Add Cert Manager to Operator

.gitignore

@@ -405,4 +405,4 @@ charts/
 Chart.lock
 
 # Test output
-*.out
+*.out

api/preview/documentdb_types.go

@@ -53,6 +53,9 @@ type DocumentDBSpec struct {
 	ExposeViaService ExposeViaService `json:"exposeViaService,omitempty"`
 
 	Timeouts Timeouts `json:"timeouts,omitempty"`
+
+	// TLS configures certificate management for DocumentDB components.
+	TLS *TLSConfiguration `json:"tls,omitempty"`
 }
 
 type Resource struct {
@@ -81,11 +84,75 @@ type Timeouts struct {
 	StopDelay int32 `json:"stopDelay,omitempty"`
 }
 
+// TLSConfiguration aggregates TLS settings across DocumentDB components.
+type TLSConfiguration struct {
+	// Gateway configures TLS for the gateway sidecar (Phase 1: certificate provisioning only).
+	Gateway *GatewayTLS `json:"gateway,omitempty"`
+
+	// Postgres configures TLS for the Postgres server (placeholder for future phases).
+	Postgres *PostgresTLS `json:"postgres,omitempty"`
+
+	// GlobalEndpoints configures TLS for global endpoints (placeholder for future phases).
+	GlobalEndpoints *GlobalEndpointsTLS `json:"globalEndpoints,omitempty"`
+}
+
+// GatewayTLS defines TLS configuration for the gateway sidecar (Phase 1: certificate provisioning only)
+type GatewayTLS struct {
+	// Mode selects the TLS management strategy.
+	// +kubebuilder:validation:Enum=Disabled;SelfSigned;CertManager;Provided
+	Mode string `json:"mode,omitempty"`
+
+	// CertManager config when Mode=CertManager.
+	CertManager *CertManagerTLS `json:"certManager,omitempty"`
+
+	// Provided secret reference when Mode=Provided.
+	Provided *ProvidedTLS `json:"provided,omitempty"`
+}
+
+// PostgresTLS acts as a placeholder for future Postgres TLS settings.
+type PostgresTLS struct{}
+
+// GlobalEndpointsTLS acts as a placeholder for future global endpoint TLS settings.
+type GlobalEndpointsTLS struct{}
+
+// CertManagerTLS holds parameters for cert-manager driven certificates.
+type CertManagerTLS struct {
+	IssuerRef IssuerRef `json:"issuerRef"`
+	// DNSNames for the certificate SANs. If empty, operator will add Service DNS names.
+	DNSNames []string `json:"dnsNames,omitempty"`
+	// SecretName optional explicit name for the target secret. If empty a default is chosen.
+	SecretName string `json:"secretName,omitempty"`
+}
+
+// ProvidedTLS references an existing secret that contains tls.crt/tls.key (and optional ca.crt).
+type ProvidedTLS struct {
+	SecretName string `json:"secretName"`
+}
+
+// IssuerRef references a cert-manager Issuer or ClusterIssuer.
+type IssuerRef struct {
+	Name string `json:"name"`
+	// Kind of issuer (Issuer or ClusterIssuer). Defaults to Issuer.
+	Kind string `json:"kind,omitempty"`
+	// Group defaults to cert-manager.io
+	Group string `json:"group,omitempty"`
+}
+
 // DocumentDBStatus defines the observed state of DocumentDB.
 type DocumentDBStatus struct {
 	// Status reflects the status field from the underlying CNPG Cluster.
 	Status           string `json:"status,omitempty"`
 	ConnectionString string `json:"connectionString,omitempty"`
+
+	// TLS reports gateway TLS provisioning status (Phase 1).
+	TLS *TLSStatus `json:"tls,omitempty"`
+}
+
+// TLSStatus captures readiness and secret information.
+type TLSStatus struct {
+	Ready      bool   `json:"ready,omitempty"`
+	SecretName string `json:"secretName,omitempty"`
+	Message    string `json:"message,omitempty"`
 }
 
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=".status.status",description="CNPG Cluster Status"

cmd/main.go

@@ -24,6 +24,7 @@ import (
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
+	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	cnpgv1 "github.com/cloudnative-pg/cloudnative-pg/api/v1"
 	dbpreview "github.com/microsoft/documentdb-operator/api/preview"
 	"github.com/microsoft/documentdb-operator/internal/controller"
@@ -41,6 +42,7 @@ func init() {
 
 	utilruntime.Must(dbpreview.AddToScheme(scheme))
 	utilruntime.Must(cnpgv1.AddToScheme(scheme))
+	utilruntime.Must(cmapi.AddToScheme(scheme))
 	utilruntime.Must(fleetv1alpha1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }
@@ -193,6 +195,14 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err = (&controller.CertificateReconciler{
+		Client: mgr.GetClient(),
+		Scheme: mgr.GetScheme(),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Certificate")
+		os.Exit(1)
+	}
+
 	if err = (&controller.DocumentDBReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),