feat: add ssl config to postgres

.github/workflows/migration-tests.yaml

@@ -82,7 +82,8 @@ jobs:
         run: |
           set -e
           kubectl create ns reports-server
-          kubectl apply -f ./config/install.yaml
+          export HELM=${{ steps.helm.outputs.helm-path }}
+          make kind-apply
       - name: Wait for report server ready
         run: |
           set -e

Makefile

@@ -225,6 +225,15 @@ kind-install-inmemory: $(HELM) kind-load ## Build image, load it in kind cluster
 		--set postgresql.enabled=false \
 		--set image.repository=$(PACKAGE) \
 		--set image.tag=$(GIT_SHA)
+
+.PHONY: kind-apply
+kind-apply: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart
+	@echo Install chart... >&2
+	@$(HELM) template reports-server --namespace reports-server ./charts/reports-server \
+		--set image.registry=$(KO_REGISTRY) \
+		--set image.repository=$(PACKAGE) \
+		--set image.tag=$(GIT_SHA) \
+			| kubectl apply -f -
 
 ########
 # HELP #

charts/reports-server/README.md

@@ -66,6 +66,10 @@ helm install reports-server --namespace reports-server --create-namespace report
 | config.db.userSecretKeyName | string | `"username"` | The database username will be read from this `key` in the specified Secret, when `db.secretName` is set. |
 | config.db.password | string | `"reports"` | Database password |
 | config.db.passwordSecretKeyName | string | `"password"` | The database password will be read from this `key` in the specified Secret, when `db.secretName` is set. |
+| config.db.sslmode | string | `"disable"` | Database SSL |
+| config.db.sslrootcert | string | `""` | Database SSL root cert |
+| config.db.sslkey | string | `""` | Database SSL key |
+| config.db.sslcert | string | `""` | Database SSL cert |
 
 ## Source Code
 

charts/reports-server/templates/deployment.yaml

@@ -44,6 +44,10 @@ spec:
             - --dbname={{ include "reports-server.dbName" . }}
             - --dbuser={{ include "reports-server.dbUser" . }}
             - --dbpassword={{ include "reports-server.dbPassword" . }}
+            - --dbsslmode={{ .Values.config.db.sslmode }}
+            - --dbsslrootcert={{ .Values.config.db.sslrootcert }}
+            - --dbsslkey={{ .Values.config.db.sslkey }}
+            - --dbsslcert={{ .Values.config.db.sslcert }}
             {{- end }}
             - --cert-dir=/tmp
             - --secure-port=4443

charts/reports-server/values.yaml

@@ -165,10 +165,24 @@ config:
 
     # -- Database user
     user: postgres
+
     # -- The database username will be read from this `key` in the specified Secret, when `db.secretName` is set.
     userSecretKeyName: "username"
 
     # -- Database password
     password: reports
+
     # -- The database password will be read from this `key` in the specified Secret, when `db.secretName` is set.
     passwordSecretKeyName: "password"
+
+    # -- Database SSL
+    sslmode: disable
+
+    # -- Database SSL root cert
+    sslrootcert: ""
+
+    # -- Database SSL key
+    sslkey: ""
+
+    # -- Database SSL cert
+    sslcert: ""

config/install.yaml

@@ -261,6 +261,10 @@ spec:
             - --dbname=reportsdb
             - --dbuser=postgres
             - --dbpassword=reports
+            - --dbsslmode=disable
+            - --dbsslrootcert=
+            - --dbsslkey=
+            - --dbsslcert=
             - --cert-dir=/tmp
             - --secure-port=4443
           securityContext:

pkg/app/opts/options.go

@@ -33,11 +33,17 @@ type Options struct {
 	ShowVersion bool
 	Debug       bool
 	Kubeconfig  string
-	DBHost      string
-	DBPort      int
-	DBUser      string
-	DBPassword  string
-	DBName      string
+
+	// dbopts
+	DBHost        string
+	DBPort        int
+	DBUser        string
+	DBPassword    string
+	DBName        string
+	DBSSLMode     string
+	DBSSLRootCert string
+	DBSSLKey      string
+	DBSSLCert     string
 
 	// Only to be used to for testing
 	DisableAuthForTesting bool
@@ -67,6 +73,10 @@ func (o *Options) Flags() (fs flag.NamedFlagSets) {
 	msfs.StringVar(&o.DBUser, "dbuser", "postgres", "Username to login into postgres")
 	msfs.StringVar(&o.DBPassword, "dbpassword", "password", "Password to login into postgres")
 	msfs.StringVar(&o.DBName, "dbname", "reportsdb", "Name of the database to store policy reports in")
+	msfs.StringVar(&o.DBSSLMode, "dbsslmode", "disable", "SSL mode of the postgres database.")
+	msfs.StringVar(&o.DBSSLRootCert, "dbsslrootcert", "", "Path to database root cert.")
+	msfs.StringVar(&o.DBSSLKey, "dbsslkey", "", "Path to database ssl key.")
+	msfs.StringVar(&o.DBSSLCert, "dbsslcert", "", "Path to database ssl cert.")
 
 	o.SecureServing.AddFlags(fs.FlagSet("apiserver secure serving"))
 	o.Authentication.AddFlags(fs.FlagSet("apiserver authentication"))
@@ -101,11 +111,15 @@ func (o Options) ServerConfig() (*server.Config, error) {
 	}
 
 	dbconfig := &db.PostgresConfig{
-		Host:     o.DBHost,
-		Port:     o.DBPort,
-		User:     o.DBUser,
-		Password: o.DBPassword,
-		DBname:   o.DBName,
+		Host:        o.DBHost,
+		Port:        o.DBPort,
+		User:        o.DBUser,
+		Password:    o.DBPassword,
+		DBname:      o.DBName,
+		SSLMode:     o.DBSSLMode,
+		SSLRootCert: o.DBSSLRootCert,
+		SSLKey:      o.DBSSLKey,
+		SSLCert:     o.DBSSLCert,
 	}
 
 	return &server.Config{

pkg/storage/db/new.go

@@ -110,15 +110,19 @@ func (p *postgresstore) Ready() bool {
 }
 
 type PostgresConfig struct {
-	Host     string
-	Port     int
-	User     string
-	Password string
-	DBname   string
+	Host        string
+	Port        int
+	User        string
+	Password    string
+	DBname      string
+	SSLMode     string
+	SSLRootCert string
+	SSLKey      string
+	SSLCert     string
 }
 
 func (p PostgresConfig) String() string {
 	return fmt.Sprintf("host=%s port=%d user=%s "+
-		"password=%s dbname=%s sslmode=disable",
-		p.Host, p.Port, p.User, p.Password, p.DBname)
+		"password=%s dbname=%s sslmode=%s sslrootcert=%s sslkey=%s sslcert=%s",
+		p.Host, p.Port, p.User, p.Password, p.DBname, p.SSLMode, p.SSLRootCert, p.SSLKey, p.SSLCert)
 }