feat: enable HA hub agents by optionally depending on cert manager

[weng271190436]

Description of your changes

Currently the in memory 10-year self-signed cert cannot be shared among replicas of hub agents so only the leader has a valid cert registered with API server

Using cert manger decouples cert management and hub agent core functionality. It also does cert rotation.

Trying to partially address Azure/fleet#1224

Fixes #

I have:

• Run make reviewable to ensure this PR is ready for review.

How has this code been tested

Special notes for your reviewer

[codecov]

Codecov Report

❌ Patch coverage is 83.03571% with 19 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
pkg/webhook/webhook.go	83.67%	6 Missing and 2 partials ⚠️
pkg/resourcewatcher/resource_collector.go	78.26%	3 Missing and 2 partials ⚠️
pkg/resourcewatcher/change_dector.go	50.00%	1 Missing and 1 partial ⚠️
pkg/resourcewatcher/informer_populator.go	88.88%	1 Missing and 1 partial ⚠️
pkg/utils/informer/informermanager.go	88.88%	1 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

This PR enables High Availability (HA) deployment for hub agents by adding optional cert-manager integration for webhook certificate management. Currently, self-signed certificates generated in-memory cannot be shared across replicas, limiting hub agents to single-replica deployments. By integrating cert-manager, the PR decouples certificate management from the hub agent's core functionality, enabling certificate sharing across replicas and automatic certificate rotation.

Key changes:

• Adds cert-manager as an optional certificate provider with conditional logic based on useCertManager flag
• Implements validation rules requiring enableWebhook=true and enableWorkload=true when using cert-manager
• Updates Helm charts with cert-manager Certificate/Issuer resources and volume mounts for certificate files
• Modifies E2E test setup to install cert-manager and test with 3 replicas

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
pkg/webhook/webhook.go	Adds cert-manager support with conditional certificate loading, CA injection annotations, and new config fields
pkg/webhook/webhook_test.go	Adds tests for cert-manager certificate loading, error cases, and mock certificate setup
cmd/hubagent/options/options.go	Adds three new flags: use-cert-manager, webhook-cert-dir, and webhook-cert-secret-name
cmd/hubagent/options/validation.go	Adds validation rules requiring EnableWebhook and EnableWorkload when UseCertManager is true
cmd/hubagent/options/validation_test.go	Adds comprehensive test cases for cert-manager validation rules
cmd/hubagent/main.go	Updates webhook setup to pass new cert-manager configuration parameters
charts/hub-agent/values.yaml	Adds cert-manager configuration values and fixes namespace formatting
charts/hub-agent/templates/deployment.yaml	Adds replica validation, volume mounts for certificates, and cert-manager flags
charts/hub-agent/templates/certificate.yaml	Creates new Certificate and Issuer resources for cert-manager integration
charts/hub-agent/README.md	Documents cert-manager installation, configuration options, and certificate management modes
test/e2e/setup.sh	Installs cert-manager before hub-agent and configures 3-replica HA deployment
.github/workflows/ci.yml	Adds CERT_MANAGER_VERSION environment variable for CI consistency