firefly-iii: Connect to external PostgreSQL

Since the new database server outside the Kubernetes cluster, created
for Authelia, was seeded from a backup of the in-cluster server, it
already contained the data from Firefly-III as well.  Thus, we can
switch Firefly-III to using it, too.

The documentation for Firefly-III does not mention anything about how
to configure it to use certificate-based authentication for PostgreSQL,
as is required by the new server.  Fortunately, it ultimately uses
_libpq_, so the standard `PG...` environment variables work fine.  We
just need a certificate issued by the _postgresql-ca_ ClusterIssuer and
the _DCH Root CA_ certificate mounted in the Firefly-III container.

firefly-iii/firefly-iii.env

@@ -7,10 +7,13 @@ TZ=America/Chicago
 TRUSTED_PROXIES=172.30.0.160/28
 
 DB_CONNECTION=pgsql
-DB_HOST=default.postgresql
+DB_HOST=postgresql.pyrocufflink.blue
 DB_PORT=5432
-DB_USERNAME=firefly-iii.firefly
+DB_USERNAME=firefly
 DB_DATABASE=firefly
+PGSSLROOTCERT=/run/dch-ca/dch-root-ca.crt
+PGSSLCERT=/run/secrets/firefly/postgresql/tls.crt
+PGSSLKEY=/run/secrets/firefly/postgresql/tls.key
 
 CACHE_DRIVER=redis
 SESSION_DRIVER=redis

firefly-iii/firefly-iii.yaml

@@ -73,8 +73,6 @@ spec:
         env:
         - name: APP_KEY_FILE
           value: /run/secrets/firefly-iii/app.key
-        - name: DB_PASSWORD_FILE
-          value: /run/secrets/firefly-iii/db.password
         - name: STATIC_CRON_TOKEN_FILE
           value: /run/secrets/firefly-iii/cron.token
         ports:

firefly-iii/kustomization.yaml

@@ -9,11 +9,13 @@ namespace: firefly-iii
 
 resources:
 - secrets.yaml
+- postgres-cert.yaml
 - redis.yaml
 - firefly-iii.yaml
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
+-  ../dch-root-ca
 
 configMapGenerator:
 - name: firefly-iii
@@ -26,9 +28,6 @@ configMapGenerator:
   - firefly-iii-importer.env
 
 patches:
-# This patch changes the source secret for the PostgreSQL database
-# password from the default (`db.password` inside `firefly-iii`) to
-# a secret managed by the postgres operator.
 - patch: |-
     apiVersion: apps/v1
     kind: Deployment
@@ -39,15 +38,18 @@ patches:
         spec:
           containers:
           - name: firefly-iii
-            env:
-            - name: DB_PASSWORD_FILE
-              value: /run/secrets/postgresql/password
             volumeMounts:
-            - name: db-secret
-              mountPath: /run/secrets/postgresql
+            - mountPath: /run/dch-ca
+              name: dch-root-ca
+              readOnly: true
+            - mountPath: /run/secrets/firefly/postgresql
+              name: postgresql-cert
               readOnly: true
           volumes:
-          - name: db-secret
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca
+          - name: postgresql-cert
             secret:
-              secretName: firefly-iii.firefly.default.credentials.postgresql.acid.zalan.do
-              defaultMode: 0440
+              secretName: postgres-client-cert
+              defaultMode: 0640

firefly-iii/postgres-cert.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-client-cert
+spec:
+  commonName: firefly
+  privateKey:
+    algorithm: ECDSA
+  secretName: postgres-client-cert
+  issuerRef:
+    name: postgresql-ca
+    kind: ClusterIssuer
+