orchestratord TLS for balancerd and environmentd

misc/helm-charts/operator/README.md

@@ -269,6 +269,7 @@ The following table lists the configurable parameters of the Materialize operato
 | `storage.storageClass.provisioner` |  | ``""`` |
 | `storage.storageClass.reclaimPolicy` |  | ``"Delete"`` |
 | `storage.storageClass.volumeBindingMode` |  | ``"WaitForFirstConsumer"`` |
+| `tls.defaultCertificateSpecs` |  | ``{}`` |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
 

misc/helm-charts/operator/templates/clusterrole.yaml

@@ -109,5 +109,16 @@ rules:
   verbs:
   - get
   - list
+- apiGroups: ["cert-manager.io"]
+  resources:
+  - certificates
+  verbs:
+  - create
+  - update
+  - patch
+  - delete
+  - get
+  - list
+  - watch
 
 {{- end }}

misc/helm-charts/operator/templates/deployment.yaml

@@ -123,7 +123,9 @@ spec:
         {{- end }}
         {{- end }}
         {{- end }}
-
+        {{- if .Values.tls.defaultCertificateSpecs }}
+        - '--default-certificate-specs={{ toJson .Values.tls.defaultCertificateSpecs }}'
+        {{- end }}
         {{/* Observability */}}
         {{- if .Values.observability.enabled }}
         {{- if .Values.observability.podMetrics.enabled }}

misc/helm-charts/operator/values.yaml

@@ -255,6 +255,25 @@ networkPolicies:
     cidrs:
       - 0.0.0.0/0
 
+tls:
+  defaultCertificateSpecs: {}
+    #balancerdExternal:
+    #  dnsNames:
+    #    - balancerd
+    #  issuerRef:
+    #    name: dns01
+    #    kind: ClusterIssuer
+    #consoleExternal:
+    #  dnsNames:
+    #    - console
+    #  issuerRef:
+    #    name: dns01
+    #    kind: ClusterIssuer
+    #internal:
+    #  issuerRef:
+    #    name: dns01
+    #    kind: ClusterIssuer
+
 # Namespace configuration
 namespace:
   # Whether to create a new namespace for the deployment

misc/helm-charts/testing/environmentd.yaml

@@ -31,3 +31,19 @@ metadata:
 spec:
   environmentdImageRef: materialize/environmentd:v0.125.2
   backendSecretName: materialize-backend
+  #balancerdExternalCertificateSpec:
+  #  dnsNames:
+  #    - balancerd
+  #  issuerRef:
+  #    name: dns01
+  #    kind: ClusterIssuer
+  #consoleExternalCertificateSpec:
+  #  dnsNames:
+  #    - console
+  #  issuerRef:
+  #    name: dns01
+  #    kind: ClusterIssuer
+  #internalCertificateSpec:
+  #  issuerRef:
+  #    name: intermediate-ca
+  #    kind: Issuer

src/cloud-resources/src/crd.rs

@@ -23,6 +23,7 @@ use tracing::{info, warn};
 
 use mz_ore::retry::Retry;
 
+pub mod gen;
 pub mod materialize;
 pub mod vpc_endpoint;
 

src/cloud-resources/src/crd/gen.rs

@@ -0,0 +1,10 @@
+// Copyright Materialize, Inc. and contributors. All rights reserved.
+//
+// Use of this software is governed by the Business Source License
+// included in the LICENSE file.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0.
+
+pub mod cert_manager;

src/cloud-resources/src/crd/gen/cert_manager.rs

@@ -0,0 +1,11 @@
+// Copyright Materialize, Inc. and contributors. All rights reserved.
+//
+// Use of this software is governed by the Business Source License
+// included in the LICENSE file.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0.
+
+pub mod certificates;
+pub mod issuers;