fix(helm): mount postgres TLS secrets with proper permissions
filipowm committed Mar 5, 2022
1 parent 35963aa commit 41c0de5
Showing 1 changed file with 24 additions and 13 deletions.
37 changes: 24 additions & 13 deletions infrastructure/charts/charts/indexer/templates/deployment.yaml
Expand Up @@ -22,7 +22,6 @@ spec:
imagePullSecrets: {{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "indexer.serviceAccountName" . }}
securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
volumes:
- name: config
configMap:
Expand All @@ -42,10 +41,32 @@ spec:
path: application-source.yml
{{- end }}
{{- if .Values.global.postgresql.tlsSecret }}
- name: postgres-tls-volume
emptyDir:
sizeLimit: "20k"
- name: postgresql-tls
secret:
secretName: {{ .Values.global.postgresql.tlsSecret }}
defaultMode: 0400
{{- end }}
initContainers:
{{- if .Values.global.postgresql.tlsSecret }}
- name: postgres-tls-ownership
image: alpine:3.6
command: ["sh", "-c", "cp /root/.postgresql/* /home/cnb/.postgresql && chmod 0400 /home/cnb/.postgresql/* && chown -R 1000:1000 /home/cnb/.postgresql"]
volumeMounts:
- mountPath: /home/cnb/.postgresql
name: postgres-tls-volume
- mountPath: /root/.postgresql/postgresql.pk8
subPath: privateKey
name: postgresql-tls
- mountPath: /root/.postgresql/postgresql.crt
subPath: cert
name: postgresql-tls
- mountPath: /root/.postgresql/root.crt
subPath: serverCACert
name: postgresql-tls
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
Expand All @@ -71,18 +92,8 @@ spec:
readOnly: true
{{- end }}
{{- if .Values.global.postgresql.tlsSecret }}
- mountPath: /home/cnb/.postgresql/postgresql.pk8
subPath: privateKey
name: postgresql-tls
mode: 600
- mountPath: /home/cnb/.postgresql/postgresql.crt
subPath: cert
name: postgresql-tls
mode: 600
- mountPath: /home/cnb/.postgresql/root.crt
subPath: serverCACert
name: postgresql-tls
mode: 600
- mountPath: /home/cnb/.postgresql
name: postgres-tls-volume
{{- end }}
ports:
- name: http
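Review bot: The `postgres-tls-volume` emptyDir that receives the copied private key sets no `medium`, so it lands on the node's default storage, whereas the Secret volume it is copied from is tmpfs-backed; adding `medium: Memory` under `emptyDir:` keeps the key material off the node's disk. The `postgres-tls-ownership` init container hard-codes `image: alpine:3.6`, an old tag with no digest; taking the image from values and pinning it to a maintained tag or digest would make it patchable. The pod-level `securityContext` line built from `.Values.podSecurityContext` appears to be the line dropped in the first hunk (the rendered page does not mark sides, so this is inferred from the hunk counts), presumably so the init container can run as root for `chown`; if so, a container-level `securityContext` with `runAsUser: 0` on the init container alone would let the pod-level settings stay in force for the main container. The main container's mount of `/home/cnb/.postgresql` could also carry `readOnly: true`, since the application only needs to read the copied files.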