Keybard-Vagabond-Demo/manifests/infrastructure/postgresql/cert-manager-certificates.yaml

---
# Self-signed issuer for PostgreSQL certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: postgresql-selfsigned-issuer
  namespace: postgresql-system
spec:
  selfSigned: {}

---
# Server TLS certificate for PostgreSQL cluster
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgresql-shared-server-cert
  namespace: postgresql-system
  labels:
    cnpg.io/reload: ""  # Enable automatic reload by CloudNativePG
spec:
  secretName: postgresql-shared-server-cert
  commonName: postgresql-shared-rw
  usages:
    - server auth
  dnsNames:
    # Primary service (read-write)
    - postgresql-shared-rw
    - postgresql-shared-rw.postgresql-system
    - postgresql-shared-rw.postgresql-system.svc
    - postgresql-shared-rw.postgresql-system.svc.cluster.local
    # Read service (read-only from any instance)
    - postgresql-shared-r
    - postgresql-shared-r.postgresql-system
    - postgresql-shared-r.postgresql-system.svc
    - postgresql-shared-r.postgresql-system.svc.cluster.local
    # Read-only service (read-only replicas only)
    - postgresql-shared-ro
    - postgresql-shared-ro.postgresql-system
    - postgresql-shared-ro.postgresql-system.svc
    - postgresql-shared-ro.postgresql-system.svc.cluster.local
  issuerRef:
    name: postgresql-selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
  # Certificate duration (90 days to match CloudNativePG default)
  duration: 2160h # 90 days
  renewBefore: 168h # 7 days (matches CloudNativePG default)

---
# Client certificate for streaming replication
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgresql-shared-client-cert
  namespace: postgresql-system
  labels:
    cnpg.io/reload: ""  # Enable automatic reload by CloudNativePG
spec:
  secretName: postgresql-shared-client-cert
  commonName: streaming_replica
  usages:
    - client auth
  issuerRef:
    name: postgresql-selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
  # Certificate duration (90 days to match CloudNativePG default)
  duration: 2160h # 90 days
  renewBefore: 168h # 7 days (matches CloudNativePG default)