`pgo-root-cacert` secret shared across `PerconaPGCluster` installations ?
Opened this issue · 3 comments
About the context:

In a single namespace named `postgres`, I have two `PerconaPGCluster` CRs which created two different Postgres databases named `archive` and `analytics`.

I did not specify any certificates in the CR, so that the Postgres Operator generates them automatically.

My Postgres Operator runs cluster wide in a namespace named `postgres-operator`.
Observations:

All secrets created by the Operator in namespace `postgres` are prefixed with each cluster name. But there is a secret `pgo-root-cacert` which is not prefixed, and which contains two owner references (might have been added by the Kapp deployer).

I am not sure if this is a problem, or if that means that both Postgres clusters share the same certificates, or if that simply means that cluster certificates are different but simply signed by the same CA.
```text
NAME                                 TYPE     DATA   AGE
analytics-analytics-hcdj-certs       Opaque   4      13h
analytics-cluster-cert               Opaque   3      13h
analytics-pgbackrest                 Opaque   1      13h
analytics-pgbouncer                  Opaque   6      13h
analytics-pguser-cocolis-analytics   Opaque   12     13h
analytics-replication-cert           Opaque   3      13h
archive-archive-mww4-certs           Opaque   4      2m2s
archive-cluster-cert                 Opaque   3      2m2s
archive-pgbackrest                   Opaque   1      2m3s
archive-pgbouncer                    Opaque   6      2m1s
archive-pguser-cocolis-archive       Opaque   12     2m2s
archive-replication-cert             Opaque   3      2m3s
pgo-root-cacert                      Opaque   2      13h    <- here
```
```yaml
[alex@adell] k8s $ kubectl -n postgres get secret/pgo-root-cacert -o yaml
apiVersion: v1
data:
  root.crt: blabla==
  root.key: blabla=
kind: Secret
metadata:
  creationTimestamp: "2023-11-27T21:09:39Z"
  name: pgo-root-cacert
  namespace: postgres
  ownerReferences:
  - apiVersion: postgres-operator.crunchydata.com/v1beta1
    kind: PostgresCluster
    name: analytics   # <- here
    uid: d0398d46-b70c-49bb-950c-75c98b6cb92c
  - apiVersion: postgres-operator.crunchydata.com/v1beta1
    kind: PostgresCluster
    name: archive   # <- here
    uid: 70bc1488-aeb1-421c-b36b-5670025f21f5
  resourceVersion: "3699654823"
  uid: 268a0f49-aef4-416f-958d-23efa9fef550
type: Opaque
```
@alexfouche yes, it is the CA for both clusters.
We need to document it properly.
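To confirm from the namespace's own Secrets what the answer above states, here is an added example (not code from the issue or from the operator project) that takes the JSON from `kubectl -n postgres get secrets -o json`, lists the PostgresClusters that own `pgo-root-cacert`, and reports which `<cluster>-cluster-cert` Secrets carry that same root under `ca.crt`. The `ca.crt` key name and the embedded sample manifests are assumptions constructed for the example.

```python
"""Report which PostgresClusters share the operator-generated root CA.

Added example, not from the issue or the operator. Input is the JSON
document produced by `kubectl -n postgres get secrets -o json`.
Assumption: each `<cluster>-cluster-cert` Secret stores its signing CA
under the key `ca.crt`.
"""
import base64
import json
import sys


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample manifests; PEM bodies are placeholders, not real keys.
ROOT_PEM = "-----BEGIN CERTIFICATE-----\nROOT-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
OTHER_PEM = "-----BEGIN CERTIFICATE-----\nOTHER-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_SECRETS = {"items": [
    {"metadata": {"name": "pgo-root-cacert", "ownerReferences": [
        {"kind": "PostgresCluster", "name": "analytics"},
        {"kind": "PostgresCluster", "name": "archive"}]},
     "data": {"root.crt": b64(ROOT_PEM), "root.key": b64("KEY-PLACEHOLDER")}},
    {"metadata": {"name": "analytics-cluster-cert"},
     "data": {"ca.crt": b64(ROOT_PEM), "tls.crt": b64("x"), "tls.key": b64("y")}},
    {"metadata": {"name": "archive-cluster-cert"},
     "data": {"ca.crt": b64(ROOT_PEM), "tls.crt": b64("x"), "tls.key": b64("y")}},
    # Constructed third cluster with its own CA, to show the "other_ca" branch.
    {"metadata": {"name": "legacy-cluster-cert"},
     "data": {"ca.crt": b64(OTHER_PEM), "tls.crt": b64("x"), "tls.key": b64("y")}},
]}


def shared_ca_report(secret_list: dict, root_name: str = "pgo-root-cacert") -> dict:
    """Return owners of the root CA Secret and which clusters' certs use it."""
    by_name = {s["metadata"]["name"]: s for s in secret_list["items"]}
    root = by_name[root_name]
    root_crt = base64.b64decode(root["data"]["root.crt"]).strip()
    owners = sorted(o["name"] for o in root["metadata"].get("ownerReferences", [])
                    if o.get("kind") == "PostgresCluster")
    signed, other = [], []
    for name, s in sorted(by_name.items()):
        if not name.endswith("-cluster-cert"):
            continue
        cluster = name[: -len("-cluster-cert")]
        ca = base64.b64decode(s["data"].get("ca.crt", "")).strip()
        (signed if ca == root_crt else other).append(cluster)
    return {"owners": owners, "signed_by_root": signed, "other_ca": other}


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SECRETS
    print(json.dumps(shared_ca_report(data), indent=2))
```

Run it with a file argument holding real `kubectl ... -o json` output, or with no argument to see the result on the constructed sample.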
Should I close the issue, or leave it open for documentation?
Let's keep it open. We have the following JIRA issues to capture it in the docs:
https://jira.percona.com/browse/K8SPG-468
https://jira.percona.com/browse/K8SPG-465
Thank you.