
1// Copyright Materialize, Inc. and contributors. All rights reserved.
2//
3// Use of this software is governed by the Business Source License
4// included in the LICENSE file.
5//
6// As of the Change Date specified in that file, in accordance with
7// the Business Source License, use of this software will be governed
8// by the Apache License, Version 2.0.
9
10use mz_cloud_resources::crd::generated::cert_manager::certificates::{
11    Certificate, CertificatePrivateKey, CertificatePrivateKeyAlgorithm,
12    CertificatePrivateKeyEncoding, CertificatePrivateKeyRotationPolicy, CertificateSpec,
13};
14use mz_cloud_resources::crd::materialize::v1alpha1::{Materialize, MaterializeCertSpec};
15
/// Builds the cert-manager [`Certificate`] for one TLS endpoint of a
/// `Materialize` instance, or returns `None` when no issuer is configured.
///
/// Every field of `mz_cert_spec` (the per-instance override carried by the
/// `Materialize` resource) takes precedence over the corresponding field of
/// `default_spec` (the operator-wide default); a field absent from both falls
/// back to its `Default`. This includes `issuer_ref`, so whoever can edit the
/// `Materialize` resource also chooses which issuer the certificate is
/// requested from.
///
/// The private key settings are fixed here rather than read from either spec:
/// PKCS#8 encoding and rotation policy `Always`, i.e. cert-manager generates a
/// fresh private key on every renewal instead of reusing the previous one.
///
/// # Parameters
/// - `default_spec`: operator-level defaults; `None` is treated as all-empty.
/// - `mz`: the owning `Materialize` resource, used for the managed-resource
///   metadata and for the default labels merged into the secret template.
/// - `mz_cert_spec`: per-instance overrides; `None` is treated as all-empty.
/// - `cert_name`: name given to the `Certificate` object.
/// - `secret_name`: name of the Secret cert-manager writes the key pair to.
/// - `additional_dns_names`: extra SANs appended after those from the specs.
/// - `algorithm`: private key algorithm to request.
/// - `size`: private key size, passed through unchanged.
///
/// # Returns
/// `None` if neither spec provides an `issuer_ref`; otherwise the assembled
/// `Certificate` with `status: None`.
pub fn create_certificate(
    default_spec: Option<MaterializeCertSpec>,
    mz: &Materialize,
    mz_cert_spec: Option<MaterializeCertSpec>,
    cert_name: String,
    secret_name: String,
    additional_dns_names: Option<Vec<String>>,
    algorithm: CertificatePrivateKeyAlgorithm,
    size: Option<i64>,
) -> Option<Certificate> {
    let defaults = default_spec.unwrap_or_default();
    let overrides = mz_cert_spec.unwrap_or_default();

    // Without an issuer there is nothing cert-manager could sign with.
    let issuer_ref = overrides.issuer_ref.or(defaults.issuer_ref)?;

    // Merge the labels from the chosen secret template with the Materialize
    // default labels.
    // NOTE(review): the merged value is built by chaining the two sequences and
    // collecting; if `labels` is a map, the `mz.default_labels()` entries win on
    // key collision — confirm against the field's type.
    let mut secret_template = overrides
        .secret_template
        .or(defaults.secret_template)
        .unwrap_or_default();
    let merged_labels = secret_template
        .labels
        .take()
        .unwrap_or_default()
        .into_iter()
        .chain(mz.default_labels())
        .collect();
    secret_template.labels = Some(merged_labels);

    // SANs: spec-provided names first, then the caller's additional names.
    let mut dns_names = overrides
        .dns_names
        .or(defaults.dns_names)
        .unwrap_or_default();
    dns_names.extend(additional_dns_names.into_iter().flatten());

    let private_key = CertificatePrivateKey {
        algorithm: Some(algorithm),
        encoding: Some(CertificatePrivateKeyEncoding::Pkcs8),
        rotation_policy: Some(CertificatePrivateKeyRotationPolicy::Always),
        size,
    };
    let spec = CertificateSpec {
        dns_names: Some(dns_names),
        duration: overrides.duration.or(defaults.duration),
        issuer_ref,
        private_key: Some(private_key),
        renew_before: overrides.renew_before.or(defaults.renew_before),
        secret_name,
        secret_template: Some(secret_template),
        ..Default::default()
    };

    Some(Certificate {
        metadata: mz.managed_resource_meta(cert_name),
        spec,
        status: None,
    })
}
70
/// Reports whether either cert spec names an issuer.
///
/// This mirrors the `issuer_ref` resolution in `create_certificate` (override
/// first, then default), so callers can check up front whether that function
/// would return `Some`. Only the presence of `issuer_ref` is checked; the
/// referenced issuer itself is not validated here.
///
/// # Parameters
/// - `defaults`: operator-wide default spec, if any.
/// - `overrides`: per-instance override spec, if any.
///
/// # Returns
/// `true` if at least one of the two specs carries an `issuer_ref`.
pub fn issuer_ref_defined(
    defaults: &Option<MaterializeCertSpec>,
    overrides: &Option<MaterializeCertSpec>,
) -> bool {
    let has_issuer = |spec: &Option<MaterializeCertSpec>| {
        matches!(spec, Some(MaterializeCertSpec { issuer_ref: Some(_), .. }))
    };
    has_issuer(overrides) || has_issuer(defaults)
}