diff --git a/apps/base/immich/ca.yaml b/apps/base/immich/ca.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b6ffa2aaad42c582badb35d100b9afd1b781eeb3
--- /dev/null
+++ b/apps/base/immich/ca.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: namespace-ca
+ namespace: immich
+spec:
+ isCA: true
+ commonName: namespace-ca
+ secretName: namespace-ca
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-cluster-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: namespace-ca-issuer
+ namespace: immich
+spec:
+ ca:
+ secretName: namespace-ca
diff --git a/apps/base/immich/database.yaml b/apps/base/immich/database.yaml
index 25555d39c972045ec5a98d894d4db74201160c15..9003798fa3aaa747f30566ec75d58fffe047c5aa 100644
--- a/apps/base/immich/database.yaml
+++ b/apps/base/immich/database.yaml
@@ -16,3 +16,25 @@ spec:
 immich: immich
 postgresql:
 version: "15"
+ spiloFSGroup: 103
+ tls:
+ secretName: "immich-postgres-tls"
+ caSecretName: "namespace-ca"
+ caFile: "ca.crt"
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: immich-postgres
+ namespace: immich
+spec:
+ secretName: immich-postgres-tls
+ dnsNames:
+ - immich-postgres.immich.svc.cluster.local
+ - immich-postgres.immich.svc
+ issuerRef:
+ name: namespace-ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+ usages:
+ - server auth
\ No newline at end of file
diff --git a/apps/base/immich/kustomization.yaml b/apps/base/immich/kustomization.yaml
index 42d469d9ea85987394630c75f17f308fa864e236..8e1ff29c55e44ff80814092f34f6053e503b7c32 100644
--- a/apps/base/immich/kustomization.yaml
+++ b/apps/base/immich/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 namespace: immich
 resources:
 - namespace.yaml
+ - ca.yaml
 - database.yaml
 - repository.yaml
 - release.yaml
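Review bot: The secret named in `secretName: namespace-ca` is a cert-manager Certificate secret, so it holds the CA's private key (`tls.key`) alongside `ca.crt`, and that same secret is then consumed whole by the Postgres resource in the database.yaml hunk (`caSecretName: "namespace-ca"`) and mounted into the application pod in the release.yaml hunk (`name: namespace-ca`). Consumers that only verify server certificates need nothing but `ca.crt`; publish the CA certificate into a separate ConfigMap or Secret, or select only the `ca.crt` item where the consuming chart allows it, so the signing key stays confined to cert-manager and the `namespace-ca-issuer` Issuer. The CA Certificate also sets no `duration`/`renewBefore`, so it gets cert-manager's default lifetime; a CA meant to outlive the leaves it signs is normally given an explicit `duration:` longer than the leaf's, with a comment stating the intended rotation scheme.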
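Review bot: The `immich-postgres` Certificate leaves `privateKey` unset, so it gets cert-manager's default (RSA) while the CA in ca.yaml is explicitly ECDSA P-256; for consistency add `privateKey:` / `  algorithm: ECDSA` / `  size: 256` to its spec. Listing `usages` with only `server auth` replaces cert-manager's default key usages (`digital signature`, `key encipherment`) rather than extending them, so if those are wanted on the leaf they have to be listed explicitly. No `duration`/`renewBefore` is set, and whether the Postgres pod picks up `immich-postgres-tls` after cert-manager rotates it is not visible in this hunk; a comment on the Certificate stating the renewal expectation would help the next reader. The file also ends without a trailing newline.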
diff --git a/apps/base/immich/release.yaml b/apps/base/immich/release.yaml
index 921eaf23075fb3040bf760e6f4f88b566893bb7a..eddeb9ca1d4727d12bc985bab37d48029cb29624 100644
--- a/apps/base/immich/release.yaml
+++ b/apps/base/immich/release.yaml
@@ -48,12 +48,19 @@ data:
 env:
 DB_HOSTNAME: immich-postgres.immich.svc.cluster.local
 DB_DATABASE_NAME: immich
+ PGSSLMODE: require
+ PGSSLROOTCERT: /ca/ca.pem
 image:
 tag: v1.65.0
 immich:
 persistence:
 library:
 existingClaim: immich-data
+ postgres-ca:
+ enabled: true
+ mountPath: /ca/
+ type: secret
+ name: namespace-ca
 redis:
 enabled: true
 typesense:
diff --git a/apps/k8s01/immich/immich-values.yaml b/apps/k8s01/immich/immich-values.yaml
index 76c5431151c70c9ccac018bb15b95460529532d4..49f106938505b5eeedb23bdc0d00bd8b9c928ed4 100644
--- a/apps/k8s01/immich/immich-values.yaml
+++ b/apps/k8s01/immich/immich-values.yaml
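Review bot: `PGSSLMODE: require` encrypts the connection but performs no server-certificate verification, so the CA mounted under `/ca/` is never consulted; since the Certificate in database.yaml carries `immich-postgres.immich.svc.cluster.local`, which is exactly `DB_HOSTNAME`, `PGSSLMODE: verify-full` is the value that makes the CA meaningful. `PGSSLROOTCERT: /ca/ca.pem` also names a file the mounted secret does not contain — cert-manager writes `ca.crt`, `tls.crt` and `tls.key`, and database.yaml itself reads `caFile: "ca.crt"` — so it should be `PGSSLROOTCERT: /ca/ca.crt`; libpq does not treat a missing root file as an error below `verify-ca`, which is presumably why this currently works. Mounting the whole `namespace-ca` secret additionally gives the application pod the CA's `tls.key`; the chart's persistence schema is not visible here, but if it supports selecting items, mount only `ca.crt`.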
@@ -5,15 +5,15 @@ metadata:
 namespace: immich
 type: Opaque
 stringData:
- values-overrides.yaml: ENC[AES256_GCM,data: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,iv:vea+mMlykJAh5dNHwoUzTjn5BwmMAuq+uuQa04P9WfI=,tag:nxVzkx25jMupF8aq6rU4NA==,type:str]
+ values-overrides.yaml: ENC[AES256_GCM,data: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,iv:W9PmV4uV/TQBoIQ5cSLN29wPykFqZ2vVEqF5bWu51aY=,tag:mq+jZW8Zy/8FmCOKcPwrCQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-07-02T00:08:02Z"
- mac: ENC[AES256_GCM,data:Vbxdn6HP0PtIumjGIqJLcdRrIYT5juo2CTmMyesYPuFdyDpjCkN+SX4hukWEQQQyALmE7qryXLVJQQ1GNyPDfX6Ca7qICvQuUHqCoN5fkf8xNgzLl1LURhcVB8U1BwfaOb1wC6+Dj+IpYbSy9ZHV6xtnwEts5l3mYemg0n4OjvM=,iv:PT/3IZZMntcVf31QQ93R0S+krvs7FW5qsTLSS1/Dc9o=,tag:HS/rym74M/OJprae6LzjAg==,type:str]
+ lastmodified: "2023-07-02T01:06:05Z"
+ mac: ENC[AES256_GCM,data:lc4tYw5/pCzpxo6uo944TG5f0b3zsobb4zOhVShnLLAkiwxaSbJQdrhARroJGhmxsV4rQyiAqEo4gZFix6kl/ektlvzeGvOnSn6NJqRLGrY6Vxp5Zyn9gcdHDVd73SP+gNSQwj3RQSungybddidTP/MCgSBlYSFKjsFDG7j6DwU=,iv:5iLsG0bnMhKlp4z9aLK0JZA0VqJ3wS/s1XnrLkQLByE=,tag:ypakLaqPoW6fSvbZXZnL7A==,type:str]
 pgp:
 - created_at: "2022-03-22T22:26:35Z"
 enc: |-