wip: Use cert-manager for cnpg's auth

apps/cert-manager.yaml

@@ -41,3 +41,10 @@ spec:
     - http01:
         ingress:
           ingressClassName: cilium
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned
+spec:
+  selfSigned: {}

apps/cnpg.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cnpg
+  namespace: argocd
+spec:
+  project: default
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: cnpg
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+    # needed because the CRDs are too long for kubectl apply
+    - ServerSideApply=true
+  source:
+    repoURL: https://cloudnative-pg.github.io/charts
+    chart: cloudnative-pg
+    targetRevision: v0.24.0
+    helm:
+      valuesObject: {}

apps/postgres.yaml

@@ -1,52 +1,20 @@
-kind: Namespace
-apiVersion: v1
-metadata:
-  name: cnpg
----
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: cnpg
+  name: postgres
   namespace: argocd
 spec:
   project: default
   destination:
     server: https://kubernetes.default.svc
-    namespace: cnpg
+    namespace: postgres
   syncPolicy:
     automated:
       prune: true
-      selfHeal: true
+      selfHeal: false
-    # needed because the CRDs are too long for kubectl apply
+      syncOption:
-    syncOptions:
+        - CreateNamespace=true
-    - ServerSideApply=true
   source:
-    repoURL: https://cloudnative-pg.github.io/charts
+    repoURL: https://github.com/zoriya/snow
-    chart: cloudnative-pg
+    targetRevision: HEAD
-    targetRevision: v0.24.0
+    path: apps/postgres
-    helm:
-      valuesObject: {}
----
-kind: Namespace
-apiVersion: v1
-metadata:
-  name: postgres
----
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: postgres-cluster
-  namespace: postgres
-spec:
-  instances: 3
-
-  storage:
-    size: 10Gi
-
-  # this is here because no `Role` crd exsists yet.
-  # see https://github.com/cloudnative-pg/cloudnative-pg/issues/5341
-  managed:
-    roles:
-    - name: authentik
-      login: true
-      disablePassword: true

apps/postgres/certs.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-cluster-ca
+spec:
+  secretName: postgres-cluster-ca
+  secretTemplate:
+    labels:
+      cnpg.io/reload: ""
+  usages:
+    - client auth
+  commonName: streaming_replica
+  issuerRef:
+    name: selfsigned
+    kind: ClusterIssuer
+    group: cert-manager.io

apps/postgres/cluster.yaml

@@ -0,0 +1,22 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgres-cluster
+  namespace: postgres
+spec:
+  instances: 3
+
+  storage:
+    size: 10Gi
+
+  certificates:
+    clientCASecret: postgres-cert-ca
+    replicationTLSSecret: postgres-cert-ca
+
+  # this is here because no `Role` crd exsists yet.
+  # see https://github.com/cloudnative-pg/cloudnative-pg/issues/5341
+  managed:
+    roles:
+    - name: authentik
+      login: true
+      disablePassword: true

shell.nix

@@ -9,6 +9,7 @@ pkgs.mkShell {
     cmctl
     kubectx
     kubernetes-helm
+    kubectl-cnpg
   ];
 
   TALOSCONFIG = "./clusterconfig/talosconfig";