grafana · kimxogus · Nov 5, 2025 · Nov 5, 2025 · Nov 28, 2025 · Nov 28, 2025
@@ -85,5 +85,5 @@ Manually applying these CRDs is only required if upgrading from a chart <= v0.32
 | tolerations | list | `[]` |  |
 | webhooks.enabled | bool | `true` | Enable the rollout-operator webhooks. See https://github.com/grafana/rollout-operator/#webhooks. Note that the webhooks require custom resource definitions. If upgrading, manually apply the files in the `crds` directory. |
 | webhooks.failurePolicy | string | `"Fail"` | Validating and mutating webhook failure policy. `Ignore` or `Fail`. |
+| webhooks.selfSignedCertSecretName | string | `""` | Secret resource name for the TLS certificate to be used with the webhooks. If not set, a secret's name will be generated using the fullname template. |
 | webhooks.objectSelector | object | `{}` | objectSelector to filter which objects the webhooks apply to. |
-| webhooks.selfSignedCertSecretName | string | `"certificate"` | Secret resource name for the TLS certificate to be used with the webhooks |
@@ -92,3 +92,11 @@ Create the image name
 {{- (printf "%s:%s" .Values.image.repository $imageTag) }}
 {{- end -}}
 {{- end -}}
+
+{{- define "rollout-operator.secretName" -}}
+{{- if .Values.webhook.selfSignedCertSecretName }}
+{{- .Values.webhook.selfSignedCertSecretName }}
+{{- else }}
+{{- include "rollout-operator.fullname" . }}
+{{- end }}
+{{- end }}
@@ -53,7 +53,7 @@ spec:
           - -kubernetes.namespace={{ .Release.Namespace }}
           {{- if .Values.webhooks.enabled }}
           - -server-tls.enabled=true
-          - -server-tls.self-signed-cert.secret-name={{ .Values.webhooks.selfSignedCertSecretName }}
+          - -server-tls.self-signed-cert.secret-name={{ include "rollout-operator.secretName" . }}
           - -server-tls.self-signed-cert.dns-name={{ include "rollout-operator.fullname" . }}.{{ .Release.Namespace }}.svc
           {{- end }}
           {{- range .Values.extraArgs  }}

@@ -13,7 +13,7 @@ rules:
       - update
       - get
     resourceNames:
-      - {{ .Values.webhooks.selfSignedCertSecretName }}
+      - {{ include "rollout-operator.secretName" . }}
   - apiGroups:
       - ""
     resources:

@@ -106,8 +106,8 @@ webhooks:
   enabled: true
   # -- Validating and mutating webhook failure policy. `Ignore` or `Fail`.
   failurePolicy: "Fail"
-  # -- Secret resource name for the TLS certificate to be used with the webhooks
-  selfSignedCertSecretName: "certificate"
+  # -- Secret resource name for the TLS certificate to be used with the webhooks. If not set, a secret's name will be generated using the fullname template.
+  selfSignedCertSecretName: ""
   # -- objectSelector to filter which objects the webhooks apply to.
   objectSelector: {}
   # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector