Certificates

Cloud Native PostgreSQL has been designed to natively support TLS certificates. In order to set up a Cluster, the operator requires:

  • a server Certification Authority (CA) certificate
  • a server TLS certificate signed by the server Certification Authority
  • a client Certification Authority certificate
  • a streaming replication client certificate generated by the client Certification Authority

Note

You can find all the secrets used by the cluster and their expiration dates in the cluster's status.

Operator managed mode

By default, the operator generates a single Certification Authority and uses it for both client and server certificates, which are then managed and renewed automatically.

Server CA Secret

The operator generates a self-signed CA and stores it in a generic secret containing the following keys:

  • ca.crt: CA certificate used to validate the server certificate, used as sslrootcert in clients' connection strings.
  • ca.key: the key used to sign Server SSL certificate automatically

Server TLS Secret

The operator uses the generated self-signed CA to sign a server TLS certificate, stored in a Secret of type kubernetes.io/tls and configured to be used as ssl_cert_file and ssl_key_file by the instances so that clients can verify their identity and connect securely.

Server alternative DNS names

You can specify DNS server alternative names that will be part of the generated server TLS secret in addition to the default ones.

User-provided server certificate mode

If required, you can also provide the two server certificates, generating them using a separate component such as cert-manager. In order to use a custom server TLS certificate for a Cluster, you must specify the following parameters:

  • serverTLSSecret: the name of a Secret of type kubernetes.io/tls, containing the server TLS certificate. It must contain both the standard tls.crt and tls.key keys.
  • serverCASecret: the name of a Secret containing the ca.crt key.

Note

The operator will still create and manage the two secrets related to client certificates.

See below for a complete example.

Example

Given the following files:

  • server-ca.crt: the certificate of the CA that signed the server TLS certificate.
  • server.crt: the certificate of the server TLS certificate.
  • server.key: the private key of the server TLS certificate.

Create a secret containing the CA certificate:

kubectl create secret generic my-postgresql-server-ca \
  --from-file=ca.crt=./server-ca.crt

Create a secret with the TLS certificate:

kubectl create secret tls my-postgresql-server \
  --cert=./server.crt --key=./server.key

Create a Cluster referencing those secrets:

kubectl apply -f - <<EOF
apiVersion: postgresql.k8s.enterprisedb.io/v1
kind: Cluster
metadata:
  name: cluster-example
spec:
  instances: 3
  certificates:
    serverCASecret: my-postgresql-server-ca
    serverTLSSecret: my-postgresql-server
  storage:
    storageClass: standard
    size: 1Gi
EOF

The new cluster will use the provided server certificates for TLS connections.

Cert-manager Example

Here a simple example about how to use cert-manager to set up a self-signed CA and generate the needed TLS server certificate:

---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-postgres-server-cert
spec:
  secretName: my-postgres-server-cert
  usages:
    - server auth
  dnsNames:
    - cluster-example-lb.internal.mydomain.net
    - cluster-example-rw
    - cluster-example-rw.default
    - cluster-example-rw.default.svc
    - cluster-example-r
    - cluster-example-r.default
    - cluster-example-r.default.svc
    - cluster-example-ro
    - cluster-example-ro.default
    - cluster-example-ro.default.svc
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io

A Secret named my-postgres-server-cert is created by cert-manager, containing all the needed files and can be referenced from a Cluster as follows:

apiVersion: postgresql.k8s.enterprisedb.io/v1
kind: Cluster
metadata:
  name: cluster-example
spec:
  instances: 3
  certificates:
    serverTLSSecret: my-postgres-server-cert
    serverCASecret: my-postgres-server-cert
  storage:
    size: 1Gi