fix(hedgedoc): Add support for upstream TLS

This patch allows to deploy TLS support for the database backend.

apps/base/hedgedoc/release.yaml

@@ -46,25 +46,19 @@ spec:
             group: apps
             version: v1
             kind: Deployment
-            name: mastodon-streaming
+            name: hedgedoc
           patch:
             - op: add
               path: /spec/template/spec/containers/0/env/-
               value:
                 name: NODE_EXTRA_CA_CERTS
                 value: /ca/ca.crt
-            - op: add
-              path: /spec/template/spec/containers/0/volumeMounts
-              value: []
             - op: add
               path: /spec/template/spec/containers/0/volumeMounts/-
               value:
                 name: namespace-ca-cert
                 mountPath: "/ca/"
                 readOnly: true
-            - op: add
-              path: /spec/template/spec/volumes
-              value: []
             - op: add
               path: /spec/template/spec/volumes/-
               value:
@@ -85,6 +79,8 @@ data:
       postgresqlHostname: hedgedoc-postgres.hedgedoc.svc.cluster.local
       auth:
         database: hedgedoc
+      tls:
+        enabled: true
     resources:
       limits:
         cpu: "1"

charts/hedgedoc/Chart.yaml

@@ -11,7 +11,7 @@ keywords:
 sources:
     - https://github.com/hedgedoc/hedgedoc/tree/master
     - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops/-/tree/main/charts/hedgedoc
-version: 0.1.5
+version: 0.2.0
 # renovate: image=quay.io/hedgedoc/hedgedoc
 appVersion: 1.9.7
 maintainers:

charts/hedgedoc/README.md

 # hedgedoc
 
-![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.7](https://img.shields.io/badge/AppVersion-1.9.7-informational?style=flat-square)
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.7](https://img.shields.io/badge/AppVersion-1.9.7-informational?style=flat-square)
 
 A platform to write and share markdown.
 
@@ -76,13 +76,14 @@ A platform to write and share markdown.
 | postgresql.auth.password | string | `""` |  |
 | postgresql.auth.username | string | `"hedgedoc"` |  |
 | postgresql.enabled | bool | `true` |  |
+| postgresql.tls.enabled | bool | `false` |  |
 | resources | object | `{}` |  |
 | securityContext | object | `{}` |  |
 | service.port | int | `80` |  |
 | service.type | string | `"ClusterIP"` |  |
-| serviceAccount.annotations | object | `{}` |  |
-| serviceAccount.create | bool | `true` |  |
-| serviceAccount.name | string | `""` |  |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | tolerations | list | `[]` |  |
 
 ----------------------------------------------

charts/hedgedoc/templates/configmap-config.yaml

+{{- if .Values.postgresql.tls.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "hedgedoc.fullname" . }}-config
+  labels:
+    {{- include "hedgedoc.labels" . | nindent 4 }}
+data:
+  config.json: |
+    {
+      "production": {
+        "db": {
+          "dialect": "postgres",
+          "protocol": "postgres",
+          "dialectOptions": {
+            "ssl": {
+              "require": true
+            }
+          }
+        }
+      }
+    }
+{{- end }}
\ No newline at end of file

charts/hedgedoc/templates/deployment.yaml

@@ -58,6 +58,11 @@ spec:
             httpGet:
               path: /_health
               port: http
+          {{- if .Values.postgresql.tls.enabled }}
+          volumeMounts:
+            - name: config
+              mountPath: /files/
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}
@@ -72,3 +77,13 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.postgresql.tls.enabled }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "hedgedoc.fullname" . }}-config
+            items:
+              - key: config.json
+                path: config.json
+            defaultMode: 420
+      {{- end }}

charts/hedgedoc/values.yaml

@@ -11,11 +11,11 @@ nameOverride: ""
 fullnameOverride: ""
 
 serviceAccount:
-  # Specifies whether a service account should be created
+  # -- Specifies whether a service account should be created
   create: true
-  # Annotations to add to the service account
+  # -- Annotations to add to the service account
   annotations: {}
-  # The name of the service account to use.
+  # -- The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
@@ -60,6 +60,8 @@ postgresql:
     username: hedgedoc
     password: ""
     existingSecret: ""
+  tls:
+    enabled: false
 
 
 podAnnotations: {}