From e339af53e5d0819cca11e09c90bd751ae5682871 Mon Sep 17 00:00:00 2001
From: Christopher Kolstad
Date: Mon, 6 May 2024 16:17:44 +0200
Subject: [PATCH] feat: added configurable DATABASE_SSL_* possibilities (#139)

* feat: added configurable DATABASE_SSL_* possibilities

* Update sslFiles.yaml

* Bump app version to 5.12 with added support for specific database ssl
---
 charts/unleash/Chart.yaml | 4 ++--
 charts/unleash/examples/sslConfigFile.yaml | 4 ++++
 charts/unleash/examples/sslFiles.yaml | 7 +++++++
 charts/unleash/templates/deployment.yaml | 24 +++++++++++++++++++++-
 charts/unleash/values.yaml | 10 +++++++++
 5 files changed, 46 insertions(+), 3 deletions(-)
 create mode 100644 charts/unleash/examples/sslConfigFile.yaml
 create mode 100644 charts/unleash/examples/sslFiles.yaml

diff --git a/charts/unleash/Chart.yaml b/charts/unleash/Chart.yaml
index bd98663..9f159a1 100644
--- a/charts/unleash/Chart.yaml
+++ b/charts/unleash/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "5.9.6"
+appVersion: "5.12.0"
 dependencies:
 - name: postgresql
 repository: https://charts.bitnami.com/bitnami
@@ -15,4 +15,4 @@ sources:
 - https://github.com/Unleash/unleash
 - https://github.com/Unleash/helm-charts
 type: application
-version: 4.0.2
+version: 4.1.0
diff --git a/charts/unleash/examples/sslConfigFile.yaml b/charts/unleash/examples/sslConfigFile.yaml
new file mode 100644
index 0000000..b2aaa37
--- /dev/null
+++ b/charts/unleash/examples/sslConfigFile.yaml
@@ -0,0 +1,4 @@
+postgresql:
+ enabled: false
+dbConfig:
+ sslConfigFile: /var/run/secrets/unleash/ssl-config.json
\ No newline at end of file
diff --git a/charts/unleash/examples/sslFiles.yaml b/charts/unleash/examples/sslFiles.yaml
new file mode 100644
index 0000000..ff283b6
--- /dev/null
+++ b/charts/unleash/examples/sslFiles.yaml
@@ -0,0 +1,7 @@
+dbConfig:
+ sslCaFile: /var/run/secrets/kubernetes/amazon-rds-ca-bundle.pem
+ sslCertFile: /var/run/secrets/kubernetes/my-client-cert.crt
+ sslKeyFile: /var/run/secrets/kubernetes/my-client-key.key
+ sslRejectUnauthorized: false
+postgresql:
+ enabled: false
diff --git a/charts/unleash/templates/deployment.yaml b/charts/unleash/templates/deployment.yaml
index 64f600c..72584f3 100644
--- a/charts/unleash/templates/deployment.yaml
+++ b/charts/unleash/templates/deployment.yaml
@@ -48,12 +48,34 @@ spec:
 value: "{{ .Values.dbConfig.port }}"
 - name: DATABASE_USERNAME
 value: "{{ .Values.dbConfig.user }}"
+ {{- if .Values.dbConfig.ssl }}
 - name: DATABASE_SSL
- value: {{ if .Values.dbConfig.ssl }}{{ .Values.dbConfig.ssl | toJson | quote }}{{ else }}"{{ "false" }}"{{ end }}
+ value: {{ .Values.dbConfig.ssl | toJson | quote }}
+ {{- end }}
 {{- if .Values.dbConfig.schema }}
 - name: DATABASE_SCHEMA
 value: "{{ .Values.dbConfig.schema }}"
 {{- end }}
+ {{- if .Values.dbConfig.sslConfigFile }}
+ - name: DATABASE_SSL_CA_CONFIG
+ value: "{{ .Values.dbConfig.sslConfigFile }}"
+ {{- end }}
+ {{- if .Values.dbConfig.sslCaFile }}
+ - name: DATABASE_SSL_CA_FILE
+ value: "{{ .Values.dbConfig.sslCaFile }}"
+ {{- end }}
+ {{- if .Values.dbConfig.sslKeyFile }}
+ - name: DATABASE_SSL_KEY_FILE
+ value: "{{ .Values.dbConfig.sslKeyFile }}"
+ {{- end }}
+ {{- if .Values.dbConfig.sslCertFile }}
+ - name: DATABASE_SSL_CERT_FILE
+ value: "{{ .Values.dbConfig.sslCertFile }}"
+ {{- end }}
+ {{- if .Values.dbConfig.sslRejectUnauthorized }}
+ - name: DATABASE_SSL_REJECT_UNAUTHORIZED
+ value: "{{ .Values.dbConfig.sslRejectUnauthorizaed }}"
+ {{- end }}
 {{- if .Values.env }}
 {{- toYaml .Values.env | nindent 12 }}
 {{- end }}
diff --git a/charts/unleash/values.yaml b/charts/unleash/values.yaml
index 090774f..0a47db6 100644
--- a/charts/unleash/values.yaml
+++ b/charts/unleash/values.yaml
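Review bot: The new example ships `sslRejectUnauthorized: false` next to a CA bundle and client certificate, which is exactly the setting the same commit's values.yaml comment says never to use in production, and it makes the supplied CA irrelevant for server verification. Examples are what operators copy into clusters, so this one should show the secure shape, `sslRejectUnauthorized: true`, or omit the key and explain in a comment that the CA bundle is what makes verification meaningful. Note also that the deployment template added in this commit only emits `DATABASE_SSL_REJECT_UNAUTHORIZED` when the value is truthy, so `false` here renders no variable at all and leaves whatever Unleash's own default is (not visible in this diff) in force; the example does not do what it appears to do either way.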
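Review bot: The value line for `DATABASE_SSL_REJECT_UNAUTHORIZED` references `.Values.dbConfig.sslRejectUnauthorizaed`, a misspelling of the key the surrounding `if` tests, so with `sslRejectUnauthorized: true` the variable is rendered with an empty value instead of `true`; the line should be `value: "{{ .Values.dbConfig.sslRejectUnauthorized }}"`. The guard itself is also worth a second look: `{{- if .Values.dbConfig.sslRejectUnauthorized }}` is false for an explicit `false`, so that setting can never reach the container and operators cannot tell from the rendered manifest which behavior is in effect; if both values are meant to be settable, guard on `{{- if hasKey .Values.dbConfig "sslRejectUnauthorized" }}` and render the boolean with `| quote`. A short comment above the SSL file variables noting that the chart only passes paths and that the CA/cert/key files must be mounted into the pod separately (the examples point at `/var/run/secrets/...`) would save the next operator a failed rollout. The enclosing `env:` list starts before this hunk.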
@@ -126,6 +126,16 @@ dbConfig:
 user: unleash
 # ssl value must be a stringified JSON object https://docs.getunleash.io/reference/deploy/configuring-unleash#dbssl-vs-database_ssl-options
 # ssl: { rejectUnauthorized: false }
+ # sslConfigFile can be a path to a json file containing the keys listed in https://docs.getunleash.io/reference/deploy/configuring-unleash#dbssl-vs-database_ssl-options
+ # sslConfigFile:
+ # sslCaFile should be a path to a CA file in pem format
+ # sslCaFile:
+ # sslCertFile should be a path to the cert file in pem format to use to connect to postgres
+ # sslCertFile:
+ # sslKeyFile should be a path to the key file in pem format to use to connect to postgres
+ # sslKeyFile:
+ # sslRejectUnauthorized can be set to true|false. Don't set this to false in production, it will void any security you get from using SSL to connect
+ # sslRejectUnauthorized
 env: []
 # - name: GOOGLE_CLIENT_ID