Enterprise Postgres 18 for Kubernetes User's Guide

4.8.1 When Using an Automatically Generated Certificate

4.8.1.1 How to Create a Certificate

The Operator can automatically generate certificates and use mTLS (mutual TLS) for communication between containers to improve security.

If cert-manager is installed in the Kubernetes environment, use cert-manager; if cert-manager is not installed, use the openssl command in the container to generate the certificate.

When certificates are generated automatically, the only connection method to PostgreSQL enabled by default is mutual-authentication TLS.

If you want to change the authentication method for each user, define the connection method for each user in spec.fepChildCrVal.customPgHba.

To change the automatic certificate generation feature, create the ConfigMap "fepopr-cert-method" below before installing the operator. cert-manager, openssl, and disable can be specified for data.fepopr-cert-method. To disable the automatic certificate generation feature, specify disable.

$ cat > /tmp/cert-method.yaml <<EOF
kind: ConfigMap
apiVersion: v1
metadata:
  name: fepopr-cert-method
immutable: true
data:
  fepopr-cert-method: disable
EOF

$ kubectl -n <namespace> apply -f /tmp/cert-method.yaml

When using the ClusterScope Operator, creating the ConfigMap "fepopr-cert-method" in the Namespace where the Operator is installed applies the same definition to all Namespaces.

If you want to use your own (manually created) certificate, disable the automatic certificate generation feature and refer to "4.8.2 When Using Your Own Certificate".

4.8.1.2 How to Create a Client Certificate

The automatic certificate generation feature automatically generates system user certificates for database management. If you want to create a certificate for a general user who connects to the database, refer to the following steps.

This section explains how to create a Secret resource containing a certificate to be mounted in the client container. The created Secret resource can be mounted on the client's Pod and used to connect to the FEPCluster using certificate authentication.

When using cert-manager to generate certificates
  1. Verify that the Issuer resource "<namespace>-ca-issuer" exists.

  2. Create a template for the Certificate resource.

    $ cat mydbuser-cert.yaml
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "<fepclustername>-<username>-cert"
      namespace: "<namespace>"
    spec:
      commonName: "<username>"
      issuerRef:
        name: <namespace>-ca-issuer
      secretName: "<fepclustername>-<username>-cert"

  3. Apply the Certificate resource.

    $ kubectl apply -f mydbuser-cert.yaml

When using openssl to generate certificates
  1. Get the CA certificate stored in the Secret "fepopr-root-secret".

    $ kubectl -n <namespace> get secret fepopr-root-secret -o jsonpath='{.data.tls\.key}' | base64 -d > <namespace>-ca.key

    $ kubectl -n <namespace> get secret fepopr-root-secret -o jsonpath='{.data.tls\.crt}' | base64 -d > <namespace>-ca.crt
  2. Create the certificate using the following command.

    $ serial=$(openssl rand -hex 8)
    $ openssl genrsa -out <fepclustername>-<username>.key 2048
    $ openssl req -new -key <fepclustername>-<username>.key -out <fepclustername>-<username>.csr -subj "/CN=<username>"
    $ openssl x509 -req -in <fepclustername>-<username>.csr -CA <namespace>-ca.crt -CAkey <namespace>-ca.key -set_serial "0x${serial}" -out <fepclustername>-<username>.crt -days 365
  3. Create a secret to store the certificate.

    $ kubectl -n <namespace> create secret tls <fepclustername>-<username>-cert --cert=<fepclustername>-<username>.crt --key=<fepclustername>-<username>.key
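The openssl procedure above, as an added example that is not part of the manual: a POSIX shell script that runs the same steps and then performs the two checks worth doing before the certificate goes into the Secret, namely that it chains to the namespace CA and that its CN is exactly the PostgreSQL user name (certificate authentication maps the CN to the database user). The CA is a locally generated stand-in for the key and certificate extracted from "fepopr-root-secret"; the names demo, fepcluster1 and mydbuser are assumed.

```shell
#!/bin/sh
# Added example (not from the manual). Reproduces the page's openssl steps and
# adds the two checks worth doing before the cert is put into a Secret.
set -eu

WORK=$(mktemp -d)

# Constructed stand-in for <namespace>-ca.key / <namespace>-ca.crt. In a real
# cluster these come from the Secret "fepopr-root-secret", not from here.
make_stub_ca() {
  ns=$1
  openssl genrsa -out "$WORK/$ns-ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/$ns-ca.key" -days 3650 \
    -subj "/CN=$ns-ca" -out "$WORK/$ns-ca.crt" 2>/dev/null
}

# The page's step 2: random serial, 2048-bit key, CSR with CN=<username>,
# certificate signed by the namespace CA, valid for 365 days. Prints the path.
make_client_cert() {
  ns=$1; cluster=$2; user=$3
  base="$WORK/$cluster-$user"
  serial=$(openssl rand -hex 8)
  openssl genrsa -out "$base.key" 2048 2>/dev/null
  openssl req -new -key "$base.key" -out "$base.csr" -subj "/CN=$user" 2>/dev/null
  openssl x509 -req -in "$base.csr" -CA "$WORK/$ns-ca.crt" -CAkey "$WORK/$ns-ca.key" \
    -set_serial "0x$serial" -out "$base.crt" -days 365 2>/dev/null
  echo "$base.crt"
}

# Pre-mount checks: the certificate must chain to the namespace CA, and its CN
# must be exactly the PostgreSQL role name, because certificate authentication
# maps the CN to the database user. Returns 0 only if both hold.
verify_client_cert() {
  ns=$1; crt=$2; user=$3
  openssl verify -CAfile "$WORK/$ns-ca.crt" "$crt" >/dev/null 2>&1 || return 1
  subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$subj" = "CN=$user" ]
}

# Usage (names demo / fepcluster1 / mydbuser are assumed):
#   make_stub_ca demo
#   crt=$(make_client_cert demo fepcluster1 mydbuser)
#   verify_client_cert demo "$crt" mydbuser && echo "ok: safe to create the Secret"
```

In a real namespace, replace make_stub_ca with the two kubectl extractions from step 1 and point verify_client_cert at the extracted <namespace>-ca.crt.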