From b64ba359269039e3d500ce6979c77184ef5543bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Grzegorz=20Ko=C5=82akowski?=
Date: Thu, 20 Jul 2023 13:12:38 +0200
Subject: [PATCH 1/3] Configure SQL_TLS environment variables in server-job
---
 charts/temporal/templates/server-job.yaml | 86 +++++++++++++++++++++++
 1 file changed, 86 insertions(+)
diff --git a/charts/temporal/templates/server-job.yaml b/charts/temporal/templates/server-job.yaml
index 16b9ace6..615dfb56 100644
--- a/charts/temporal/templates/server-job.yaml
+++ b/charts/temporal/templates/server-job.yaml
@@ -88,6 +88,10 @@ spec:
 image: "{{ $.Values.admintools.image.repository }}:{{ $.Values.admintools.image.tag }}"
 imagePullPolicy: {{ $.Values.admintools.image.pullPolicy }}
 command: ['temporal-sql-tool', '--database', '{{ include "temporal.persistence.sql.database" (list $ $store) }}', 'create-database']
+ {{- if $.Values.server.additionalVolumeMounts }}
+ volumeMounts:
+ {{- toYaml $.Values.server.additionalVolumeMounts | nindent 12 }}
+ {{- end }}
 env:
 - name: SQL_PLUGIN
 value: {{ include "temporal.persistence.sql.driver" (list $ $store) }}
@@ -110,6 +114,28 @@ spec:
 value: {{ $storeConfig.sql.password }}
 {{- end }}
 {{- end }}
+ {{- with $storeConfig.sql.tls }}
+ - name: SQL_TLS
+ value: {{ .enabled | quote }}
+ {{- if .caFile }}
+ - name: SQL_TLS_CA_FILE
+ value: {{ .caFile }}
+ {{- end }}
+ {{- if and .certFile .keyFile }}
+ - name: SQL_TLS_CERT_FILE
+ value: {{ .certFile }}
+ - name: SQL_TLS_KEY_FILE
+ value: {{ .keyFile }}
+ {{- end }}
+ {{- if .serverName }}
+ - name: SQL_TLS_SERVER_NAME
+ value: {{ .serverName }}
+ {{- end }}
+ {{- if hasKey . "enableHostVerification" }}
+ - name: SQL_TLS_DISABLE_HOST_VERIFICATION
+ value: {{ not .enableHostVerification | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- else }}
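Review bot: The `volumeMounts:` block added under the create-database container mounts every entry of `server.additionalVolumeMounts` into the admintools job, not only the TLS material this change needs, so any other volume an operator has attached to the server pods (other secrets, config files) becomes readable from the schema jobs as well. The same coupling appears in the hunks at `@@ -122` and `@@ -266` (volumeMounts) and at `@@ -199` and `@@ -340` (volumes). A dedicated pair of values for the jobs (e.g. a constructed `schema.additionalVolumes` / `schema.additionalVolumeMounts`), or at least a values.yaml comment stating that the server's mounts are propagated to the schema jobs, would keep the jobs' filesystem to what they need. The container spec this hunk edits starts above the hunk, so the `nindent 12` depth cannot be checked from here.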
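Review bot: `value: {{ .caFile }}`, `{{ .certFile }}`, `{{ .keyFile }}` and `{{ .serverName }}` are rendered as plain scalars while `.enabled` and the host-verification flag go through `quote`; a Kubernetes `env[].value` must be a string, so a path or server name that YAML types differently (all digits, or containing `: ` or ` #`) renders invalid or changes meaning. Pipe all four through `quote` the same way, e.g. `value: {{ .caFile | quote }}`; the hunks at `@@ -169` and `@@ -313` repeat the same block and need the same change. Separately, `{{- if and .certFile .keyFile }}` silently emits neither env var when only one of the pair is set, so a typo in one key presumably leaves the tool connecting without a client certificate and without any signal; an `{{- else if or .certFile .keyFile }}{{ fail "sql.tls: certFile and keyFile must be set together" }}` branch would surface that at render time. The template scope this `with` block sits in starts before the hunk.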
@@ -122,6 +148,10 @@ spec:
 image: "{{ $.Values.admintools.image.repository }}:{{ $.Values.admintools.image.tag }}"
 imagePullPolicy: {{ $.Values.admintools.image.pullPolicy }}
 command: ['temporal-{{ include "temporal.persistence.driver" (list $ $store) }}-tool', 'setup-schema', '-v', '0.0']
+ {{- if $.Values.server.additionalVolumeMounts }}
+ volumeMounts:
+ {{- toYaml $.Values.server.additionalVolumeMounts | nindent 12 }}
+ {{- end }}
 env:
 {{- if eq (include "temporal.persistence.driver" (list $ $store)) "cassandra" }}
 - name: CASSANDRA_HOST
@@ -169,6 +199,28 @@ spec:
 value: {{ $storeConfig.sql.password }}
 {{- end }}
 {{- end }}
+ {{- with $storeConfig.sql.tls }}
+ - name: SQL_TLS
+ value: {{ .enabled | quote }}
+ {{- if .caFile }}
+ - name: SQL_TLS_CA_FILE
+ value: {{ .caFile }}
+ {{- end }}
+ {{- if and .certFile .keyFile }}
+ - name: SQL_TLS_CERT_FILE
+ value: {{ .certFile }}
+ - name: SQL_TLS_KEY_FILE
+ value: {{ .keyFile }}
+ {{- end }}
+ {{- if .serverName }}
+ - name: SQL_TLS_SERVER_NAME
+ value: {{ .serverName }}
+ {{- end }}
+ {{- if hasKey . "enableHostVerification" }}
+ - name: SQL_TLS_DISABLE_HOST_VERIFICATION
+ value: {{ not .enableHostVerification | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- with .Values.schema.resources }}
@@ -199,6 +251,10 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if $.Values.server.additionalVolumes }}
+ volumes:
+ {{- toYaml $.Values.server.additionalVolumes | nindent 8 }}
+ {{- end }}
 ---
 {{- end }}
 {{- if .Values.schema.update.enabled }}
@@ -266,6 +322,10 @@ spec:
 {{- else if eq (include "temporal.persistence.sql.driver" (list $ $store)) "postgres12" }}
 command: ['temporal-{{ include "temporal.persistence.driver" (list $ $store) }}-tool', 'update-schema', '--schema-dir', '/etc/temporal/schema/postgresql/v12/{{ include "temporal.persistence.schema" $store }}/versioned']
 {{- end }}
+ {{- if $.Values.server.additionalVolumeMounts }}
+ volumeMounts:
+ {{- toYaml $.Values.server.additionalVolumeMounts | nindent 12 }}
+ {{- end }}
 env:
 {{- if eq (include "temporal.persistence.driver" (list $ $store)) "cassandra" }}
 - name: CASSANDRA_HOST
@@ -313,6 +373,28 @@ spec:
 value: {{ $storeConfig.sql.password }}
 {{- end }}
 {{- end }}
+ {{- with $storeConfig.sql.tls }}
+ - name: SQL_TLS
+ value: {{ .enabled | quote }}
+ {{- if .caFile }}
+ - name: SQL_TLS_CA_FILE
+ value: {{ .caFile }}
+ {{- end }}
+ {{- if and .certFile .keyFile }}
+ - name: SQL_TLS_CERT_FILE
+ value: {{ .certFile }}
+ - name: SQL_TLS_KEY_FILE
+ value: {{ .keyFile }}
+ {{- end }}
+ {{- if .serverName }}
+ - name: SQL_TLS_SERVER_NAME
+ value: {{ .serverName }}
+ {{- end }}
+ {{- if hasKey . "enableHostVerification" }}
+ - name: SQL_TLS_DISABLE_HOST_VERIFICATION
+ value: {{ not .enableHostVerification | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
@@ -340,6 +422,10 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if $.Values.server.additionalVolumes }}
+ volumes:
+ {{- toYaml $.Values.server.additionalVolumes | nindent 8 }}
+ {{- end }}
 ---
 {{- end }}
 {{- if and (or $.Values.elasticsearch.enabled $.Values.elasticsearch.external) .Values.schema.setup.enabled }}
From 3b536c6fa4ef950bfc18a457c9c69d38117109fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Grzegorz=20Ko=C5=82akowski?=
Date: Mon, 12 Feb 2024 12:12:04 +0100
Subject: [PATCH 2/3] Update example
---
 charts/temporal/values/values.postgresql.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/charts/temporal/values/values.postgresql.yaml b/charts/temporal/values/values.postgresql.yaml
index 744c42e7..56a5e296 100644
--- a/charts/temporal/values/values.postgresql.yaml
+++ b/charts/temporal/values/values.postgresql.yaml
@@ -20,6 +20,9 @@ server:
 # enabled: true
 # enableHostVerification: true
 # serverName: _HOST_ # this is strictly required when using serverless CRDB offerings
+ # caFile: /path/to/certs/ # Here we assumed that caFile, certFile, keyFile are stored in one secret mounted as 'secret-with-certs' (see: server.additionalVolumes and server.additionalVolumeMounts sections).
+ # certFile: /path/to/certs/
+ # keyFile: /path/to/certs/
 visibility:
 driver: "sql"
@@ -40,6 +43,17 @@ server:
 # enabled: true
 # enableHostVerification: true
 # serverName: _HOST_ # this is strictly required when using serverless CRDB offerings
+ # caFile: /path/to/certs/ # Here we assumed that caFile, certFile, keyFile are stored in one secret mounted as 'secret-with-certs' (see: server.additionalVolumes and server.additionalVolumeMounts sections).
+ # certFile: /path/to/certs/
+ # keyFile: /path/to/certs/
+
+# additionalVolumes:
+# - name: secret-with-certs
+# secret:
+# secretName: secret-with-certs
+# additionalVolumeMounts:
+# - name: secret-with-certs
+# mountPath: /path/to/certs/
 cassandra:
 enabled: false
From 3751f8530fa82a718f956e0a1c248310578ce67c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Grzegorz=20Ko=C5=82akowski?=
Date: Fri, 14 Jun 2024 13:02:04 +0200
Subject: [PATCH 3/3] Fix indentation
---
 charts/temporal/values/values.postgresql.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/charts/temporal/values/values.postgresql.yaml b/charts/temporal/values/values.postgresql.yaml
index 56a5e296..7c22818f 100644
--- a/charts/temporal/values/values.postgresql.yaml
+++ b/charts/temporal/values/values.postgresql.yaml
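Review bot: The example values `caFile: /path/to/certs/`, `certFile: /path/to/certs/` and `keyFile: /path/to/certs/` all point at the same directory, the `mountPath` of the example secret volume, whereas the chart forwards them as `SQL_TLS_CA_FILE`, `SQL_TLS_CERT_FILE` and `SQL_TLS_KEY_FILE`, which by their names take individual files; an operator copying the example as written would presumably get a connection failure rather than a working TLS setup. Show one file per key, with illustrative names such as `# caFile: /path/to/certs/ca.crt`, `# certFile: /path/to/certs/tls.crt`, `# keyFile: /path/to/certs/tls.key`, and move the long "Here we assumed …" remark onto its own comment line above `caFile` so the keys stay readable. The second hunk at `@@ -40` repeats the same example and needs the same fix. Since the mounted secret holds the private key, the `additionalVolumes` example could also set `defaultMode: 0400` on the `secret:` entry so the key file is not readable by other users inside the container.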
@@ -47,13 +47,13 @@ server:
 # certFile: /path/to/certs/
 # keyFile: /path/to/certs/
-# additionalVolumes:
-# - name: secret-with-certs
-# secret:
-# secretName: secret-with-certs
-# additionalVolumeMounts:
-# - name: secret-with-certs
-# mountPath: /path/to/certs/
+ # additionalVolumes:
+ # - name: secret-with-certs
+ # secret:
+ # secretName: secret-with-certs
+ # additionalVolumeMounts:
+ # - name: secret-with-certs
+ # mountPath: /path/to/certs/
 cassandra:
 enabled: false