zammad-helm
Feature Request - Add ssl option to postgres
When using custom postgres services (standalone or clusters, but outside of the built-in zammad postgres) - I don't see how to enable ssl to connect to the server. We have a postgres cluster, using bouncers, which requires ssl. We worked around it by connecting directly to the primary instance, but this is far from ideal.
It would be nice to be able to provide either a full url ourselves, or add the ssl options/other options to append to the generated postgres url from the information given in the chart.
Hi @RegisHubelia, this should already be possible by providing your own DATABASE_URL via extraEnv. Can you try if this works for you, please?
Will do and revert. Still think this should be an option...
@RegisHubelia the solution should be so easy (I'm not sure). For example, use the section
`initContainers: []`
for downloading your CA cert for the DB and putting it into the pod:
```yaml
- name: download-psql-ca
  image: "curlimages/curl:7.70.0"
  imagePullPolicy: "IfNotPresent"
  volumeMounts:
    - name: psql-ca
      mountPath: /psql-ca
  workingDir: /psql-ca
  # Write the CA into the mounted psql-ca volume (the path must match mountPath)
  command:
    - "/bin/sh"
    - "-ec"
    - |
      curl -Lso /psql-ca/root.pem \
        https://xxxxxxxxxxxxxxx/CA.pem
```
DATABASE_URL via extraEnv set into postgres_dsn option with path for postgresCA
Sorry to drop back here and reopen this issue... But setting DATABASE_URL somehow works, but the issue is in the template:
```yaml
- name: DATABASE_URL
  value: "postgres://{{ .Values.zammadConfig.postgresql.user }}:$(POSTGRESQL_PASS)@{{ if .Values.zammadConfig.postgresql.enabled }}{{ .Release.Name }}-postgresql{{ else }}{{ .Values.zammadConfig.postgresql.host }}{{ end }}:{{ .Values.zammadConfig.postgresql.port }}/{{ .Values.zammadConfig.postgresql.db }}"
```
The DATABASE_URL is set even if we set our own in the extraEnv, so it ends up with something like this in the stateful set for all containers that use the DATABASE_URL:
```yaml
- name: DATABASE_URL
  value: generatedvalue
  valueFrom:
    secretKeyRef:
      key: KEY_IN_SECRET
      name: SECRET_NAME
```
This gives an error as there are both the value and the valueFrom keys. The only way I found around it is to remove the value in the statefulset once it's created/updated. Should be a quick fix though, simply adding a check if the extraEnv DATABASE_URL exists - if yes use this one, else use the generated one. Happy to open a PR.
Hello @RegisHubelia. You are correct that both values are generated in the template. I tried it and found that the last definition from extraEnv overwrites the first one with a warning, not an error. And the value was the correct one and worked correctly in the deployed application.
Strange, this is not my experience... I ended up with both, the "value" key and the "valueFrom". Did you try to set a value, or the valueFrom? If the value key is set, then yes it should overwrite the generated one, but if using a secret, then it's the valueFrom key, which is likely in most scenarios, as there is sensitive information in the URL, therefore using a secret is a better way to go.
Ah, thanks for the explanation. Maybe you can try setting value: ~ as well in your extraEnv? Then you should have only valueFrom to use.
The issue is that value cannot be set if valueFrom is. So even with your suggestion, it gives this "create Pod zammad-sd-1 in StatefulSet zammad-sd failed error: Pod "zammad-sd-1" is invalid: [spec.containers[1].env[6].valueFrom: Invalid value: "": may not be specified when value is not empty, "
Overriding with valueFrom like you mentioned does not work. Reopening. Maybe we can solve it together with #251.
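A pre-deploy check for the condition discussed in the comments above, as an added example that is not part of the original thread or the zammad-helm chart: it scans a rendered workload manifest (already parsed into a dict) for env entries that carry both `value` and `valueFrom`, for duplicate names that mix the two, and for a literal DATABASE_URL without an `sslmode` parameter. The function name `lint_env`, the container name and the host are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the chart emits DATABASE_URL with `value`, and extraEnv
# adds the same name again with `valueFrom`, as described in the thread.
SAMPLE_STATEFULSET = {
    "kind": "StatefulSet",
    "spec": {"template": {"spec": {"containers": [{
        "name": "zammad-railsserver",  # constructed container name
        "env": [
            {"name": "DATABASE_URL",
             "value": "postgres://zammad:$(POSTGRESQL_PASS)@db.example.internal:5432/zammad"},
            {"name": "DATABASE_URL",
             "valueFrom": {"secretKeyRef": {"name": "SECRET_NAME", "key": "KEY_IN_SECRET"}}},
        ],
    }]}}},
}


def lint_env(manifest):
    """Return (container, variable, finding) tuples for a workload manifest dict."""
    findings = []
    pod = manifest["spec"]["template"]["spec"]
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        by_name = {}
        for entry in c.get("env", []):
            name = entry["name"]
            by_name.setdefault(name, []).append(entry)
            # The API server rejects an entry that has a non-empty value plus valueFrom.
            if entry.get("value") and "valueFrom" in entry:
                findings.append((c["name"], name, "value and valueFrom on one entry"))
            # A literal connection URL should state its TLS mode explicitly.
            if name == "DATABASE_URL" and entry.get("value"):
                if "sslmode" not in parse_qs(urlsplit(entry["value"]).query):
                    findings.append((c["name"], name, "literal URL has no sslmode"))
        for name, entries in by_name.items():
            if len(entries) > 1:
                kinds = {"valueFrom" if "valueFrom" in e else "value" for e in entries}
                msg = "duplicate mixes value and valueFrom" if len(kinds) > 1 else "duplicate entry"
                findings.append((c["name"], name, msg))
    return findings


if __name__ == "__main__":
    for finding in lint_env(SAMPLE_STATEFULSET):
        print(*finding, sep=": ")
```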
This has been added recently with 11.0.0. You can now specify/modify zammadConfig.postgresql.options.
Thank you!
Worked like a charm. Thanks again.