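---
# Self-signed issuer for PostgreSQL certificates.
# NOTE(review): a selfSigned issuer signs each Certificate below with its own
# key, so every leaf is its own trust anchor and the anchor changes on each
# renewal. Confirm that the CloudNativePG cluster's serverCASecret /
# clientCASecret wiring tolerates this; the usual cert-manager layout is a
# selfSigned issuer -> CA Certificate (isCA: true) -> CA Issuer -> leaves.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: postgresql-selfsigned-issuer
  namespace: postgresql-system
spec:
  selfSigned: {}
---
# Server TLS certificate for PostgreSQL cluster
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgresql-shared-server-cert
  namespace: postgresql-system
  labels:
    cnpg.io/reload: ""  # Enable automatic reload by CloudNativePG
spec:
  secretName: postgresql-shared-server-cert
  commonName: postgresql-shared-rw
  usages:
    - server auth
  dnsNames:
    # Primary service (read-write)
    - postgresql-shared-rw
    - postgresql-shared-rw.postgresql-system
    - postgresql-shared-rw.postgresql-system.svc
    - postgresql-shared-rw.postgresql-system.svc.cluster.local
    # Read service (read-only from any instance)
    - postgresql-shared-r
    - postgresql-shared-r.postgresql-system
    - postgresql-shared-r.postgresql-system.svc
    - postgresql-shared-r.postgresql-system.svc.cluster.local
    # Read-only service (read-only replicas only)
    - postgresql-shared-ro
    - postgresql-shared-ro.postgresql-system
    - postgresql-shared-ro.postgresql-system.svc
    - postgresql-shared-ro.postgresql-system.svc.cluster.local
  issuerRef:
    name: postgresql-selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
  # Certificate duration (90 days to match CloudNativePG default)
  duration: 2160h  # 90 days
  renewBefore: 168h  # 7 days (matches CloudNativePG default)
  # Generate a new private key at every renewal; without this, older
  # cert-manager releases reuse the same key for the lifetime of the
  # Secret, so the 90-day rotation only refreshes the certificate.
  privateKey:
    rotationPolicy: Always
---
# Client certificate for streaming replication
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgresql-shared-client-cert
  namespace: postgresql-system
  labels:
    cnpg.io/reload: ""  # Enable automatic reload by CloudNativePG
spec:
  secretName: postgresql-shared-client-cert
  # CloudNativePG expects the replication client identity in the CN.
  commonName: streaming_replica
  usages:
    - client auth
  issuerRef:
    name: postgresql-selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
  # Certificate duration (90 days to match CloudNativePG default)
  duration: 2160h  # 90 days
  renewBefore: 168h  # 7 days (matches CloudNativePG default)
  # Rotate the replication client key together with the certificate.
  privateKey:
    rotationPolicy: Always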