---
# Bootstrap issuer: used only to sign the two CA certificates below.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: postgres-system
spec:
  selfSigned: {}
---
# Server-side CA (ECDSA P-384); signs the PostgreSQL server certificate.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: server-ca
  namespace: postgres-system
spec:
  isCA: true
  commonName: postgres-server-ca
  secretName: postgres-server-ca
  privateKey:
    algorithm: ECDSA
    size: 384
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
# CA issuer backed by the server CA secret produced above.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: postgres-server-ca-issuer
  namespace: postgres-system
spec:
  ca:
    secretName: postgres-server-ca
---
# Pre-created (empty) so the cnpg.io/reload label is already present when
# cert-manager writes the key material in; the label tells CNPG to reload
# the cluster when this secret changes.
apiVersion: v1
kind: Secret
metadata:
  name: postgres-server-cert
  namespace: postgres-system
  labels:
    cnpg.io/reload: ""
---
# Server leaf certificate for the CNPG service names plus the external host.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-server-cert
  namespace: postgres-system
spec:
  secretName: postgres-server-cert
  usages:
    - server auth
  dnsNames:
    - postgres-cluster-rw.postgres-system.svc.cluster.local
    - postgres-cluster-ro.postgres-system.svc.cluster.local
    - postgres-cluster-r.postgres-system.svc.cluster.local
    - postgres.dogar.dev
  issuerRef:
    name: postgres-server-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
# Client-side CA (ECDSA P-256; note the server CA above uses P-384).
# Any certificate chained to this CA is accepted by the `cert` pg_hba rules
# in the Cluster below, so its private key is security-critical.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: client-ca
  namespace: postgres-system
spec:
  isCA: true
  commonName: postgres-client-ca
  secretName: postgres-client-ca
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
# CA issuer backed by the client CA secret produced above.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: postgres-client-ca-issuer
  namespace: postgres-system
spec:
  ca:
    secretName: postgres-client-ca
---
# Pre-created (empty) for the same reason as postgres-server-cert.
apiVersion: v1
kind: Secret
metadata:
  name: postgres-client-cert
  namespace: postgres-system
  labels:
    cnpg.io/reload: ""
---
# Client certificate used by CNPG for streaming replication; the CN must
# match the replication role name.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-client-cert
  namespace: postgres-system
spec:
  secretName: postgres-client-cert
  usages:
    - client auth
  commonName: streaming_replica
  issuerRef:
    name: postgres-client-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: postgres-cluster
  namespace: postgres-system
spec:
  instances: 3
  # 0 synchronous replicas: replication is asynchronous.
  maxSyncReplicas: 0
  primaryUpdateStrategy: unsupervised
  # The CA fields reference the leaf-cert secrets: with a CA issuer,
  # cert-manager stores the issuing CA as ca.crt next to tls.crt/tls.key.
  certificates:
    serverCASecret: postgres-server-cert
    serverTLSSecret: postgres-server-cert
    clientCASecret: postgres-client-cert
    replicationTLSSecret: postgres-client-cert
  postgresql:
    # Only TLS connections are listed; rules are matched top-down.
    pg_hba:
      # shahab is a SUPERUSER (see postInitSQL) and is admitted solely by a
      # client certificate chained to postgres-client-ca.
      - hostssl all shahab all cert
      # Any role may reach the database of the same name, cert auth only.
      - hostssl sameuser all all cert
      # gitea uses password auth, restricted to the 10.42.0.0/16 range.
      - hostssl giteadb gitea 10.42.0.0/16 scram-sha-256
  # Disables password access for the built-in `postgres` superuser; the
  # only superuser path left is shahab's certificate rule above.
  enableSuperuserAccess: false
  bootstrap:
    initdb:
      # NOTE(review): `postgres` already exists after initdb — confirm a
      # dedicated application database was not intended here.
      database: postgres
      # Credentials for the bootstrap database owner; expected to exist in
      # postgres-system before the Cluster is created.
      secret:
        name: postgres-password
      postInitSQL:
        - 'CREATE USER shahab SUPERUSER;'
  storage:
    size: 1Gi