pgo-root-cacert secret shared across PerconaPGCluster installations? #589

Open
alexfouche opened this issue Nov 28, 2023 · 3 comments

alexfouche commented Nov 28, 2023

About the context:

In a single namespace named postgres, I have two PerconaPGCluster CRs which created two different Postgres databases named archive and analytics.

I did not specify any certificates in the CRs, so that the Postgres Operator generates them automatically.

My Postgres Operator runs cluster-wide in a namespace named postgres-operator.

Observations:

All secrets created by the Operator in namespace postgres are prefixed with each cluster name. But there is a secret pgo-root-cacert which is not prefixed, and which contains two owner references (they might have been added by the Kapp deployer).

I am not sure if this is a problem, or if it means that both Postgres clusters share the same certificates, or if it simply means that the cluster certificates are different but signed by the same CA.

```
NAME                                 TYPE     DATA   AGE
analytics-analytics-hcdj-certs       Opaque   4      13h
analytics-cluster-cert               Opaque   3      13h
analytics-pgbackrest                 Opaque   1      13h
analytics-pgbouncer                  Opaque   6      13h
analytics-pguser-cocolis-analytics   Opaque   12     13h
analytics-replication-cert           Opaque   3      13h
archive-archive-mww4-certs           Opaque   4      2m2s
archive-cluster-cert                 Opaque   3      2m2s
archive-pgbackrest                   Opaque   1      2m3s
archive-pgbouncer                    Opaque   6      2m1s
archive-pguser-cocolis-archive       Opaque   12     2m2s
archive-replication-cert             Opaque   3      2m3s
pgo-root-cacert                      Opaque   2      13h       <- here
```

```
[alex@adell] k8s $ kubectl -n postgres get secret/pgo-root-cacert -o yaml
apiVersion: v1
data:
  root.crt: blabla==
  root.key: blabla=
kind: Secret
metadata:
  creationTimestamp: "2023-11-27T21:09:39Z"
  name: pgo-root-cacert
  namespace: postgres
  ownerReferences:
  - apiVersion: postgres-operator.crunchydata.com/v1beta1
    kind: PostgresCluster
    name: analytics                                               <- here
    uid: d0398d46-b70c-49bb-950c-75c98b6cb92c
  - apiVersion: postgres-operator.crunchydata.com/v1beta1
    kind: PostgresCluster
    name: archive                                                 <- here
    uid: 70bc1488-aeb1-421c-b36b-5670025f21f5
  resourceVersion: "3699654823"
  uid: 268a0f49-aef4-416f-958d-23efa9fef550
type: Opaque
```

spron-in commented Dec 4, 2023

@alexfouche yes, it is CA for both clusters.
We need to document it properly.
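As an added illustration (not from this thread or the operator's own code) of what "one CA for both clusters" means in practice: each cluster gets its own certificate and key, but both verify against the same root.crt held in pgo-root-cacert, so that single secret is the trust anchor for every cluster in the namespace. The certificates below are constructed stand-ins generated in code; the function names are mine, and the assumption that a cluster's server certificate is the tls.crt of `<name>-cluster-cert` is mine too.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// issue creates a constructed certificate for cn. With parent == nil it is a self-signed
// CA standing in for root.crt of pgo-root-cacert; otherwise it is a leaf signed by that CA.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed root: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

// ChainsToRoot reports whether leafPEM (a cluster's server certificate) verifies against
// the CA in rootPEM (the decoded root.crt of pgo-root-cacert); nil means it was issued under it.
func ChainsToRoot(rootPEM, leafPEM []byte) error {
	roots := x509.NewCertPool()
	block, _ := pem.Decode(leafPEM)
	if !roots.AppendCertsFromPEM(rootPEM) || block == nil {
		return errors.New("root.crt or leaf holds no PEM certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
```

To run the check against a live namespace, base64-decode root.crt from pgo-root-cacert and the server certificate from each `<name>-cluster-cert` and pass them to ChainsToRoot; a non-nil error means that cluster is not under the shared root.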

alexfouche (Author) commented

Should I close the issue, or leave it open for documentation?


spron-in commented Dec 8, 2023

Let's keep it open. We have the following JIRA issues to capture it in the docs:
https://jira.percona.com/browse/K8SPG-468
https://jira.percona.com/browse/K8SPG-465

Thank you.
