PostgreSQL Operator API Encryption Configuration

Configuring Encryption of PostgreSQL Operator API Connection

The PostgreSQL Operator REST API connection is encrypted with TLS, using the private key and certificate stored in the pgo.tls Secret.

The pgo.tls Secret can be generated before the PostgreSQL Operator starts, or you can let the Operator generate the Secret for you if it does not exist when the Operator starts.

Replace the default keys with your own to meet your security requirements. The pgo.tls Secret is created when you run:

make deployoperator

The keys are generated when the RBAC script is executed by the cluster admin:

make installrbac

In some scenarios, such as an OLM deployment, it is preferable for the Operator to generate the Secret keys at runtime: if the pgo.tls Secret does not exist when the Operator starts, a new TLS Secret is generated.

In this scenario, you can extract the generated TLS key and certificate from the apiserver container using:

kubectl cp <pgo-namespace>/<pgo-pod>:/tmp/server.key /tmp/server.key -c apiserver
kubectl cp <pgo-namespace>/<pgo-pod>:/tmp/server.crt /tmp/server.crt -c apiserver

For example:

kubectl cp pgo/postgres-operator-585584f57d-ntwr5:/tmp/server.key /tmp/server.key -c apiserver
kubectl cp pgo/postgres-operator-585584f57d-ntwr5:/tmp/server.crt /tmp/server.crt -c apiserver

This server.key and server.crt can then be used to access the pgo-apiserver from the pgo CLI by setting the following variables in your client environment. Note that the server certificate is also used as the CA certificate the client trusts, and the same key pair is presented as the client certificate, so anyone who can read the pgo.tls Secret (or the extracted files) can authenticate to the API; protect these files accordingly.

export PGO_CA_CERT=/tmp/server.crt
export PGO_CLIENT_CERT=/tmp/server.crt
export PGO_CLIENT_KEY=/tmp/server.key

You can view the TLS Secret using:

kubectl get secret pgo.tls -n pgo

or

oc get secret pgo.tls -n pgo

If you create the Secret outside of the Operator, for example using the default installation script, the key and cert generated by the default installation are found here:

$PGOROOT/conf/postgres-operator/server.crt
$PGOROOT/conf/postgres-operator/server.key

The key and cert are generated using the deploy/gen-api-keys.sh script.

That script is executed when running:

make installrbac

You can extract the server.key and server.crt from the Secret using the following:

oc get secret pgo.tls -n $PGO_OPERATOR_NAMESPACE -o jsonpath='{.data.tls\.key}' | base64 --decode > /tmp/server.key
oc get secret pgo.tls -n $PGO_OPERATOR_NAMESPACE -o jsonpath='{.data.tls\.crt}' | base64 --decode > /tmp/server.crt

This server.key and server.crt can then be used to access the pgo-apiserver REST API from the pgo CLI on your client host.
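The following script is an added example, not part of the PostgreSQL Operator project or this page: it wraps the extraction commands above, then checks that the extracted private key actually belongs to the certificate and that the certificate is not about to expire before you point the pgo CLI at them. A key that does not match its certificate, or a certificate that has expired, shows up as a TLS handshake failure in the CLI; checking here gives a clearer answer. The function names (extract_pgo_tls, check_pair, pgo_env), the /tmp/pgo-tls output directory and the 7-day expiry window are assumptions; kubectl, base64 and openssl are assumed to be on PATH.

```shell
#!/usr/bin/env bash
# Added example (not the PostgreSQL Operator project's code): extract the TLS
# key and certificate from the pgo.tls Secret, verify them, print pgo CLI env.
set -euo pipefail

# extract_pgo_tls NAMESPACE OUTDIR
# Writes OUTDIR/server.key and OUTDIR/server.crt from the pgo.tls Secret,
# using the same jsonpath/base64 extraction as shown on this page.
extract_pgo_tls() {
  local ns="$1" out="$2"
  mkdir -p "$out"
  kubectl get secret pgo.tls -n "$ns" -o jsonpath='{.data.tls\.key}' | base64 --decode > "$out/server.key"
  kubectl get secret pgo.tls -n "$ns" -o jsonpath='{.data.tls\.crt}' | base64 --decode > "$out/server.crt"
  chmod 600 "$out/server.key"   # this is the operator's private key; keep it owner-readable only
}

# check_pair KEYFILE CRTFILE [MIN_DAYS]
# Returns 0 when the certificate's public key matches the private key and the
# certificate remains valid for at least MIN_DAYS (assumed default: 7).
# Returns 1 on unreadable input, 2 on key/cert mismatch, 3 on imminent expiry.
check_pair() {
  local key="$1" crt="$2" min_days="${3:-7}"
  local key_pub crt_pub
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot read private key $key" >&2; return 1; }
  crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) \
    || { echo "cannot read certificate $crt" >&2; return 1; }
  # Both commands emit the SubjectPublicKeyInfo in PEM form, so a matching
  # pair yields byte-identical output.
  if [ "$key_pub" != "$crt_pub" ]; then
    echo "private key $key does not match certificate $crt" >&2
    return 2
  fi
  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "certificate $crt expires within $min_days days" >&2
    return 3
  fi
  return 0
}

# pgo_env KEYFILE CRTFILE
# Prints the three export lines from this page. The self-signed server
# certificate doubles as the CA the client trusts, and the same key pair is
# presented as the client certificate.
pgo_env() {
  printf 'export PGO_CA_CERT=%s\nexport PGO_CLIENT_CERT=%s\nexport PGO_CLIENT_KEY=%s\n' "$2" "$2" "$1"
}

# Usage (assumed entry point): ./pgo-tls.sh run
if [ "${1:-}" = "run" ]; then
  extract_pgo_tls "${PGO_OPERATOR_NAMESPACE:-pgo}" /tmp/pgo-tls
  check_pair /tmp/pgo-tls/server.key /tmp/pgo-tls/server.crt
  pgo_env /tmp/pgo-tls/server.key /tmp/pgo-tls/server.crt
fi
```

Run it with the `run` argument on a host that has cluster access; `eval "$(./pgo-tls.sh run)"` puts the exports into the current shell. check_pair can also be run on its own against the files copied out with kubectl cp earlier on this page. If the Operator regenerates the Secret (for example after a reinstall), the old server.crt will no longer match and the pgo CLI will fail TLS verification, so re-run the extraction rather than reusing stale files.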