kura-controller: reconcile fails with NoMatchError on clusters without the cert-manager CRD (decide if cert-manager is required)

GitHub issue · Open

Metadata
Source: tuist/tuist #11388
Updated: Jun 19, 2026
Domains: Kura

Summary

kura-controller fails its reconcile loop — before creating the StatefulSet — on any cluster where the cert-manager Certificate CRD is not installed. client.IgnoreNotFound only absorbs apierrors.IsNotFound; it does not catch meta.NoMatchError (returned when a GVK has no REST mapping because its CRD is absent). So the error propagates, the instance never gets its workload, and the controller loops on the same error forever.

Where

Both functions touch the unstructured Certificate kind and run early in Reconcile:

  • reconcilePublicCertificate (infra/kura-controller/controllers/kurainstance_controller.go): its delete branch (if r.GRPCClusterIssuer == "" || instance.Spec.PublicHost == "") calls r.Delete(ctx, cert) on the Certificate kind, wrapped in client.IgnoreNotFound. Runs first in the reconcile chain.
  • retireLegacyGRPCCertificate/deleteIfExists: r.Get / r.Delete on the Certificate kind, same IgnoreNotFound wrapper. Runs right after.

Because the public-cert path runs first, that’s where the reconcile actually dies.

Notes

  • Pre-existing, not introduced by #11356. The pre-PR reconcileGRPCCertificate had the same delete-on-empty-issuer shape; reconcilePublicCertificate is unchanged by that PR.
  • It triggers even when --grpc-cluster-issuer is empty — the delete branch still touches the Certificate kind — so the controller effectively requires the cert-manager CRD regardless of issuer config. The function doc comments (“cert-manager must be installed before turning on --grpc-cluster-issuer”) understate this.
  • Managed/staging/prod are unaffected (cert-manager is installed). Impact is on self-host / on-prem operators who enable kuraController.enabled without cert-manager. Current workaround (seen in local dev): apply a stub certificates.cert-manager.io CRD and restart the controller so the RESTMapper re-resolves.

Decision to make

Decide whether cert-manager is a hard dependency of the controller or optional:

  • Option A — tolerate its absence (make it optional). Add a shared helper that absorbs both apierrors.IsNotFound and meta.IsNoMatchError, applied to both cert delete paths (and deleteIfExists). Reconcile then proceeds to the StatefulSet when the CRD is absent. This also makes the reviewer’s narrower “gate the retire path on the issuer” suggestion unnecessary.
  • Option B — make it a required prerequisite (explicit). Document cert-manager as a hard dependency, fail fast at startup with a clear message (e.g. a RESTMapper check) instead of looping on NoMatchError, and correct the doc comments to say the CRD is needed regardless of --grpc-cluster-issuer.

Acceptance

  • Pick Option A or B.
  • Implement consistently across both cert paths (reconcilePublicCertificate + retireLegacyGRPCCertificate/deleteIfExists).
  • Test: reconcile of a KuraInstance on a cluster without the Certificate CRD either reaches StatefulSet creation (Option A) or fails fast with a clear, actionable message (Option B).
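
Added example, not code from the issue or the tuist repository: a standard-library Go model of Option A's shared helper, showing reconcile stopping at reconcilePublicCertificate with the current wrapper and reaching the StatefulSet once both cases are absorbed. The sentinel errors, ignoreAbsent and reconcile are hypothetical stand-ins; a real helper would apply apierrors.IsNotFound and meta.IsNoMatchError to the error returned by r.Delete.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the two error shapes in the issue; the real
// controller would test them with apierrors.IsNotFound and meta.IsNoMatchError.
var (
	errNotFound = errors.New("certificate not found")           // object absent
	errNoMatch  = errors.New("no REST mapping for Certificate") // CRD absent
)

// ignoreNotFound models the current wrapper: only "not found" is absorbed.
func ignoreNotFound(err error) error {
	if errors.Is(err, errNotFound) {
		return nil
	}
	return err
}

// ignoreAbsent is a hypothetical Option A helper: a missing object and a
// missing kind both mean "nothing to delete". Any other error still propagates.
func ignoreAbsent(err error) error {
	if errors.Is(err, errNotFound) || errors.Is(err, errNoMatch) {
		return nil
	}
	return err
}

// reconcile models the issue's ordering: both cert delete paths, then the StatefulSet.
func reconcile(deleteCert func() error, absorb func(error) error) ([]string, error) {
	var steps []string
	for _, step := range []string{"reconcilePublicCertificate", "retireLegacyGRPCCertificate"} {
		steps = append(steps, step)
		if err := absorb(deleteCert()); err != nil {
			return steps, fmt.Errorf("%s: %w", step, err)
		}
	}
	return append(steps, "StatefulSet"), nil
}

func main() {
	crdMissing := func() error { return fmt.Errorf("delete Certificate: %w", errNoMatch) }
	for _, absorb := range []func(error) error{ignoreNotFound, ignoreAbsent} {
		fmt.Println(reconcile(crdMissing, absorb))
	}
}
```

The helper deliberately matches only the two absence cases, so a permission or API server error on the Certificate kind still fails the reconcile instead of being silently dropped.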
