feat: SSL connectivity to postgres db

README.md

@@ -258,7 +258,7 @@ values which are defined [here](https://github.com/grafana/helm-charts/tree/main
 | global.dashboards.timerange | string | `"12h"` | how far back dashboards should look |
 | global.externalScheme | string | `"http"` |  |
 | global.externalZone | string | `"svc.cluster.local"` |  |
-| global.postgres | object | `{"alerts":{"groups":{"Basic":{"delay":"1m","enabled":true},"Connections":{"delay":"5m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}},"Notifications":{"delay":"15m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}}}},"database":"coder","exporter":{"image":"quay.io/prometheuscommunity/postgres-exporter"},"hostname":"localhost","mountSecret":"secret-postgres","password":null,"port":5432,"sslmode":"disable","username":"coder"}` | postgres connection information NOTE: these settings are global so we can parameterise some values which get rendered by subcharts |
+| global.postgres | object | `{"alerts":{"groups":{"Basic":{"delay":"1m","enabled":true},"Connections":{"delay":"5m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}},"Notifications":{"delay":"15m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}}}},"database":"coder","exporter":{"image":"quay.io/prometheuscommunity/postgres-exporter"},"hostname":"localhost","mountSecret":"secret-postgres","password":null,"port":5432,"sslmode":"disable","sslrootcert":"/home/coder/.postgresql/rootcert.pem","username":"coder","volumeMounts":[{"mountPath":"/home/coder/.postgresql","name":"pg-certs-mount","readOnly":true}],"volumes":[{"configMap":{"name":"pg-certs-mount-config-map"},"name":"pg-certs-mount"}]}` | postgres connection information NOTE: these settings are global so we can parameterise some values which get rendered by subcharts |
 | global.postgres.alerts | object | `{"groups":{"Basic":{"delay":"1m","enabled":true},"Connections":{"delay":"5m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}},"Notifications":{"delay":"15m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}}}}` | alerts for postgres |
 | global.telemetry | object | `{"metrics":{"scrape_interval":"15s","scrape_timeout":"12s"}}` | control telemetry collection |
 | global.telemetry.metrics | object | `{"scrape_interval":"15s","scrape_timeout":"12s"}` | control metric collection |

coder-observability/templates/_helpers.tpl

@@ -63,10 +63,14 @@ Create the name of the service account to use
 
 {{/* Postgres connector string */}}
 {{- define "postgres-connector-string" -}}
-{{- if .Values.global.postgres.password -}}
+{{- if and .Values.global.postgres.password (eq .Values.global.postgres.sslmode "disable") -}}
 postgresql://{{ .Values.global.postgres.username }}:{{ urlquery .Values.global.postgres.password }}@{{ .Values.global.postgres.hostname }}:{{ .Values.global.postgres.port }}/{{ .Values.global.postgres.database }}?sslmode={{ .Values.global.postgres.sslmode }}
-{{- else if .Values.global.postgres.mountSecret -}}
+{{- else if and .Values.global.postgres.password (ne .Values.global.postgres.sslmode "disable") -}}
+postgresql://{{ .Values.global.postgres.username }}:{{ urlquery .Values.global.postgres.password }}@{{ .Values.global.postgres.hostname }}:{{ .Values.global.postgres.port }}/{{ .Values.global.postgres.database }}?sslmode={{ .Values.global.postgres.sslmode }}&sslrootcert={{ .Values.global.postgres.sslrootcert }}
+{{- else if and .Values.global.postgres.mountSecret (eq .Values.global.postgres.sslmode "disable") -}}
 postgresql://{{ .Values.global.postgres.username }}@{{ .Values.global.postgres.hostname }}:{{ .Values.global.postgres.port }}/{{ .Values.global.postgres.database }}?sslmode={{ .Values.global.postgres.sslmode }}
+{{- else if and .Values.global.postgres.mountSecret (ne .Values.global.postgres.sslmode "disable") -}}
+postgresql://{{ .Values.global.postgres.username }}@{{ .Values.global.postgres.hostname }}:{{ .Values.global.postgres.port }}/{{ .Values.global.postgres.database }}?sslmode={{ .Values.global.postgres.sslmode }}&sslrootcert={{ .Values.global.postgres.sslrootcert }}
 {{- else -}}
 {{ fail "either postgres.password or postgres.mountSecret must be defined" }}
 {{- end -}}

coder-observability/templates/statefulset-postgres-exporter.yaml

@@ -29,4 +29,10 @@ spec:
           env:
             - name: DATA_SOURCE_NAME
               value: '{{ include "postgres-connector-string" . }}'
-          {{ include "postgres-secret-mount" . | nindent 10 }}
+          {{ include "postgres-secret-mount" . | nindent 10 }}
+
+          volumeMounts:
+          {{ toYaml .Values.global.postgres.volumeMounts | nindent 12 }}
+
+      volumes:
+      {{ toYaml .Values.global.postgres.volumes | nindent 8 }}

coder-observability/values.yaml

@@ -123,11 +123,24 @@ global:
     password:
     database: coder
     sslmode: disable
+    # add root cert path if using SSL
+    sslrootcert: /home/coder/.postgresql/rootcert.pem
+
     # ensure that your secret has a field named `PGPASSWORD`
     mountSecret: "secret-postgres"
     exporter:
       image: "quay.io/prometheuscommunity/postgres-exporter"
 
+    volumes:
+      - name: "pg-certs-mount"
+        configMap:
+          name: "pg-certs-mount-config-map"
+
+    volumeMounts:
+      - name: "pg-certs-mount"
+        mountPath: "/home/coder/.postgresql"
+        readOnly: true
+
     # global.postgres.alerts -- alerts for postgres
     alerts:
       groups:

compiled/resources.yaml

@@ -12219,6 +12219,14 @@ spec:
           envFrom:
             - secretRef:
                 name: secret-postgres
+          volumeMounts:
+            - mountPath: /home/coder/.postgresql
+              name: pg-certs-mount
+              readOnly: true
+      volumes:
+        - configMap:
+            name: pg-certs-mount-config-map
+          name: pg-certs-mount
 ---
 # Source: coder-observability/templates/statefulset-runbook-viewer.yaml
 apiVersion: apps/v1