temporalio · robholland · Jun 14, 2024 · Jul 20, 2023 · Feb 12, 2024 · Jun 14, 2024
diff --git a/charts/temporal/templates/server-job.yaml b/charts/temporal/templates/server-job.yaml
@@ -88,6 +88,10 @@ spec:
           image: "{{ $.Values.admintools.image.repository }}:{{ $.Values.admintools.image.tag }}"
           imagePullPolicy: {{ $.Values.admintools.image.pullPolicy }}
           command: ['temporal-sql-tool', '--database', '{{ include "temporal.persistence.sql.database" (list $ $store) }}', 'create-database']
+          {{- if $.Values.server.additionalVolumeMounts }}
+          volumeMounts:
+            {{- toYaml $.Values.server.additionalVolumeMounts | nindent 12 }}
+          {{- end }}
           env:
             - name: SQL_PLUGIN
               value: {{ include "temporal.persistence.sql.driver" (list $ $store) }}
@@ -110,6 +114,28 @@ spec:
               value: {{ $storeConfig.sql.password }}
               {{- end }}
             {{- end }}
+            {{- with $storeConfig.sql.tls }}
+            - name: SQL_TLS
+              value: {{ .enabled | quote }}
+            {{- if .caFile }}
+            - name: SQL_TLS_CA_FILE
+              value: {{ .caFile }}
+            {{- end }}
+            {{- if and .certFile .keyFile }}
+            - name: SQL_TLS_CERT_FILE
+              value: {{ .certFile }}
+            - name: SQL_TLS_KEY_FILE
+              value: {{ .keyFile }}
+            {{- end }}
+            {{- if .serverName }}
+            - name: SQL_TLS_SERVER_NAME
+              value: {{ .serverName }}
+            {{- end }}
+            {{- if hasKey . "enableHostVerification" }}
+            - name: SQL_TLS_DISABLE_HOST_VERIFICATION
+              value: {{ not .enableHostVerification | quote }}
+            {{- end }}
+            {{- end }}
         {{- end }}
         {{- end }}
         {{- else }}
@@ -122,6 +148,10 @@ spec:
           image: "{{ $.Values.admintools.image.repository }}:{{ $.Values.admintools.image.tag }}"
           imagePullPolicy: {{ $.Values.admintools.image.pullPolicy }}
           command: ['temporal-{{ include "temporal.persistence.driver" (list $ $store) }}-tool', 'setup-schema', '-v', '0.0']
+          {{- if $.Values.server.additionalVolumeMounts }}
+          volumeMounts:
+            {{- toYaml $.Values.server.additionalVolumeMounts | nindent 12 }}
+          {{- end }}
           env:
             {{- if eq (include "temporal.persistence.driver" (list $ $store)) "cassandra" }}
             - name: CASSANDRA_HOST
@@ -169,6 +199,28 @@ spec:
               value: {{ $storeConfig.sql.password }}
               {{- end }}
             {{- end }}
+            {{- with $storeConfig.sql.tls }}
+            - name: SQL_TLS
+              value: {{ .enabled | quote }}
+            {{- if .caFile }}
+            - name: SQL_TLS_CA_FILE
+              value: {{ .caFile }}
+            {{- end }}
+            {{- if and .certFile .keyFile }}
+            - name: SQL_TLS_CERT_FILE
+              value: {{ .certFile }}
+            - name: SQL_TLS_KEY_FILE
+              value: {{ .keyFile }}
+            {{- end }}
+            {{- if .serverName }}
+            - name: SQL_TLS_SERVER_NAME
+              value: {{ .serverName }}
+            {{- end }}
+            {{- if hasKey . "enableHostVerification" }}
+            - name: SQL_TLS_DISABLE_HOST_VERIFICATION
+              value: {{ not .enableHostVerification | quote }}
+            {{- end }}
+            {{- end }}
             {{- end }}
         {{- end }}
           {{- with .Values.schema.resources }}
@@ -199,6 +251,10 @@ spec:
       tolerations:
       {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if $.Values.server.additionalVolumes }}
+      volumes:
+        {{- toYaml $.Values.server.additionalVolumes | nindent 8 }}
+      {{- end }}
 ---
 {{- end }}
 {{- if .Values.schema.update.enabled }}
@@ -266,6 +322,10 @@ spec:
           {{- else if eq (include "temporal.persistence.sql.driver" (list $ $store)) "postgres12" }}
           command: ['temporal-{{ include "temporal.persistence.driver" (list $ $store) }}-tool', 'update-schema', '--schema-dir', '/etc/temporal/schema/postgresql/v12/{{ include "temporal.persistence.schema" $store }}/versioned']
           {{- end }}
+          {{- if $.Values.server.additionalVolumeMounts }}
+          volumeMounts:
+            {{- toYaml $.Values.server.additionalVolumeMounts | nindent 12 }}
+          {{- end }}
           env:
             {{- if eq (include "temporal.persistence.driver" (list $ $store)) "cassandra" }}
             - name: CASSANDRA_HOST
@@ -313,6 +373,28 @@ spec:
               value: {{ $storeConfig.sql.password }}
               {{- end }}
             {{- end }}
+            {{- with $storeConfig.sql.tls }}
+            - name: SQL_TLS
+              value: {{ .enabled | quote }}
+            {{- if .caFile }}
+            - name: SQL_TLS_CA_FILE
+              value: {{ .caFile }}
+            {{- end }}
+            {{- if and .certFile .keyFile }}
+            - name: SQL_TLS_CERT_FILE
+              value: {{ .certFile }}
+            - name: SQL_TLS_KEY_FILE
+              value: {{ .keyFile }}
+            {{- end }}
+            {{- if .serverName }}
+            - name: SQL_TLS_SERVER_NAME
+              value: {{ .serverName }}
+            {{- end }}
+            {{- if hasKey . "enableHostVerification" }}
+            - name: SQL_TLS_DISABLE_HOST_VERIFICATION
+              value: {{ not .enableHostVerification | quote }}
+            {{- end }}
+            {{- end }}
             {{- end }}
         {{- end }}
         {{- end }}
@@ -340,6 +422,10 @@ spec:
       tolerations:
       {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if $.Values.server.additionalVolumes }}
+      volumes:
+        {{- toYaml $.Values.server.additionalVolumes | nindent 8 }}
+      {{- end }}
 ---
 {{- end }}
 {{- if and (or $.Values.elasticsearch.enabled $.Values.elasticsearch.external) .Values.schema.setup.enabled }}

diff --git a/charts/temporal/values/values.postgresql.yaml b/charts/temporal/values/values.postgresql.yaml
@@ -20,6 +20,9 @@ server:
           #  enabled: true
           #  enableHostVerification: true
           #  serverName: _HOST_ # this is strictly required when using serverless CRDB offerings
+          #  caFile: /path/to/certs/<CA-file> # Here we assumed that caFile, certFile, keyFile are stored in one secret mounted as 'secret-with-certs' (see: server.additionalVolumes and server.additionalVolumeMounts sections).
+          #  certFile: /path/to/certs/<client-cert-file>
+          #  keyFile: /path/to/certs/<client-key-file>
 
       visibility:
         driver: "sql"
@@ -40,6 +43,17 @@ server:
           #  enabled: true
           #  enableHostVerification: true
           #  serverName: _HOST_ # this is strictly required when using serverless CRDB offerings
+          #  caFile: /path/to/certs/<CA-file> # Here we assumed that caFile, certFile, keyFile are stored in one secret mounted as 'secret-with-certs' (see: server.additionalVolumes and server.additionalVolumeMounts sections).
+          #  certFile: /path/to/certs/<client-cert-file>
+          #  keyFile: /path/to/certs/<client-key-file>
+
+  # additionalVolumes:
+  #   - name: secret-with-certs
+  #     secret:
+  #       secretName: secret-with-certs
+  # additionalVolumeMounts:
+  #   - name: secret-with-certs
+  #     mountPath: /path/to/certs/
 
 cassandra:
   enabled: false