postgres-operator

Cluster metadata is not applied to Root CA Certificate

Open joerocklin opened this issue 2 months ago • 0 comments

Overview

The Root CA certificate secret does not inherit metadata (labels and annotations) from the PostgresCluster spec, preventing the application of custom labels and annotations.

Environment

  • Platform: Kubernetes
  • Platform Version: 1.32
  • PGO Image Tag: ubi9-5.8.4-0
  • Postgres Version: All supported versions
  • Storage: N/A (affects all storage types)

Steps to Reproduce

REPRO

  1. Create a PostgresCluster with custom metadata:

     apiVersion: postgres-operator.crunchydata.com/v1beta1
     kind: PostgresCluster
     metadata:
       name: hippocluster
     spec:
       metadata:
         labels:
           env-label: "test-label-value"
         annotations:
           env-annotation: "test-annotation-value"
       postgresVersion: 18
       # ... other spec fields

  2. Check the root CA certificate secret: kubectl get secret pgo-root-cacert -o yaml

EXPECTED

Per the documentation, the metadata in the spec.metadata section of the cluster should apply to "any PGO managed object in a cluster." The root CA certificate secret should inherit the labels and annotations defined.

ACTUAL

There are no labels or annotations on the pgo-root-cacert.

Additional Information

I discovered this when deploying a database into a namespace in conjunction with some operators that copy secrets into other namespaces unless they have a specific annotation. In my testing so far, the only secret that the PGO did not annotate was the pgo-root-cacert.

joerocklin, Oct 29 '25 14:10
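
An added example, not part of the original issue or the PGO code base: a check that finds secrets lacking the labels and annotations set in spec.metadata, which matters when another controller decides what to copy across namespaces based on an annotation. The secret list is constructed sample data shaped like `kubectl get secrets -o json` output, and the secret names other than pgo-root-cacert are made up.

```python
import json

# Expected metadata, taken from spec.metadata in the issue's PostgresCluster.
EXPECTED = {
    "labels": {"env-label": "test-label-value"},
    "annotations": {"env-annotation": "test-annotation-value"},
}

# Constructed sample shaped like `kubectl get secrets -o json` output.
# Only pgo-root-cacert is a name from the issue; the others are made up.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "hippocluster-pguser-example",
                "labels": {"env-label": "test-label-value", "other": "x"},
                "annotations": {"env-annotation": "test-annotation-value"}}},
  {"metadata": {"name": "pgo-root-cacert"}},
  {"metadata": {"name": "hippocluster-drifted-example",
                "labels": {"env-label": "stale"},
                "annotations": {"env-annotation": "test-annotation-value"}}}
]}
""")


def missing_metadata(secret_list, expected=EXPECTED):
    """Return {secret name: [problems]} for secrets lacking expected metadata."""
    report = {}
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        problems = []
        for kind in ("labels", "annotations"):
            # A secret with no labels/annotations omits the key or sets it to null.
            actual = meta.get(kind) or {}
            for key, want in expected[kind].items():
                if key not in actual:
                    problems.append(f"{kind}: {key} missing")
                elif actual[key] != want:
                    problems.append(f"{kind}: {key}={actual[key]!r}, want {want!r}")
        if problems:
            report[meta.get("name", "<unnamed>")] = problems
    return report


if __name__ == "__main__":
    for name, problems in missing_metadata(SAMPLE).items():
        print(name)
        for p in problems:
            print("  -", p)
```

To run it against a live namespace, replace SAMPLE with the parsed output of `kubectl get secrets -o json` and EXPECTED with the cluster's own spec.metadata values.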