Closed
Description
In the documentation (certificates) there’s an example file: cluster-example-cert-manager.yaml.
I believe there may be an error in the Cluster spec at the bottom of that example. The certificate secrets look like they might be referenced incorrectly.
I’m not an expert in certificate handling, so I might be mistaken. But I wanted to flag this in case it needs correction.
```yaml
spec:
  certificates:
    serverTLSSecret: my-postgres-server-cert
    serverCASecret: my-postgres-server-cert # <-- looks wrong
    clientCASecret: my-postgres-client-cert # <-- looks wrong
    replicationTLSSecret: my-postgres-client-cert
```

Why this is a problem:

- `serverTLSSecret` should point to the server certificate (`my-postgres-server-cert`), looks okay.
- `serverCASecret` should point to the CA secret that signed the server certificate (`server-ca-key-pair`), not the same server cert secret ❌
- `clientCASecret` should point to the CA secret that issued client certificates (`client-ca-key-pair`), not the client cert secret ❌
- `replicationTLSSecret` can be a client certificate, that part looks okay.
So it should probably be:
```yaml
spec:
  certificates:
    serverTLSSecret: my-postgres-server-cert
    serverCASecret: server-ca-key-pair
    clientCASecret: client-ca-key-pair
    replicationTLSSecret: my-postgres-client-cert
```

That way:
- The Postgres operator knows which CA to trust (server and client)
- And which certificates to mount into pods
I’ve also tested a corrected version of the example, and it worked as expected for me.
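As an added check (not code from the issue or from the operator project), a small Python lint that flags the misreferenced secrets described above before a manifest is applied. It assumes the four field names shown in the issue, cert-manager's Secret layout (`ca.crt` in CA secrets, `tls.crt`/`tls.key` in certificate secrets) and manifests already parsed into dicts, so no YAML library is needed.

```python
# Added example: lints the spec.certificates block of a Cluster manifest.
# Assumes the field names from the issue, cert-manager's Secret layout
# (ca.crt in CA secrets, tls.crt/tls.key in leaf secrets) and dict input.
CA_FIELDS = ("serverCASecret", "clientCASecret")
LEAF_FIELDS = ("serverTLSSecret", "replicationTLSSecret")
# Each CA field should name the CA that signed the paired leaf secret.
PAIRS = (("serverCASecret", "serverTLSSecret"),
         ("clientCASecret", "replicationTLSSecret"))
NEEDED_KEYS = {**{f: {"ca.crt"} for f in CA_FIELDS},
               **{f: {"tls.crt", "tls.key"} for f in LEAF_FIELDS}}


def lint_certificates(cluster, secret_keys=None):
    """Return findings; an empty list means the block is consistent.

    secret_keys optionally maps Secret name -> set of keys in its data."""
    certs = cluster.get("spec", {}).get("certificates", {})
    findings, flagged = [], set()
    for ca_field, leaf_field in PAIRS:
        ca, leaf = certs.get(ca_field), certs.get(leaf_field)
        if ca and ca == leaf:  # the mistake in the docs snippet
            findings.append(f"{ca_field} reuses leaf secret {ca!r}; it must "
                            f"name the CA that signed {leaf_field}")
            flagged.add(ca)
    ca_names = {certs[f] for f in CA_FIELDS if f in certs}
    leaf_names = {certs[f] for f in LEAF_FIELDS if f in certs}
    for name in sorted((ca_names & leaf_names) - flagged):  # cross-wired
        findings.append(f"{name!r} is used both as a CA and as a leaf secret")
    if secret_keys is not None:  # check the referenced Secrets' contents
        for field, needed in NEEDED_KEYS.items():
            name = certs.get(field)
            missing = needed - secret_keys.get(name, set()) if name else set()
            if missing:
                findings.append(f"{field}={name!r} lacks {sorted(missing)}")
    return findings


# Constructed samples: the docs snippet from the issue and the proposed fix.
DOCS_SNIPPET = {"spec": {"certificates": {
    "serverTLSSecret": "my-postgres-server-cert",
    "serverCASecret": "my-postgres-server-cert",
    "clientCASecret": "my-postgres-client-cert",
    "replicationTLSSecret": "my-postgres-client-cert"}}}
CORRECTED = {"spec": {"certificates": {**DOCS_SNIPPET["spec"]["certificates"],
    "serverCASecret": "server-ca-key-pair",
    "clientCASecret": "client-ca-key-pair"}}}
# Constructed Secret inventory (name -> data keys), cert-manager layout.
SECRET_KEYS = {n: {"ca.crt", "tls.crt", "tls.key"} for n in
               ("server-ca-key-pair", "client-ca-key-pair",
                "my-postgres-server-cert", "my-postgres-client-cert")}
```

`lint_certificates(DOCS_SNIPPET, SECRET_KEYS)` reports the two reused secrets from the docs snippet, while the corrected block returns no findings.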