Skip to content

operator/charts: add extraDNSNames to TLS certificates for failover SANs#1561

Draft
david-yu wants to merge 2 commits into
mainfrom
dyu/tls-extra-dns-names
Draft

operator/charts: add extraDNSNames to TLS certificates for failover SANs#1561
david-yu wants to merge 2 commits into
mainfrom
dyu/tls-extra-dns-names

Conversation

@david-yu
Copy link
Copy Markdown
Contributor

@david-yu david-yu commented May 29, 2026

What

Adds an extraDNSNames field to the broker TLS Certificate configuration, letting users specify additional Subject Alternative Names (SANs) on the generated server certificate.

  • Chart path (Redpanda CRD / Helm chart): tls.certs.<name>.extraDNSNames
  • Multicluster path (StretchCluster / RedpandaBrokerPool): per-pool tls.certs.<name>.extraDNSNames (each pool is its own cluster)

The names are always appended regardless of whether an issuerRef is supplied, and are ignored when a secretRef is set (the operator doesn't generate the cert in that case).

Why

The motivating use case is TLS failover between clusters. Today there is no way to add custom SANs to broker certs — only the automatic internal service names plus the applyInternalDNSNames toggle. By baking a single, stable, shared hostname (e.g. redpanda.failover.example.com) into the server certificates of two clusters, clients can fail over between them (e.g. by repointing DNS) without hitting a TLS hostname mismatch.

This pairs naturally with the shadow-link DR story, where clients may need to switch from a source cluster to a shadow cluster transparently.

Example

tls:
  certs:
    default:
      caEnabled: true
      extraDNSNames:
        - redpanda.failover.example.com
        - "*.redpanda.failover.example.com"

Implementation

Layer File
Chart values type charts/redpanda/values.go (TLSCert.ExtraDNSNames)
Chart cert generation charts/redpanda/certs.go
Operator API type operator/api/redpanda/v1alpha2/redpanda_clusterspec_types.go (Certificate.ExtraDNSNames)
Nil-safe accessor operator/api/redpanda/v1alpha2/stretch_cluster_helpers.go (GetExtraDNSNames)
Multicluster cert generation operator/multicluster/certs.go

Generated artifacts (CRDs, values.schema.json, partials, applyconfigurations, deepcopy, chart templates) were regenerated via task generate.

Tests

  • charts/redpanda: new TestClientCertsExtraDNSNames asserts both automatic and extra SANs appear on the generated server cert.
  • operator/multicluster: new tls-extra-dns-names render golden case proves the SANs flow through per-pool cert generation.
  • All existing chart TestTemplate and multicluster TestRender golden tests pass with no unrelated drift.

Notes / open questions for review

  • In the multicluster path, cluster-level TLS cert config does not propagate to pools today (the same is already true for issuerRef), so extraDNSNames is honored at the pool level. That granularity is arguably correct for failover (per-cluster SANs), but flagging it in case reviewers want cluster→pool TLS propagation addressed separately.
  • Scoped to dnsNames. If IP-based SANs are wanted, a follow-up extraIPAddresses field wiring into Spec.IPAddresses would be straightforward.

🤖 Generated with Claude Code

david-yu and others added 2 commits May 29, 2026 12:48
@david-yu @claude
operator/charts: add extraDNSNames to TLS certificates for failover SANs
fa469dd 
Add an `extraDNSNames` field to the broker TLS `Certificate` configuration so
users can specify additional Subject Alternative Names on the generated server
certificate. The names are always appended regardless of whether an `issuerRef`
is supplied, and are ignored when a `secretRef` is provided (the operator does
not generate the certificate in that case).

The motivating use case is TLS failover between clusters: baking a stable,
shared hostname into the server certificates of two clusters lets clients fail
over (e.g. via DNS repointing) without hitting a TLS hostname mismatch.

The field is wired into both certificate generators:
  - charts/redpanda (the Redpanda CRD / Helm chart path), via
    `tls.certs.<name>.extraDNSNames`
  - operator/multicluster (StretchCluster / RedpandaBrokerPool), per pool,
    since each pool is its own cluster

Generated CRDs, schemas, partials, applyconfigurations, deepcopy, and chart
templates are regenerated accordingly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@david-yu @claude
operator: scope extraDNSNames to Redpanda CRD; fix lifecycle golden
653a372 
The extraDNSNames TLS SAN feature is scoped to the Redpanda CRD only,
dropping the multicluster broker-pool wiring (GetExtraDNSNames helper,
certs.go usage, and the tls-extra-dns-names render case). The lifecycle
values golden file is regenerated so TestV2ResourceClient picks up the
new extraDNSNames cert field.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RafalKorepta RafalKorepta Awaiting requested review from RafalKorepta RafalKorepta will be requested when the pull request is marked ready for review RafalKorepta is a code owner

@chrisseto chrisseto Awaiting requested review from chrisseto chrisseto will be requested when the pull request is marked ready for review chrisseto is a code owner

@andrewstucki andrewstucki Awaiting requested review from andrewstucki andrewstucki will be requested when the pull request is marked ready for review andrewstucki is a code owner

@gene-redpanda gene-redpanda Awaiting requested review from gene-redpanda gene-redpanda will be requested when the pull request is marked ready for review gene-redpanda is a code owner

@hidalgopl hidalgopl Awaiting requested review from hidalgopl hidalgopl will be requested when the pull request is marked ready for review hidalgopl is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@david-yu