K8SPG-552 cert manager integration (#1233)

* K8SPG-552 cert manager integration

* fixes after merge

* fixes

* fixes on the cert config

* fixes

* fix e2e tst

* fix tests

* add check for restconfig

* add unit tests for certmanager

* imports and cert manager lib version fix

* revert cert manager version env

* regenerate go mod and sum

* fix controller runtime

* add RotationPolicyNever

* cr: get certs before trying to create them

* expose configuration for cert manager / tls

* fix test clause

* fix errors from conflicts

* Update percona/certmanager/certmanager_test.go

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* cr: remove log and remove already exists handling which is not triggered anymore

* fix namespaces for issuer and cert location - always match cluster

* fix unit tests

* fix e2e test

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: gkech

build/crd/crunchy/generated/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -22234,6 +22234,13 @@ spec:
                   format: int64
                   type: integer
                 type: array
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               userInterface:

build/crd/percona/generated/pgv2.percona.com_perconapgclusters.yaml

@@ -21721,6 +21721,13 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               unmanaged:

cmd/postgres-operator/main.go

@@ -29,6 +29,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
+	certmanagerscheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
 	"github.com/percona/percona-postgresql-operator/v2/internal/controller/pgupgrade"
 	"github.com/percona/percona-postgresql-operator/v2/internal/controller/postgrescluster"
 	"github.com/percona/percona-postgresql-operator/v2/internal/controller/runtime"
@@ -38,6 +39,7 @@ import (
 	"github.com/percona/percona-postgresql-operator/v2/internal/logging"
 	"github.com/percona/percona-postgresql-operator/v2/internal/naming"
 	"github.com/percona/percona-postgresql-operator/v2/internal/upgradecheck"
+	"github.com/percona/percona-postgresql-operator/v2/percona/certmanager"
 	perconaController "github.com/percona/percona-postgresql-operator/v2/percona/controller"
 	"github.com/percona/percona-postgresql-operator/v2/percona/controller/pgbackup"
 	"github.com/percona/percona-postgresql-operator/v2/percona/controller/pgcluster"
@@ -129,6 +131,10 @@ func main() {
 
 	assertNoError(volumesnapshotv1.AddToScheme(mgr.GetScheme()))
 
+	// K8SPG-552
+	// Add Scheme for cert-manager resources like Issuer and Certificate.
+	assertNoError(certmanagerscheme.AddToScheme(mgr.GetScheme()))
+
 	// add all PostgreSQL Operator controllers to the runtime manager
 	err = addControllersToManager(ctx, mgr)
 	assertNoError(err)
@@ -154,11 +160,14 @@ func addControllersToManager(ctx context.Context, mgr manager.Manager) error {
 	os.Setenv("REGISTRATION_REQUIRED", "false")
 
 	r := &postgrescluster.Reconciler{
-		Client:      mgr.GetClient(),
-		Owner:       postgrescluster.ControllerName,
-		Recorder:    mgr.GetEventRecorderFor(postgrescluster.ControllerName),
-		Tracer:      otel.Tracer(postgrescluster.ControllerName),
-		IsOpenShift: isOpenshift(ctx, mgr.GetConfig()),
+		Client:              mgr.GetClient(),
+		Scheme:              mgr.GetScheme(),
+		Owner:               postgrescluster.ControllerName,
+		Recorder:            mgr.GetEventRecorderFor(postgrescluster.ControllerName),
+		Tracer:              otel.Tracer(postgrescluster.ControllerName),
+		IsOpenShift:         isOpenshift(ctx, mgr.GetConfig()),
+		CertManagerCtrlFunc: certmanager.NewController,
+		RestConfig:          mgr.GetConfig(),
 	}
 	cm := &perconaController.CustomManager{Manager: mgr}
 	if err := r.SetupWithManager(cm); err != nil {

config/crd/bases/pgv2.percona.com_perconapgclusters.yaml

@@ -22360,6 +22360,13 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               unmanaged:

config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -22145,6 +22145,13 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               userInterface:

config/rbac/cluster/role.yaml

@@ -83,6 +83,22 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cert-manager.io
+  - certmanager.k8s.io
+  resources:
+  - certificaterequests
+  - certificates
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:

config/rbac/namespace/role.yaml

@@ -83,6 +83,22 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cert-manager.io
+  - certmanager.k8s.io
+  resources:
+  - certificaterequests
+  - certificates
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:

deploy/bundle.yaml

@@ -22657,6 +22657,13 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               unmanaged:
@@ -53187,6 +53194,13 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               userInterface:
@@ -55734,6 +55748,22 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cert-manager.io
+  - certmanager.k8s.io
+  resources:
+  - certificaterequests
+  - certificates
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:

deploy/cr.yaml

@@ -58,7 +58,9 @@ spec:
 #    customReplicationTLSSecret:
 #      name: replication1-cert
 #  tlsOnly: false
-
+#  tls:
+#    certValidityDuration: 2160h
+#    caValidityDuration: 26280h
 #  standby:
 #    enabled: true
 #    host: "<primary-ip>"

deploy/crd.yaml

@@ -22657,6 +22657,13 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               unmanaged:
@@ -53187,6 +53194,13 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               userInterface: