From 6493e7c8652ec75b5d3feebb31167ad8710655c5 Mon Sep 17 00:00:00 2001
From: Pavel Nakonechnyi
Date: Tue, 18 Oct 2022 17:12:46 +0200
Subject: [PATCH] helm: celery-beat: support mounting Postgres mTLS client certs and fixing client key permissions
---
 .../templates/celery-beat-deployment.yaml | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml
index 605e41b5b9..14509a0569 100644
--- a/helm/defectdojo/templates/celery-beat-deployment.yaml
+++ b/helm/defectdojo/templates/celery-beat-deployment.yaml
@@ -64,6 +64,13 @@ spec:
 path: {{ .hostPath }}
 {{- end }}
 {{- end }}
+ {{- if .Values.postgresql.tls.enabled }}
+ - name: postgresql-tls-volume
+ secret:
+ secretName: {{ .Values.postgresql.tls.secretName }}
+ # we need it permissive to access as low-privileged user
+ defaultMode: 0644
+ {{- end }}
 containers:
 {{- if .Values.cloudsql.enabled }}
 - name: cloudsql-proxy
@@ -87,7 +94,14 @@ spec:
 {{- end }}
 {{- end }}
 - command:
- - /entrypoint-celery-beat.sh
+ - /bin/sh
+ - -cx
+ - |
+ {{- if .Values.postgresql.tls.enabled }}
+ cp -a /run/defectdojo/{{ .Values.postgresql.tls.secretName }}/..data/* /run/defectdojo/
+ chmod 600 /run/defectdojo/{{ .Values.postgresql.tls.clientKey }}
+ {{- end }}
+ /entrypoint-celery-beat.sh
 name: celery
 image: "{{ template "celery.repository" . }}:{{ .Values.tag }}"
 imagePullPolicy: {{ .Values.imagePullPolicy }}
@@ -108,6 +122,10 @@ spec:
 mountPath: {{ .path }}
 subPath: {{ .subPath }}
 {{- end }}
+ {{- if .Values.postgresql.tls.enabled }}
+ - name: postgresql-tls-volume
+ mountPath: /run/defectdojo/{{ .Values.postgresql.tls.secretName }}
+ {{- end }}
 envFrom:
 - configMapRef:
 name: {{ $fullName }}
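Review bot: `defaultMode: 0644` on `postgresql-tls-volume` (first hunk) leaves every file in the secret, including the client private key, readable by any user in a container that mounts it. The `chmod 600` in the command hunk only tightens the copy, so the mounted original stays world-readable for the life of the pod. A narrower option is a pod-level `securityContext.fsGroup` matching the low-privileged user's group together with `defaultMode: 0440`, which keeps the files readable for the copy step without world access; whether the pod spec already sets an fsGroup is not visible in this hunk. If 0644 stays, the comment should state the compensating step, e.g. `# 0644 so the non-root user can copy the key; the copy is chmod 600 in the container command`.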
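Review bot: The new `/bin/sh -cx` wrapper (second hunk) runs `/entrypoint-celery-beat.sh` as a child and never stops on error, so a failed `cp` or `chmod` still starts celery-beat without a usable key, and the shell rather than the entrypoint is PID 1 when the pod receives termination signals. Using `-cex` and ending the script with `exec /entrypoint-celery-beat.sh` addresses both. The `cp -a` also copies the private key out of the secret mount into `/run/defectdojo/`, which appears to be the container's writable layer rather than a memory-backed volume; an `emptyDir` with `medium: Memory` mounted there would keep the key off node disk, and because the copy happens once at start-up a rotated secret is only picked up on pod restart. The interpolated paths are unquoted inside the script; `chmod 600 "/run/defectdojo/{{ .Values.postgresql.tls.clientKey }}"` is safer against values containing spaces or shell metacharacters.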
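Review bot: `mountPath: /run/defectdojo/{{ .Values.postgresql.tls.secretName }}` (third hunk) renders as `/run/defectdojo/` if `postgresql.tls.enabled` is true while `secretName` is unset, and the same value feeds the volume's `secretName` and the `cp` source path in the other two hunks; whether the chart's values file supplies a default is not visible here. Wrapping the value with Helm's `required`, e.g. `{{ required "postgresql.tls.secretName must be set when postgresql.tls.enabled is true" .Values.postgresql.tls.secretName }}`, turns that misconfiguration into a clear render-time error. Adding `readOnly: true` to this mount would also document that the container only reads from it.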