From 7dd9905b78a880cfe12534bc7560d5869985b9a6 Mon Sep 17 00:00:00 2001 From: Max Roby Date: Fri, 3 Nov 2023 08:54:02 +0100 Subject: [PATCH] add cert-manager based mtls --- charts/cloudnative-pg-tenant/Chart.yaml | 2 +- charts/cloudnative-pg-tenant/README.md | 4 +- .../templates/client_certificates.yaml | 21 ++++++++++ .../templates/cluster_certificates.yaml | 39 +++++++++++++++++++ .../templates/scheduled_backups.yaml | 12 ++++++ .../templates/tenant.yaml | 30 ++++---------- charts/cloudnative-pg-tenant/values.yaml | 5 +-- 7 files changed, 85 insertions(+), 28 deletions(-) create mode 100644 charts/cloudnative-pg-tenant/templates/client_certificates.yaml create mode 100644 charts/cloudnative-pg-tenant/templates/cluster_certificates.yaml create mode 100644 charts/cloudnative-pg-tenant/templates/scheduled_backups.yaml diff --git a/charts/cloudnative-pg-tenant/Chart.yaml b/charts/cloudnative-pg-tenant/Chart.yaml index 84cc257..c17d445 100644 --- a/charts/cloudnative-pg-tenant/Chart.yaml +++ b/charts/cloudnative-pg-tenant/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: cnpg-tenant description: Create postgres tenant clusters managed by the CNPG Operator type: application -version: 0.0.2 +version: 0.0.3 maintainers: - name: "cloudymax" diff --git a/charts/cloudnative-pg-tenant/README.md b/charts/cloudnative-pg-tenant/README.md index f634693..983cf4e 100644 --- a/charts/cloudnative-pg-tenant/README.md +++ b/charts/cloudnative-pg-tenant/README.md @@ -1,6 +1,6 @@ # cnpg-tenant -![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.0.3](https://img.shields.io/badge/Version-0.0.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Create postgres tenant clusters managed by the CNPG Operator 
@@ -26,7 +26,7 @@ Create postgres tenant clusters managed by the CNPG Operator | bootstrap.initdb.secret.name | string | `"app-secret"` | | | instances | int | `3` | | | monitoring.enablePodMonitor | bool | `true` | | -| name | string | `"example"` | | +| name | string | `"cnpg"` | | | postgresql.pg_hba[0] | string | `"hostnossl all all 0.0.0.0/0 reject"` | | | postgresql.pg_hba[1] | string | `"hostssl all all 0.0.0.0/0 cert clientcert=verify-full"` | | | scheduledBackup.name | string | `"example-backup"` | | diff --git a/charts/cloudnative-pg-tenant/templates/client_certificates.yaml b/charts/cloudnative-pg-tenant/templates/client_certificates.yaml new file mode 100644 index 0000000..e6f578e --- /dev/null +++ b/charts/cloudnative-pg-tenant/templates/client_certificates.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ .Values.name }}-client-cert" + labels: + cnpg.io/reload: "" +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: "{{ .Values.name }}-client-cert" +spec: + secretName: "{{ .Values.name }}-client-cert" + usages: + - client auth + commonName: streaming_replica + issuerRef: + name: "{{ .Values.name }}-selfsigned-issuer" + kind: Issuer + group: cert-manager.io diff --git a/charts/cloudnative-pg-tenant/templates/cluster_certificates.yaml b/charts/cloudnative-pg-tenant/templates/cluster_certificates.yaml new file mode 100644 index 0000000..6ac2732 --- /dev/null +++ b/charts/cloudnative-pg-tenant/templates/cluster_certificates.yaml 
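Review bot: In client_certificates.yaml the `streaming_replica` leaf Certificate is issued straight from the `-selfsigned-issuer`, yet tenant.yaml (later in this patch) points the Cluster's `clientCASecret` at that same `-client-cert` Secret, so the only "CA" the server trusts for `clientcert=verify-full` is the replication cert itself (if I read cert-manager's selfSigned behaviour correctly, `ca.crt` is just a copy of the leaf). No application client can then present a trusted certificate, and issuing further client certs later has no common signer; the usual shape is a CA Certificate with `isCA: true` signed by the self-signed Issuer, a second Issuer referencing that CA secret, and leaf certs issued from it, with `clientCASecret` pointing at the CA secret. Separately, the empty `Secret` pre-created only to carry `cnpg.io/reload: ""` is fragile under `helm upgrade --force`; cert-manager can attach that label itself via `secretTemplate:` / `labels:` / `cnpg.io/reload: ""` on the Certificate, which removes the hand-made Secret entirely.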
@@ -0,0 +1,39 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: "{{ .Values.name }}-selfsigned-issuer" +spec: + selfSigned: {} +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ .Values.name }}-server-secret" + labels: + cnpg.io/reload: "" +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: "{{ .Values.name }}-server-cert" +spec: + secretName: "{{ .Values.name }}-server-cert" + usages: + - server auth + dnsNames: + - "{{ .Values.name }}-lb.internal.mydomain.net" + - "{{ .Values.name }}-rw" + - "{{ .Values.name }}-rw.default" + - "{{ .Values.name }}-rw.default.svc" + - "{{ .Values.name }}-r" + - "{{ .Values.name }}-r.default" + - "{{ .Values.name }}-r.default.svc" + - "{{ .Values.name }}-ro" + - "{{ .Values.name }}-ro.default" + - "{{ .Values.name }}-ro.default.svc" + issuerRef: + name: "{{ .Values.name }}-selfsigned-issuer" + kind: Issuer + group: cert-manager.io + diff --git a/charts/cloudnative-pg-tenant/templates/scheduled_backups.yaml b/charts/cloudnative-pg-tenant/templates/scheduled_backups.yaml new file mode 100644 index 0000000..af0039b --- /dev/null +++ b/charts/cloudnative-pg-tenant/templates/scheduled_backups.yaml @@ -0,0 +1,12 @@ +{{- if .Values.scheduledBackup }} +--- +apiVersion: postgresql.cnpg.io/v1 +kind: ScheduledBackup +metadata: + name: {{ .Values.scheduledBackup.name }} +spec: + schedule: {{ .Values.scheduledBackup.spec.schedule }} + backupOwnerReference: {{ .Values.scheduledBackup.spec.backupOwnerReference }} + cluster: + name: {{ .Values.scheduledBackup.spec.cluster.name }} +{{- end }} diff --git a/charts/cloudnative-pg-tenant/templates/tenant.yaml b/charts/cloudnative-pg-tenant/templates/tenant.yaml index cfcb845..cc526a4 100644 --- a/charts/cloudnative-pg-tenant/templates/tenant.yaml +++ b/charts/cloudnative-pg-tenant/templates/tenant.yaml 
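Review bot: The pre-created Secret in cluster_certificates.yaml is named `{{ .Values.name }}-server-secret`, but the Certificate writes to `secretName: "{{ .Values.name }}-server-cert"`, so the `cnpg.io/reload` label sits on an orphan empty Secret and the real server cert Secret never carries it; change the Secret's name to `name: "{{ .Values.name }}-server-cert"` (or use the Certificate's `secretTemplate` for the label). The `dnsNames` also hard-code the `default` namespace and `internal.mydomain.net`: installed into any other namespace, the service FQDNs `…-rw.<ns>.svc` will not match the SAN list and clients doing `verify-full` will reject the server; use `- "{{ .Values.name }}-rw.{{ .Release.Namespace }}.svc"` (and likewise for `-r` / `-ro` and the bare `.<ns>` forms) and move the external hostname into a value such as `externalHostname` rather than shipping a placeholder domain in the chart. The trailing blank line after `group: cert-manager.io` renders into the manifest and will be flagged by yamllint.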
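Review bot: In scheduled_backups.yaml `schedule: {{ .Values.scheduledBackup.spec.schedule }}` emits the cron string as a plain scalar; any schedule beginning with `*` (for example a "every N minutes" form) starts with the YAML alias indicator and the rendered manifest fails to parse, and one beginning with digits is at risk of implicit typing. Render it quoted, `schedule: {{ .Values.scheduledBackup.spec.schedule | quote }}`, and do the same for `name:` and `cluster.name:` so that a purely numeric tenant name stays a string. The `{{- if .Values.scheduledBackup }}` guard is fine, but note that values.yaml in this same patch still defines `scheduledBackup`, so users must set it to `null` rather than omit keys to disable the resource — worth a line in README.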
@@ -2,25 +2,21 @@ apiVersion: postgresql.cnpg.io/v1 kind: Cluster metadata: - name: cluster-example + name: {{ .Values.name }} spec: instances: {{ .Values.instances}} + certificates: + clientCASecret: "{{ .Values.name}}-client-cert" + replicationTLSSecret: "{{ .Values.name }}-client-cert" + {{- with .Values.backup }} backup: - barmanObjectStore: - destinationPath: {{ .Values.destinationPath }} - s3Credentials: - accessKeyId: - name: {{ .Values.backup.s3Credentials.accessKeyId.name }} - key: {{ .Values.backup.s3Credentials.accessKeyId.key }} - secretAccessKey: - name: {{ .Values.backup.s3Credentials.secretAccessKey.name }} - key: {{ .Values.backup.s3Credentials.secretAccessKey.key }} - retentionPolicy: {{ .Values.backup.retentionPolicy }} + {{- toYaml . | nindent 4 }} + {{- end }} monitoring: enablePodMonitor: {{ .Values.monitoring.enablePodMonitor }} {{- with .Values.postgresql }} postgresql: - {{- toYaml . | nindent 4}} + {{- toYaml . | nindent 4 }} {{- end }} storage: size: {{ .Values.storage.size }} @@ -28,13 +24,3 @@ spec: bootstrap: {{- toYaml . | nindent 4 }} {{- end }} ---- -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: {{ .Values.scheduledBackup.name }} -spec: - schedule: {{ .Values.scheduledBackup.spec.schedule }} - backupOwnerReference: {{ .Values.scheduledBackup.spec.backupOwnerReference }} - cluster: - name: {{ .Values.scheduledBackup.spec.cluster.name }} diff --git a/charts/cloudnative-pg-tenant/values.yaml b/charts/cloudnative-pg-tenant/values.yaml index 15709a7..48c15ab 100644 --- a/charts/cloudnative-pg-tenant/values.yaml +++ b/charts/cloudnative-pg-tenant/values.yaml @@ -1,4 +1,4 @@ -name: "example" +name: "cnpg" instances: 3 @@ -25,6 +25,7 @@ backup: name: "aws-creds" key : "ACCESS_SECRET_KEY" + scheduledBackup: name: example-backup spec: @@ -43,5 +44,3 @@ postgresql: storage: size: 1Gi - -
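Review bot: The new `certificates:` block in tenant.yaml sets only `clientCASecret` and `replicationTLSSecret`, so the server Certificate introduced in cluster_certificates.yaml is never consumed: the operator keeps its own generated server CA and the cert-manager SAN list is irrelevant to what clients actually verify. If the intent is cert-manager-managed server TLS, the block also needs `serverTLSSecret: "{{ .Values.name }}-server-cert"` and a matching `serverCASecret:` pointing at whichever Secret holds the signing CA (with the current self-signed leaf that is the same Secret; with a proper CA Issuer it is the CA secret). Minor: `"{{ .Values.name}}-client-cert"` is missing the space before `}}` that every other expression in the file uses. Replacing the explicit `barmanObjectStore` fields with `{{- toYaml . | nindent 4 }}` over `.Values.backup` also drops the old `.Values.destinationPath` reference, which changes the expected values layout; the values.yaml hunks in this patch do not show `backup.barmanObjectStore.destinationPath`, so please confirm values.yaml and the README table were updated to the new shape, as this is a breaking change for existing installs that the version bump to 0.0.3 does not signal.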