feat: Postgers | use client managed certificates

postgres/certificates.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: shahab-client-cert
+  namespace: postgres-system
+spec:
+  secretName: shahab-client-cert
+  usages:
+    - client auth
+  commonName: shahab
+  issuerRef:
+    name: postgres-client-ca-issuer
+    kind: Issuer
+    group: cert-manager.io

postgres/cluster.yaml

@@ -1,4 +1,114 @@
 ---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: postgres-system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: server-ca
+  namespace: postgres-system
+spec:
+  isCA: true
+  commonName: postgres-server-ca
+  secretName: postgres-server-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 384
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: postgres-server-ca-issuer
+  namespace: postgres-system
+spec:
+  ca:
+    secretName: postgres-server-ca
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgres-server-cert
+  namespace: postgres-system
+  labels:
+    cnpg.io/reload: ""
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-server-cert
+  namespace: postgres-system
+spec:
+  secretName: postgres-server-cert
+  usages:
+    - server auth
+  dnsNames:
+    - postgres-cluster-rw.postgres-system.svc.cluster.local
+    - postgres-cluster-ro.postgres-system.svc.cluster.local
+    - postgres-cluster-r.postgres-system.svc.cluster.local
+    - postgres.dogar.dev
+  issuerRef:
+    name: postgres-server-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: client-ca
+  namespace: postgres-system
+spec:
+  isCA: true
+  commonName: postgres-client-ca
+  secretName: postgres-client-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: postgres-client-ca-issuer
+  namespace: postgres-system
+spec:
+  ca:
+    secretName: postgres-client-ca
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgres-client-cert
+  namespace: postgres-system
+  labels:
+    cnpg.io/reload: ""
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-client-cert
+  namespace: postgres-system
+spec:
+  secretName: postgres-client-cert
+  usages:
+    - client auth
+  commonName: streaming_replica
+  issuerRef:
+    name: postgres-client-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
@@ -6,16 +116,16 @@ metadata:
   namespace: postgres-system
 spec:
   instances: 3
-  minSyncReplicas: 0
   maxSyncReplicas: 0
   primaryUpdateStrategy: unsupervised
   certificates:
-    serverAltDNSNames:
+    serverCASecret: postgres-server-cert
-      - postgres.dogar.dev
+    serverTLSSecret: postgres-server-cert
+    clientCASecret: postgres-client-cert
+    replicationTLSSecret: postgres-client-cert
   postgresql:
     pg_hba:
       - hostssl all      shahab   all          cert
-      - hostssl all      dogar    all          cert
       - hostssl sameuser all      all          cert
       - hostssl giteadb  gitea    10.42.0.0/16 scram-sha-256
   enableSuperuserAccess: false
@@ -26,11 +136,5 @@ spec:
         name: postgres-password
       postInitSQL:
         - 'CREATE USER shahab SUPERUSER;'
-        - 'CREATE USER dogar SUPERUSER;'
-        - 'CREATE USER leviathan;'
-        - 'CREATE DATABASE leviathan;'
-        - 'CREATE USER "schedule-consist";'
-        - 'CREATE DATABASE "schedule-consist";'
-        - 'CREATE DATABASE giteadb;'
   storage:
     size: 1Gi