mirror of
https://github.com/holos-run/holos.git
synced 2026-03-19 08:44:58 +00:00
The [Streaming Standby][standby] architecture requires custom TLS certs for two clusters in two regions to connect to each other. This patch manages the custom certs following the configuration described in the article [Using Cert Manager to Deploy TLS for Postgres on Kubernetes][article].

NOTE: One thing not mentioned anywhere in the Crunchy documentation is how custom TLS certs work with pgbouncer. The pgbouncer service uses a TLS certificate issued by the pgo root cert, not by the custom certificate authority. For this reason, we use kustomize to patch the zitadel Deployment and the zitadel-init and zitadel-setup Jobs. The patch projects the CA bundle from the `zitadel-pgbouncer` secret into the zitadel pods at /pgbouncer/ca.crt.

[standby]: https://access.crunchydata.com/documentation/postgres-operator/latest/architecture/disaster-recovery#streaming-standby-with-an-external-repo
[article]: https://www.crunchydata.com/blog/using-cert-manager-to-deploy-tls-for-postgres-on-kubernetes
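As an added example (not the patch from this commit), one way to express the projection described above is a single RFC 6902 kustomize patch applied to the Deployment and both Jobs; the secret key name `pgbouncer-frontend.ca-roots`, the zitadel container being at index 0, and the pre-existing `volumes`/`volumeMounts` lists are assumptions, not facts from the commit.

```yaml
# kustomization.yaml (illustrative; not the repository's own file)
# Applies one JSON patch to every zitadel workload so each pod can verify
# pgbouncer's certificate, which PGO issues from its own root CA rather than
# from the custom CA shared by the two clusters.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - zitadel.yaml            # assumed file holding the Deployment and Jobs
patches:
  - path: pgbouncer-ca.yaml
    target:
      kind: Deployment
      name: zitadel
  - path: pgbouncer-ca.yaml
    target:
      kind: Job
      name: zitadel-init
  - path: pgbouncer-ca.yaml
    target:
      kind: Job
      name: zitadel-setup
---
# pgbouncer-ca.yaml (illustrative)
# Assumptions: the CA bundle is stored under pgbouncer-frontend.ca-roots in
# the zitadel-pgbouncer secret (verify with kubectl before relying on it),
# the zitadel container is containers/0, and both lists already exist. The
# "/-" append form fails if the list is missing; add the whole list instead.
- op: add
  path: /spec/template/spec/volumes/-
  value:
    name: pgbouncer-ca
    secret:
      secretName: zitadel-pgbouncer
      items:
        - key: pgbouncer-frontend.ca-roots
          path: ca.crt        # mounted below as /pgbouncer/ca.crt
- op: add
  path: /spec/template/spec/containers/0/volumeMounts/-
  value:
    name: pgbouncer-ca
    mountPath: /pgbouncer
    readOnly: true            # the pod only needs to read the CA bundle
```

Confirm the actual key names with `kubectl get secret zitadel-pgbouncer -o jsonpath='{.data}'` before applying, since the commit message does not state them.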