postgresql: Use a private CA-signed TLS cert

The PostgreSQL server managed by *Postgres Operator* uses a self-signed
certificate by default.  In order to enable full validation of the
server certificate, we need to use a certificate signed by a known CA
that the clients can trust.  To that end, I have added a *cert-manager*
Issuer specifically for PostgreSQL.  The CA certificate is also managed
by *cert-manager*; it is self-signed and needs to be distributed to
clients out-of-band.

postgresql/certificate.yaml

@@ -0,0 +1,53 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: postgresql-ca-issuer
+spec:
+  selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgresql-ca
+spec:
+  isCA: true
+  commonName: PostgreSQL CA
+  secretName: postgresql-ca
+  duration: 96360h
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: postgresql-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: postgresql-issuer
+spec:
+  ca:
+    secretName: postgresql-ca
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: default
+spec:
+  secretName: default-cert
+  dnsNames:
+  - default.postgresql.svc.cluster.local
+  - default.postgresql.svc
+  - default.postgresql
+  - default
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: postgresql-issuer
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always

postgresql/default-cluster.yaml

@@ -10,6 +10,8 @@ spec:
   numberOfInstances: 1
   postgresql:
     version: '15'
+  tls:
+    secretName: default-cert
   users:
     dustin:
     - superuser

postgresql/postgresql-operator-configuration.yaml

@@ -100,7 +100,7 @@ configuration:
     spilo_allow_privilege_escalation: true
     # spilo_runasuser: 101
     # spilo_runasgroup: 103
-    # spilo_fsgroup: 103
+    spilo_fsgroup: 103
     spilo_privileged: false
     storage_resize_mode: pvc
     # toleration: