From 4f19e13f3e923a78fa8d349b7d2c19a7ab9cf138 Mon Sep 17 00:00:00 2001
From: Zoe Roux
Date: Wed, 16 Jul 2025 09:22:15 +0200
Subject: [PATCH] wip: Use cert-manager for cnpg's auth
---
apps/cert-manager.yaml | 7 ++++++
apps/cnpg.yaml | 24 +++++++++++++++++++
apps/postgres.yaml | 48 +++++++-------------------------
apps/postgres/certs.yaml | 16 +++++++++++++
apps/postgres/cluster.yaml | 22 +++++++++++++++++
shell.nix | 1 +
6 files changed, 78 insertions(+), 40 deletions(-)
create mode 100644 apps/cnpg.yaml
create mode 100644 apps/postgres/certs.yaml
create mode 100644 apps/postgres/cluster.yaml
diff --git a/apps/cert-manager.yaml b/apps/cert-manager.yaml
index e2cd161..607b8bf 100644
--- a/apps/cert-manager.yaml
+++ b/apps/cert-manager.yaml
@@ -41,3 +41,10 @@ spec:
 - http01:
 ingress:
 ingressClassName: cilium
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned
+spec:
+ selfSigned: {}
diff --git a/apps/cnpg.yaml b/apps/cnpg.yaml
new file mode 100644
index 0000000..eb591f9
--- /dev/null
+++ b/apps/cnpg.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cnpg
+ namespace: argocd
+spec:
+ project: default
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: cnpg
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ # needed because the CRDs are too long for kubectl apply
+ - ServerSideApply=true
+ source:
+ repoURL: https://cloudnative-pg.github.io/charts
+ chart: cloudnative-pg
+ targetRevision: v0.24.0
+ helm:
+ valuesObject: {}
diff --git a/apps/postgres.yaml b/apps/postgres.yaml
index 2a9a514..0199e39 100644
--- a/apps/postgres.yaml
+++ b/apps/postgres.yaml
@@ -1,52 +1,20 @@
-kind: Namespace
-apiVersion: v1
-metadata:
- name: cnpg
----
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
- name: cnpg
+ name: postgres
 namespace: argocd
 spec:
 project: default
 destination:
 server: https://kubernetes.default.svc
- namespace: cnpg
+ namespace: postgres
 syncPolicy:
 automated:
 prune: true
- selfHeal: true
- # needed because the CRDs are too long for kubectl apply
- syncOptions:
- - ServerSideApply=true
+ selfHeal: false
+ syncOption:
+ - CreateNamespace=true
 source:
- repoURL: https://cloudnative-pg.github.io/charts
- chart: cloudnative-pg
- targetRevision: v0.24.0
- helm:
- valuesObject: {}
----
-kind: Namespace
-apiVersion: v1
-metadata:
- name: postgres
----
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
- name: postgres-cluster
- namespace: postgres
-spec:
- instances: 3
-
- storage:
- size: 10Gi
-
- # this is here because no `Role` crd exsists yet.
- # see https://github.com/cloudnative-pg/cloudnative-pg/issues/5341
- managed:
- roles:
- - name: authentik
- login: true
- disablePassword: true
+ repoURL: https://github.com/zoriya/snow
+ targetRevision: HEAD
+ path: apps/postgres
diff --git a/apps/postgres/certs.yaml b/apps/postgres/certs.yaml
new file mode 100644
index 0000000..350f750
--- /dev/null
+++ b/apps/postgres/certs.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: postgres-cluster-ca
+spec:
+ secretName: postgres-cluster-ca
+ secretTemplate:
+ labels:
+ cnpg.io/reload: ""
+ usages:
+ - client auth
+ commonName: streaming_replica
+ issuerRef:
+ name: selfsigned
+ kind: ClusterIssuer
+ group: cert-manager.io
diff --git a/apps/postgres/cluster.yaml b/apps/postgres/cluster.yaml
new file mode 100644
index 0000000..76d1c18
--- /dev/null
+++ b/apps/postgres/cluster.yaml
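Review bot: `syncOption:` under `syncPolicy` is not an Argo CD Application field; the key is `syncOptions` (the new `apps/cnpg.yaml` in this same patch spells it correctly), so `CreateNamespace=true` will be pruned or rejected by the API server and the `postgres` namespace — whose explicit Namespace manifest this hunk deletes — will not be created, leaving the `apps/postgres` manifests with no namespace to sync into. The fix is the one line `  syncOptions:`. Flipping `selfHeal` to `false` while `prune: true` stays on reads as deliberate for a WIP, but a short comment saying why would help, since manual edits to the Cluster will now persist until the next sync.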
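Review bot: The Certificate named `postgres-cluster-ca` is not a CA — it has no `isCA: true` and is issued directly by the self-signed ClusterIssuer, which signs each certificate with its own key — so the secret ends up holding a self-signed leaf client certificate for `streaming_replica` rather than a trust anchor that can sign anything else. As far as I can tell that leaves no way to issue further client certificates (for example for the `authentik` role that `apps/postgres/cluster.yaml` sets to `disablePassword: true`), and it conflates the CA secret with the replication client secret. The documented CNPG/cert-manager layering is a self-signed CA Certificate with `isCA: true`, an `Issuer` with `ca.secretName` pointing at it, and leaf certificates issued from that Issuer; `privateKey.rotationPolicy: Always` on the leaf is also worth setting so renewals do not reuse the key. The Cluster would then reference the CA secret in `clientCASecret` and the leaf secret in `replicationTLSSecret`.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-cluster-ca
spec:
  isCA: true
  commonName: postgres-cluster-ca
  secretName: postgres-cluster-ca
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: postgres-cluster-ca
spec:
  ca:
    secretName: postgres-cluster-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-cluster-replication
spec:
  secretName: postgres-cluster-replication
  # … unchanged: secretTemplate (cnpg.io/reload label), usages, commonName …
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: postgres-cluster-ca
    kind: Issuer
    group: cert-manager.io
```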
@@ -0,0 +1,22 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: postgres-cluster
+ namespace: postgres
+spec:
+ instances: 3
+
+ storage:
+ size: 10Gi
+
+ certificates:
+ clientCASecret: postgres-cert-ca
+ replicationTLSSecret: postgres-cert-ca
+
+ # this is here because no `Role` crd exsists yet.
+ # see https://github.com/cloudnative-pg/cloudnative-pg/issues/5341
+ managed:
+ roles:
+ - name: authentik
+ login: true
+ disablePassword: true
diff --git a/shell.nix b/shell.nix
index 1b3eba3..cadb7ca 100644
--- a/shell.nix
+++ b/shell.nix
@@ -9,6 +9,7 @@ pkgs.mkShell {
 cmctl
 kubectx
 kubernetes-helm
+ kubectl-cnpg
 ];
 TALOSCONFIG = "./clusterconfig/talosconfig";
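Review bot: `clientCASecret: postgres-cert-ca` and `replicationTLSSecret: postgres-cert-ca` name a secret that nothing in this patch creates; `apps/postgres/certs.yaml` writes its output to `postgres-cluster-ca`, so the operator will wait on a secret that never appears. Whichever name is settled on, the two files have to agree, and pointing both fields at the same secret should be reconsidered: CNPG reads the trust anchor for client authentication from `clientCASecret` and the replication client key pair from `replicationTLSSecret`, and with a single self-signed leaf in both the only client certificate the server can ever trust is that leaf itself — which matters because the `authentik` role below is `disablePassword: true` and would need certificate authentication. The typo in the comment could be fixed at the same time: `# this is here because no Role CRD exists yet.`.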