0 parentRef? If not, it should error out.

[hjoshi123]

Yup.. I can take a look at it and add them back

The no annotation and no parentRef is I think left for us to decide because technically on the API parentRefs is marked as optional so I think it depends on the implementation if they should throw an error. To be clear, the httpRoute would be invalid but the resource itself would be admitted at least from the API spec.

[hjoshi123]

I think given me removed the requirement from the issuer side, after checking for annotation if the number of parentRef is 0 we should return an error.. wdyt?

[hjoshi123]

@maelvls thank you for the tests :).. I modified them a bit and also added validation when parentRefs are not present after we process the annotations. The only caveat being that this validation now happens on the orders controller and not during the admission which I guess is fair because we cant control the workflow during admission of issuer.

[maelvls]

Hey. I'll run the e2e with envoygateway. If it works, I'd be happy to merge this!

[maelvls]

I managed to make the e2es pass using envoygateway! I'll opena PR to fix the e2es.

/lgtm
/approve

Here is an edited version of the diagram that I showed to a colleague in case that can help:

(Excalidraw link)

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maelvls

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [maelvls]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment