feat(charts): add new flag enable leader for cert-manager

[nutmos]

Problem Statement

Nowadays, cert-manager's Helm chart doesn't have an enable-leader-election flag setup.

This PR adds the capability to set --enable-leader-election=true flag when .Values.leaderElect is true.

Related Issue

Fixes #5737

Proposed Changes

This PR adds the capability to set --enable-leader-election=true flag when .Values.leaderElect is true.

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

• charts
• release
• testing
• security
• templating

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

Description

Adds support for the --enable-leader-election flag in the cert-controller Helm chart deployment template, controlled via the .Values.leaderElect configuration value. This enables leader election for cert-controller when multiple replicas are deployed, matching the behavior of the core controller.

Changes

• cert-controller-deployment.yaml: Adds conditional logic to include --enable-leader-election=true in the container args when .Values.leaderElect is enabled. Also retains hostAliases block support with fallback to global configuration.
• cert_controller_test.yaml: Adds two test cases verifying that:
  • The --enable-leader-election flag is not present by default
  • The flag is properly applied when leaderElect is set to true

Fixes

#5737

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8355df0 and b009455.

📒 Files selected for processing (2)

• deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
• deploy/charts/external-secrets/tests/cert_controller_test.yaml

---

Walkthrough

Adds conditional leader-election flag support to the cert-controller Helm deployment args and corresponding tests that assert flag presence/absence based on .Values.leaderElect.

Changes

Cohort / File(s)	Summary
Cert-controller Deployment Template deploy/charts/external-secrets/templates/cert-controller-deployment.yaml	Adds conditional container arg: --enable-leader-election=true when .Values.leaderElect is enabled.
Cert-controller Deployment Tests deploy/charts/external-secrets/tests/cert_controller_test.yaml	Adds two tests: one asserting the flag is absent by default, and one asserting the flag is present when leaderElect: true.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The pull request successfully implements all coding requirements from linked issue #5737: adds --enable-leader-election flag support to cert-controller template via .Values.leaderElect attribute and includes comprehensive test coverage.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the linked issue objectives. The modifications add leader election support to the cert-controller Helm template and corresponding tests without introducing unrelated alterations.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Skarlso]

Sorry, fat fingered the ready for review button.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@deploy/charts/external-secrets/templates/cert-controller-deployment.yaml`:
- Around line 92-94: Remove the trailing spaces in the Helm template conditional
that renders the --enable-leader-election flag: update the block that checks
.Values.leaderElect and emits "- --enable-leader-election=true" so the emitted
lines have no trailing whitespace (match the style used in the core-controller
deployment template); specifically trim the spaces after the closing markers in
the conditional lines that produce the flag.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

deploy/charts/external-secrets/templates/validatingwebhook.yaml (1)

36-50: ⚠️ Potential issue | 🟠 Major

Missing failurePolicy on the clustersecretstore webhook.

The validate.secretstore (line 34) and validate.externalsecret (line 84) webhooks both received the new failurePolicy field, but the validate.clustersecretstore webhook here does not. This looks like an oversight — all three webhooks should behave consistently.

Proposed fix

   sideEffects: None
   timeoutSeconds: 5
+  failurePolicy: {{ .Values.webhook.failurePolicy }}
 ---

docs/introduction/stability-support.md (1)

47-61: ⚠️ Potential issue | 🟡 Minor

Stale documentation: "has not reached stable 1.0 yet" is no longer accurate.

Line 47 states the operator hasn't reached 1.0, but the version table now lists releases up to 2.0. This entire section about treating minor bumps as breaking changes and upgrading cautiously may need revision for the post-1.0 era (or at minimum the opening sentence needs updating).

🤖 Fix all issues with AI agents

In @.github/workflows/pull-request-label.yml:
- Line 115: Update the stale inline comment on the actions checkout step: find
the line containing "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" and change the
trailing comment from "# v5" to "# v6.0.2" so it accurately reflects the
referenced release (actions/checkout v6.0.2).

In `@deploy/charts/external-secrets/tests/cert_controller_test.yaml`:
- Around line 317-375: Add two unit tests to cert_controller_test.yaml
validating the new leader election flag: one that asserts the container args do
NOT contain "--enable-leader-election=true" by default, and one that sets
leaderElect: true and asserts the container args DO contain
"--enable-leader-election=true". Target the same template
cert-controller-deployment.yaml and use notContains on path
spec.template.spec.containers[0].args for the default case and contains on the
same path when leaderElect: true; name the tests accordingly (e.g., "should not
have enable-leader-election flag by default" and "should have
enable-leader-election flag when leaderElect is true").

🧹 Nitpick comments (4)

Makefile (1)

410-417: Inconsistent indentation: spaces vs tab in conditional blocks.

Line 412 (real_OS := darwin) uses spaces for indentation, while Line 416 (real_OS := linux) uses a tab. While both work inside ifeq blocks, mixing them reduces readability and can confuse contributors.

🔧 Suggested fix: use consistent indentation

 ifeq ($(detected_OS),Darwin)
         detected_OS := mac
         real_OS := darwin
 endif
 ifeq ($(detected_OS),Linux)
         detected_OS := linux
-	real_OS := linux
+        real_OS := linux
 endif

deploy/charts/external-secrets/templates/validatingwebhook.yaml (1)

84-84: Minor formatting inconsistency: missing space before }}.

Line 34 uses {{ .Values.webhook.failurePolicy }} (with trailing space), while line 84 uses {{ .Values.webhook.failurePolicy}} (no trailing space). Helm handles both, but keeping consistent template style is preferable.

Fix

-  failurePolicy: {{ .Values.webhook.failurePolicy}}
+  failurePolicy: {{ .Values.webhook.failurePolicy }}

.github/workflows/dlc.yml (1)

28-28: fossas/fossa-action is pinned to a main branch commit, not a release tag.

The SHA pin ensures immutability, but the # main comment makes it harder to track which release version this corresponds to. Other actions in this repo use versioned tag comments (e.g., # v2.14.2). Consider identifying the corresponding release tag for the comment, if one exists.

Also applies to: 34-34

docs/provider/infisical.md (1)

313-363: Consider clarifying service account key file mounting.

The GCP IAM Auth section documents the serviceAccountKeyFilePath parameter but doesn't explain how users should make this file available in the Kubernetes environment. Consider adding a brief note or example about mounting the service account key file (e.g., via a Secret volume mount or init container).

📝 Example guidance that could be added

After the "Storing Credentials" section, consider adding:

!!! note
    The service account key file must be available at the specified path in the operator's pod. You can mount it using a Secret volume:
    
    ```yaml
    # First, create a secret with the key file content
    kubectl create secret generic gcp-sa-key --from-file=key.json=/path/to/local/key.json
    
    # Then mount it in the operator deployment
    # (This typically requires modifying the operator's deployment to add the volume mount)
    ```

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Stale version comment: # v5 should be # v6.0.2.

The commit SHA de0fac2e… corresponds to actions/checkout v6.0.2 (as used in all other workflow files in this PR), but the inline comment still says v5.

Proposed fix

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

🤖 Prompt for AI Agents

In @.github/workflows/pull-request-label.yml at line 115, Update the stale
inline comment on the actions checkout step: find the line containing "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" and change the
trailing comment from "# v5" to "# v6.0.2" so it accurately reflects the
referenced release (actions/checkout v6.0.2).

[coderabbitai]

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@deploy/charts/external-secrets/tests/cert_controller_test.yaml`:
- Around line 376-391: The review comment includes duplicate reviewer markers
("[approve_code_changes]" and "[duplicate_comment]") appended to the test
description block for the two test cases ("should not have
enable-leader-election flag by default" and "should have enable-leader-election
flag when leaderElect is true"); remove the redundant marker so only the
intended approval token remains (or remove both markers if no token is needed),
leaving the YAML test assertions unchanged for cert-controller-deployment.yaml
and keeping the two test cases as-is.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud