diff --git a/postgres/certificates.yaml b/postgres/certificates.yaml
new file mode 100644
index 0000000..56d3361
--- /dev/null
+++ b/postgres/certificates.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: shahab-client-cert
+ namespace: postgres-system
+spec:
+ secretName: shahab-client-cert
+ usages:
+ - client auth
+ commonName: shahab
+ issuerRef:
+ name: postgres-client-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
diff --git a/postgres/cluster.yaml b/postgres/cluster.yaml
index bb8bae3..08bd079 100644
--- a/postgres/cluster.yaml
+++ b/postgres/cluster.yaml
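Review bot: The `shahab-client-cert` Certificate sets no `privateKey.rotationPolicy`, so cert-manager's default (`Never`) re-signs the same private key on every renewal; for a certificate whose CN maps to `hostssl all shahab all cert` and `CREATE USER shahab SUPERUSER;` in cluster.yaml, add `privateKey:` / `  rotationPolicy: Always` under `spec`. The leaf also falls back to cert-manager's RSA default while both CAs in cluster.yaml use ECDSA, so `algorithm: ECDSA` in the same `privateKey` block would keep the chain consistent. Because the resulting Secret is superuser credential material living next to the cluster, a comment such as `# superuser client cert: whoever can read this Secret in postgres-system has superuser on the cluster` above `metadata` would make the blast radius visible to the next reader.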
@@ -1,4 +1,114 @@
 ---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: postgres-system
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: server-ca
+ namespace: postgres-system
+spec:
+ isCA: true
+ commonName: postgres-server-ca
+ secretName: postgres-server-ca
+ privateKey:
+ algorithm: ECDSA
+ size: 384
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: postgres-server-ca-issuer
+ namespace: postgres-system
+spec:
+ ca:
+ secretName: postgres-server-ca
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: postgres-server-cert
+ namespace: postgres-system
+ labels:
+ cnpg.io/reload: ""
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: postgres-server-cert
+ namespace: postgres-system
+spec:
+ secretName: postgres-server-cert
+ usages:
+ - server auth
+ dnsNames:
+ - postgres-cluster-rw.postgres-system.svc.cluster.local
+ - postgres-cluster-ro.postgres-system.svc.cluster.local
+ - postgres-cluster-r.postgres-system.svc.cluster.local
+ - postgres.dogar.dev
+ issuerRef:
+ name: postgres-server-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: client-ca
+ namespace: postgres-system
+spec:
+ isCA: true
+ commonName: postgres-client-ca
+ secretName: postgres-client-ca
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-issuer
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: postgres-client-ca-issuer
+ namespace: postgres-system
+spec:
+ ca:
+ secretName: postgres-client-ca
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: postgres-client-cert
+ namespace: postgres-system
+ labels:
+ cnpg.io/reload: ""
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: postgres-client-cert
+ namespace: postgres-system
+spec:
+ secretName: postgres-client-cert
+ usages:
+ - client auth
+ commonName: streaming_replica
+ issuerRef:
+ name: postgres-client-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+---
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
@@ -6,16 +116,16 @@ metadata:
 namespace: postgres-system
 spec:
 instances: 3
- minSyncReplicas: 0
 maxSyncReplicas: 0
 primaryUpdateStrategy: unsupervised
 certificates:
- serverAltDNSNames:
- - postgres.dogar.dev
+ serverCASecret: postgres-server-cert
+ serverTLSSecret: postgres-server-cert
+ clientCASecret: postgres-client-cert
+ replicationTLSSecret: postgres-client-cert
 postgresql:
 pg_hba:
 - hostssl all shahab all cert
- - hostssl all dogar all cert
 - hostssl sameuser all all cert
 - hostssl giteadb gitea 10.42.0.0/16 scram-sha-256
 enableSuperuserAccess: false
@@ -26,11 +136,5 @@ spec:
 name: postgres-password
 postInitSQL:
 - 'CREATE USER shahab SUPERUSER;'
- - 'CREATE USER dogar SUPERUSER;'
- - 'CREATE USER leviathan;'
- - 'CREATE DATABASE leviathan;'
- - 'CREATE USER "schedule-consist";'
- - 'CREATE DATABASE "schedule-consist";'
- - 'CREATE DATABASE giteadb;'
 storage:
 size: 1Gi
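Review bot: The `postgres-server-cert` `dnsNames` list carries only the `.svc.cluster.local` form of the rw/ro/r services plus `postgres.dogar.dev`, so an in-cluster client that connects as `postgres-cluster-rw` or `postgres-cluster-rw.postgres-system.svc` with `sslmode=verify-full` will fail hostname verification; as far as I recall the operator-generated certificate this replaces covered those shorter forms, so add them to `dnsNames` unless every client is known to use the FQDN. Separately, the two empty `Secret` objects that exist only to carry `cnpg.io/reload: ""` are created with the default `Opaque` type and race cert-manager for the same name; the Certificate's own `secretTemplate:` / `  labels:` / `    cnpg.io/reload: ""` sets the label without a pre-created object, and if the pre-creation stays it is worth confirming cert-manager keeps the label and tolerates the immutable `Opaque` type. Both CA private keys (`postgres-server-ca`, `postgres-client-ca`) now live as Secrets in `postgres-system` beside the cluster, and anyone who can read `postgres-client-ca` can mint a certificate for any CN that `pg_hba` accepts; a comment stating that above the `client-ca` Certificate, together with the RBAC that guards those Secrets, would help.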
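Review bot: The new `certificates:` block points `serverCASecret` and `clientCASecret` at the leaf secrets rather than at the CA secrets, which works only because cert-manager writes the issuing CA into `ca.crt` of a CA-issued certificate's Secret; that contract is invisible here, so a comment such as `# serverCASecret/clientCASecret reuse the leaf secrets: cert-manager stores the issuing CA in their ca.crt` above `serverCASecret` would keep the next maintainer from "correcting" it. With `clientCASecret` set, the retained rule `hostssl all shahab all cert` grants superuser (`CREATE USER shahab SUPERUSER;` in the following hunk) to any certificate the client CA signs with CN `shahab`, from any address; if that user is only used from known networks, narrow the `all` address field to a range as the `gitea` rule already does. The Cluster resource begins before this hunk and continues past it.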