
Allow specifying ca secret and tls secret separately

Open · brandonavant opened this issue 2 years ago • 1 comment

Overview

In older versions of PGO, the PgCluster spec allowed for specifying spec.tls.caSecret and spec.tls.tlsSecret as separate values. For my team, this was a requirement as we use an ACME ClusterIssuer to obtain wildcard certificates (i.e. *.ourdomainname.com). With an ACME certificate, the generated secret contains a tls.crt and tls.key but not ca.crt.

In the 5.1.1 Operator, the PostgresCluster resource doesn't appear to provide a way to discern between the ca secret and the tls secret; it's all rolled into one (i.e. customTLSSecret as per the official documentation on the matter).

I'm looking to be able to specify those two secrets separately so that our PGO TLS setup will work as it did in 4.x.

Use Case

We are generating certificates from an ACME ClusterIssuer, whose generated secrets do not include a ca.crt in the data. As such, we generate a secret containing the ca.crt separately.

Desired Behavior

Please add a spec configuration (similar to what was possible in the PgCluster resource in 4.x) which will allow us to specify the tls.crt and tls.key in one secret and the ca.crt in a separate secret. This is how that used to look:

spec:
  tls:
    caSecret: my-ca-secret
    tlsSecret: my-tls-secret

Version 5.x would support something similar.

Environment

  • Platform: AKS
  • Platform Version: Kubernetes 1.23
  • PGO Image Tag: ubi8-5.1.1-0
  • Postgres Version: 14
  • Storage: 1Gi (ReadWriteOnce)
  • Number of Postgres clusters: 1

brandonavant · Jun 23 '22 16:06
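As an added example, not code from this issue or from the PGO project: until the spec gains separate fields, the two secrets described above can be merged into the single-secret layout. The script below builds one Secret from an ACME-issued TLS secret (tls.crt, tls.key) and a separately maintained CA secret (ca.crt), refusing to proceed if either input lacks its keys. It assumes customTLSSecret reads the data keys ca.crt, tls.crt and tls.key; the secret names and PEM bodies are constructed placeholders.

```python
"""Combine an ACME-issued TLS Secret (tls.crt + tls.key) with a separately
maintained CA Secret (ca.crt) into one Secret carrying all three keys."""
import base64

CUSTOM_TLS_KEYS = ("ca.crt", "tls.crt", "tls.key")  # assumed customTLSSecret layout

def missing_keys(secret, required=CUSTOM_TLS_KEYS):
    """Return the required data keys this Secret does not carry."""
    return [k for k in required if k not in (secret.get("data") or {})]

def _pem(secret, key):
    """Decode one base64 data entry and require it to look like PEM."""
    blob = base64.b64decode(secret["data"][key])
    if not blob.startswith(b"-----BEGIN "):
        raise ValueError(f"{secret['metadata']['name']}/{key} is not PEM")
    return blob

def merge_tls_secrets(tls_secret, ca_secret, name, namespace):
    """Build the combined Secret; fail loudly if either input is incomplete."""
    if missing_keys(tls_secret, ("tls.crt", "tls.key")):
        raise KeyError("TLS secret must carry tls.crt and tls.key")
    if missing_keys(ca_secret, ("ca.crt",)):
        raise KeyError("CA secret must carry ca.crt")
    pems = {"ca.crt": _pem(ca_secret, "ca.crt"),
            "tls.crt": _pem(tls_secret, "tls.crt"),
            "tls.key": _pem(tls_secret, "tls.key")}
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {k: base64.b64encode(v).decode() for k, v in pems.items()}}

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample inputs with placeholder PEM bodies (not real key material).
_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
ACME_TLS_SECRET = {  # what the ACME issuer hands back: no ca.crt
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "wildcard-tls", "namespace": "postgres-operator"},
    "data": {"tls.crt": _b64(_CERT), "tls.key": _b64(_KEY)}}
CA_SECRET = {  # the separately maintained CA bundle
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "wildcard-ca", "namespace": "postgres-operator"},
    "data": {"ca.crt": _b64(_CERT)}}

if __name__ == "__main__":
    import json
    print(json.dumps(merge_tls_secrets(ACME_TLS_SECRET, CA_SECRET,
                                       "wildcard-custom-tls", "postgres-operator"), indent=2))
```

The printed manifest can be applied with kubectl and referenced from customTLSSecret; because an ACME certificate is renewed periodically, the merged Secret has to be regenerated after each renewal or the cluster keeps serving the old tls.crt.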