Introduce v1 of the Materialize CRD

[alex-hunt-materialize]

Adds a new v1 version of the Materialize CRD, and a conversion webhook in orchestratord to convert between v1 and v1alpha1.

The v1 CRD removes the requestRollout field in favor of calculating a hash over a subset of spec fields to determine when a rollout is needed.

v1alpha1 remains the storage version, and orchestratord still reconciles v1alpha1, so this is backwards compatible with existing automation. When a v1 CR is applied, the conversion webhook converts it to v1alpha1, injecting a requestRollout UUID derived deterministically (UUIDv5) from the spec hash: when the hash changes a rollout is triggered immediately (the intended v1 behavior), and when it hasn't, the same UUID is produced and no unintended rollout occurs.

The whole thing is opt-in:

• The v1 CRD and the conversion webhook are only installed when the operator.args.installV1CRD helm value is set (--install-v1-crd). Without it, only v1alpha1 is registered, no webhook serving certificate or service is created, and cert-manager is not required.
• Even with installV1CRD set, existing v1alpha1 CRs behave exactly as before; users switch individual instances by applying a v1 CR.

The webhook serving certificate is issued from a long-lived root CA (via an intermediate cert-manager issuer), so routine serving-certificate rotations don't invalidate the CA bundle registered in the CRD. orchestratord periodically reloads the certificate from disk (--webhook-cert-reload-interval) and re-registers the CRDs with the new CA bundle if the CA itself ever changes.

Separate documentation PR is at #35508

Cloud companion PR is at https://github.com/MaterializeInc/cloud/pull/12275

Motivation

Simplifying rollout behavior.
Part of https://linear.app/materializeinc/issue/DEP-7/design-simplifying-upgrade-rollouts-node-rolls-converted-to-project

Verification

Added orchestratord nightly tests for the v1 opt-in flow, webhook certificate rotation (including CA rotation and CRD re-registration), manual promotion, and CRD version checks asserting that v1 and the conversion webhook are installed if and only if installV1CRD is set. Verified the existing v1alpha1 tests still pass.

Deployed https://github.com/MaterializeInc/cloud/pull/12275 in a personal stack to validate that this works for SaaS at v1alpha1.

[github-actions]

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

• Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
• Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
• Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

• The PR title is descriptive and will make sense in the git log.
• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).