
Allow specifying ca secret and tls secret separately

brandonavant opened this issue · 1 comment

Overview

In older versions of PGO, the PgCluster spec allowed for specifying spec.tls.caSecret and spec.tls.tlsSecret as separate values. For my team, this was a requirement as we use an ACME ClusterIssuer to obtain wildcard certificates (i.e. *.ourdomainname.com). With an ACME certificate, the generated secret contains a tls.crt and tls.key but not ca.crt.

In the 5.1.1 Operator, the PostgresCluster resource doesn't appear to provide a way to discern between the ca secret and the tls secret; it's all rolled into one (i.e. customTLSSecret as per the official documentation on the matter).

I'm looking to be able to specify those two secrets separately so that our PGO TLS setup will work as it did in 4.x.

Use Case

We are generating certificates from an ACME ClusterIssuer, whose generated secrets do not include a ca.crt in the data. As such, we generate a secret containing the ca.crt separately.

Desired Behavior

Please add a spec configuration (similar to what was possible in the PgCluster resource in 4.x) which will allow us to specify the tls.crt and tls.key in one secret and the ca.crt in a separate secret. This is how that used to look:

spec:
  tls:
    caSecret: my-ca-secret
    tlsSecret: my-tls-secret

Version 5.x would support something similar.

Environment

  • Platform: AKS
  • Platform Version: Kubernetes 1.23
  • PGO Image Tag: ubi8-5.1.1-0
  • Postgres Version: 14
  • Storage: 1Gi (ReadWriteOnce)
  • Number of Postgres clusters: 1

brandonavant, Jun 23 '22 16:06
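One way to bridge the gap the report describes while the 5.x spec only takes a single Secret, as an added example that is not code from the postgres-operator project or from the reporter: read the ACME-issued Secret (tls.crt and tls.key, with ca.crt absent or empty) and the separately managed CA Secret, check that each carries the PEM material it is supposed to, and assemble the one Secret holding ca.crt, tls.crt and tls.key that the issue says customTLSSecret expects. The two input Secrets below are constructed samples with placeholder PEM bodies, not real certificates; the output Secret name is an arbitrary choice.

```python
"""Assemble a combined TLS Secret (ca.crt + tls.crt + tls.key) from an
ACME-issued Secret and a separate CA Secret.  Added example, not part of
the postgres-operator project; the required key set comes from the issue
text, the input Secrets are constructed placeholders."""
import base64
import json

LEAF_KEYS = ("tls.crt", "tls.key")
CA_KEY = "ca.crt"
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")


class SecretError(ValueError):
    """Raised when an input Secret lacks something the combined Secret needs."""


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample: what a cert-manager ACME Secret looks like per the
# issue, tls.crt and tls.key present, ca.crt empty ("null ca.crt").
ACME_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "wildcard-ourdomainname-com", "namespace": "postgres"},
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nLEAFCERTPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN EC PRIVATE KEY-----\nLEAFKEYPLACEHOLDER\n-----END EC PRIVATE KEY-----\n"),
        "ca.crt": "",
    },
}

# Constructed sample: the separately generated CA Secret the reporter describes.
CA_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "my-ca-secret", "namespace": "postgres"},
    "data": {"ca.crt": _b64("-----BEGIN CERTIFICATE-----\nCACERTPLACEHOLDER\n-----END CERTIFICATE-----\n")},
}


def decoded_data(secret: dict) -> dict:
    """Decode a Secret's data (base64) and stringData (plain) into bytes."""
    out = {}
    for k, v in (secret.get("data") or {}).items():
        out[k] = base64.b64decode(v, validate=True) if v else b""
    for k, v in (secret.get("stringData") or {}).items():
        out[k] = v.encode()
    return out


def _pem_block(blob: bytes, labels) -> bool:
    """True when blob carries a complete PEM block with one of the labels."""
    return any(
        f"-----BEGIN {lbl}-----".encode() in blob and f"-----END {lbl}-----".encode() in blob
        for lbl in labels
    )


def build_custom_tls_secret(tls_secret: dict, ca_secret: dict, name: str) -> dict:
    """Return the combined Secret manifest, or raise SecretError if an input is unusable."""
    leaf = decoded_data(tls_secret)
    ca = decoded_data(ca_secret)
    missing = [k for k in LEAF_KEYS if not leaf.get(k)]
    if missing:
        raise SecretError(f"{tls_secret['metadata']['name']} lacks {missing}")
    if not _pem_block(leaf["tls.crt"], ("CERTIFICATE",)):
        raise SecretError("tls.crt is not a PEM certificate")
    if not _pem_block(leaf["tls.key"], KEY_LABELS):
        raise SecretError("tls.key is not a PEM private key")
    # An empty ca.crt in the ACME Secret counts as absent: the CA must come
    # from the separate Secret, which is the whole point of the workaround.
    ca_pem = ca.get(CA_KEY) or leaf.get(CA_KEY)
    if not ca_pem or not _pem_block(ca_pem, ("CERTIFICATE",)):
        raise SecretError("no usable ca.crt in either Secret")
    namespace = tls_secret["metadata"].get("namespace")
    if namespace != ca_secret["metadata"].get("namespace"):
        raise SecretError("both Secrets must live in the PostgresCluster's namespace")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name, "namespace": namespace},
        "data": {
            "ca.crt": base64.b64encode(ca_pem).decode(),
            "tls.crt": base64.b64encode(leaf["tls.crt"]).decode(),
            "tls.key": base64.b64encode(leaf["tls.key"]).decode(),
        },
    }


def manifest_json(secret: dict) -> str:
    """Serialise for `kubectl apply -f -`; kubectl accepts JSON as well as YAML."""
    return json.dumps(secret, indent=2)


if __name__ == "__main__":
    print(manifest_json(build_custom_tls_secret(ACME_SECRET, CA_SECRET, "my-custom-tls")))
```

In practice the two inputs come from `kubectl get secret <name> -o json`, the output is piped to `kubectl apply -f -`, and `spec.customTLSSecret.name` on the PostgresCluster points at the combined Secret. The combined Secret is a copy, so it goes stale when cert-manager renews the wildcard certificate: whatever runs this has to be re-run on each renewal (a CronJob or a watch on the cert-manager Secret), otherwise Postgres keeps serving the old leaf until it expires.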

Thanks for reaching out @brandonavant. It appears as though this is a well known issue with ACME issuers and Cert Manager, specifically per this thread (which is now quite old): https://github.com/cert-manager/cert-manager/issues/1571.

Are you still running into issues using ACME certs with CPK? I did want to check considering the age of this issue. But otherwise, I do see how v4 made it easier to deal with the limitations of the Secrets provisioned for these certs (i.e., a null ca.crt).

andrewlecuyer, Mar 06 '24 16:03

Hi @brandonavant, since we haven't heard back on this issue for some time, I am closing this issue. If you need further assistance, feel free to re-open this issue or ask a question in our Discord server.

ValClarkson, Apr 30 '24 21:04