---
# Bootstrap issuer. In this file it is referenced only by the two CA
# Certificates (server-ca, client-ca); leaf certificates go through the
# CA issuers derived from those, not through this one.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: postgres-system
spec:
  selfSigned: {}
---
# Self-signed root CA for the Postgres *server* side of TLS.
# The Secret it produces (postgres-server-ca) holds the CA private key. The
# Cluster below does not reference this Secret at all — it takes its trust
# anchor from ca.crt in the leaf Secret — so the CA key never has to be
# handed to CNPG or the database pods.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: server-ca
  namespace: postgres-system
spec:
  isCA: true
  commonName: postgres-server-ca
  secretName: postgres-server-ca
  privateKey:
    algorithm: ECDSA
    # P-384 here vs. P-256 for client-ca below: both acceptable, just inconsistent.
    size: 384
    # rotationPolicy is not set (cert-manager default: reuse the key on renewal).
    # NOTE(review): keep it that way for a CA — a fresh CA key on renewal would
    # break verification of every leaf still chained to the old key.
  # No duration/renewBefore: cert-manager's default lifetime applies.
  # NOTE(review): consider pinning an explicit, longer duration for a CA.
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
# CA issuer backed by the postgres-server-ca Secret; signs the server leaf
# certificate (postgres-server-cert) below.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: postgres-server-ca-issuer
  namespace: postgres-system
spec:
  ca:
    secretName: postgres-server-ca
---
# Placeholder Secret, created empty so the cnpg.io/reload label exists before
# cert-manager writes the server certificate into it (the Certificate below
# uses the same secretName). By its name, the label is what CNPG watches to
# reload on content changes.
# NOTE(review): Certificate.spec.secretTemplate can apply labels to the issued
# Secret and would make this placeholder unnecessary — confirm support in the
# cert-manager version in use.
apiVersion: v1
kind: Secret
metadata:
  name: postgres-server-cert
  namespace: postgres-system
  labels:
    cnpg.io/reload: ""
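---
# Server leaf certificate presented by the Postgres instances. Because it is
# issued through a CA issuer, cert-manager also writes ca.crt into this
# Secret — which is why the Cluster below uses this single Secret for both
# serverTLSSecret and serverCASecret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-server-cert
  namespace: postgres-system
spec:
  secretName: postgres-server-cert
  usages:
    - server auth
  # Every name a client may verify against: the three CNPG service names
  # (rw / ro / r) plus the external DNS name.
  dnsNames:
    - postgres-cluster-rw.postgres-system.svc.cluster.local
    - postgres-cluster-ro.postgres-system.svc.cluster.local
    - postgres-cluster-r.postgres-system.svc.cluster.local
    - postgres.dogar.dev
  privateKey:
    # Generate a fresh key on every renewal rather than reusing the old one
    # (cert-manager's default is Never). Safe for a leaf: cert and key are
    # written together, and the reload label on the Secret presumably lets
    # CNPG pick up the new pair.
    rotationPolicy: Always
    # algorithm/size are not set, so cert-manager's defaults apply; the CAs
    # above use ECDSA, so the chain is mixed-algorithm (valid, just noted).
  issuerRef:
    name: postgres-server-ca-issuer
    kind: Issuer
    group: cert-manager.io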
---
# Self-signed root CA for *client* authentication. Anything signed by it is
# accepted by the pg_hba `cert` rules in the Cluster below, so whoever can read
# the postgres-client-ca Secret can mint a certificate for any CN — including
# "shahab", who is created as a SUPERUSER there. Treat access to this Secret
# as equivalent to superuser credentials (RBAC on postgres-system Secrets).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: client-ca
  namespace: postgres-system
spec:
  isCA: true
  commonName: postgres-client-ca
  secretName: postgres-client-ca
  privateKey:
    algorithm: ECDSA
    # P-256 here vs. P-384 for server-ca above: both acceptable, just inconsistent.
    size: 256
    # rotationPolicy not set (cert-manager default). NOTE(review): leave it for a
    # CA — regenerating the key would invalidate issued client certs.
  # No duration/renewBefore: cert-manager's default lifetime applies.
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
# CA issuer backed by the postgres-client-ca Secret; signs client certificates
# (in this file, only the streaming_replica certificate below).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: postgres-client-ca-issuer
  namespace: postgres-system
spec:
  ca:
    secretName: postgres-client-ca
---
# Placeholder Secret for the replication client certificate, created empty so
# the cnpg.io/reload label is present before cert-manager populates it (the
# Certificate below uses the same secretName).
# NOTE(review): Certificate.spec.secretTemplate could carry this label instead —
# confirm against the cert-manager version in use.
apiVersion: v1
kind: Secret
metadata:
  name: postgres-client-cert
  namespace: postgres-system
  labels:
    cnpg.io/reload: ""
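---
# Client certificate for CNPG's replication role. The CN must equal the
# Postgres role name (streaming_replica) for the pg_hba `cert` rules to map it.
# Issued via a CA issuer, so the Secret also contains ca.crt; the Cluster
# below uses it both as replicationTLSSecret and (via ca.crt) clientCASecret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-client-cert
  namespace: postgres-system
spec:
  secretName: postgres-client-cert
  usages:
    - client auth
  commonName: streaming_replica
  privateKey:
    # New key on every renewal (cert-manager default is Never). Safe for a
    # leaf: cert and key are replaced together in the same Secret.
    rotationPolicy: Always
  issuerRef:
    name: postgres-client-ca-issuer
    kind: Issuer
    group: cert-manager.io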
---
# CloudNativePG cluster wired to the cert-manager certificates above.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: postgres-cluster
  namespace: postgres-system
spec:
  instances: 3
  # 0 synchronous replicas: replication is fully asynchronous.
  maxSyncReplicas: 0
  primaryUpdateStrategy: unsupervised
  # All four references point at the cert-manager *leaf* Secrets, not the CA
  # Secrets. The leaf Secrets carry ca.crt, so CNPG gets its trust anchors
  # without ever being given a CA private key (least privilege for the pods).
  certificates:
    serverCASecret: postgres-server-cert
    serverTLSSecret: postgres-server-cert
    clientCASecret: postgres-client-cert
    replicationTLSSecret: postgres-client-cert
  postgresql:
    # NOTE(review): CNPG generates the surrounding pg_hba.conf (its own fixed
    # rules first and a default catch-all after these). Verify the effective
    # file on an instance rather than treating these three lines as the whole
    # policy.
    pg_hba:
      # shahab: any database, any source address, but only with a client cert
      # whose CN is "shahab" and which chains to postgres-client-ca. shahab is a
      # SUPERUSER (postInitSQL below), so that CA key is effectively a superuser
      # credential — restrict who can read the postgres-client-ca Secret.
      - hostssl all shahab all cert
      # Any other cert holder may reach only the database named after its CN.
      - hostssl sameuser all all cert
      # Password (SCRAM) auth for gitea, limited by source CIDR. Neither the
      # role nor the database is created in this file. 10.42.0.0/16 looks like
      # a pod CIDR (k3s default); if so, every pod in the cluster can attempt
      # this login, and a NetworkPolicy is what would scope it to gitea's pods.
      - hostssl giteadb gitea 10.42.0.0/16 scram-sha-256
  # Disables password access for the built-in `postgres` superuser only. It
  # does not cover shahab, who is created as a second superuser below.
  enableSuperuserAccess: false
  bootstrap:
    initdb:
      database: postgres
      # Secret is not defined in this file. NOTE(review): `owner` is not set;
      # confirm which role actually receives these credentials when database is
      # `postgres`, given that superuser password access is disabled above.
      secret:
        name: postgres-password
      postInitSQL:
        # Admin role created without a password: unless one is set later, the
        # only way in is the `cert` rule for shahab above.
        - 'CREATE USER shahab SUPERUSER;'
  storage:
    size: 1Gi