
Using Cert-Manager with Postgres Operator 5.x

Introduction

Starting with version 5.0 of PGO, the Postgres Operator from Crunchy Data, TLS is on by default to secure all communication to/from the postgres cluster. By default, the Operator will generate the necessary certificates for the Postgres cluster and components. It is possible to provide custom certificates by storing the certificates in a Kubernetes Secret and pointing the Operator to those secrets in the Postgres manifest.

Cert-Manager can be used to dynamically generate and manage certificates in Kubernetes. Cert-Manager can generate self-signed certificates or certificates from several certificate authorities.

This example shows how to use custom self-signed certificates generated by Cert-Manager.

Cert-Manager Installation

The first step is to deploy Cert-Manager to the Kubernetes cluster. To do this, follow the installation instructions for the cert-manager Operator for Red Hat OpenShift (https://docs.openshift.com/container-platform/4.13/security/cert_manager_operator/cert-manager-operator-install.html).

Setup Certificate Issuer

After Cert-Manager has been deployed, the next step in this example is to set up a Certificate Issuer. A Certificate Issuer can be scoped to a single namespace (Issuer) or to the whole cluster (ClusterIssuer). The examples provided here create a cluster wide issuer.

NOTE:

You need a Service with an external IP address for DC1, and you must make sure that port 5432 (if you have not changed the default value) is reachable from the DC2 cluster over the internet.

  • Update dc1/ext-service.yaml with the IPs of your host/worker nodes.
  • Update dc2/postgres.yaml with the IP that you provided in the previous step.

Configure Issuer

oc apply -k certman

This Kustomize deployment performs the following actions:

  • Creates a cluster wide (ClusterIssuer) self-signed certificate issuer.
  • Generates a common CA certificate.
  • Creates a cluster wide (ClusterIssuer) CA certificate issuer using the generated CA certificate.

By default, the issuers are created in the cert-manager namespace, which is the default namespace for Cert-Manager.

The CA certificate issuer matters because the Postgres components require that the ca.crt be identical across all certificates generated for Postgres: the server and replication certificates are only trusted if they chain to the same CA.
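The three resources the Kustomize deployment creates, written out as an added example (not the repository's own certman/ manifests); the resource and secret names are assumptions:

```yaml
# Added example, not the project's certman/ manifests; names are assumed.
# 1. Self-signed ClusterIssuer: only used to bootstrap the root CA.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
# 2. Root CA certificate, signed by the self-signed issuer. ClusterIssuers
# read their secrets from cert-manager's own namespace, so the CA key pair
# must be created there.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: postgres-ca
  secretName: postgres-ca-key-pair
  duration: 87600h   # 10 years; leaf certificates below get cert-manager's default
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
# 3. CA ClusterIssuer: every Postgres certificate is signed by this one
# root, so the ca.crt in each issued Secret is the same.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: postgres-ca-issuer
spec:
  ca:
    secretName: postgres-ca-key-pair
```

Postgres resources later reference the third object (`postgres-ca-issuer`); the self-signed issuer is never used directly for Postgres.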

Create a project and install Crunchy operator

Log in to the OpenShift cluster that you plan to host your master PostgreSQL cluster "dc1" on and create a new project:

oc new-project aap-db

Go to the OperatorHub and select the certified "Crunchy Postgres for Kubernetes" operator. Click Install and, on the second page, select "A specific namespace on the cluster" and pick "aap-db".

NOTE: at the time of this test the latest version of the operator is 5.3.0.

Deploy Postgres with Custom Certificates

With the cluster wide certificate issuer in place, the next step is to generate certificates and then instruct the Operator to use these certificates.

Two certificates will be generated by the Kustomize deployment. The first certificate secret is named <cluster-name>-tls (aap-dr-tls in this example) and the second <cluster-name>-repl-tls (aap-dr-repl-tls). The critical difference between the two certificates is the Common Name (CN). For the replication certificate (<cluster-name>-repl-tls), the Common Name must be _crunchyrepl, because Postgres maps the client certificate's CN to the replication user. If the Common Name is not set properly, the replicas will fail during the bootstrap process.

In the Postgres manifest, two entries are added to point to the newly created Secrets. The customTLSSecret key references the <cluster-name>-tls secret, while the customReplicationTLSSecret key references the <cluster-name>-repl-tls secret.
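The two Certificate resources and the matching PostgresCluster fields, as an added example rather than the repository's dc1/ manifests. The cluster name aap-dr, namespace aap-db and issuer name postgres-ca-issuer are assumptions, and the unrelated PostgresCluster fields (version, instances, backups) are omitted:

```yaml
# Added example, not the project's dc1/ manifests; names are assumed.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: aap-dr-tls
  namespace: aap-db
spec:
  secretName: aap-dr-tls
  # Server certificate for the primary Service; the Service names are assumed.
  commonName: aap-dr-primary
  dnsNames:
    - aap-dr-primary
    - aap-dr-primary.aap-db.svc
  usages: [digital signature, key encipherment, server auth]
  issuerRef:
    name: postgres-ca-issuer
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: aap-dr-repl-tls
  namespace: aap-db
spec:
  secretName: aap-dr-repl-tls
  # Client certificate for streaming replication. Postgres maps the CN to the
  # replication user, so it must be exactly _crunchyrepl or replicas fail to bootstrap.
  commonName: _crunchyrepl
  usages: [digital signature, key encipherment, client auth]
  issuerRef:
    name: postgres-ca-issuer   # same CA as above, so both ca.crt values match
    kind: ClusterIssuer
---
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
  name: aap-dr
  namespace: aap-db
spec:
  # postgresVersion, instances and backups omitted; they are unchanged from a
  # cluster that uses the Operator's generated certificates.
  customTLSSecret:
    name: aap-dr-tls
  customReplicationTLSSecret:
    name: aap-dr-repl-tls
```

Once cert-manager has issued both Secrets, `oc get secret aap-dr-tls aap-dr-repl-tls -n aap-db -o jsonpath='{.items[*].data.ca\.crt}'` should print two identical values; if they differ, the Operator will reject the pair.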

Deploy Postgres

oc apply -k dc1

The following process takes place during the deployment:

  • Custom certificate is generated for Postgres using the CA ClusterIssuer created in the previous steps.
  • Custom certificate is generated for Postgres replication using the CA ClusterIssuer.
  • Postgres cluster deployed using the custom certificates.

Setup DC2 / DR cluster

Steps to set up the DR Postgres cluster:

  • Follow the README in the certman-dr folder to set up the certificates on the second OpenShift cluster.

Create a project and install Crunchy operator

Log in to the OpenShift cluster that you plan to host your DR PostgreSQL cluster "dc2" on and create a new project:

oc new-project aap-db

Go to the OperatorHub and select the certified "Crunchy Postgres for Kubernetes" operator. Click Install and, on the second page, select "A specific namespace on the cluster" and pick "aap-db".

NOTE: at the time of this test the latest version of the operator is 5.3.0.

Setup PostgreSQL DR cluster

  • Change directory to the root of the "Crunchy-DR" project and run:

oc apply -k dc2
