feat(postgres): Support manual postgres certificate deployment (#186)

* support manual postgres certificate deployment * move option * rename param * Remove broken validation * use nats in test * doc gen
observIQ · Dec 12, 2024 · 8ed35f9 · 8ed35f9
1 parent 9ebf1f4
commit 8ed35f9
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 2 deletions.
diff --git a/charts/bindplane/Chart.yaml b/charts/bindplane/Chart.yaml
@@ -3,7 +3,7 @@ name: bindplane
 description: BindPlane OP is an observability pipeline.
 type: application
 # The chart's version
-version: 1.21.1
+version: 1.22.0
 # The BindPlane OP tagged release. If the user does not
 # set the `image.tag` values option, this version is used.
 appVersion: 1.84.0

diff --git a/charts/bindplane/README.md b/charts/bindplane/README.md
@@ -1,6 +1,6 @@
 # bindplane
 
-![Version: 1.21.1](https://img.shields.io/badge/Version-1.21.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.84.0](https://img.shields.io/badge/AppVersion-1.84.0-informational?style=flat-square)
+![Version: 1.22.0](https://img.shields.io/badge/Version-1.22.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.84.0](https://img.shields.io/badge/AppVersion-1.84.0-informational?style=flat-square)
 
 BindPlane OP is an observability pipeline.
 
@@ -61,6 +61,7 @@ BindPlane OP is an observability pipeline.
 | backend.postgres.maxConnections | int | `100` | Max number of connections to use when communicating with Postgres. |
 | backend.postgres.password | string | `""` | Password for the username used to connect to Postgres. |
 | backend.postgres.port | int | `5432` | TCP port used to connect to Postgres. |
+| backend.postgres.sslSource | string | `"secret"` | How to read the Postgres TLS certificate(s). Supported options include "secret" and "manual". When "secret" is set, a secret containing the Postgres TLS certificate(s) will be mounted into the BindPlane container. When "manual" is set, it is up to the user to ensure the certificates are mounted into the BindPlane container' emptyDir volume at postgres-tls-dir /postgres-tls. |
 | backend.postgres.sslmode | string | `"disable"` | SSL mode to use when connecting to Postgres over TLS. Supported options include "disable", "require", "verify-ca", "verify-full". See the [postgres ssl documentation](https://jdbc.postgresql.org/documentation/ssl/) for more information. |
 | backend.postgres.sslsecret.name | string | `""` | Name of the secret that contains the Postgres TLS certificate(s). When SSL mode is set to `verify-ca` or `verify-full`, this secret will be used to mount certificates into the BindPlane container. Requires BindPlane v1.56.0 or newer. |
 | backend.postgres.sslsecret.sslcertSubPath | string | `""` | Path to the client certificate used to authenticate with the Postgres server, when mutual TLS is required. |

diff --git a/charts/bindplane/templates/bindplane-jobs.yaml b/charts/bindplane/templates/bindplane-jobs.yaml
@@ -60,6 +60,7 @@ spec:
       {{- toYaml .Values.topologySpreadConstraints.jobs | nindent 8 }}
       {{- end }}
       {{- if .Values.backend.postgres.sslsecret.name }}
+      {{- if eq .Values.backend.postgres.sslSource "secret" }}
       initContainers:
         - name: postgres-tls
           image: busybox
@@ -87,6 +88,7 @@ spec:
               subPath: {{ .Values.backend.postgres.sslsecret.sslkeySubPath }}
             {{- end }}
       {{- end }}
+      {{- end }}
       containers:
         - name: server
           image: {{ include "bindplane.image" . }}:{{ include "bindplane.tag" . }}

diff --git a/charts/bindplane/templates/bindplane.yaml b/charts/bindplane/templates/bindplane.yaml
@@ -86,6 +86,7 @@ spec:
               mountPath: /data
       {{- end }}
       {{- if .Values.backend.postgres.sslsecret.name }}
+      {{- if eq .Values.backend.postgres.sslSource "secret" }}
         - name: postgres-tls
           image: busybox
           command:
@@ -112,6 +113,7 @@ spec:
               subPath: {{ .Values.backend.postgres.sslsecret.sslkeySubPath }}
             {{- end }}
       {{- end }}
+      {{- end }}
       containers:
         - name: server
           image: {{ include "bindplane.image" . }}:{{ include "bindplane.tag" . }}

diff --git a/charts/bindplane/templates/configmap.yaml b/charts/bindplane/templates/configmap.yaml
@@ -10,6 +10,7 @@ data:
     chmod 0750 /data
 {{ end }}
 {{- if .Values.backend.postgres.sslsecret.name }}
+{{- if eq .Values.backend.postgres.sslSource "secret" }}
 kind: ConfigMap
 apiVersion: v1
 metadata:
@@ -21,3 +22,4 @@ data:
     chmod 0400 /postgres-tls/*
     chown -R 65534:65534 /postgres-tls
 {{ end }}
+{{ end }}
diff --git a/charts/bindplane/values.yaml b/charts/bindplane/values.yaml
@@ -20,6 +20,11 @@ backend:
     database: ""
     # -- SSL mode to use when connecting to Postgres over TLS. Supported options include "disable", "require", "verify-ca", "verify-full". See the [postgres ssl documentation](https://jdbc.postgresql.org/documentation/ssl/) for more information.
     sslmode: "disable"
+    # -- How to read the Postgres TLS certificate(s). Supported options include "secret" and "manual".
+    # When "secret" is set, a secret containing the Postgres TLS certificate(s) will be mounted into the BindPlane container.
+    # When "manual" is set, it is up to the user to ensure the certificates are mounted into the BindPlane container'
+    # emptyDir volume at postgres-tls-dir /postgres-tls.
+    sslSource: "secret"
     sslsecret:
       # -- Name of the secret that contains the Postgres TLS certificate(s). When SSL mode is set to
       # `verify-ca` or `verify-full`, this secret will be used to mount certificates into the BindPlane

diff --git a/test/cases/postgres/values.yaml b/test/cases/postgres/values.yaml
@@ -40,3 +40,6 @@ jobs:
     limits:
       memory: 100Mi
       cpu: 100m
+
+eventbus:
+  type: nats