adding Postgres primary & replica cert to Secret

Author: szelenka-cisco

internal/controller/postgrescluster/cluster.go

@@ -238,13 +238,13 @@ func (r *Reconciler) generateClusterReplicaService(
 // replica instances.
 func (r *Reconciler) reconcileClusterReplicaService(
 	ctx context.Context, cluster *v1beta1.PostgresCluster,
-) error {
+) (*corev1.Service, error) {
 	service, err := r.generateClusterReplicaService(cluster)
 
 	if err == nil {
 		err = errors.WithStack(r.apply(ctx, service))
 	}
-	return err
+	return service, err
 }
 
 // reconcileDataSource is responsible for reconciling the data source for a PostgreSQL cluster.

internal/controller/postgrescluster/controller.go

@@ -169,6 +169,7 @@ func (r *Reconciler) Reconcile(
 		patroniLeaderService     *corev1.Service
 		primaryCertificate       *corev1.SecretProjection
 		primaryService           *corev1.Service
+		replicaService           *corev1.Service
 		rootCA                   *pki.RootCertificateAuthority
 		monitoringSecret         *corev1.Secret
 		exporterWebConfig        *corev1.ConfigMap
@@ -294,10 +295,10 @@ func (r *Reconciler) Reconcile(
 		primaryService, err = r.reconcileClusterPrimaryService(ctx, cluster, patroniLeaderService)
 	}
 	if err == nil {
-		err = r.reconcileClusterReplicaService(ctx, cluster)
+		replicaService, err = r.reconcileClusterReplicaService(ctx, cluster)
 	}
 	if err == nil {
-		primaryCertificate, err = r.reconcileClusterCertificate(ctx, rootCA, cluster, primaryService)
+		primaryCertificate, err = r.reconcileClusterCertificate(ctx, rootCA, cluster, primaryService, replicaService)
 	}
 	if err == nil {
 		err = r.reconcilePatroniDistributedConfiguration(ctx, cluster)

internal/controller/postgrescluster/pki.go

@@ -118,6 +118,7 @@ func (r *Reconciler) reconcileRootCertificate(
 func (r *Reconciler) reconcileClusterCertificate(
 	ctx context.Context, root *pki.RootCertificateAuthority,
 	cluster *v1beta1.PostgresCluster, primaryService *corev1.Service,
+	replicaService *corev1.Service,
 ) (
 	*corev1.SecretProjection, error,
 ) {
@@ -133,7 +134,7 @@ func (r *Reconciler) reconcileClusterCertificate(
 		r.Client.Get(ctx, client.ObjectKeyFromObject(existing), existing)))
 
 	leaf := &pki.LeafCertificate{}
-	dnsNames := naming.ServiceDNSNames(ctx, primaryService)
+	dnsNames := append(naming.ServiceDNSNames(ctx, primaryService), naming.ServiceDNSNames(ctx, replicaService)...)
 	dnsFQDN := dnsNames[0]
 
 	if err == nil {

internal/controller/postgrescluster/pki_test.go

@@ -86,6 +86,10 @@ func TestReconcileCerts(t *testing.T) {
 	primaryService.Namespace = namespace
 	primaryService.Name = "the-primary"
 
+	replicaService := new(corev1.Service)
+	replicaService.Namespace = namespace
+	replicaService.Name = "the-replicas"
+
 	t.Run("check root certificate reconciliation", func(t *testing.T) {
 
 		initialRoot, err := r.reconcileRootCertificate(ctx, cluster1)
@@ -295,14 +299,14 @@ func TestReconcileCerts(t *testing.T) {
 		assert.NilError(t, err)
 
 		t.Run("check standard secret projection", func(t *testing.T) {
-			secretCertProj, err := r.reconcileClusterCertificate(ctx, initialRoot, cluster1, primaryService)
+			secretCertProj, err := r.reconcileClusterCertificate(ctx, initialRoot, cluster1, primaryService, replicaService)
 			assert.NilError(t, err)
 
 			assert.DeepEqual(t, testSecretProjection, secretCertProj)
 		})
 
 		t.Run("check custom secret projection", func(t *testing.T) {
-			customSecretCertProj, err := r.reconcileClusterCertificate(ctx, initialRoot, cluster2, primaryService)
+			customSecretCertProj, err := r.reconcileClusterCertificate(ctx, initialRoot, cluster2, primaryService, replicaService)
 			assert.NilError(t, err)
 
 			assert.DeepEqual(t, customSecretProjection, customSecretCertProj)
@@ -319,7 +323,7 @@ func TestReconcileCerts(t *testing.T) {
 			testSecretProjection := clusterCertSecretProjection(testSecret)
 
 			// reconcile the secret project using the normal process
-			customSecretCertProj, err := r.reconcileClusterCertificate(ctx, initialRoot, cluster2, primaryService)
+			customSecretCertProj, err := r.reconcileClusterCertificate(ctx, initialRoot, cluster2, primaryService, replicaService)
 			assert.NilError(t, err)
 
 			// results should be the same
@@ -349,7 +353,7 @@ func TestReconcileCerts(t *testing.T) {
 			assert.NilError(t, err)
 
 			// pass in the new root, which should result in a new cluster cert
-			_, err = r.reconcileClusterCertificate(ctx, returnedRoot, cluster1, primaryService)
+			_, err = r.reconcileClusterCertificate(ctx, returnedRoot, cluster1, primaryService, replicaService)
 			assert.NilError(t, err)
 
 			// get the new cluster cert secret
@@ -371,11 +375,16 @@ func TestReconcileCerts(t *testing.T) {
 				"got %q", leaf.Certificate.CommonName())
 
 			if dnsNames := leaf.Certificate.DNSNames(); assert.Check(t, len(dnsNames) > 1) {
-				assert.DeepEqual(t, dnsNames[1:], []string{
+				assert.DeepEqual(t, dnsNames[1:4], []string{
 					"the-primary." + namespace + ".svc",
 					"the-primary." + namespace,
 					"the-primary",
 				})
+				assert.DeepEqual(t, dnsNames[5:8], []string{
+					"the-replicas." + namespace + ".svc",
+					"the-replicas." + namespace,
+					"the-replicas",
+				})
 			}
 		})
 	})