@@ -301,6 +301,15 @@ func (r *Reconciler) reconcileClusterSpec(dbSpec *nbv1.NooBaaDBSpec) error {
301301 Enabled : true ,
302302 }
303303
304+ if r .CNPGCluster .Spec .Certificates == nil {
305+ r .CNPGCluster .Spec .Certificates = & cnpgv1.CertificatesConfiguration {}
306+ }
307+ r .CNPGCluster .Spec .Certificates .ServerAltDNSNames = []string {
308+ r .ServiceDbPg .Name ,
309+ r .ServiceDbPg .Name + "." + r .Request .Namespace ,
310+ r .ServiceDbPg .Name + "." + r .Request .Namespace + ".svc" ,
311+ }
312+
304313 r .CNPGCluster .Spec .FailoverDelay = defaultFailoverDelaySec
305314
306315 r .setPostgresConfig ()
@@ -606,6 +615,17 @@ func (r *Reconciler) setPostgresConfig() {
606615 }
607616 r .cnpgLog ("PGTune config: memory=%dKB, cpu=%d, endpoints=%d" , totalMemoryKB , cpuNum , endpointMaxCount )
608617
618+ // propagate TLS security settings to the PostgreSQL server
619+ tlsSec := r .NooBaa .Spec .Security .APIServerSecurity
620+ if tlsSec != nil && ! util .IsTLSConfigDisabled () {
621+ if tlsSec .TLSMinVersion != nil {
622+ overrideParameters ["ssl_min_protocol_version" ] = string (* tlsSec .TLSMinVersion )
623+ }
624+ if len (tlsSec .TLSCiphers ) > 0 {
625+ overrideParameters ["ssl_ciphers" ] = util .MapCiphersToOpenSSL (tlsSec .TLSCiphers )
626+ }
627+ }
628+
609629 // apply any user-specified DBConf overrides on top of the calculated values
610630 if r .NooBaa .Spec .DBSpec .DBConf != nil {
611631 for k , v := range r .NooBaa .Spec .DBSpec .DBConf {
@@ -879,6 +899,7 @@ func (r *Reconciler) wasClusterSpecChanged(existingClusterSpec *cnpgv1.ClusterSp
879899 ! reflect .DeepEqual (existingClusterSpec .Monitoring , r .CNPGCluster .Spec .Monitoring ) ||
880900 ! reflect .DeepEqual (existingClusterSpec .PostgresConfiguration .Parameters , r .CNPGCluster .Spec .PostgresConfiguration .Parameters ) ||
881901 ! reflect .DeepEqual (existingClusterSpec .Backup , r .CNPGCluster .Spec .Backup ) ||
902+ ! reflect .DeepEqual (existingClusterSpec .Certificates , r .CNPGCluster .Spec .Certificates ) ||
882903 existingClusterSpec .PriorityClassName != r .CNPGCluster .Spec .PriorityClassName ||
883904 existingClusterSpec .FailoverDelay != r .CNPGCluster .Spec .FailoverDelay
884905}
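Review bot: In the setPostgresConfig hunk the TLS values are written to `overrideParameters` before the DBConf loop that follows, so a `DBConf` entry for `ssl_min_protocol_version` or `ssl_ciphers` would presumably replace the security-derived value and could weaken the server's TLS policy; if the APIServerSecurity settings are meant to be authoritative, apply this block after the DBConf loop or skip those two keys inside it. `TLSMinVersion` is passed through as `string(*tlsSec.TLSMinVersion)` while the ciphers go through `util.MapCiphersToOpenSSL`; its type is not visible here, and PostgreSQL accepts only `TLSv1`, `TLSv1.1`, `TLSv1.2` and `TLSv1.3` for that parameter, so a value spelled any other way needs the same kind of mapping or the server will reject the configuration. PostgreSQL's `ssl_ciphers` has traditionally not restricted TLS 1.3 cipher suites, which is worth stating next to the assignment, e.g. `// ssl_ciphers only constrains TLS 1.2 and below`. The function body starts and ends outside the hunk, so the final ordering should be checked against the full loop.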