[bitnami/postgresql-ha] Add support for autogenerated certs (#6611)

* [bitnami/postgresql-ha] Add support for autogenerated certs

* Bump the postgresql-ha chart version accordingly
alvneiayu
2021-06-16 13:45:20 +02:00
committed by GitHub
parent 13fdff2489
commit 68f0acfddf
6 changed files with 67 additions and 4 deletions


@@ -27,4 +27,4 @@ name: postgresql-ha
sources:
- https://github.com/bitnami/bitnami-docker-postgresql
- https://www.postgresql.org/
version: 7.6.3
version: 7.7.0


@@ -238,6 +238,7 @@ The following table lists the configurable parameters of the PostgreSQL HA chart
| `pgpool.configuration` | Content of pgpool.conf | `nil` |
| `pgpool.configurationCM` | ConfigMap with the Pgpool configuration file (Note: Overrides `pgpol.configuration`). The file used must be named `pgpool.conf`. | `nil` (The value is evaluated as a template) |
| `pgpool.tls.enabled` | Enable TLS traffic support for end-client connections | `false` |
| `pgpool.tls.autoGenerated` | Generate automatically self-signed TLS certificates | `nil` |
| `pgpool.tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` |
| `pgpool.tls.certificatesSecret` | Name of an existing secret that contains the certificates | `nil` |
| `pgpool.tls.certFilename` | Certificate filename | `""` |


@@ -658,21 +658,55 @@ pool_passwd file.
Return the path to the cert file.
*/}}
{{- define "postgresql-ha.pgpool.tlsCert" -}}
{{- if and .Values.pgpool.tls.enabled .Values.pgpool.tls.autoGenerated }}
{{- printf "/opt/bitnami/pgpool/certs/tls.crt" -}}
{{- else -}}
{{- required "Certificate filename is required when TLS in enabled" .Values.pgpool.tls.certFilename | printf "/opt/bitnami/pgpool/certs/%s" -}}
{{- end -}}
{{- end -}}
{{/*
Return the path to the cert key file.
*/}}
{{- define "postgresql-ha.pgpool.tlsCertKey" -}}
{{- required "Certificate Key filename is required when TLS in enabled" .Values.pgpool.tls.certKeyFilename | printf "/opt/bitnami/pgpool/certs/%s" -}}
{{- if and .Values.pgpool.tls.enabled .Values.pgpool.tls.autoGenerated }}
{{- printf "/opt/bitnami/pgpool/certs/tls.key" -}}
{{- else -}}
{{- required "Certificate Key filename is required when TLS in enabled" .Values.pgpool.tls.certKeyFilename | printf "/opt/bitnami/pgpool/certs/%s" -}}
{{- end -}}
{{- end -}}
{{/*
Return the path to the CA cert file.
*/}}
{{- define "postgresql-ha.pgpool.tlsCACert" -}}
{{- printf "/opt/bitnami/pgpool/certs/%s" .Values.pgpool.tls.certCAFilename -}}
{{- if and .Values.pgpool.tls.enabled .Values.pgpool.tls.autoGenerated }}
{{- printf "/opt/bitnami/pgpool/certs/ca.crt" -}}
{{- else -}}
{{- printf "/opt/bitnami/pgpool/certs/%s" .Values.pgpool.tls.certCAFilename -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a TLS credentials secret object should be created
*/}}
{{- define "postgresql-ha.createTlsSecret" -}}
{{- if and .Values.pgpool.tls.enabled .Values.pgpool.tls.autoGenerated (not .Values.pgpool.tls.certificatesSecret) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the path to the CA cert file.
*/}}
{{- define "postgresql-ha.tlsSecretName" -}}
{{- if .Values.pgpool.tls.enabled }}
{{- if .Values.pgpool.tls.autoGenerated }}
{{- printf "%s-crt" (include "postgresql-ha.pgpool" .) -}}
{{- else -}}
{{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.pgpool.tls.certificatesSecret }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*


@@ -384,7 +384,7 @@ spec:
{{- if .Values.pgpool.tls.enabled }}
- name: raw-certificates
secret:
secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.pgpool.tls.certificatesSecret }}
secretName: {{ include "postgresql-ha.tlsSecretName" . }}
- name: pgpool-certificates
emptyDir: {}
{{- end }}


@@ -0,0 +1,25 @@
{{- if (include "postgresql-ha.createTlsSecret" . )}}
{{- $ca := genCA "postgresql-ha-internal-ca" 365 }}
{{- $fullname := include "postgresql-ha.pgpool" . }}
{{- $releaseNamespace := .Release.Namespace }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $serviceName := include "postgresql-ha.pgpool" . }}
{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) $fullname }}
{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "postgresql-ha.pgpool" . }}-crt
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $crt.Cert | b64enc | quote }}
tls.key: {{ $crt.Key | b64enc | quote }}
{{- end }}
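Review bot: The `$altNames` list given to `genSignedCert` covers only the wildcard, the full `svc.<clusterDomain>` name and the bare service name, so a client connecting as `<svc>.<ns>` or `<svc>.<ns>.svc` fails hostname verification against the generated certificate; add `(printf "%s.%s" $serviceName $releaseNamespace) (printf "%s.%s.svc" $serviceName $releaseNamespace)` to the list. Separately, `genCA` and `genSignedCert` are evaluated on every template render, so each `helm upgrade` mints a fresh CA and key pair: clients that pinned the previous `ca.crt` stop trusting pgpool, and the running pods keep serving the old certificate until they are restarted since nothing here adds a checksum annotation to the pod template. If the chart's minimum Helm version permits, reuse the existing Secret through `lookup` before generating; otherwise this rotation behaviour should be stated in the value's comment. `$fullname` and `$serviceName` are the same `include` and one of them can be dropped.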


@@ -907,6 +907,9 @@ pgpool:
## Enable TLS traffic
##
enabled: false
## Create self-signed TLS certificates. Currently only supports PEM certificates.
##
autoGenerated: false
##
## Whether to use the server's TLS cipher preferences rather than the client's.
##
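Review bot: The comment on `autoGenerated` says "Currently only supports PEM certificates", which is copied from the neighbouring TLS comment and says nothing about what enabling it does or what it costs. Suggest replacing it with `## Generate a self-signed CA and server certificate into a Secret named <pgpool-fullname>-crt.` followed by `## Intended for testing: the CA and certificate are regenerated on every helm upgrade, so clients must not pin ca.crt.` — the regeneration follows from `genCA` being evaluated at render time in the new Secret template. The README row for this value lists its default as `nil` while values.yaml sets `false`; the two should agree.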