fix: Skip mounting Postgres TLS certificats from secret when sslSourc…

…e is 'manual' (#189) * do not mount postgres TLS certs when sslSource is not 'secret' * re-implement configmap, skip copying files and setting ownership when sslSource is not 'secret' * Always set filesystem permissions to 0400 * deploy init containers
observIQ · Dec 12, 2024 · 73278e7 · 73278e7
1 parent 8650a93
commit 73278e7
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 8 deletions.
diff --git a/charts/bindplane/Chart.yaml b/charts/bindplane/Chart.yaml
@@ -3,7 +3,7 @@ name: bindplane
 description: BindPlane OP is an observability pipeline.
 type: application
 # The chart's version
-version: 1.23.0
+version: 1.23.1
 # The BindPlane OP tagged release. If the user does not
 # set the `image.tag` values option, this version is used.
 appVersion: 1.84.0

diff --git a/charts/bindplane/README.md b/charts/bindplane/README.md
@@ -1,6 +1,6 @@
 # bindplane
 
-![Version: 1.23.0](https://img.shields.io/badge/Version-1.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.84.0](https://img.shields.io/badge/AppVersion-1.84.0-informational?style=flat-square)
+![Version: 1.23.1](https://img.shields.io/badge/Version-1.23.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.84.0](https://img.shields.io/badge/AppVersion-1.84.0-informational?style=flat-square)
 
 BindPlane OP is an observability pipeline.
 

diff --git a/charts/bindplane/templates/bindplane-jobs.yaml b/charts/bindplane/templates/bindplane-jobs.yaml
@@ -60,7 +60,6 @@ spec:
       {{- toYaml .Values.topologySpreadConstraints.jobs | nindent 8 }}
       {{- end }}
       {{- if .Values.backend.postgres.sslsecret.name }}
-      {{- if eq .Values.backend.postgres.sslSource "secret" }}
       initContainers:
         - name: postgres-tls
           image: {{ .Values.busybox_image }}
@@ -74,6 +73,7 @@ spec:
               subPath: init.sh
             - mountPath: /postgres-tls
               name: postgres-tls-dir
+            {{- if eq .Values.backend.postgres.sslSource "secret" }}
             {{- if .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
             - mountPath: /ca.crt
               name: {{ .Values.backend.postgres.sslsecret.name }}
@@ -87,7 +87,7 @@ spec:
               name: {{ .Values.backend.postgres.sslsecret.name }}
               subPath: {{ .Values.backend.postgres.sslsecret.sslkeySubPath }}
             {{- end }}
-      {{- end }}
+            {{- end }}
       {{- end }}
       containers:
         - name: server
@@ -613,10 +613,12 @@ spec:
         {{- if .Values.backend.postgres.sslsecret.name }}
         - name: postgres-tls-dir
           emptyDir: {}
+        {{- if eq .Values.backend.postgres.sslSource "secret" }}
         - name: {{ .Values.backend.postgres.sslsecret.name }}
           secret:
             defaultMode: 0400
             secretName: {{ .Values.backend.postgres.sslsecret.name }}
+        {{- end }}
         - name: postgres-tls-init
           configMap:
             name: postgres-tls-init

diff --git a/charts/bindplane/templates/bindplane.yaml b/charts/bindplane/templates/bindplane.yaml
@@ -86,7 +86,6 @@ spec:
               mountPath: /data
       {{- end }}
       {{- if .Values.backend.postgres.sslsecret.name }}
-      {{- if eq .Values.backend.postgres.sslSource "secret" }}
         - name: postgres-tls
           image: {{ .Values.busybox_image }}
           command:
@@ -99,6 +98,7 @@ spec:
               subPath: init.sh
             - mountPath: /postgres-tls
               name: postgres-tls-dir
+            {{- if eq .Values.backend.postgres.sslSource "secret" }}
             {{- if .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
             - mountPath: /ca.crt
               name: {{ .Values.backend.postgres.sslsecret.name }}
@@ -112,7 +112,7 @@ spec:
               name: {{ .Values.backend.postgres.sslsecret.name }}
               subPath: {{ .Values.backend.postgres.sslsecret.sslkeySubPath }}
             {{- end }}
-      {{- end }}
+            {{- end }}
       {{- end }}
       containers:
         - name: server
@@ -671,10 +671,12 @@ spec:
         {{- if .Values.backend.postgres.sslsecret.name }}
         - name: postgres-tls-dir
           emptyDir: {}
+        {{- if eq .Values.backend.postgres.sslSource "secret" }}
         - name: {{ .Values.backend.postgres.sslsecret.name }}
           secret:
             defaultMode: 0400
             secretName: {{ .Values.backend.postgres.sslsecret.name }}
+        {{- end }}
         - name: postgres-tls-init
           configMap:
             name: postgres-tls-init

diff --git a/charts/bindplane/templates/configmap.yaml b/charts/bindplane/templates/configmap.yaml
@@ -10,16 +10,16 @@ data:
     chmod 0750 /data
 {{ end }}
 {{- if .Values.backend.postgres.sslsecret.name }}
-{{- if eq .Values.backend.postgres.sslSource "secret" }}
 kind: ConfigMap
 apiVersion: v1
 metadata:
   name: postgres-tls-init
 data:
   init.sh: |
     #!/bin/sh
+{{- if eq .Values.backend.postgres.sslSource "secret" }}
     cp /ca.crt /client.crt /client.key /postgres-tls
+{{- end }}
     chmod 0400 /postgres-tls/*
     chown -R 65534:65534 /postgres-tls
 {{ end }}
-{{ end }}