home-assistant: Use external PostgreSQL server

Home Assistant uses PostgreSQL for recording the history of entity
states.  Since we had been using the in-cluster database server for
this, the data were migrated to the new external PostgreSQL server
automatically when the backup from the former was restored on the
latter.  It follows, then, that we can point Home Assistant to the
new server as well.

Home Assistant uses SQLAlchemy, which in turn uses _libpq_ via
_psycopg_, as a client for PostgreSQL.  It doesn't expose any
configuration parameters beyond the "database URL" directly, but we
can use the standard environment variables to specify the certificate
and private key for authentication.  In fact, the empty `postgresql://`
URL is sufficient, and indicates that _all_ of the connection parameters
should be taken from environment variables.  This makes specifying the
parameters for both the `wait-for-db` init container and the main
container take the exact same environment variables, so we can use
YAML anchors to share their definitions.

home-assistant/configuration.yaml

@@ -33,7 +33,7 @@ http:
   use_x_forwarded_for: true
 
 recorder:
-  db_url: !env_var RECORDER_DB_URL
+  db_url: postgresql://
   db_max_retries: 100
   purge_keep_days: 366
   commit_interval: 0

home-assistant/kustomization.yaml

@@ -10,6 +10,7 @@ labels:
 resources:
 - namespace.yaml
 - secrets.yaml
+- postgres-cert.yaml
 - home-assistant.yaml
 - mosquitto-cert.yaml
 - mosquitto.yaml
@@ -18,6 +19,7 @@ resources:
 - piper.yaml
 - whisper.yaml
 - ingress.yaml
+-  ../dch-root-ca
 
 configMapGenerator:
 - name: home-assistant
@@ -55,43 +57,42 @@ patches:
             - sh
             - -c
             - until pg_isready; do sleep 1; done
-            env:
+            env: &pgsqlenv
             - name: PGHOST
-              value: default.postgresql
+              value: postgresql.pyrocufflink.blue
             - name: PGGDATABASE
               value: homeassistant
             - name: PGUSER
-              valueFrom:
+              value: homeassistant
-                secretKeyRef:
+            - name: PGSSLMODE
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
+              value: verify-full
-                  key: username
+            - name: PGSSLROOTCERT
-            - name: PGPASSWORD
+              value: /run/dch-ca/dch-root-ca.crt
-              valueFrom:
+            - name: PGSSLCERT
-                secretKeyRef:
+              value: /run/secrets/home-assistant/postgresql/tls.crt
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
+            - name: PGSSLKEY
-                  key: password
+              value: /run/secrets/home-assistant/postgresql/tls.key
+            volumeMounts:
+            - mountPath: /run/dch-ca/
+              name: dch-root-ca
+              readOnly: true
+            - mountPath: /run/secrets/home-assistant/postgresql
+              name: postgresql-cert
           containers:
           - name: home-assistant
-            env:
+            env: *pgsqlenv
-            - name: RECORDER_DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
-                  key: password
-            - name: RECORDER_DB_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
-                  key: username
-            - name: RECORDER_DB_URL
-              value: postgresql://$(RECORDER_DB_USERNAME):$(RECORDER_DB_PASSWORD)@default.postgresql/homeassistant
             volumeMounts:
             - mountPath: /run/config
               name: home-assistant-config
               readOnly: true
+            - mountPath: /run/dch-ca/
+              name: dch-root-ca
+              readOnly: true
             - mountPath: /run/secrets/home-assistant
               name: home-assistant-secrets
               readOnly: true
+            - mountPath: /run/secrets/home-assistant/postgresql
+              name: postgresql-cert
           volumes:
           - name: home-assistant-config
             configMap:
@@ -101,3 +102,10 @@ patches:
             secret:
               secretName: home-assistant
               defaultMode: 0640
+          - name: postgresql-cert
+            secret:
+              secretName: postgres-client-cert
+              defaultMode: 0640
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca

home-assistant/postgres-cert.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-client-cert
+spec:
+  commonName: homeassistant
+  privateKey:
+    algorithm: ECDSA
+  secretName: postgres-client-cert
+  issuerRef:
+    name: postgresql-ca
+    kind: ClusterIssuer
+