Remove TLS cert generation for API server from installer

Jonathan S. Katz · jkatz · commit 93f7f99e4aca · 2021-05-03T14:22:04.000-04:00
The apiserver will reconcile its own TLS certificate -- it has been
doing so for awhile. This unifies the method to ensure that only
the apiserver will generate its certificate, unless the user explicitly
provides one.

Issue: [ch11380]
diff --git a/docs/content/installation/other/ansible/installing-operator.md b/docs/content/installation/other/ansible/installing-operator.md
@@ -56,38 +56,53 @@ oc get deployments -n <NAMESPACE_NAME>
 oc get pods -n <NAMESPACE_NAME>
 ```
 
-## Configure Environment Variables
-
-After the Crunchy PostgreSQL Operator has successfully been installed we will need
-to configure local environment variables before using the `pgo` client.
+## Install the `pgo` Client
 
 {{% notice info %}}
-
 If TLS authentication was disabled during installation, please see the [TLS Configuration Page] ({{< relref "Configuration/tls.md" >}}) for additional configuration information.
-
 {{% / notice %}}
 
-To configure the environment variables used by `pgo` run the following command:
+During or after the installation of PGO: the Postgres Operator, download the `pgo` client set up script. This will help set up your local environment for using the Postgres Operator:
 
-Note: `<PGO_NAMESPACE>` should be replaced with the namespace the Crunchy PostgreSQL
-Operator was deployed to.
+```
+curl https://raw.githubusercontent.com/CrunchyData/postgres-operator/v{{< param operatorVersion >}}/installers/kubectl/client-setup.sh > client-setup.sh
+chmod +x client-setup.sh
+```
 
-```bash
-cat <<EOF >> ~/.bashrc
-export PGOUSER="${HOME?}/.pgo/<PGO_NAMESPACE>/pgouser"
-export PGO_CA_CERT="${HOME?}/.pgo/<PGO_NAMESPACE>/client.crt"
-export PGO_CLIENT_CERT="${HOME?}/.pgo/<PGO_NAMESPACE>/client.crt"
-export PGO_CLIENT_KEY="${HOME?}/.pgo/<PGO_NAMESPACE>/client.key"
+When the Postgres Operator is done installing, run the client setup script:
+
+```
+./client-setup.sh
+```
+
+This will download the `pgo` client and provide instructions for how to easily use it in your environment. It will prompt you to add some environmental variables for you to set up in your session, which you can do with the following commands:
+
+```
+export PGOUSER="${HOME?}/.pgo/pgo/pgouser"
+export PGO_CA_CERT="${HOME?}/.pgo/pgo/client.crt"
+export PGO_CLIENT_CERT="${HOME?}/.pgo/pgo/client.crt"
+export PGO_CLIENT_KEY="${HOME?}/.pgo/pgo/client.key"
 export PGO_APISERVER_URL='https://127.0.0.1:8443'
-EOF
+export PGO_NAMESPACE=pgo
 ```
 
-Apply those changes to the current session by running:
+If you wish to permanently add these variables to your environment, you can run the following:
+
+```
+cat <<EOF >> ~/.bashrc
+export PGOUSER="${HOME?}/.pgo/pgo/pgouser"
+export PGO_CA_CERT="${HOME?}/.pgo/pgo/client.crt"
+export PGO_CLIENT_CERT="${HOME?}/.pgo/pgo/client.crt"
+export PGO_CLIENT_KEY="${HOME?}/.pgo/pgo/client.key"
+export PGO_APISERVER_URL='https://127.0.0.1:8443'
+export PGO_NAMESPACE=pgo
+EOF
 
-```bash
 source ~/.bashrc
 ```
 
+**NOTE**: For macOS users, you must use `~/.bash_profile` instead of `~/.bashrc`
+
 ## Verify `pgo` Connection
 
 In a separate terminal we need to setup a port forward to the Crunchy PostgreSQL
diff --git a/installers/ansible/roles/pgo-operator/tasks/certs.yml b/installers/ansible/roles/pgo-operator/tasks/certs.yml
diff --git a/installers/ansible/roles/pgo-operator/tasks/main.yml b/installers/ansible/roles/pgo-operator/tasks/main.yml
@@ -44,10 +44,6 @@
   tags:
     - uninstall
 
-- include_tasks: certs.yml
-  tags:
-    - install
-
 - name: Use kubectl or oc
   set_fact:
     kubectl_or_oc: "{{ openshift_oc_bin if openshift_oc_bin is defined else 'kubectl' }}"
@@ -274,24 +270,6 @@
             - (backrest_aws_s3_key | default('') != '') or
               (backrest_aws_s3_secret | default('') != '')
 
-    - name: PGO API Secret
-      tags:
-        - install
-        - update
-      block:
-        - name: Check PGO API Secret
-          shell: "{{ kubectl_or_oc }} get secret pgo.tls -n {{ pgo_operator_namespace }}"
-          register: pgo_tls_result
-          failed_when: false
-
-        - name: Create PGO API Secret
-          command: |
-            {{ kubectl_or_oc }} create secret tls pgo.tls \
-              --cert='{{ output_dir }}/server.crt' \
-              --key='{{ output_dir }}/server.key' \
-              -n {{ pgo_operator_namespace }}
-          when: pgo_tls_result.rc == 1
-
     - name: PGO ConfigMap
       tags:
         - install
