firefly-iii: Connect to external PostgreSQL

Since the new database server outside the Kubernetes cluster, created for Authelia, was seeded from a backup of the in-cluster server, it already contained the data from Firefly-III as well. Thus, we can switch Firefly-III to using it, too. The documentation for Firefly-III does not mention anything about how to configure it to use certificate-based authentication for PostgreSQL, as is required by the new server. Fortunately, it ultimately uses _libpq_, so the standard `PG...` environment variables work fine. We just need a certificate issued by the _postgresql-ca_ ClusterIssuer and the _DCH Root CA_ certificate mounted in the Firefly-III container.
2024-07-01 08:45:56 -05:00
parent 92497004be
commit a269f8a1ae
4 changed files with 31 additions and 15 deletions
--- a/firefly-iii/kustomization.yaml
+++ b/firefly-iii/kustomization.yaml
@@ -9,11 +9,13 @@ namespace: firefly-iii

 resources:
 - secrets.yaml
+- postgres-cert.yaml
 - redis.yaml
 - firefly-iii.yaml
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
+-  ../dch-root-ca

 configMapGenerator:
 - name: firefly-iii
@@ -26,9 +28,6 @@ configMapGenerator:
  - firefly-iii-importer.env

 patches:
-# This patch changes the source secret for the PostgreSQL database
-# password from the default (`db.password` inside `firefly-iii`) to
-# a secret managed by the postgres operator.
 - patch: |-
    apiVersion: apps/v1
    kind: Deployment
@@ -39,15 +38,18 @@ patches:
        spec:
          containers:
          - name: firefly-iii
-            env:
-            - name: DB_PASSWORD_FILE
-              value: /run/secrets/postgresql/password
            volumeMounts:
-            - name: db-secret
-              mountPath: /run/secrets/postgresql
+            - mountPath: /run/dch-ca
+              name: dch-root-ca
+              readOnly: true
+            - mountPath: /run/secrets/firefly/postgresql
+              name: postgresql-cert
              readOnly: true
          volumes:
-          - name: db-secret
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca
+          - name: postgresql-cert
            secret:
-              secretName: firefly-iii.firefly.default.credentials.postgresql.acid.zalan.do
-              defaultMode: 0440
+              secretName: postgres-client-cert
+              defaultMode: 0640