percona · hors · Feb 22, 2026 · Jul 14, 2025 · Jan 20, 2026 · Jan 20, 2026
@@ -22234,6 +22234,13 @@ spec:
                   format: int64
                   type: integer
                 type: array
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               userInterface:

@@ -21721,6 +21721,13 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               unmanaged:

@@ -29,6 +29,7 @@
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
+	certmanagerscheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
-	certmanagerscheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
-	certmanagerscheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
 	"github.com/percona/percona-postgresql-operator/v2/internal/controller/pgupgrade"
 	"github.com/percona/percona-postgresql-operator/v2/internal/controller/postgrescluster"
 	"github.com/percona/percona-postgresql-operator/v2/internal/controller/runtime"
@@ -38,6 +39,7 @@
 	"github.com/percona/percona-postgresql-operator/v2/internal/logging"
 	"github.com/percona/percona-postgresql-operator/v2/internal/naming"
 	"github.com/percona/percona-postgresql-operator/v2/internal/upgradecheck"
+	"github.com/percona/percona-postgresql-operator/v2/percona/certmanager"
 	perconaController "github.com/percona/percona-postgresql-operator/v2/percona/controller"
 	"github.com/percona/percona-postgresql-operator/v2/percona/controller/pgbackup"
 	"github.com/percona/percona-postgresql-operator/v2/percona/controller/pgcluster"
@@ -129,6 +131,10 @@
 
 	assertNoError(volumesnapshotv1.AddToScheme(mgr.GetScheme()))
 
+	// K8SPG-552
+	// Add Scheme for cert-manager resources like Issuer and Certificate.
+	assertNoError(certmanagerscheme.AddToScheme(mgr.GetScheme()))
+
 	// add all PostgreSQL Operator controllers to the runtime manager
 	err = addControllersToManager(ctx, mgr)
 	assertNoError(err)
@@ -154,11 +160,14 @@
 	os.Setenv("REGISTRATION_REQUIRED", "false")
 
 	r := &postgrescluster.Reconciler{
-		Client:      mgr.GetClient(),
-		Owner:       postgrescluster.ControllerName,
-		Recorder:    mgr.GetEventRecorderFor(postgrescluster.ControllerName),
-		Tracer:      otel.Tracer(postgrescluster.ControllerName),
-		IsOpenShift: isOpenshift(ctx, mgr.GetConfig()),
+		Client:              mgr.GetClient(),
+		Scheme:              mgr.GetScheme(),
+		Owner:               postgrescluster.ControllerName,
+		Recorder:            mgr.GetEventRecorderFor(postgrescluster.ControllerName),
+		Tracer:              otel.Tracer(postgrescluster.ControllerName),
+		IsOpenShift:         isOpenshift(ctx, mgr.GetConfig()),
+		CertManagerCtrlFunc: certmanager.NewController,
+		RestConfig:          mgr.GetConfig(),
 	}
 	cm := &perconaController.CustomManager{Manager: mgr}
 	if err := r.SetupWithManager(cm); err != nil {

@@ -22360,6 +22360,13 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               unmanaged:

@@ -22145,6 +22145,13 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               userInterface:

@@ -83,6 +83,22 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cert-manager.io
+  - certmanager.k8s.io
+  resources:
+  - certificaterequests
+  - certificates
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:

@@ -83,6 +83,22 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cert-manager.io
+  - certmanager.k8s.io
+  resources:
+  - certificaterequests
+  - certificates
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:

@@ -22657,6 +22657,13 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               unmanaged:
@@ -53187,6 +53194,13 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               userInterface:
@@ -55734,6 +55748,22 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cert-manager.io
+  - certmanager.k8s.io
+  resources:
+  - certificaterequests
+  - certificates
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:

@@ -58,7 +58,9 @@ spec:
 #    customReplicationTLSSecret:
 #      name: replication1-cert
 #  tlsOnly: false
-
+#  tls:
+#    certValidityDuration: 2160h
+#    caValidityDuration: 26280h
 #  standby:
 #    enabled: true
 #    host: "<primary-ip>"

@@ -22657,6 +22657,13 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               unmanaged:
@@ -53187,6 +53194,13 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               userInterface:

@@ -22657,6 +22657,13 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               unmanaged:
@@ -53187,6 +53194,13 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tls:
+                properties:
+                  caValidityDuration:
+                    type: string
+                  certValidityDuration:
+                    type: string
+                type: object
               tlsOnly:
                 type: boolean
               userInterface:
@@ -55734,6 +55748,22 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cert-manager.io
+  - certmanager.k8s.io
+  resources:
+  - certificaterequests
+  - certificates
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:

@@ -87,6 +87,22 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cert-manager.io
+  - certmanager.k8s.io
+  resources:
+  - certificaterequests
+  - certificates
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:

@@ -87,6 +87,22 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cert-manager.io
+  - certmanager.k8s.io
+  resources:
+  - certificaterequests
+  - certificates
+  - issuers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:

@@ -1,5 +1,6 @@
 backup-enable-disable
 builtin-extensions
+cert-manager-tls
 custom-envs
 custom-extensions
 custom-tls

@@ -1,5 +1,6 @@
 backup-enable-disable
 builtin-extensions
+cert-manager-tls
 custom-envs
 custom-extensions
 custom-tls

@@ -0,0 +1,24 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 120
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: perconapgclusters.pgv2.percona.com
+spec:
+  group: pgv2.percona.com
+  names:
+    kind: PerconaPGCluster
+    listKind: PerconaPGClusterList
+    plural: perconapgclusters
+    singular: perconapgcluster
+  scope: Namespaced
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: check-operator-deploy-status
+timeout: 120
+commands:
+  - script: kubectl assert exist-enhanced deployment percona-postgresql-operator -n ${OPERATOR_NS:-$NAMESPACE} --field-selector status.readyReplicas=1
@@ -0,0 +1,14 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 10
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+      init_temp_dir # do this only in the first TestStep
+
+      deploy_cert_manager
+      deploy_operator
+      deploy_client