
Commit a23f407

Materialize CRD changes to use hash of the spec
1 parent b9fcfc4 commit a23f407

22 files changed

Lines changed: 2112 additions & 363 deletions


Cargo.lock

Lines changed: 43 additions & 0 deletions

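--- a/Cargo.toml
+++ b/Cargo.toml
@@ -290,6 +290,7 @@ aws-smithy-types = { version = "1.1.8", features = ["byte-stream-poll-next"] }
 aws-types = "1.3.9"
 axum = { version = "0.8.8", features = ["ws"] }
 axum-extra = { version = "0.12.5", features = ["typed-header"] }
+axum-server = { version = "0.8.0", features = ["tls-openssl"] }
 azure_core = "0.21.0"
 azure_identity = "0.21.0"
 azure_storage = "0.21.0"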

ci/nightly/pipeline.template.yml

Lines changed: 26 additions & 0 deletions
@@ -2439,6 +2439,32 @@ steps:
24392439
agents:
24402440
queue: hetzner-aarch64-16cpu-32gb
24412441

2442+
- id: orchestratord-v1alpha2-opt-in
2443+
label: "Orchestratord v1alpha2 opt-in tests"
2444+
artifact_paths: ["mz_debug_*.zip"]
2445+
depends_on: devel-docker-tags
2446+
timeout_in_minutes: 120
2447+
plugins:
2448+
- ./ci/plugins/mzcompose:
2449+
composition: orchestratord
2450+
run: v1alpha2-opt-in
2451+
ci-builder: stable
2452+
agents:
2453+
queue: hetzner-aarch64-16cpu-32gb
2454+
2455+
- id: orchestratord-manually-promote
2456+
label: "Orchestratord ManuallyPromote tests"
2457+
artifact_paths: ["mz_debug_*.zip"]
2458+
depends_on: devel-docker-tags
2459+
timeout_in_minutes: 120
2460+
plugins:
2461+
- ./ci/plugins/mzcompose:
2462+
composition: orchestratord
2463+
run: manually-promote
2464+
ci-builder: stable
2465+
agents:
2466+
queue: hetzner-aarch64-16cpu-32gb
2467+
24422468
- id: emulator
24432469
label: Materialize Emulator
24442470
depends_on: build-aarch64

doc/user/content/self-managed-deployments/installation/install-on-local-kind.md

Lines changed: 13 additions & 0 deletions
@@ -107,6 +107,19 @@ Starting in v26.0, Self-Managed Materialize requires a license key.
107107
kubectl get nodes --show-labels
108108
```
109109

110+
1. Install cert-manager
111+
112+
Cert-manager is used for generating TLS certificates needed by the materialize operator
113+
for CRD conversion webhooks.
114+
115+
```shell
116+
helm install cert-manager oci://quay.io/jetstack/charts/cert-manager \
117+
--version v1.19.2 \
118+
--namespace cert-manager \
119+
--create-namespace \
120+
--set crds.enabled=true
121+
```
122+
110123
1. To help you get started for local evaluation/testing, Materialize provides
111124
some sample configuration files. Download the sample configuration files from
112125
the Materialize repo:

misc/helm-charts/operator/README.md

Lines changed: 2 additions & 0 deletions
@@ -144,6 +144,8 @@ The following table lists the configurable parameters of the Materialize operato
144144
| `operator.args.enableInternalStatementLogging` | | ``true`` |
145145
| `operator.args.enableLicenseKeyChecks` | | ``false`` |
146146
| `operator.args.startupLogFilter` | Log filtering settings for startup logs | ``"INFO,mz_orchestratord=TRACE"`` |
147+
| `operator.certificate.secretName` | Name of a secret in the operator's namespace containing ca.crt, tls.crt, and tls.key entries. Only used if `source` is "secret". | ``nil`` |
148+
| `operator.certificate.source` | Where to obtain the certificate for orchestratord. Valid values are 'cert-manager' and 'secret'. | ``"cert-manager"`` |
147149
| `operator.cloudProvider.providers.aws.accountID` | When using AWS, accountID is required | ``""`` |
148150
| `operator.cloudProvider.providers.aws.enabled` | | ``false`` |
149151
| `operator.cloudProvider.providers.aws.iam.roles.connection` | ARN for CREATE CONNECTION feature | ``""`` |
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
# Copyright Materialize, Inc. and contributors. All rights reserved.
2+
#
3+
# Use of this software is governed by the Business Source License
4+
# included in the LICENSE file at the root of this repository.
5+
#
6+
# As of the Change Date specified in that file, in accordance with
7+
# the Business Source License, use of this software will be governed
8+
# by the Apache License, Version 2.0.
9+
10+
{{- if eq .Values.operator.certificate.source "cert-manager" -}}
11+
---
12+
apiVersion: cert-manager.io/v1
13+
kind: Issuer
14+
metadata:
15+
name: {{ include "materialize-operator.fullname" . }}-self-signed
16+
namespace: {{ .Release.Namespace }}
17+
labels:
18+
{{- include "materialize-operator.labels" . | nindent 4 }}
19+
spec:
20+
selfSigned: {}
21+
22+
---
23+
apiVersion: cert-manager.io/v1
24+
kind: Certificate
25+
metadata:
26+
name: {{ include "materialize-operator.fullname" . }}-self-signed
27+
namespace: {{ .Release.Namespace }}
28+
labels:
29+
{{- include "materialize-operator.labels" . | nindent 4 }}
30+
spec:
31+
dnsNames:
32+
- {{ include "materialize-operator.fullname" . }}.{{ .Release.Namespace }}.svc
33+
secretName: {{ include "materialize-operator.fullname" . }}-cert
34+
privateKey:
35+
algorithm: ECDSA
36+
rotationPolicy: Always
37+
issuerRef:
38+
name: {{ include "materialize-operator.fullname" . }}-self-signed
39+
kind: Issuer
40+
group: cert-manager.io
41+
{{- end -}}
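Review bot: The Certificate in the second document leaves `duration` and `renewBefore` at cert-manager's defaults, and because the Issuer is `selfSigned` the leaf certificate is itself the trust anchor, so every renewal (and every key rotation under `rotationPolicy: Always`) changes the CA that callers of the conversion webhook must trust. Pinning the schedule makes that operational fact visible: add `duration: 2160h` and `renewBefore: 360h` under `spec`, with a comment that the operator is presumably expected to re-publish `ca.crt` from the secret into the CRD's `caBundle` whenever it changes (inferred from the README row mentioning `ca.crt`; I cannot confirm it from this page). The template's file path is not shown in this rendering, so I cannot check that it is installed alongside the webhook Service whose name it uses in `dnsNames`.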

misc/helm-charts/operator/templates/clusterrole.yaml

Lines changed: 1 addition & 0 deletions
@@ -76,6 +76,7 @@ rules:
7676
- apiGroups: ["apiextensions.k8s.io"]
7777
resources:
7878
- customresourcedefinitions
79+
- customresourcedefinitions/status
7980
verbs:
8081
- create
8182
- update
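Review bot: The new `customresourcedefinitions/status` entry inherits the rule's unscoped grant, so the operator can write the status of every CRD in the cluster rather than only its own. If the write is only needed on the operator's own CRDs (presumably to maintain `status.storedVersions` after the conversion-webhook change), move it to a separate rule with `resourceNames: [<materialize CRD names — placeholder>]` and only the `update`/`patch` verbs, since `create` cannot be combined with `resourceNames`. A short comment next to the new line stating why status access is needed would also help future audits. The enclosing rule's verbs list continues past the end of the hunk.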

misc/helm-charts/operator/templates/deployment.yaml

Lines changed: 30 additions & 0 deletions
@@ -242,9 +242,15 @@ spec:
242242
- >
243243
--additional-crd-columns={{ toJson .Values.operator.additionalMaterializeCRDColumns }}
244244
{{- end }}
245+
- "--webhook-service-name"
246+
- {{ include "materialize-operator.fullname" . }}
247+
- "--webhook-service-namespace"
248+
- {{ .Release.Namespace }}
245249
ports:
246250
- containerPort: 3100
247251
name: metrics
252+
- containerPort: 8001
253+
name: webhook
248254
resources:
249255
{{- toYaml .Values.operator.resources | nindent 10 }}
250256
securityContext:
@@ -256,3 +262,27 @@ spec:
256262
runAsNonRoot: true
257263
seccompProfile:
258264
type: RuntimeDefault
265+
livenessProbe:
266+
httpGet:
267+
path: /healthz
268+
port: webhook
269+
scheme: HTTPS
270+
failureThreshold: 3
271+
periodSeconds: 10
272+
readinessProbe:
273+
httpGet:
274+
path: /healthz
275+
port: webhook
276+
scheme: HTTPS
277+
failureThreshold: 1
278+
periodSeconds: 10
279+
volumeMounts:
280+
- mountPath: /etc/tls
281+
name: certificate
282+
readOnly: true
283+
volumes:
284+
- name: certificate
285+
secret:
286+
defaultMode: 256
287+
optional: false
288+
secretName: {{ if eq .Values.operator.certificate.source "cert-manager" }}{{ include "materialize-operator.fullname" . }}-cert{{ else }}{{ .Values.operator.certificate.secretName }}{{ end }}
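Review bot: The volume's `secretName` on the last line falls back to `.Values.operator.certificate.secretName`, which values.yaml defaults to `null`, so a release with `source: secret` and no secret name renders an empty `secretName` and the failure presumably shows up only when the pod tries to mount the volume rather than at `helm install`; wrap the fallback as `{{ required "operator.certificate.secretName is required when operator.certificate.source is not cert-manager" .Values.operator.certificate.secretName }}`. The `eq ... "cert-manager"` test also means any misspelt `source` value silently takes the secret branch, so a `fail` on values other than the two documented ones would make the mistake visible. In the first hunk the `--webhook-service-name` and `--webhook-service-namespace` values are unquoted templated scalars; `{{ include "materialize-operator.fullname" . | quote }}` and `{{ .Release.Namespace | quote }}` keep them strings whatever the release or namespace is called. `defaultMode: 256` is decimal for 0400 and deserves a trailing comment, since the octal spelling is what a reader expects.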
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
# Copyright Materialize, Inc. and contributors. All rights reserved.
2+
#
3+
# Use of this software is governed by the Business Source License
4+
# included in the LICENSE file at the root of this repository.
5+
#
6+
# As of the Change Date specified in that file, in accordance with
7+
# the Business Source License, use of this software will be governed
8+
# by the Apache License, Version 2.0.
9+
10+
---
11+
apiVersion: v1
12+
kind: Service
13+
metadata:
14+
name: {{ include "materialize-operator.fullname" . }}
15+
namespace: {{ .Release.Namespace }}
16+
labels:
17+
{{- include "materialize-operator.labels" . | nindent 4 }}
18+
spec:
19+
selector:
20+
{{- include "materialize-operator.selectorLabels" . | nindent 4 }}
21+
ports:
22+
- name: webhook
23+
protocol: TCP
24+
port: 8001
25+
targetPort: 8001

misc/helm-charts/operator/values.yaml

Lines changed: 7 additions & 0 deletions
@@ -34,6 +34,13 @@ operator:
3434
# priority: 2
3535
# type: "string"
3636

37+
certificate:
38+
# -- (string) Where to obtain the certificate for orchestratord. Valid values are 'cert-manager' and 'secret'.
39+
source: cert-manager
40+
# -- (string) Name of a secret in the operator's namespace containing ca.crt, tls.crt, and tls.key entries. Only used if `source` is "secret".
41+
secretName: null
42+
43+
3744
# Cloud provider configuration
3845
cloudProvider:
3946
# -- Specifies cloud provider. Valid values are 'aws', 'gcp', 'azure' , 'generic', or 'local'
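Review bot: The comment on `secretName` says it is only used when `source` is "secret" but not that it is then mandatory, even though the deployment template substitutes it directly into the certificate volume's `secretName`. Make the requirement explicit in the doc string: `# -- (string) Name of a secret in the operator's namespace containing ca.crt, tls.crt, and tls.key entries. Required when `source` is "secret"; ignored otherwise.` The same wording belongs in the README table row for `operator.certificate.secretName`, which this commit also adds.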
