wip: Use cert-manager for cnpg's auth

2026-05-30 18:20:49 +00:00 · 2025-07-16 09:22:15 +02:00
parent 2387f2dab7
commit 4f19e13f3e
6 changed files with 78 additions and 40 deletions
@@ -41,3 +41,10 @@ spec:
    - http01:
        ingress:
          ingressClassName: cilium
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cnpg
+  namespace: argocd
+spec:
+  project: default
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: cnpg
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+    # needed because the CRDs are too long for kubectl apply
+    - ServerSideApply=true
+  source:
+    repoURL: https://cloudnative-pg.github.io/charts
+    chart: cloudnative-pg
+    targetRevision: v0.24.0
+    helm:
+      valuesObject: {}
@@ -1,52 +1,20 @@
-kind: Namespace
-apiVersion: v1
-metadata:
-  name: cnpg
---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: cnpg
+  name: postgres
  namespace: argocd
 spec:
  project: default
  destination:
    server: https://kubernetes.default.svc
-    namespace: cnpg
+    namespace: postgres
  syncPolicy:
    automated:
      prune: true
-      selfHeal: true
-    # needed because the CRDs are too long for kubectl apply
-    syncOptions:
-    - ServerSideApply=true
+      selfHeal: false
+      syncOption:
+        - CreateNamespace=true
  source:
-    repoURL: https://cloudnative-pg.github.io/charts
-    chart: cloudnative-pg
-    targetRevision: v0.24.0
-    helm:
-      valuesObject: {}
---
-kind: Namespace
-apiVersion: v1
-metadata:
-  name: postgres
---
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: postgres-cluster
-  namespace: postgres
-spec:
-  instances: 3
-
-  storage:
-    size: 10Gi
-
-  # this is here because no `Role` crd exsists yet.
-  # see https://github.com/cloudnative-pg/cloudnative-pg/issues/5341
-  managed:
-    roles:
-    - name: authentik
-      login: true
-      disablePassword: true
+    repoURL: https://github.com/zoriya/snow
+    targetRevision: HEAD
+    path: apps/postgres
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-cluster-ca
+spec:
+  secretName: postgres-cluster-ca
+  secretTemplate:
+    labels:
+      cnpg.io/reload: ""
+  usages:
+    - client auth
+  commonName: streaming_replica
+  issuerRef:
+    name: selfsigned
+    kind: ClusterIssuer
+    group: cert-manager.io
@@ -0,0 +1,22 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgres-cluster
+  namespace: postgres
+spec:
+  instances: 3
+
+  storage:
+    size: 10Gi
+
+  certificates:
+    clientCASecret: postgres-cert-ca
+    replicationTLSSecret: postgres-cert-ca
+
+  # this is here because no `Role` crd exsists yet.
+  # see https://github.com/cloudnative-pg/cloudnative-pg/issues/5341
+  managed:
+    roles:
+    - name: authentik
+      login: true
+      disablePassword: true
@@ -9,6 +9,7 @@ pkgs.mkShell {
    cmctl
    kubectx
    kubernetes-helm
+    kubectl-cnpg
  ];

  TALOSCONFIG = "./clusterconfig/talosconfig";