SG cluster certificate expiration handling
I run Stackgres version 1.14.1. In my SGCluster definition, Postgresql is specified to use ssl, i.e. it looks like this:
apiVersion: stackgres.io/v1
kind: SGCluster
metadata:
  name: cluster-staging
  namespace: postgres-staging
spec:
  instances: 1
  postgres:
    version: '16'
    ssl:
      enabled: true
      certificateSecretKeySelector:
        name: postgres-staging-tls
        key: tls.crt
      privateKeySecretKeySelector:
        name: postgres-staging-tls
        key: tls.key
[...]
I also have a Cert Manager running that does certificate renewal in K8s, in other words it updates the postgres-staging-tls secret when needed. This worked fine for a couple of months. However, it seems like the SGCluster somehow caches the secret such that even though postgres-staging-tls gets updated by the Cert Manager, the SGCluster does not notice this. Thus, it uses the old expired certificate and I am unable to connect. To solve this, I have to restart the cluster.
Is there some fix you guys could do upstream so that it won't be necessary to restart the cluster when the TLS secret gets updated in K8s?
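
One way to detect the condition this report describes before clients start failing, as an added example that is not part of the original post or of StackGres: compare the certificate the PostgreSQL port actually presents with the one currently in the secret. The function names are hypothetical, and it assumes the leaf certificate comes first in `tls.crt` and that the secret's `tls.crt` has been exported to a local PEM file.

```python
"""Added example: detect a PostgreSQL server presenting a certificate that
differs from the one currently stored in the Kubernetes TLS secret."""
import hashlib
import socket
import ssl
import struct
import sys

# PostgreSQL SSLRequest: int32 length (8) + int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)
PEM_END = "-----END CERTIFICATE-----"


def leaf_der(pem_bundle: str) -> bytes:
    """DER bytes of the first certificate in a PEM bundle (assumed to be the leaf)."""
    first = pem_bundle.strip().split(PEM_END)[0] + PEM_END
    return ssl.PEM_cert_to_DER_cert(first)


def served_cert_der(host: str, port: int = 5432, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the server presents after the SSLRequest upgrade."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(SSL_REQUEST)
        if raw.recv(1) != b"S":  # 'N' means the server refuses TLS
            raise ConnectionError("server did not accept SSLRequest")
        # Verification is off on purpose: an expired certificate must still be
        # retrievable so it can be compared. Nothing else is sent on this socket.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def is_stale(secret_pem: str, served_der: bytes) -> bool:
    """True when the served certificate is not the one stored in the secret."""
    want = hashlib.sha256(leaf_der(secret_pem)).hexdigest()
    got = hashlib.sha256(served_der).hexdigest()
    return want != got


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_pg_cert.py HOST tls.crt
    host, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path) as fh:
        stale = is_stale(fh.read(), served_cert_der(host))
    print("STALE: served cert differs from secret" if stale else "OK: served cert matches secret")
    sys.exit(1 if stale else 0)
```

Run on a schedule after each renewal window, a non-zero exit gives an alert while the previously loaded certificate is still valid, rather than at the moment it expires.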