
feat(crossplane): add CNPG TLS certificates via cert-manager#7706

Merged
h0lybyte merged 1 commit into dev from trunk/crossplane-cnpg-certs-1772848060 on Mar 7, 2026

Conversation

@h0lybyte
Member

@h0lybyte h0lybyte commented Mar 7, 2026

Summary

  • Adds Crossplane Object resources that manage cert-manager Certificate CRDs for CNPG TLS
  • Server certificate (supabase-server-tls): 90-day duration, 30-day early renewal, covers all CNPG service DNS names (rw/r/ro)
  • Replication certificate (supabase-replication-tls): 90-day duration, 30-day early renewal, CN=streaming_replica

Context

This is PR 3b of the Phase 3 cert management externalization plan.

  • PR 3a (merged): Installed provider-kubernetes v1.2.1 + ProviderConfig + RBAC
  • PR 3b (this): Creates cert-manager Certificates via Crossplane Objects — writes to NEW secret names to avoid disrupting CNPG's current auto-managed certs
  • PR 3c (next): Switches CNPG postgres-cluster.yaml to reference these cert-manager-managed secrets

Key Design Decisions

  • Uses internal-ca-issuer (same CA chain as CNPG's internal certs)
  • New secret names (supabase-server-tls, supabase-replication-tls) — does NOT touch CNPG's existing auto-managed secrets
  • SkipDryRunOnMissingResource=true for ArgoCD compatibility (Object CRD may not exist until provider starts)

Verification

After ArgoCD sync + provider-kubernetes is HEALTHY:

kubectl get certificate -n kilobase supabase-server-tls supabase-replication-tls
# Both should show READY: True

kubectl get objects cnpg-server-certificate cnpg-replication-certificate
# Both should show SYNCED+READY

Risk

Zero disruption — creates new secrets alongside existing ones. CNPG continues using its auto-managed certs until PR 3c switches over.

Test plan

  • Crossplane Objects sync successfully (SYNCED+READY)
  • cert-manager issues both Certificates (READY: True)
  • New secrets supabase-server-tls and supabase-replication-tls exist in kilobase namespace
  • Existing CNPG auto-managed certs remain untouched
  • Database continues operating normally

🤖 Generated with Claude Code

Crossplane Object resources that manage cert-manager Certificate CRDs
for CNPG server and replication TLS. Certs are signed by internal-ca-issuer
with 90-day duration and 30-day early renewal. Uses new secret names
(supabase-server-tls, supabase-replication-tls) to avoid conflicting
with CNPG auto-managed secrets during the transition period.
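The pattern the PR describes, a provider-kubernetes Object owning a cert-manager Certificate, written out as an added example rather than the PR's own manifest; the Object API version, the ProviderConfig name `default`, the issuer kind and the CNPG cluster name `postgres-cluster` are assumptions:

```yaml
# Added illustration, not the manifest merged in this PR.
# Assumed: Object API version v1alpha2, ProviderConfig named "default",
# Issuer (not ClusterIssuer) kind, and a CNPG cluster named "postgres-cluster"
# whose rw/r/ro Services supply the DNS names.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: cnpg-server-certificate
  annotations:
    # Lets ArgoCD apply this before the Object CRD exists (provider not yet started).
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  providerConfigRef:
    name: default            # assumed; use the ProviderConfig installed in PR 3a
  forProvider:
    manifest:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: supabase-server-tls
        namespace: kilobase
      spec:
        secretName: supabase-server-tls   # new name, so CNPG's auto-managed secret is untouched
        duration: 2160h                   # 90 days; cert-manager takes Go durations, not "90d"
        renewBefore: 720h                 # renew 30 days before expiry
        issuerRef:
          name: internal-ca-issuer
          kind: Issuer                    # assumed kind
        usages:
          - server auth
        # Service DNS names for the assumed cluster name; all three endpoints are covered
        dnsNames:
          - postgres-cluster-rw
          - postgres-cluster-rw.kilobase
          - postgres-cluster-rw.kilobase.svc
          - postgres-cluster-rw.kilobase.svc.cluster.local
          - postgres-cluster-r
          - postgres-cluster-r.kilobase.svc.cluster.local
          - postgres-cluster-ro
          - postgres-cluster-ro.kilobase.svc.cluster.local
# The replication Object (cnpg-replication-certificate) has the same shape with
# name/secretName supabase-replication-tls, commonName: streaming_replica,
# usages: [client auth] and no dnsNames, since CNPG matches the replica on CN.
```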
@github-actions
Contributor

github-actions bot commented Mar 7, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@h0lybyte h0lybyte merged commit e7fc5fd into dev Mar 7, 2026
5 checks passed
@h0lybyte h0lybyte deleted the trunk/crossplane-cnpg-certs-1772848060 branch March 7, 2026 02:05