diff --git a/helm/postgres/templates/_helpers.tpl b/helm/postgres/templates/_helpers.tpl
new file mode 100644
index 00000000..9ef3312e
--- /dev/null
+++ b/helm/postgres/templates/_helpers.tpl
@@ -0,0 +1,3 @@
+{{- define "certmanager.prefix" -}}
+{{- default .Release.Name .Values.name -}}
+{{- end -}}
diff --git a/helm/postgres/templates/certs.yaml b/helm/postgres/templates/certs.yaml
new file mode 100644
index 00000000..b23484be
--- /dev/null
+++ b/helm/postgres/templates/certs.yaml
@@ -0,0 +1,70 @@
+{{- if .Values.certmanager }}
+{{- $prefix := (include "certmanager.prefix" .) -}}
+{{ $organisation := printf "%s-org" $prefix -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ $prefix -}}-certmanager
+spec:
+ # Secret names are always required.
+ secretName: "{{- $prefix -}}-tls"
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - "{{ .Values.certmanager.org | default $organisation -}}"
+ # The use of the common name field has been deprecated since 2000 and is
+ # discouraged from being used.
+ commonName: {{ $prefix }}-primary
+ isCA: false
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ usages:
+ - digital signature
+ - key encipherment
+ # At least one of a DNS Name, URI, or IP address is required.
+ dnsNames:
+ - {{ $prefix }}-primary
+ - {{ $prefix }}-primary.postgres-operator
+ - {{ $prefix }}-primary.postgres-operator.svc
+ - {{ $prefix }}-primary.postgres-operator.svc.cluster.local
+ issuerRef:
+ name: {{ required ".certmanager.issuerName reqired" .Values.certmanager.issuerName }}
+ {{ if .Values.certmanager.issuerKind -}} kind: {{ .Values.certmanager.issuerKind }}
+ {{ end -}}
+ {{ if .Values.certmanager.issuerGroup -}} group: {{ .Values.certmanager.issuerGroup }}
+ {{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ $prefix }}-repl-certmanager
+spec:
+ # Secret names are always required.
+ secretName: {{ $prefix }}-repl-tls
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - "{{ .Values.certmanager.org | default $organisation -}}"
+ # The use of the common name field has been deprecated since 2000 and is
+ # discouraged from being used.
+ commonName: _crunchyrepl
+ isCA: false
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ usages:
+ - digital signature
+ - key encipherment
+ # At least one of a DNS Name, URI, or IP address is required.
+ dnsNames:
+ - _crunchyrepl
+ issuerRef:
+ name: {{ required ".certmanager.issuerName reqired" .Values.certmanager.issuerName }}
+ {{ if .Values.certmanager.issuerKind -}} kind: {{ .Values.certmanager.issuerKind }}
+ {{ end -}}
+ {{ if .Values.certmanager.issuerGroup -}} group: {{ .Values.certmanager.issuerGroup }}
+ {{- end }}
+{{- end }}
diff --git a/helm/postgres/templates/postgres.yaml b/helm/postgres/templates/postgres.yaml
index 53261360..d8963568 100644
--- a/helm/postgres/templates/postgres.yaml
+++ b/helm/postgres/templates/postgres.yaml
@@ -204,11 +204,24 @@ spec:
 {{- else if eq .Values.openshift false }}
 openshift: false
 {{- end }}
- {{- if .Values.customTLSSecret }}
+ {{- $certmanagerEnable := default false .Values.certmanager -}}
+ {{- if or .Values.customTLSSecret .Values.certmanager }}
 customTLSSecret:
+ {{- if .Values.customTLSSecret }}
 {{ toYaml .Values.customTLSSecret | indent 4 }}
+ {{- else }}
+ {{- $prefix := (include "certmanager.prefix" .) }}
+ {{- $tlsSecret := printf "%s-tls" $prefix }}
+ name: {{ $tlsSecret }}
 {{- end }}
- {{- if .Values.customReplicationTLSSecret }}
+ {{- end }}
+ {{- if or .Values.customTLSSecret .Values.certmanager }}
 customReplicationTLSSecret:
+ {{- if .Values.customReplicationTLSSecret }}
 {{ toYaml .Values.customReplicationTLSSecret | indent 4 }}
+ {{- else }}
+ {{- $prefix := (include "certmanager.prefix" .) }}
+ {{- $tlsSecret := printf "%s-repl-tls" $prefix }}
+ name: {{ $tlsSecret }}
+ {{- end }}
 {{- end }}
diff --git a/helm/postgres/values.yaml b/helm/postgres/values.yaml
index 38dffbd6..a83d4e8a 100644
--- a/helm/postgres/values.yaml
+++ b/helm/postgres/values.yaml
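Review bot: The dnsNames of the primary Certificate hard-code the `postgres-operator` namespace (`{{ $prefix }}-primary.postgres-operator`, `.svc`, `.svc.cluster.local`), so a release installed into any other namespace gets a server certificate whose SANs do not match the service DNS names and clients that verify the server name (sslmode verify-full) will reject the connection; those three entries should use `{{ $prefix }}-primary.{{ .Release.Namespace }}` and its `.svc` / `.svc.cluster.local` forms. The message passed to `required` on both issuerRef blocks misspells the word (`".certmanager.issuerName reqired"`), and the first document writes `secretName: "{{- $prefix -}}-tls"` with trim markers inside a quoted scalar while the second writes it plain; `secretName: {{ $prefix }}-tls` matches the second document. The `{{ if … -}} kind:` / `{{ end -}}` layout in issuerRef relies on whitespace trimming to keep `kind:` and `group:` aligned, which works but is easy to break; putting each `{{- if }}`/`kind:`/`{{- end }}` on its own line with `{{-` trims would make the rendered indentation explicit.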
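Review bot: The second `{{- if or .Values.customTLSSecret .Values.certmanager }}` tests the wrong value: with only `customTLSSecret` set and cert-manager disabled, the template now emits `customReplicationTLSSecret:`, finds `customReplicationTLSSecret` unset, takes the else branch and points the cluster at a `<prefix>-repl-tls` Secret that nothing creates, whereas the removed line only emitted the key when that value was set; the guard should read `{{- if or .Values.customReplicationTLSSecret .Values.certmanager }}`. `$certmanagerEnable` is assigned on the first added line and never read, so it can be dropped. The `$prefix` / `$tlsSecret` pair is recomputed identically in both else branches; a single `{{- $prefix := include "certmanager.prefix" . }}` above the first `if` would cover both. The enclosing `spec:` block begins before the hunk.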
@@ -149,6 +149,19 @@ postgresVersion: 16 # provides the information for the replication user. # customReplicationTLSSecret: {} +# certmanagerto generate required certificates +# issuerName according to your certmanager setup must be set +# customTLSSecret and customReplicationTLSSecret will overwrite certmanager certificates +# Optional: +# set org otherwise it default to "<.resource.name>-org" +# overwrite issuerKind e.g. to ClusterIssuer if not using the Issuer in the namespace +# overwrite issuerGroup if needed by you issuer +# certmanager: +# issuerName: +# org: "hippo-org" +# issuerKind: ClusterIssuer +# issuerGroup: cert-manager.io + # databaseInitSQL references a ConfigMap that contains a SQL file that should be # run a cluster bootstrap. # databaseInitSQL:
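Review bot: The new comment block has wording slips that make the option harder to read: `certmanagerto generate` should be `certmanager to generate`, `it default to` should be `it defaults to`, and `needed by you issuer` should be `needed by your issuer`. The default organisation is described as `"<.resource.name>-org"`, but the `certmanager.prefix` helper added in this commit derives the prefix from `.Values.name` with `.Release.Name` as fallback, so `"<name or release name>-org"` would describe it accurately. The commented example shows `issuerName:` with no value; since the template wraps that value in `required`, uncommenting the block as-is fails to render, so an obvious placeholder such as `issuerName: <issuer-name>` would make the copy-paste case clearer.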