Add example using cert-manager

Provide any example of "bring your own TLS infrastructure"
using cert-manager[1]

[1] https://cert-manager.io/docs/

Author: cbrianpace

kustomize/certmanager/README.md

@@ -0,0 +1,44 @@
+# Using Cert-Manager with Postgres Operator 5.x
+
+## Introduction
+Starting with version 5.0 of the Crunchy Data Postgres Operator for Kubernetes, TLS is on by default to secure all communication to/from the postgres cluster.  By default, the Operator will generate the necessary certificates for the Postgres cluster and components.  It is possible to provide custom cetificates by storing the certificates in a Kubernetes Secret and pointing the Operator to those secrets in the Postgres manifest.
+
+Cert-Manager can be used to dynamically generate and manage certificates in Kubernetes.   Cert-Manager can generate self-signed certificates or certificates from several certificate authorities.
+
+This example shows how to use custom self-signed certificates generated by Cert-Manager.
+
+## Cert-Manager Installation
+The first step is to deploy Cert-Manager to the Kubernetes cluster.  To do this, follow the instructions on the Cert-Manager website (https://cert-manager.io/docs/installation/).
+
+## Setup Certificate Issuer
+After Cert-Manager has been deployed, the next step used in this example is to setup a Certificate Issuer.  The Certificate Issuer can be configured to be local to a namespace or cluster wide.  In the examples provided here, a cluster wide issuer is created.
+
+### Configure Issuer
+```kubectl apply -k certman```
+
+This Kustomize deployment performs the following actions:
+
+* Creates a cluster wide (ClusterIssuer) self-signed certificate issuer.
+* Generates a common CA certificate.
+* Creates a cluster wide (ClusterIssuer) CA certificate issuer using the generated CA certificate.
+
+By default the issues are created in the cert-manager namespace which is the default namespace for Cert-Manager.
+
+The CA certificate issuer is important as the Postgres components require that the ca.crt be the same for the certificates generated to support Postgres.
+
+## Deploy Postgres with Custom Certificates
+
+With the cluster wide certificate issuer in place, the next step is to generate certificates and then instruct the Operator to use these certicates.
+
+Two certificates will be generated by the Kustomize deployment.  The first certificate secret is named <cluster>-tls (hippo-tls in this example) and the second certificate <cluster>-repl-tls (hippo-repl-tls).  The critical different between the two certificates is the Common Name (CN).  For the replication certificate (<cluster>-repl-tls), the Common Name must be _crunchyrepl.  If the Common Name is not set properly then the replicas will fail doing bootstrap process.
+
+In the Postgres manifest, two entries are added to point to the newly created Secrets.  The customTLSSecret key references the <cluster>-tls secret while the customReplicationTLSSecret references the <cluster>-repl-tls secret.
+
+### Deploy Postgres Cluster
+```kubectl apply -k postgres```
+
+The following process takes place during the deployment:
+* Custom certificate is generated for Postgres using the CA ClusterIssuer created in the previous steps.
+* Custom certificate is generated for Postgres replication using the CA ClusterIssuer.
+* Postgres cluster deployed using the custom certificates.
+

kustomize/certmanager/certman/ca-cert.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: selfsigned-ca
+  namespace: cert-manager
+spec:
+  isCA: true
+  commonName: postgres-operator
+  secretName: root-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-cluster-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io

kustomize/certmanager/certman/ca-issuer.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ca-issuer
+  namespace: cert-manager
+spec:
+  ca:
+    secretName: root-secret

kustomize/certmanager/certman/kustomization.yaml

@@ -0,0 +1,4 @@
+resources:
+- selfsigned-clusterissuer.yaml
+- ca-cert.yaml
+- ca-issuer.yaml

kustomize/certmanager/certman/selfsigned-clusterissuer.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-cluster-issuer
+  namespace: cert-manager
+spec:
+  selfSigned: {}

kustomize/certmanager/certman/selfsigned-issuer.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}

kustomize/certmanager/postgres/cert-repl.yaml

@@ -0,0 +1,39 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hippo-repl-certmanager
+spec:
+  # Secret names are always required.
+  secretName: hippo-repl-tls
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+    - crunchydata
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: _crunchyrepl
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+    - client auth
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+  - _crunchyrepl
+  # uris:
+  # - spiffe://cluster.local/ns/zoo/hippo
+  #ipAddresses:
+  #- 192.168.0.5
+  # Issuer references are always required.
+  issuerRef:
+    name: ca-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+    # This is optional since cert-manager will default to this value however
+    # if you are using an external issuer, change this to that issuer group.
+    group: cert-manager.io

kustomize/certmanager/postgres/cert.yaml

@@ -0,0 +1,39 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hippo-certmanager
+spec:
+  # Secret names are always required.
+  secretName: hippo-tls
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+    - crunchydata
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: postgres-operator
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+    - client auth
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+  - hippo-primary
+  # uris:
+  # - spiffe://cluster.local/ns/zoo/hippo
+  #ipAddresses:
+  #- 192.168.0.5
+  # Issuer references are always required.
+  issuerRef:
+    name: ca-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+    # This is optional since cert-manager will default to this value however
+    # if you are using an external issuer, change this to that issuer group.
+    group: cert-manager.io

kustomize/certmanager/postgres/kustomization.yaml

@@ -0,0 +1,6 @@
+namespace: zoo
+
+resources:
+- cert.yaml
+- cert-repl.yaml
+- postgres.yaml

kustomize/certmanager/postgres/postgres.yaml

@@ -0,0 +1,35 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: hippo
+spec:
+  image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-ha:centos8-13.3-0
+  postgresVersion: 13
+  openshift: true
+  customReplicationTLSSecret:
+    name: hippo-repl-tls
+  customTLSSecret:
+    name: hippo-tls
+  instances:
+    - name: pgc
+      replicas: 2
+      dataVolumeClaimSpec:
+        accessModes:
+        - "ReadWriteOnce"
+        resources:
+          requests:
+            storage: 1Gi
+  backups:
+    pgbackrest:
+      image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:centos8-2.33-0
+      repoHost:
+        dedicated: {}
+      repos:
+      - name: repo1
+        volume:
+          volumeClaimSpec:
+            accessModes:
+            - "ReadWriteOnce"
+            resources:
+              requests:
+                storage: 1Gi