Clarify custom tls documentation (CrunchyData#3629)

benjaminjb · web-flow · commit 1feea566aeea · 2023-04-13T14:36:40.000-05:00
* Add documentation about custom TLS secrets, clarifying replication secret common name
* Bump streaming standby test secrets to have 10y expiration

Issue: [sc-14645]
diff --git a/docs/content/tutorial/customize-cluster.md b/docs/content/tutorial/customize-cluster.md
@@ -99,11 +99,18 @@ If you want to use the TLS infrastructure that PGO provides, you can skip the re
 
 ### How to Customize TLS
 
-There are a few different TLS endpoints that can be customized for PGO, including those of the Postgres cluster and controlling how Postgres instances authenticate with each other. Let's look at how we can customize TLS.
+There are a few different TLS endpoints that can be customized for PGO, including those of the Postgres cluster and controlling how Postgres instances authenticate with each other. Let's look at how we can customize TLS by defining
 
-Your TLS certificate should have a Common Name (CN) setting that matches the primary Service name. This is the name of the cluster suffixed with `-primary`. For example, for our `hippo` cluster this would be `hippo-primary`.
+* a `spec.customTLSSecret`, used to both identify the cluster and encrypt communications; and
+* a `spec.customReplicationTLSSecret`, used for replication authentication.
 
-To customize the TLS for a Postgres cluster, you will need to create a Secret in the Namespace of your Postgres cluster that contains the TLS key (`tls.key`), TLS certificate (`tls.crt`) and the CA certificate (`ca.crt`) to use. The Secret should contain the following values:
+(For more information on the `spec.customTLSSecret` and `spec.customReplicationTLSSecret` fields, see the [`PostgresCluster CRD`]({{< relref "references/crd.md" >}}).)
+
+To customize the TLS for a Postgres cluster, you will need to create two Secrets in the Namespace of your Postgres cluster. One of these Secrets will be the `customTLSSecret` and the other will be the `customReplicationTLSSecret`. Both secrets contain a TLS key (`tls.key`), TLS certificate (`tls.crt`) and CA certificate (`ca.crt`) to use.
+
+Note: If `spec.customTLSSecret` is provided you **must** also provide `spec.customReplicationTLSSecret` and both must contain the same `ca.crt`.
+
+The custom TLS and custom replication TLS Secrets should contain the following fields (though see below for a workaround if you cannot control the field names of the Secret's `data`):
 
 ```
 data:
@@ -112,39 +119,62 @@ data:
   tls.key: <value>
 ```
 
-For example, if you have files named `ca.crt`, `hippo.key`, and `hippo.crt` stored on your local machine, you could run the following command:
+For example, if you have files named `ca.crt`, `hippo.key`, and `hippo.crt` stored on your local machine, you could run the following command to create a Secret from those files:
 
 ```
-kubectl create secret generic -n postgres-operator hippo.tls \
+kubectl create secret generic -n postgres-operator hippo-cluster.tls \
   --from-file=ca.crt=ca.crt \
   --from-file=tls.key=hippo.key \
   --from-file=tls.crt=hippo.crt
 ```
 
-You can specify the custom TLS Secret in the `spec.customTLSSecret.name` field in your `postgrescluster.postgres-operator.crunchydata.com` custom resource, e.g.:
+After you create the Secrets, you can specify the custom TLS Secret in your `postgrescluster.postgres-operator.crunchydata.com` custom resource. For example, if you created a `hippo-cluster.tls` Secret and a `hippo-replication.tls` Secret, you would add them to your Postgres cluster:
+
+```
+spec:
+  customTLSSecret:
+    name: hippo-cluster.tls
+  customReplicationTLSSecret:
+    name: hippo-replication.tls
+```
+
+If you're unable to control the key-value pairs in the Secret, you can create a mapping to tell
+the Postgres Operator what key holds the expected value. That would look similar to this:
 
 ```
 spec:
   customTLSSecret:
     name: hippo.tls
+    items:
+      - key: <tls.crt key in the referenced hippo.tls Secret>
+        path: tls.crt
+      - key: <tls.key key in the referenced hippo.tls Secret>
+        path: tls.key
+      - key: <ca.crt key in the referenced hippo.tls Secret>
+        path: ca.crt
 ```
 
-If you're unable to control the key-value pairs in the Secret, you can create a mapping that looks similar to this:
+For instance, if the `hippo.tls` Secret had the `tls.crt` in a key named `hippo-tls.crt`, the
+`tls.key` in a key named `hippo-tls.key`, and the `ca.crt` in a key named `hippo-ca.crt`,
+then your mapping would look like:
 
 ```
 spec:
   customTLSSecret:
     name: hippo.tls
     items:
-      - key: <tls.crt key>
+      - key: hippo-tls.crt
         path: tls.crt
-      - key: <tls.key key>
+      - key: hippo-tls.key
         path: tls.key
-      - key: <ca.crt key>
+      - key: hippo-ca.crt
         path: ca.crt
 ```
 
-If `spec.customTLSSecret` is provided you **must** also provide `spec.customReplicationTLSSecret` and both must contain the same `ca.crt`.
+Note: Although the custom TLS and custom replication TLS Secrets share the same `ca.crt`, they do not share the same `tls.crt`:
+
+* Your `spec.customTLSSecret` TLS certificate should have a Common Name (CN) setting that matches the primary Service name. This is the name of the cluster suffixed with `-primary`. For example, for our `hippo` cluster this would be `hippo-primary`.
+* Your `spec.customReplicationTLSSecret` TLS certificate should have a Common Name (CN) setting that matches `_crunchyrepl`, which is the preset replication user.
 
 As with the other changes, you can roll out the TLS customizations with `kubectl apply`.
 
diff --git a/testing/kuttl/e2e/streaming-standby/00--secrets.yaml b/testing/kuttl/e2e/streaming-standby/00--secrets.yaml
@@ -1,18 +1,18 @@
 apiVersion: v1
 data:
-  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnakNDQVNpZ0F3SUJBZ0lSQU0vVDF1MXllNHZ3ek1SWEt1NGlWZVF3Q2dZSUtvWkl6ajBFQXdNd0h6RWQKTUJzR0ExVUVBeE1VY0c5emRHZHlaWE10YjNCbGNtRjBiM0l0WTJFd0hoY05Nakl3TlRJek1UZ3hNRFE0V2hjTgpNekl3TlRJd01Ua3hNRFE0V2pBZk1SMHdHd1lEVlFRREV4UndiM04wWjNKbGN5MXZjR1Z5WVhSdmNpMWpZVEJaCk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQlArM2dEb2s3V3duaDZmNnNUV3ozUmlrS3Q4TFhyN0QKSEpGSGNXdHd3MDI5TXQrb0lubWYwUE1VS1BiVHgrSDBSZTBLcENSRUhCbytmcXJqblIzZlBXdWpSVEJETUE0RwpBMVVkRHdFQi93UUVBd0lCQmpBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQU1CMEdBMVVkRGdRV0JCU3ErUFdhClQreTAvUjBRb1AzUS9nUnZWY3JGQ0RBS0JnZ3Foa2pPUFFRREF3TklBREJGQWlBRHl3UXR2Zk1xUEIvWXlzL1QKd2lNZExNR3JocWVXeDVjYVZ2TWNVWkJxWHdJaEFQS1NBemo5K1RsTzg0cmNFN25pT3U2K2NRWEYzcjNxTFFOYQpNYWVId3d5TAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNNVENDQWRlZ0F3SUJBZ0lRUjVzZEwwcit1S0VTUjVudzFvYkFuakFLQmdncWhrak9QUVFEQXpBZk1SMHcKR3dZRFZRUURFeFJ3YjNOMFozSmxjeTF2Y0dWeVlYUnZjaTFqWVRBZUZ3MHlNakExTWpNeE9ERXdORGhhRncweQpNekExTWpNeE9URXdORGhhTURzeE9UQTNCZ05WQkFNVE1IQnliMlIxWTNScGIyNHRjSEpwYldGeWVTNXdjbTlrCmRXTjBhVzl1TG5OMll5NWpiSFZ6ZEdWeUxteHZZMkZzTGpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUgKQTBJQUJPTWQ3ZUo5U1JtYmd0TUJ1R1hFc1UyNzBOUjhvU0pCSUJEdk1DTGpkSnB0TmVHWCt4MEhHT0ZZRGw0cgpOd0JZUk9EaUc3Z2loaVZ0ZyszTTNhejdjWk9qZ2Rnd2dkVXdEZ1lEVlIwUEFRSC9CQVFEQWdXZ01Bd0dBMVVkCkV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVVxdmoxbWsvc3RQMGRFS0Q5MFA0RWIxWEt4UWd3Z1pNR0ExVWQKRVFTQml6Q0JpSUl3Y0hKdlpIVmpkR2x2Ymkxd2NtbHRZWEo1TG5CeWIyUjFZM1JwYjI0dWMzWmpMbU5zZFhOMApaWEl1Ykc5allXd3VnaUZ3Y205a2RXTjBhVzl1TFhCeWFXMWhjbmt1Y0hKdlpIVmpkR2x2Ymk1emRtT0NIWEJ5CmIyUjFZM1JwYjI0dGNISnBiV0Z5ZVM1d2NtOWtkV04wYVc5dWdoSndjbTlrZFdOMGFXOXVMWEJ5YVcxaGNua3cKQ2dZSUtvWkl6ajBFQXdNRFNBQXdSUUloQVBCai9uVU9HeHpsNXVvQnl6WHNuT3ppbTBJNHFVL21pRS9COFpOcApBSTNNQWlBOWtFeUphUGRqVHZ6cEc4LzZxbldrdGh6K1FKK3h5bGtMenNVUUNld2ZhUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
-  tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUlFRlpFS1ZIZ3YyT25uZkljaXlRUFlzbzBvalBVN3NIVS9KUFI3TE5CWERvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFNHgzdDRuMUpHWnVDMHdHNFpjU3hUYnZRMUh5aElrRWdFTzh3SXVOMG1tMDE0WmY3SFFjWQo0VmdPWGlzM0FGaEU0T0lidUNLR0pXMkQ3Y3pkclB0eGt3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnakNDQVNlZ0F3SUJBZ0lRZUpacWMxMmR3TDh6cDNRVjZVMzg0ekFLQmdncWhrak9QUVFEQXpBZk1SMHcKR3dZRFZRUURFeFJ3YjNOMFozSmxjeTF2Y0dWeVlYUnZjaTFqWVRBZUZ3MHlNekEwTVRFeE56UTFNemhhRncwegpNekEwTURneE9EUTFNemhhTUI4eEhUQWJCZ05WQkFNVEZIQnZjM1JuY21WekxXOXdaWEpoZEc5eUxXTmhNRmt3CkV3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFWEZwMU1nOFQ0aWxFRFlleVh4Nm5hRU0weEtNUStNZU0KWnM3dUtockdmTnY1cVd3N0puNzJEMEZNWE9raVNTN1BsZUhtN1lwYk1lelZ4UytjLzV6a2NLTkZNRU13RGdZRApWUjBQQVFIL0JBUURBZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUJBZjhDQVFBd0hRWURWUjBPQkJZRUZGU2JSZzdXCnpIZFdIODN2aEtTcld3dGV4K2FtTUFvR0NDcUdTTTQ5QkFNREEwa0FNRVlDSVFDK3pXTHh4bmpna1ZYYzBFOVAKbWlmZm9jeTIrM3AxREZMUkJRcHlZNFE0RVFJaEFPSDhQVEtvWnRZUWlobVlqTkd3Q1J3aTgvVFRaYWIxSnVIMAo2YnpodHZobgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNQakNDQWVXZ0F3SUJBZ0lSQU93NURHaGVVZnVNY25KYVdKNkllall3Q2dZSUtvWkl6ajBFQXdNd0h6RWQKTUJzR0ExVUVBeE1VY0c5emRHZHlaWE10YjNCbGNtRjBiM0l0WTJFd0hoY05Nak13TkRFeE1UYzBOVE01V2hjTgpNek13TkRBNE1UZzBOVE01V2pBOU1Uc3dPUVlEVlFRREV6SndjbWx0WVhKNUxXTnNkWE4wWlhJdGNISnBiV0Z5CmVTNWtaV1poZFd4MExuTjJZeTVqYkhWemRHVnlMbXh2WTJGc0xqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDkKQXdFSEEwSUFCT3RlNytQWFlDci9RQVJkcHlwYTFHcEpkbW5wOFN3ZG9FOTIzUXoraWt4UllTalgwUHBXcytqUQpVNXlKZ0NDdGxyZmxFZVZ4S2YzaVpiVHdadFlIaHVxamdlTXdnZUF3RGdZRFZSMFBBUUgvQkFRREFnV2dNQXdHCkExVWRFd0VCL3dRQ01BQXdId1lEVlIwakJCZ3dGb0FVVkp0R0R0Yk1kMVlmemUrRXBLdGJDMTdINXFZd2daNEcKQTFVZEVRU0JsakNCazRJeWNISnBiV0Z5ZVMxamJIVnpkR1Z5TFhCeWFXMWhjbmt1WkdWbVlYVnNkQzV6ZG1NdQpZMngxYzNSbGNpNXNiMk5oYkM2Q0kzQnlhVzFoY25rdFkyeDFjM1JsY2kxd2NtbHRZWEo1TG1SbFptRjFiSFF1CmMzWmpnaDl3Y21sdFlYSjVMV05zZFhOMFpYSXRjSEpwYldGeWVTNWtaV1poZFd4MGdoZHdjbWx0WVhKNUxXTnMKZFhOMFpYSXRjSEpwYldGeWVUQUtCZ2dxaGtqT1BRUURBd05IQURCRUFpQjA3Q3YzRHJTNXUxRFdaek1MQjdvbAppcjFFWEpQTnFaOXZWQUF5ZTdDMGJRSWdWQVlDM2F0ekl4a0syNHlQUU1TSjU1OGFaN3JEdkZGZXdOaVpmdSt0CjdETT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUoxYkNXMTByR3o2VWQ1K2R3WmZWcGNUNFlqck9XVG1iVW9XNXRxYTA2b1ZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFNjE3djQ5ZGdLdjlBQkYybktsclVha2wyYWVueExCMmdUM2JkRFA2S1RGRmhLTmZRK2xhego2TkJUbkltQUlLMld0K1VSNVhFcC9lSmx0UEJtMWdlRzZnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
 kind: Secret
 metadata:
   name: cluster-cert
 type: Opaque
 ---
 apiVersion: v1
 data:
-  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnakNDQVNpZ0F3SUJBZ0lSQU0vVDF1MXllNHZ3ek1SWEt1NGlWZVF3Q2dZSUtvWkl6ajBFQXdNd0h6RWQKTUJzR0ExVUVBeE1VY0c5emRHZHlaWE10YjNCbGNtRjBiM0l0WTJFd0hoY05Nakl3TlRJek1UZ3hNRFE0V2hjTgpNekl3TlRJd01Ua3hNRFE0V2pBZk1SMHdHd1lEVlFRREV4UndiM04wWjNKbGN5MXZjR1Z5WVhSdmNpMWpZVEJaCk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQlArM2dEb2s3V3duaDZmNnNUV3ozUmlrS3Q4TFhyN0QKSEpGSGNXdHd3MDI5TXQrb0lubWYwUE1VS1BiVHgrSDBSZTBLcENSRUhCbytmcXJqblIzZlBXdWpSVEJETUE0RwpBMVVkRHdFQi93UUVBd0lCQmpBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQU1CMEdBMVVkRGdRV0JCU3ErUFdhClQreTAvUjBRb1AzUS9nUnZWY3JGQ0RBS0JnZ3Foa2pPUFFRREF3TklBREJGQWlBRHl3UXR2Zk1xUEIvWXlzL1QKd2lNZExNR3JocWVXeDVjYVZ2TWNVWkJxWHdJaEFQS1NBemo5K1RsTzg0cmNFN25pT3U2K2NRWEYzcjNxTFFOYQpNYWVId3d5TAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJqakNDQVRXZ0F3SUJBZ0lSQU9waEYwSm16R3p1dWNJS2tLVHZGdzh3Q2dZSUtvWkl6ajBFQXdNd0h6RWQKTUJzR0ExVUVBeE1VY0c5emRHZHlaWE10YjNCbGNtRjBiM0l0WTJFd0hoY05Nakl3TlRJek1UZ3hNRFE0V2hjTgpNak13TlRJek1Ua3hNRFE0V2pBWE1SVXdFd1lEVlFRRERBeGZZM0oxYm1Ob2VYSmxjR3d3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFUSldWWnphdk1xbU5NYTNwLzhBMXZta2hLZzNpRHU2TUhzc0dCS094bVYKYWdXS0RwRnlxTStYZ3F1bjdxWlUvd2NkRUZ5VFVLVCthUjVRSGozdFZYZlFvMW93V0RBT0JnTlZIUThCQWY4RQpCQU1DQmFBd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JTcStQV2FUK3kwL1IwUW9QM1EvZ1J2ClZjckZDREFYQmdOVkhSRUVFREFPZ2d4ZlkzSjFibU5vZVhKbGNHd3dDZ1lJS29aSXpqMEVBd01EUndBd1JBSWcKSE5Hc0NJdEdtcVBLSEY4M2EyazBoVitVSGNDU0VmbExraStsa2RiVnovVUNJSHV0d2VWU0pITk5ieldsd3EyawpxSDhFT1JIOWMvTHJJT2htK1B3UmFqT0kKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
-  tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUMyb2ZZNnBROGhlblZJd1RnTjNQYS9jLzRBeGk0NGFMdm1pWiszblhFbGJvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFeVZsV2MycnpLcGpUR3Q2Zi9BTmI1cElTb040Zzd1akI3TEJnU2pzWmxXb0ZpZzZSY3FqUApsNEtycCs2bVZQOEhIUkJjazFDay9ta2VVQjQ5N1ZWMzBBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnakNDQVNlZ0F3SUJBZ0lRZUpacWMxMmR3TDh6cDNRVjZVMzg0ekFLQmdncWhrak9QUVFEQXpBZk1SMHcKR3dZRFZRUURFeFJ3YjNOMFozSmxjeTF2Y0dWeVlYUnZjaTFqWVRBZUZ3MHlNekEwTVRFeE56UTFNemhhRncwegpNekEwTURneE9EUTFNemhhTUI4eEhUQWJCZ05WQkFNVEZIQnZjM1JuY21WekxXOXdaWEpoZEc5eUxXTmhNRmt3CkV3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFWEZwMU1nOFQ0aWxFRFlleVh4Nm5hRU0weEtNUStNZU0KWnM3dUtockdmTnY1cVd3N0puNzJEMEZNWE9raVNTN1BsZUhtN1lwYk1lelZ4UytjLzV6a2NLTkZNRU13RGdZRApWUjBQQVFIL0JBUURBZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUJBZjhDQVFBd0hRWURWUjBPQkJZRUZGU2JSZzdXCnpIZFdIODN2aEtTcld3dGV4K2FtTUFvR0NDcUdTTTQ5QkFNREEwa0FNRVlDSVFDK3pXTHh4bmpna1ZYYzBFOVAKbWlmZm9jeTIrM3AxREZMUkJRcHlZNFE0RVFJaEFPSDhQVEtvWnRZUWlobVlqTkd3Q1J3aTgvVFRaYWIxSnVIMAo2YnpodHZobgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJqekNDQVRTZ0F3SUJBZ0lRRzA0MEprWjYwZkZtanpaVG1SekhyakFLQmdncWhrak9QUVFEQXpBZk1SMHcKR3dZRFZRUURFeFJ3YjNOMFozSmxjeTF2Y0dWeVlYUnZjaTFqWVRBZUZ3MHlNekEwTVRFeE56UTFNemhhRncwegpNekEwTURneE9EUTFNemhhTUJjeEZUQVRCZ05WQkFNTURGOWpjblZ1WTJoNWNtVndiREJaTUJNR0J5cUdTTTQ5CkFnRUdDQ3FHU000OUF3RUhBMElBQk5HVHcvSmVtaGxGK28xUlRBb0VXSndzdjJ6WjIyc1p4N2NjT2VmL1NXdjYKeXphYkpaUmkvREFyK0kwUHNyTlhmand3a0xMa3hERGZsTklvcFZMNVYwT2pXakJZTUE0R0ExVWREd0VCL3dRRQpBd0lGb0RBTUJnTlZIUk1CQWY4RUFqQUFNQjhHQTFVZEl3UVlNQmFBRkZTYlJnN1d6SGRXSDgzdmhLU3JXd3RlCngrYW1NQmNHQTFVZEVRUVFNQTZDREY5amNuVnVZMmg1Y21Wd2JEQUtCZ2dxaGtqT1BRUURBd05KQURCR0FpRUEKcWVsYmUvdTQzRFRPWFdlell1b3Nva0dUbHg1U2ljUFRkNk05Q3pwU2VoWUNJUUNOOS91Znc0SUZzdDZOM1RtYQo4MmZpSElKSUpQY0RjM2ZKUnFna01RQmF0QT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSVBxeTVzNVJxWThKUmdycjJreE9zaG9hc25yTWhUUkJPYjZ0alI3T2ZqTFlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMFpQRDhsNmFHVVg2alZGTUNnUlluQ3kvYk5uYmF4bkh0eHc1NS85SmEvckxOcHNsbEdMOApNQ3Y0alEreXMxZCtQRENRc3VURU1OK1UwaWlsVXZsWFF3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
 kind: Secret
 metadata:
   name: replication-cert
