Add rootTlsSecret

[ZITADOPER-1]

src/api/v1alpha1/zitadelcluster_types.go

@@ -82,7 +82,8 @@ type ZitadelClusterSpec struct {
 	ServiceAnnotations map[string]string `json:"serviceAnnotations,omitempty"`
 	// +kubebuilder:default=3
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:podCount"}
-	Replicas int32 `json:"replicas,omitempty"`
+	Replicas      int32                  `json:"replicas,omitempty"`
+	RootTLSSecret corev1.SecretReference `json:"rootTLSSecret"`
 }
 
 // ZitadelClusterStatus defines the observed state of ZitadelCluster

src/api/v1alpha1/zz_generated.deepcopy.go

@@ -870,6 +870,7 @@ func (in *ZitadelClusterSpec) DeepCopyInto(out *ZitadelClusterSpec) {
 			(*out)[key] = val
 		}
 	}
+	out.RootTLSSecret = in.RootTLSSecret
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZitadelClusterSpec.

src/config/crd/bases/zitadel.topmanage.com_zitadelclusters.yaml

@@ -176,6 +176,20 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                     type: object
                 type: object
+              rootTLSSecret:
+                description: SecretReference represents a Secret Reference. It has
+                  enough information to retrieve secret in any namespace
+                properties:
+                  name:
+                    description: name is unique within a namespace to reference a
+                      secret resource.
+                    type: string
+                  namespace:
+                    description: namespace defines the space within which the secret
+                      name must be unique.
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               serviceAnnotations:
                 additionalProperties:
                   type: string
@@ -236,6 +250,7 @@ spec:
             - image
             - purpose
             - resources
+            - rootTLSSecret
             - smtpConfig
             type: object
           status:

src/pkg/builder/job_builder.go

@@ -37,6 +37,11 @@ func (b *Builder) BuildInitJob(zitadel *zitadelv1alpha1.ZitadelCluster, key type
 					},
 					EnableServiceLinks: &enableServiceLinks,
 					Volumes: []corev1.Volume{
+						{Name: "certs", VolumeSource: corev1.VolumeSource{
+							Secret: &corev1.SecretVolumeSource{
+								SecretName: zitadel.Spec.RootTLSSecret.Name,
+							},
+						}},
 						{Name: "zitadel-config-yaml", VolumeSource: corev1.VolumeSource{ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: configuration.ConfigurationName(zitadel)}}}},
 					},
 					Containers: []corev1.Container{
@@ -47,8 +52,23 @@ func (b *Builder) BuildInitJob(zitadel *zitadelv1alpha1.ZitadelCluster, key type
 								"init",
 								"--config", "/config/zitadel-config-yaml",
 							},
+							Env: []corev1.EnvVar{
+								{
+									Name:  "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT",
+									Value: "/certs/ca.crt",
+								},
+								{
+									Name:  "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT",
+									Value: "/certs/tls.crt",
+								},
+								{
+									Name:  "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY",
+									Value: "/certs/tls.key",
+								},
+							},
 							VolumeMounts: []corev1.VolumeMount{
 								{Name: "zitadel-config-yaml", MountPath: "/config"},
+								{Name: "certs", MountPath: "/certs"},
 							},
 						},
 					},

src/pkg/controller/configmap/controller.go

@@ -33,6 +33,9 @@ func (r *ConfigMapReconciler) ReconcileZitadelConfiguration(ctx context.Context,
 Database:
   Cockroach:
     Host: %s
+    Admin:
+     SSL:
+       Mode: require
 ExternalDomain: %s
 ExternalPort: %d
 ExternalSecure: %t