Certificates configuration issues

Hi all. I have some problems in configuring certificates for the cluster. Specifically, according to the documentation:

> <p style="box-sizing: border-box; line-height: 24px; font-size: 16px; margin: 0px 0px 24px; color: rgb(64, 64, 64); font-family: Lato, proxima-nova, &quot;Helvetica Neue&quot;, Arial, sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(252, 252, 252); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">CertificatesConfiguration contains the needed configurations to handle server certificates.</p><div class="wy-table-responsive" style="box-sizing: border-box; margin-bottom: 24px; max-width: 100%; overflow: auto; color: rgb(64, 64, 64); font-family: Lato, proxima-nova, &quot;Helvetica Neue&quot;, Arial, sans-serif; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(252, 252, 252); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">
Field | Description
-- | --
serverCASecretstring | The secret containing the Server CA certificate. If not defined, a new secret will be created with a self-signed CA and will be used to generate the TLS certificate ServerTLSSecret.&nbsp;Contains:ca.crt: CA that should be used to validate the server certificate, used as&nbsp;sslrootcert&nbsp;in client connection strings.ca.key: key used to generate Server SSL certs, if ServerTLSSecret is provided, this can be omitted.
serverTLSSecretstring | The secret of type kubernetes.io/tls containing the server TLS certificate and key that will be set as&nbsp;ssl_cert_file&nbsp;and&nbsp;ssl_key_file&nbsp;so that clients can connect to postgres securely. If not defined, ServerCASecret must provide also&nbsp;ca.key&nbsp;and a new secret will be created using the provided CA.
replicationTLSSecretstring | The secret of type kubernetes.io/tls containing the client certificate to authenticate as the&nbsp;streaming_replica&nbsp;user. If not defined, ClientCASecret must provide also&nbsp;ca.key, and a new secret will be created using the provided CA.
clientCASecretstring | The secret containing the Client CA certificate. If not defined, a new secret will be created with a self-signed CA and will be used to generate all the client certificates.&nbsp;Contains:ca.crt: CA that should be used to validate the client certificates, used as&nbsp;ssl_ca_file&nbsp;of all the instances.ca.key: key used to generate client certificates, if ReplicationTLSSecret is provided, this can be omitted.
serverAltDNSNames[]string | The list of the server alternative DNS names to be added to the generated server TLS certificates, when required.

</div>

I create certificates with cert-manager + vault pki:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-ca
spec:
  isCA: true
  commonName: postgres.svc.cluster.local
  secretName: postgres-ca-tls
  issuerRef:
    name: cluster-issuer
    kind: ClusterIssuer

```

Inside postgres-ca ca.key is not present.

```yaml

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-server-tls
spec:
  commonName: postgres.svc.cluster.local
  dnsNames:
    - postgres.svc.cluster.local
  secretName: postgres-server-tls
  privateKey:
    algorithm: RSA
    size: 2048
  issuerRef:
    name: cluster-issuer
    kind: ClusterIssuer

```

```yaml

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-replication-tls
spec:
  commonName: streaming-replica.svc.cluster.local
  secretName: postgres-replication-tls
  privateKey:
    algorithm: RSA
    size: 2048
  issuerRef:
    name: cluster-issuer
    kind: ClusterIssuer

```

Despite providing all certificates like this in values.yaml:

```yaml

  certificates:
    serverCASecret: "postgres-ca-tls"
    serverTLSSecret: "postgres-server-tls"
    clientCASecret: "postgres-ca-tls"
    replicationTLSSecret: "postgres-replication-tls"

```

From the operator logs I get:

> {"level":"error","ts":"2025-04-27T17:11:09.290719455Z","msg":"while reconciling postgres cluster objects","controller":"cluster","controllerGroup":"postgresql.cnpg.io","controllerKind":"Cluster","Cluster":{"name":"postgres-cluster","namespace":"default"},"namespace":"default","name":"postgres-cluster","reconcileID":"7cb77546-4987-41bf-8525-e2cc1e718c5d","error":"missing ca.key secret data","stacktrace":"github.com/cloudnative-pg/machinery/pkg/log.(*logger).Error\n\tpkg/mod/github.com/cloudnative-pg/machinery@v0.2.0/pkg/log/log.go:125\ngithub.com/cloudnative-pg/cloudnative-pg/internal/controller.(*ClusterReconciler).reconcile\n\tinternal/controller/cluster_controller.go:290\ngithub.com/cloudnative-pg/cloudnative-pg/internal/controller.(*ClusterReconciler).Reconcile\n\tinternal/controller/cluster_controller.go:220\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:334\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}

Instead, the ca.key should not be necessary. Am I missing something? 

Thank you!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Certificates configuration issues #573

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Field	Description
serverCASecretstring	The secret containing the Server CA certificate. If not defined, a new secret will be created with a self-signed CA and will be used to generate the TLS certificate ServerTLSSecret. Contains:ca.crt: CA that should be used to validate the server certificate, used as sslrootcert in client connection strings.ca.key: key used to generate Server SSL certs, if ServerTLSSecret is provided, this can be omitted.
serverTLSSecretstring	The secret of type kubernetes.io/tls containing the server TLS certificate and key that will be set as ssl_cert_file and ssl_key_file so that clients can connect to postgres securely. If not defined, ServerCASecret must provide also ca.key and a new secret will be created using the provided CA.
replicationTLSSecretstring	The secret of type kubernetes.io/tls containing the client certificate to authenticate as the streaming_replica user. If not defined, ClientCASecret must provide also ca.key, and a new secret will be created using the provided CA.
clientCASecretstring	The secret containing the Client CA certificate. If not defined, a new secret will be created with a self-signed CA and will be used to generate all the client certificates. Contains:ca.crt: CA that should be used to validate the client certificates, used as ssl_ca_file of all the instances.ca.key: key used to generate client certificates, if ReplicationTLSSecret is provided, this can be omitted.
serverAltDNSNames[]string	The list of the server alternative DNS names to be added to the generated server TLS certificates, when required.

Certificates configuration issues #573

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions