snow/apps/postgres/ca.yaml

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-ca
  # cert needs to be on the cluster's default resource ns aka cert-manager by default
  namespace: cert-manager
spec:
  isCA: true
  commonName: postgres-ca
  secretName: postgres-ca
  secretTemplate:
    labels:
      cnpg.io/reload: ""
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: postgres-ca
  namespace: postgres
spec:
  ca:
    secretName: postgres-ca