From a269f8a1aef26e798c3af7c57f15cce98891fbf7 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 1 Jul 2024 08:45:56 -0500
Subject: [PATCH] firefly-iii: Connect to external PostgreSQL

Since the new database server outside the Kubernetes cluster, created for Authelia, was seeded from a backup of the in-cluster server, it already contained the data from Firefly-III as well. Thus, we can switch Firefly-III to using it, too. The documentation for Firefly-III does not mention anything about how to configure it to use certificate-based authentication for PostgreSQL, as is required by the new server. Fortunately, it ultimately uses _libpq_, so the standard `PG...` environment variables work fine. We just need a certificate issued by the _postgresql-ca_ ClusterIssuer and the _DCH Root CA_ certificate mounted in the Firefly-III container.
---
 firefly-iii/firefly-iii.env | 7 +++++--
 firefly-iii/firefly-iii.yaml | 2 --
 firefly-iii/kustomization.yaml | 24 +++++++++++++-----------
 firefly-iii/postgres-cert.yaml | 13 +++++++++++++
 4 files changed, 31 insertions(+), 15 deletions(-)
 create mode 100644 firefly-iii/postgres-cert.yaml

diff --git a/firefly-iii/firefly-iii.env b/firefly-iii/firefly-iii.env
index e8773b0..99aebb3 100644
--- a/firefly-iii/firefly-iii.env
+++ b/firefly-iii/firefly-iii.env
@@ -7,10 +7,13 @@ TZ=America/Chicago
 TRUSTED_PROXIES=172.30.0.160/28
 DB_CONNECTION=pgsql
-DB_HOST=default.postgresql
+DB_HOST=postgresql.pyrocufflink.blue
 DB_PORT=5432
-DB_USERNAME=firefly-iii.firefly
+DB_USERNAME=firefly
 DB_DATABASE=firefly
+PGSSLROOTCERT=/run/dch-ca/dch-root-ca.crt
+PGSSLCERT=/run/secrets/firefly/postgresql/tls.crt
+PGSSLKEY=/run/secrets/firefly/postgresql/tls.key
 CACHE_DRIVER=redis
 SESSION_DRIVER=redis
diff --git a/firefly-iii/firefly-iii.yaml b/firefly-iii/firefly-iii.yaml
index 26923c1..9b47f1f 100644
--- a/firefly-iii/firefly-iii.yaml
+++ b/firefly-iii/firefly-iii.yaml
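Review bot: `PGSSLROOTCERT` is added without a matching `PGSSLMODE`, and libpq's default `sslmode=prefer` neither verifies the server certificate against that root CA nor refuses a plaintext fallback, so the mounted DCH Root CA is not actually used to authenticate `postgresql.pyrocufflink.blue`; add `PGSSLMODE=verify-full` beside the three new `PGSSL*` lines so both the chain and the hostname are checked. If Firefly-III's PDO connection string already carries an explicit `sslmode`, that value takes precedence over the environment variable, so the rendered DSN is worth checking rather than assuming the env var is honoured. A one-line comment above the `PGSSL*` block recording that these are libpq variables (not Firefly-III settings) would also help the next reader, since the commit message is the only place that explains it.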
@@ -73,8 +73,6 @@ spec:
 env:
 - name: APP_KEY_FILE
 value: /run/secrets/firefly-iii/app.key
- - name: DB_PASSWORD_FILE
- value: /run/secrets/firefly-iii/db.password
 - name: STATIC_CRON_TOKEN_FILE
 value: /run/secrets/firefly-iii/cron.token
 ports:
diff --git a/firefly-iii/kustomization.yaml b/firefly-iii/kustomization.yaml
index f009dbe..6e0bf4a 100644
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -9,11 +9,13 @@ namespace: firefly-iii
 resources:
 - secrets.yaml
+- postgres-cert.yaml
 - redis.yaml
 - firefly-iii.yaml
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
+- ../dch-root-ca
 configMapGenerator:
 - name: firefly-iii
@@ -26,9 +28,6 @@ configMapGenerator:
 - firefly-iii-importer.env
 patches:
-# This patch changes the source secret for the PostgreSQL database
-# password from the default (`db.password` inside `firefly-iii`) to
-# a secret managed by the postgres operator.
 - patch: |-
 apiVersion: apps/v1
 kind: Deployment
@@ -39,15 +38,18 @@ patches:
 spec:
 containers:
 - name: firefly-iii
- env:
- - name: DB_PASSWORD_FILE
- value: /run/secrets/postgresql/password
 volumeMounts:
- - name: db-secret
- mountPath: /run/secrets/postgresql
+ - mountPath: /run/dch-ca
+ name: dch-root-ca
+ readOnly: true
+ - mountPath: /run/secrets/firefly/postgresql
+ name: postgresql-cert
 readOnly: true
 volumes:
- - name: db-secret
+ - name: dch-root-ca
+ configMap:
+ name: dch-root-ca
+ - name: postgresql-cert
 secret:
- secretName: firefly-iii.firefly.default.credentials.postgresql.acid.zalan.do
- defaultMode: 0440
+ secretName: postgres-client-cert
+ defaultMode: 0640
diff --git a/firefly-iii/postgres-cert.yaml b/firefly-iii/postgres-cert.yaml
new file mode 100644
index 0000000..fe1f167
--- /dev/null
+++ b/firefly-iii/postgres-cert.yaml
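Review bot: The explanatory comment above `- patch: |-` in the `patches:` hunk is removed and nothing replaces it, even though the patch now does something different from what the old comment described (it mounts the `dch-root-ca` ConfigMap and the `postgres-client-cert` Secret so libpq can do certificate authentication). A reader of kustomization.yaml alone has no way to know why a Deployment patch mounts a CA and a client key, so I would restore a comment such as `# This patch mounts the DCH Root CA bundle and the client certificate issued` / `# by the postgresql-ca ClusterIssuer so libpq (via the PGSSL* variables in` / `# firefly-iii.env) can authenticate to the external PostgreSQL server.` The patch body continues into the following hunk.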
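Review bot: `defaultMode: 0640` on the new `postgresql-cert` volume is the only thing that controls who can read `tls.key`, and the reason for choosing group-readable rather than `0400` is not recorded; libpq refuses to use a private key file that is group- or world-readable unless the file is owned by root, so this presumably relies on the Secret volume files being root-owned and on the pod's `fsGroup` granting the app user group access (neither is visible in this hunk, so confirm against firefly-iii.yaml). A why-comment above that line would prevent a later "tighten to 0400" cleanup from breaking the connection: `# libpq rejects a group/world-readable key unless the file is root-owned;` / `# Secret volume files are root-owned, so 0640 plus the pod fsGroup is the` / `# minimum that lets the non-root app user read tls.key.` The enclosing `- patch: |-` entry starts in the previous hunk.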
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: postgres-client-cert
+spec:
+ commonName: firefly
+ privateKey:
+ algorithm: ECDSA
+ secretName: postgres-client-cert
+ issuerRef:
+ name: postgresql-ca
+ kind: ClusterIssuer
+
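Review bot: `privateKey` sets only `algorithm: ECDSA`, so the private key's rotation policy is left to the cert-manager default, which historically is `Never` and reuses the same key at every renewal of this client certificate; adding `rotationPolicy: Always` under `privateKey` makes each renewal also replace the key, which is the usual recommendation for a key that lives in a mounted Secret and is explicit regardless of the installed cert-manager version. The spec also leaves `usages` at the default (`digital signature`, `key encipherment`) without `client auth`; PostgreSQL itself does not check extended key usage, but if the `postgresql-ca` issuer or any policy in front of it enforces it, add `usages:` with `- client auth`. No `duration`/`renewBefore` is given, so the defaults apply; that is fine here because the kustomization patch mounts the Secret as a whole volume (no `subPath`), which the kubelet refreshes after renewal, and libpq reads the key and certificate files when it opens a connection.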