From 17dc456b57a08502803f8a59e256fef03a884456 Mon Sep 17 00:00:00 2001
From: Elio Bischof
Date: Wed, 15 Jun 2022 15:21:48 +0200
Subject: [PATCH] enable insecure cockroachdb

---
 charts/zitadel/Chart.yaml | 2 +-
 charts/zitadel/templates/deployment.yaml | 24 +++++++++----------
 .../templates/secret_zitadel-secrets.yaml | 4 ++--
 charts/zitadel/values.yaml | 6 ++---
 4 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/charts/zitadel/Chart.yaml b/charts/zitadel/Chart.yaml
index 819ff83e..dd22590b 100644
--- a/charts/zitadel/Chart.yaml
+++ b/charts/zitadel/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: zitadel
 description: A Helm chart for ZITADEL v2
 type: application
-version: 2.0.1
+version: 2.1.0
 appVersion: "v2.0.0-v2-alpha.23-amd64"
 kubeVersion: '>= 1.16.15 < 1.25.0'
 icon: https://zitadel.zitadel.cloud/ui/login/resources/themes/zitadel/logo-dark.svg
diff --git a/charts/zitadel/templates/deployment.yaml b/charts/zitadel/templates/deployment.yaml
index 48132d5d..27eb5b8e 100644
--- a/charts/zitadel/templates/deployment.yaml
+++ b/charts/zitadel/templates/deployment.yaml
@@ -56,7 +56,7 @@ spec:
 - name: ZITADEL_ADMINUSER_SSL_ROOTCERT
 value: /.secrets/ca.crt
 {{- end}}
- {{- if .Values.cockroachdb.enabled }}
+ {{- if .Values.zitadel.dbSslClientCrtSecret }}
 - name: ZITADEL_ADMINUSER_SSL_CERT
 value: /.secrets/tls.crt
 - name: ZITADEL_ADMINUSER_SSL_KEY
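Review bot: Gating `ZITADEL_ADMINUSER_SSL_CERT`/`_KEY` on `.Values.zitadel.dbSslClientCrtSecret` makes the chart depend on a user-supplied secret carrying the `tls.crt` key (and presumably `tls.key`; the `SSL_KEY` value is outside the hunk) in `kubernetes.io/tls` layout, a contract that was implicit while the secret name was hard-coded to the subchart's client secret. That should be stated at the gate, e.g. `{{- /* dbSslClientCrtSecret must be a kubernetes.io/tls-style secret; the init container copies its tls.crt/tls.key into /.secrets */ -}}`, and repeated next to the key in values.yaml. Note also that the volumeMount which feeds these paths (the hunk at line 100) is gated on `cockroachdb.enabled` and `cockroachdb.tls.enabled` rather than on this value, so with an external database these env vars can point at files nothing copied. The env list this hunk sits in starts before and continues after the hunk.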
@@ -77,9 +77,9 @@ spec:
 - args:
 - "{{ include "zitadel.joincpcommands" (dict "commands" (list
 (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.secretConfig "path" "/zitadel-secrets-yaml/*" ))
- (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslRootCrt .Values.zitadel.dbSslRootCrtSecret) "path" "/db-ssl-root-crt/*" ))
 (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.masterkey "path" "/zitadel-masterkey/*" ))
- (include "zitadel.makecpcommand" (dict "value" .Values.cockroachdb.enabled "path" "/root-certs/*" ))
+ (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslRootCrt .Values.zitadel.dbSslRootCrtSecret) "path" "/db-ssl-root-crt/*" ))
+ (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslClientCrtSecret "path" "/db-ssl-client-crt/*" ))
 )) }} chown -R 1000:1000 /chowned-secrets/* && chmod 400 /chowned-secrets/*"
 command:
 - sh
@@ -100,9 +100,9 @@ spec:
 - name: db-ssl-root-crt
 mountPath: /db-ssl-root-crt
 {{- end}}
- {{- if .Values.cockroachdb.enabled }}
- - name: root-certs
- mountPath: /root-certs
+ {{- if (and .Values.cockroachdb.enabled .Values.cockroachdb.tls.enabled) }}
+ - name: db-ssl-client-crt
+ mountPath: /db-ssl-client-crt
 {{- end}}
 securityContext:
 runAsNonRoot: false
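Review bot: The new mount condition `(and .Values.cockroachdb.enabled .Values.cockroachdb.tls.enabled)` does not match the gate used for the `db-ssl-client-crt` volume, the cp command in the hunk above and the `ZITADEL_ADMINUSER_SSL_*` env vars, which all key on `.Values.zitadel.dbSslClientCrtSecret`. With the bundled CockroachDB and TLS on but no secret name set, this mount references a volume that is never declared and the API server rejects the pod; with an external database and a secret name set, the init container's `cp /db-ssl-client-crt/*` has no mount to read from and the pod never leaves init. One gate for all four places avoids both failure modes: `{{- if .Values.zitadel.dbSslClientCrtSecret }}`. If the intent is that the subchart's TLS mode implies a client secret, express that as a default for the value or a `fail` guard rather than as a divergent condition here.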
@@ -111,25 +111,25 @@ spec:
 - name: zitadel-config-yaml
 configMap:
 name: zitadel-config-yaml
- {{- if .Values.zitadel.secretConfig }}
+ {{- if (not ( empty .Values.zitadel.secretConfig)) }}
 - name: zitadel-secrets-yaml
 secret:
 secretName: zitadel-secrets-yaml
 {{- end }}
- {{- if .Values.zitadel.dbSslRootCrt }}
+ {{- if (not ( empty .Values.zitadel.dbSslRootCrt)) }}
 - name: db-ssl-root-crt
 secret:
 secretName: db-ssl-root-crt
 {{- end }}
- {{- if .Values.zitadel.dbSslRootCrtSecret }}
+ {{- if (not ( empty .Values.zitadel.dbSslRootCrtSecret )) }}
 - name: db-ssl-root-crt
 secret:
 secretName: {{.Values.zitadel.dbSslRootCrtSecret}}
 {{- end }}
- {{- if .Values.cockroachdb.enabled }}
- - name: root-certs
+ {{- if (not ( empty .Values.zitadel.dbSslClientCrtSecret )) }}
+ - name: db-ssl-client-crt
 secret:
- secretName: crdb-client-secret
+ secretName: {{.Values.zitadel.dbSslClientCrtSecret}}
 {{- end }}
 - name: zitadel-masterkey
 secret:
diff --git a/charts/zitadel/templates/secret_zitadel-secrets.yaml b/charts/zitadel/templates/secret_zitadel-secrets.yaml
index 36e52c53..ad139fc0 100644
--- a/charts/zitadel/templates/secret_zitadel-secrets.yaml
+++ b/charts/zitadel/templates/secret_zitadel-secrets.yaml
@@ -1,5 +1,5 @@
-{{- if (and .Values.cockroachdb.enabled .Values.cockroachdb.tls.enabled (not .Values.zitadel.secretConfig.Database.User.Password ))}}
-{{- fail ".Values.zitadel.secretConfig.Database.User.Password is mandatory for tls enabled cockroach"}}
+{{- if (and .Values.cockroachdb.enabled .Values.cockroachdb.tls.enabled (not (((.Values.zitadel.secretConfig).Database).User).Password)) }}
+{{- fail ".Values.zitadel.secretConfig.Database.User.Password is mandatory for tls enabled cockroach" }}
 {{- end }}
 apiVersion: v1
 kind: Secret
diff --git a/charts/zitadel/values.yaml b/charts/zitadel/values.yaml
index 4aa01c49..a735204f 100644
--- a/charts/zitadel/values.yaml
+++ b/charts/zitadel/values.yaml
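Review bot: Replacing the hard-coded `crdb-client-secret` with `{{.Values.zitadel.dbSslClientCrtSecret}}` means a release that keeps `cockroachdb.enabled` and `cockroachdb.tls.enabled` true silently loses the client-certificate volume unless the operator also sets the new value (its default is not visible in this chunk), while the mount added at line 100 is still rendered and points at an undeclared volume. Guard it the way the secret template already guards the password: `{{- if (and .Values.cockroachdb.enabled .Values.cockroachdb.tls.enabled (not .Values.zitadel.dbSslClientCrtSecret)) }}` / `{{- fail ".Values.zitadel.dbSslClientCrtSecret is mandatory for tls enabled cockroach (the subchart creates crdb-client-secret)" }}` / `{{- end }}`, or default the value to `crdb-client-secret` in values.yaml. The `(not (empty …))` rewrites on the other three volumes look behaviour-preserving for string and map values, but a one-line comment on why the explicit `empty` is preferred over the bare `if` would stop the next reader from reverting them.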
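Review bot: The nil-safe `(((.Values.zitadel.secretConfig).Database).User).Password` lookup is required because values.yaml no longer ships a `Database.User.Password` default (see the values.yaml hunk), and nothing on this line says so; a comment such as `{{- /* parenthesised lookups tolerate a missing Database/User map now that values.yaml has no Password default */ -}}` would keep someone from "simplifying" it back and breaking `helm template` with a nil-pointer error. The check still fires only for the bundled CockroachDB with TLS on; with `cockroachdb.tls.enabled` false the chart now renders an admin connection with neither a required password nor a required client certificate, which is what the subject "enable insecure cockroachdb" intends but deserves an explicit warning next to `cockroachdb.tls.enabled` in values.yaml that this mode is for local development only. The fail message could also point to the way out, e.g. append `; set it or disable cockroachdb.tls.enabled`.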
@@ -30,9 +30,6 @@ zitadel:
 # See all defaults here:
 # https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/defaults.yaml
 secretConfig:
- Database:
- User:
- Password: ""
 # ZITADEL uses the masterkey for symmetric encryption.
 # You can generate it for example with tr -dc A-Za-z0-9