CrunchyData · poggenpower · Aug 29, 2024
diff --git a/helm/postgres/templates/_helpers.tpl b/helm/postgres/templates/_helpers.tpl
@@ -0,0 +1,3 @@
+{{- define "certmanager.prefix" -}}
+{{- default .Release.Name .Values.name -}}
+{{- end -}}
diff --git a/helm/postgres/templates/certs.yaml b/helm/postgres/templates/certs.yaml
@@ -0,0 +1,70 @@
+{{- if .Values.certmanager }}
+{{- $prefix := (include "certmanager.prefix" .) -}}
+{{ $organisation := printf "%s-org" $prefix -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ $prefix -}}-certmanager
+spec:
+  # Secret names are always required.
+  secretName: "{{- $prefix -}}-tls"
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+    - "{{ .Values.certmanager.org | default $organisation -}}"
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: {{ $prefix }}-primary
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  usages:
+    - digital signature
+    - key encipherment
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+  - {{ $prefix }}-primary
+  - {{ $prefix }}-primary.postgres-operator
+  - {{ $prefix }}-primary.postgres-operator.svc
+  - {{ $prefix }}-primary.postgres-operator.svc.cluster.local
+  issuerRef:
+    name: {{ required ".certmanager.issuerName reqired" .Values.certmanager.issuerName }}
+    {{ if .Values.certmanager.issuerKind -}} kind: {{ .Values.certmanager.issuerKind }}
+    {{ end -}}
+    {{ if .Values.certmanager.issuerGroup -}} group: {{ .Values.certmanager.issuerGroup }}
+    {{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ $prefix }}-repl-certmanager
+spec:
+  # Secret names are always required.
+  secretName: {{ $prefix }}-repl-tls
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+    - "{{ .Values.certmanager.org | default $organisation -}}"
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: _crunchyrepl
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  usages:
+    - digital signature
+    - key encipherment
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+  - _crunchyrepl
+  issuerRef:
+    name: {{ required ".certmanager.issuerName reqired" .Values.certmanager.issuerName }}
+    {{ if .Values.certmanager.issuerKind -}} kind: {{ .Values.certmanager.issuerKind }}
+    {{ end -}}
+    {{ if .Values.certmanager.issuerGroup -}} group: {{ .Values.certmanager.issuerGroup }}
+    {{- end }}
+{{- end }}
diff --git a/helm/postgres/templates/postgres.yaml b/helm/postgres/templates/postgres.yaml
@@ -204,11 +204,24 @@ spec:
   {{- else if eq .Values.openshift false }}
   openshift: false
   {{- end }}
-  {{- if .Values.customTLSSecret }}
+  {{- $certmanagerEnable := default false .Values.certmanager -}}
+  {{- if or .Values.customTLSSecret .Values.certmanager }}
   customTLSSecret:
+  {{- if .Values.customTLSSecret }}
 {{ toYaml .Values.customTLSSecret | indent 4 }}
+  {{- else }}
+  {{- $prefix := (include "certmanager.prefix" .) }}
+  {{- $tlsSecret :=  printf "%s-tls" $prefix }}
+    name: {{ $tlsSecret }}    
   {{- end }}
-  {{- if .Values.customReplicationTLSSecret }}
+  {{- end }}
+  {{- if or .Values.customTLSSecret .Values.certmanager }}
   customReplicationTLSSecret:
+  {{- if .Values.customReplicationTLSSecret }}
 {{ toYaml .Values.customReplicationTLSSecret | indent 4 }}
+  {{- else }}
+  {{- $prefix := (include "certmanager.prefix" .) }}
+  {{- $tlsSecret :=  printf "%s-repl-tls" $prefix }}
+    name: {{ $tlsSecret }}    
+  {{- end }}
   {{- end }}
diff --git a/helm/postgres/values.yaml b/helm/postgres/values.yaml
@@ -149,6 +149,19 @@ postgresVersion: 16
 # provides the information for the replication user.
 # customReplicationTLSSecret: {}
 
+# certmanagerto generate required certificates
+# issuerName according to your certmanager setup must be set 
+# customTLSSecret and customReplicationTLSSecret will overwrite certmanager certificates
+# Optional: 
+#   set org otherwise it default to "<.resource.name>-org"
+#   overwrite issuerKind e.g. to ClusterIssuer if not using the Issuer in the namespace
+#   overwrite issuerGroup if needed by you issuer
+# certmanager:
+#   issuerName: <must be configured>
+#   org: "hippo-org"
+#   issuerKind: ClusterIssuer
+#   issuerGroup: cert-manager.io
+
 # databaseInitSQL references a ConfigMap that contains a SQL file that should be
 # run a cluster bootstrap.
 # databaseInitSQL: