
1// Copyright Materialize, Inc. and contributors. All rights reserved.
2//
3// Use of this software is governed by the Business Source License
4// included in the LICENSE file.
5//
6// As of the Change Date specified in that file, in accordance with
7// the Business Source License, use of this software will be governed
8// by the Apache License, Version 2.0.
9
10use mz_cloud_resources::crd::generated::cert_manager::certificates::{
11    Certificate, CertificatePrivateKey, CertificatePrivateKeyAlgorithm,
12    CertificatePrivateKeyEncoding, CertificatePrivateKeyRotationPolicy, CertificateSpec,
13};
14use mz_cloud_resources::crd::materialize::v1alpha1::{Materialize, MaterializeCertSpec};
15
/// Builds the cert-manager `Certificate` for a Materialize instance, or `None` when no
/// issuer is configured anywhere.
///
/// `mz_cert_spec` carries the per-instance settings and `default_spec` the operator-wide
/// fallbacks. Field by field, the instance value wins and the default is consulted only when
/// the instance leaves the field unset. Either spec may be `None`, which is treated as empty.
///
/// Parameters:
/// - `default_spec`: fallback values for fields the instance spec does not set.
/// - `mz`: the owning `Materialize` resource; supplies the managed-resource metadata and the
///   default labels stamped onto the issued Secret.
/// - `mz_cert_spec`: the instance's own certificate settings.
/// - `cert_name`: name of the `Certificate` resource to create.
/// - `secret_name`: name of the Secret cert-manager writes the issued key pair into.
/// - `additional_dns_names`: extra SANs appended after whatever the specs list.
///
/// Returns `None` if neither spec names an `issuer_ref`, because cert-manager has nothing to
/// sign the request with.
pub fn create_certificate(
    default_spec: Option<MaterializeCertSpec>,
    mz: &Materialize,
    mz_cert_spec: Option<MaterializeCertSpec>,
    cert_name: String,
    secret_name: String,
    additional_dns_names: Option<Vec<String>>,
) -> Option<Certificate> {
    let defaults = default_spec.unwrap_or_else(MaterializeCertSpec::default);
    let overrides = mz_cert_spec.unwrap_or_else(MaterializeCertSpec::default);

    // Without an issuer there is nothing to request a certificate from.
    let issuer_ref = overrides.issuer_ref.or(defaults.issuer_ref)?;

    // SANs: the resolved spec list first, then any caller-supplied extras.
    let mut dns_names = overrides
        .dns_names
        .or(defaults.dns_names)
        .unwrap_or_default();
    dns_names.extend(additional_dns_names.into_iter().flatten());

    // The operator's default labels are chained *after* the user-supplied ones, so when
    // `labels` collects into a map a duplicate key keeps the operator's value
    // (presumably intended so managed-resource labels cannot be overridden — confirm).
    let mut secret_template = overrides
        .secret_template
        .or(defaults.secret_template)
        .unwrap_or_default();
    let user_labels = secret_template.labels.take().unwrap_or_default();
    secret_template.labels = Some(
        user_labels
            .into_iter()
            .chain(mz.default_labels())
            .collect(),
    );

    // Key material is deliberately not user-configurable: 4096-bit RSA encoded as PKCS#8,
    // with cert-manager's `Always` rotation policy so each renewal generates a fresh private
    // key instead of re-signing the existing one.
    let private_key = CertificatePrivateKey {
        algorithm: Some(CertificatePrivateKeyAlgorithm::Rsa),
        encoding: Some(CertificatePrivateKeyEncoding::Pkcs8),
        rotation_policy: Some(CertificatePrivateKeyRotationPolicy::Always),
        size: Some(4096),
    };

    let spec = CertificateSpec {
        dns_names: Some(dns_names),
        duration: overrides.duration.or(defaults.duration),
        issuer_ref,
        private_key: Some(private_key),
        renew_before: overrides.renew_before.or(defaults.renew_before),
        secret_name,
        secret_template: Some(secret_template),
        ..Default::default()
    };

    Some(Certificate {
        metadata: mz.managed_resource_meta(cert_name),
        spec,
        status: None,
    })
}
68
/// Reports whether a certificate could be issued at all: `true` when either the per-instance
/// `overrides` or the operator-wide `defaults` names an `issuer_ref`.
///
/// This mirrors the `issuer_ref` resolution in `create_certificate`, so callers can decide up
/// front whether that function would return `Some` without building the whole resource.
pub fn issuer_ref_defined(
    defaults: &Option<MaterializeCertSpec>,
    overrides: &Option<MaterializeCertSpec>,
) -> bool {
    // A spec counts only if it is present *and* actually sets an issuer.
    let names_issuer = |spec: &Option<MaterializeCertSpec>| {
        matches!(
            spec,
            Some(MaterializeCertSpec {
                issuer_ref: Some(_),
                ..
            })
        )
    };
    names_issuer(overrides) || names_issuer(defaults)
}
79            .and_then(|spec| spec.issuer_ref.as_ref())
80            .is_some()
81}