Support Non-K8s Certificate Authority for the Operator

[johnrk-zz]

EKS does not support the K8s CA. For customers that need to create a secure cluster and want to use EKS, the flexibility to support a non-K8s CA is needed.

As described in this Github issue and demonstrated in this forum post, customers trying to use CockroachDB with EKS have run into this pain point.

cc @taroface

[chrislovecnm]

We already have this functionality build in. I have not tested it, but see

https://github.com/cockroachdb/cockroach-operator/blob/master/api/v1alpha1/cluster_types.go#L48

[taroface]

@chrislovecnm Which parameter does that line refer to? TLSEnabled is a bool. I couldn't find a place in the config to specify ca.crt.

[chrislovecnm]

cockroach-operator/api/v1alpha1/cluster_types.go

Lines 48 to 54 in 9e4ced6

	// (Optional) The secret with certificates and a private key for the TLS endpoint
	// on the database port. The standard naming of files is expected (tls.key, tls.crt, ca.crt)
	// Default: ""
	NodeTLSSecret string `json:"nodeTLSSecret,omitempty"`
	// (Optional) The secret with a certificate and a private key for root database user
	// Default: ""
	ClientTLSSecret string `json:"clientTLSSecret,omitempty"`

These two values

[johnrk-zz]

@taroface , this issue is still open but was determined to be a non-MVP issue.