10000 feat: make postgres SSL certificate paths configurable · coder/observability@6db14cf · GitHub


Commit 6db14cf

committed
feat: make postgres SSL certificate paths configurable
- Remove hardcoded /home/coder/.postgresql paths - Make sslrootcert, volumes, and volumeMounts configurable with no defaults - Add conditional rendering to avoid empty volume mounts - Update postgres connector string to handle optional sslrootcert - Update README documentation Fixes hardcoded certificate paths introduced in PR #40
1 parent 847beb3 commit 6db14cf


4 files changed

+30
-15
lines changed


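--- a/README.md
+++ b/README.md
@@ -258,7 +258,7 @@ values which are defined [here](https://github.com/grafana/helm-charts/tree/main
 | global.dashboards.timerange | string | `"12h"` | how far back dashboards should look |
 | global.externalScheme | string | `"http"` | |
 | global.externalZone | string | `"svc.cluster.local"` | |
-| global.postgres | object | `{"alerts":{"groups":{"Basic":{"delay":"1m","enabled":true},"Connections":{"delay":"5m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}},"Notifications":{"delay":"15m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}}}},"database":"coder","exporter":{"image":"quay.io/prometheuscommunity/postgres-exporter"},"hostname":"localhost","mountSecret":"secret-postgres","password":null,"port":5432,"sslmode":"disable","sslrootcert":"/home/coder/.postgresql/rootcert.pem","username":"coder","volumeMounts":[{"mountPath":"/home/coder/.postgresql","name":"pg-certs-mount","readOnly":true}],"volumes":[{"configMap":{"name":"pg-certs-mount-config-map"},"name":"pg-certs-mount"}]}` | postgres connection information NOTE: these settings are global so we can parameterise some values which get rendered by subcharts |
+| global.postgres | object | `{"alerts":{"groups":{"Basic":{"delay":"1m","enabled":true},"Connections":{"delay":"5m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}},"Notifications":{"delay":"15m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}}}},"database":"coder","exporter":{"image":"quay.io/prometheuscommunity/postgres-exporter"},"hostname":"localhost","mountSecret":"secret-postgres","password":null,"port":5432,"sslmode":"disable","sslrootcert":null,"username":"coder","volumeMounts":[],"volumes":[]}` | postgres connection information NOTE: these settings are global so we can parameterise some values which get rendered by subcharts |
 | global.postgres.alerts | object | `{"groups":{"Basic":{"delay":"1m","enabled":true},"Connections":{"delay":"5m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}},"Notifications":{"delay":"15m","enabled":true,"thresholds":{"critical":0.9,"notify":0.5,"warning":0.8}}}}` | alerts for postgres |
 | global.telemetry | object | `{"metrics":{"scrape_interval":"15s","scrape_timeout":"12s"}}` | control telemetry collection |
 | global.telemetry.metrics | object | `{"scrape_interval":"15s","scrape_timeout":"12s"}` | control metric collection |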

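--- a/coder-observability/templates/_helpers.tpl
+++ b/coder-observability/templates/_helpers.tpl
@@ -66,12 +66,20 @@ Create the name of the service account to use
 {{- if and .Values.global.postgres.password (eq .Values.global.postgres.sslmode "disable") -}}
 postgresql://{{ .Values.global.postgres.username }}:{{ urlquery .Values.global.postgres.password }}@{{ .Values.global.postgres.hostname }}:{{ .Values.global.postgres.port }}/{{ .Values.global.postgres.database }}?sslmode={{ .Values.global.postgres.sslmode }}
 {{- else if and .Values.global.postgres.password (ne .Values.global.postgres.sslmode "disable") -}}
+{{- if .Values.global.postgres.sslrootcert -}}
 postgresql://{{ .Values.global.postgres.username }}:{{ urlquery .Values.global.postgres.password }}@{{ .Values.global.postgres.hostname }}:{{ .Values.global.postgres.port }}/{{ .Values.global.postgres.database }}?sslmode={{ .Values.global.postgres.sslmode }}&sslrootcert={{ .Values.global.postgres.sslrootcert }}
+{{- else -}}
+postgresql://{{ .Values.global.postgres.username }}:{{ urlquery .Values.global.postgres.password }}@{{ .Values.global.postgres.hostname }}:{{ .Values.global.postgres.port }}/{{ .Values.global.postgres.database }}?sslmode={{ .Values.global.postgres.sslmode }}
+{{- end -}}
 {{- else if and .Values.global.postgres.mountSecret (eq .Values.global.postgres.sslmode "disable") -}}
 postgresql://{{ .Values.global.postgres.username }}@{{ .Values.global.postgres.hostname }}:{{ .Values.global.postgres.port }}/{{ .Values.global.postgres.database }}?sslmode={{ .Values.global.postgres.sslmode }}
 {{- else if and .Values.global.postgres.mountSecret (ne .Values.global.postgres.sslmode "disable") -}}
+{{- if .Values.global.postgres.sslrootcert -}}
 postgresql://{{ .Values.global.postgres.username }}@{{ .Values.global.postgres.hostname }}:{{ .Values.global.postgres.port }}/{{ .Values.global.postgres.database }}?sslmode={{ .Values.global.postgres.sslmode }}&sslrootcert={{ .Values.global.postgres.sslrootcert }}
 {{- else -}}
+postgresql://{{ .Values.global.postgres.username }}@{{ .Values.global.postgres.hostname }}:{{ .Values.global.postgres.port }}/{{ .Values.global.postgres.database }}?sslmode={{ .Values.global.postgres.sslmode }}
+{{- end -}}
+{{- else -}}
 {{ fail "either postgres.password or postgres.mountSecret must be defined" }}
 {{- end -}}
 {{- end }}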
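Review bot: The added `{{- else -}}` branches at new lines 72 and 80 render a connection string for every non-`disable` sslmode with no trust anchor, and the template does not tell `require` apart from `verify-ca`/`verify-full`. Under PostgreSQL's documented sslmode semantics `require` without a root certificate encrypts the session but does not authenticate the server, so setting only `sslmode` now gives less than the old default path suggested; a template comment above each inner `if`, e.g. `{{- /* no sslrootcert: server certificate checking is left to the client's defaults; sslmode=require alone does not verify the server */ -}}`, would make that visible. `sslrootcert` is also a free-form value now but is still interpolated unescaped at new lines 70 and 78, where `&sslrootcert={{ urlquery .Values.global.postgres.sslrootcert }}` would match the password handling, assuming the exporter decodes query values. The enclosing `define` begins above the hunk.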

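--- a/coder-observability/templates/statefulset-postgres-exporter.yaml
+++ b/coder-observability/templates/statefulset-postgres-exporter.yaml
@@ -30,9 +30,11 @@ spec:
 - name: DATA_SOURCE_NAME
 value: '{{ include "postgres-connector-string" . }}'
 {{ include "postgres-secret-mount" . | nindent 10 }}
-
+{{- if .Values.global.postgres.volumeMounts }}
 volumeMounts:
 {{ toYaml .Values.global.postgres.volumeMounts | nindent 12 }}
-
+{{- end }}
+{{- if .Values.global.postgres.volumes }}
 volumes:
-{{ toYaml .Values.global.postgres.volumes | nindent 8 }}
+{{ toYaml .Values.global.postgres.volumes | nindent 8 }}
+{{- end }}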
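Review bot: The guards at new lines 33 and 37 are independent, so a values file that sets `volumeMounts` without a matching `volumes` entry still renders and, as far as this hunk shows, is only rejected when the manifest is applied. A render-time check before the `volumeMounts:` block would catch it earlier: `{{- if and .Values.global.postgres.volumeMounts (not .Values.global.postgres.volumes) }}{{ fail "global.postgres.volumeMounts requires global.postgres.volumes" }}{{- end }}`. Nothing here ties `sslrootcert` to a mount either, so a path that is not present in the container would surface only as an exporter connection error at runtime. The container and pod spec start above the hunk.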

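--- a/coder-observability/values.yaml
+++ b/coder-observability/values.yaml
@@ -123,23 +123,28 @@ global:
 password:
 database: coder
 sslmode: disable
-# add root cert path if using SSL
-sslrootcert: /home/coder/.postgresql/rootcert.pem
+# SSL root certificate path - only required when sslmode != "disable"
+# Example: /path/to/certs/rootcert.pem
+sslrootcert:
 
 # ensure that your secret has a field named `PGPASSWORD`
 mountSecret: "secret-postgres"
 exporter:
 image: "quay.io/prometheuscommunity/postgres-exporter"
 
-volumes:
-- name: "pg-certs-mount"
-configMap:
-name: "pg-certs-mount-config-map"
-
-volumeMounts:
-- name: "pg-certs-mount"
-mountPath: "/home/coder/.postgresql"
-readOnly: true
+# volumes and volumeMounts for SSL certificates
+# Only required when using SSL connections (sslmode != "disable")
+# Example configuration:
+# volumes:
+# - name: "pg-certs-mount"
+# configMap:
+# name: "pg-certs-mount-config-map"
+# volumeMounts:
+# - name: "pg-certs-mount"
+# mountPath: "/path/to/certs"
+# readOnly: true
+volumes: []
+volumeMounts: []
 
 # global.postgres.alerts -- alerts for postgres
 alerts: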
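Review bot: The comment at new line 126 calls the path "only required when sslmode != disable", but the helper in this commit renders a connection string without it, so the key is optional and the comment does not say that the path has to exist inside the exporter container. I would word it as `# SSL root certificate path inside the exporter container, under one of volumeMounts[].mountPath; optional, left out of the connection string when empty`. The commented example mounts a ConfigMap, which suits a public CA certificate; if client key material is ever mounted the same way it belongs in a Secret, which may be worth a line in the example. `sslmode: disable` remains the default in the context lines, so TLS to the database stays opt-in.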
