From 7698e039d1fcc71362a468d185b6f0a6f0c7c665 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 18 Oct 2023 18:30:27 -0500
Subject: [PATCH] postgresql: Use a private CA-signed TLS cert

The PostgreSQL server managed by *Postgres Operator* uses a self-signed certificate by default. In order to enable full validation of the server certificate, we need to use a certificate signed by a known CA that the clients can trust. To that end, I have added a *cert-manager* Issuer specifically for PostgreSQL. The CA certificate is also managed by *cert-manager*; it is self-signed and needs to be distributed to clients out-of-band.
---
 postgresql/certificate.yaml | 53 +++++++++++++++++++
 postgresql/default-cluster.yaml | 2 +
 .../postgresql-operator-configuration.yaml | 2 +-
 3 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 postgresql/certificate.yaml

diff --git a/postgresql/certificate.yaml b/postgresql/certificate.yaml
new file mode 100644
index 0000000..e553eac
--- /dev/null
+++ b/postgresql/certificate.yaml
@@ -0,0 +1,53 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: postgresql-ca-issuer
+spec:
+  selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgresql-ca
+spec:
+  isCA: true
+  commonName: PostgreSQL CA
+  secretName: postgresql-ca
+  duration: 96360h
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: postgresql-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: postgresql-issuer
+spec:
+  ca:
+    secretName: postgresql-ca
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: default
+spec:
+  secretName: default-cert
+  dnsNames:
+    - default.postgresql.svc.cluster.local
+    - default.postgresql.svc
+    - default.postgresql
+    - default
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: postgresql-issuer
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
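Review bot: The `postgresql-ca` Certificate states no `privateKey.rotationPolicy`, so the CA key is kept only by cert-manager's default; because the commit message says this CA certificate is distributed to clients out-of-band, a later edit that copies `rotationPolicy: Always` from the `default` leaf onto the CA would silently invalidate every client's trust store at the first renewal. Making the intent explicit with `rotationPolicy: Never` under the CA's `privateKey`, plus a comment such as `# CA key must not rotate: clients pin this certificate out-of-band`, would guard against that. Likewise `duration: 96360h` has no `renewBefore`, so cert-manager will re-issue the CA certificate at its default renewal point well before expiry, and that re-issued certificate has to reach clients before the one they hold expires; a comment recording that redistribution step would help the next operator. Note also that the `postgresql-ca` Secret contains the CA private key alongside `ca.crt`; only `ca.crt` should ever be handed to clients, so read access to that Secret is worth restricting.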
diff --git a/postgresql/default-cluster.yaml b/postgresql/default-cluster.yaml
index 1c84727..3483b82 100644
--- a/postgresql/default-cluster.yaml
+++ b/postgresql/default-cluster.yaml
@@ -10,6 +10,8 @@ spec:
   numberOfInstances: 1
   postgresql:
     version: '15'
+    tls:
+      secretName: default-cert
   users:
     dustin:
     - superuser
diff --git a/postgresql/postgresql-operator-configuration.yaml b/postgresql/postgresql-operator-configuration.yaml
index 92d3809..05c3907 100644
--- a/postgresql/postgresql-operator-configuration.yaml
+++ b/postgresql/postgresql-operator-configuration.yaml
@@ -100,7 +100,7 @@ configuration:
     spilo_allow_privilege_escalation: true
     # spilo_runasuser: 101
     # spilo_runasgroup: 103
-    # spilo_fsgroup: 103
+    spilo_fsgroup: 103
     spilo_privileged: false
     storage_resize_mode: pvc
     # toleration:
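Review bot: `tls.secretName: default-cert` wires the cert-manager Secret into the cluster, but nothing here records how a renewed certificate reaches the running server; the `default` Certificate in this commit uses `rotationPolicy: Always`, so both `tls.crt` and `tls.key` in the mounted Secret are replaced at every renewal, and whether the server reloads the new files or needs a restart should be confirmed against the operator's documentation. A comment on the new line, `# managed by cert-manager (postgresql/certificate.yaml); renewals replace both key and cert`, would make that dependency visible to whoever edits this cluster next. The enclosing `spec` mapping starts before the hunk.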
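Review bot: Uncommenting `spilo_fsgroup: 103` is presumably what lets the postgres user read the TLS key mounted from `spec.tls.secretName`, but neither the hunk nor the commit message says so, and a future reader may treat the line as unused and re-comment it. A comment such as `# required so the mounted TLS key (cluster spec.tls.secretName) is readable by the postgres user` would tie this setting to the cluster change; since this is inferred from the two hunks landing together, confirm it against the operator's TLS documentation before wording it as fact. The enclosing `configuration` mapping starts and ends outside the hunk.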