From bf57902cdcae17ae9a03780ff11062dbd3eb1a3d Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Mon, 7 Nov 2022 20:26:21 +0100
Subject: [PATCH] fix(mastodon): broken streaming postgres certificate

This patch fixes the mastodon-streaming Pod, which refused to talk to the
postgresql cluster, due to the use of TLS with a self-signed certificate.
Since the pg library in NodeJS does not accept any self-signed certificate
without explicitly disabling certificate checking in the source code, this patch
fixes the whole problem by bootstrapping a namespace CA, creating a certificate
for the postgresql cluster, adjusting the required permissions for that,
deploying the ca certificate to the mastodon-streaming Pod and configuring the
streaming Pod to consider this namespace CA an additional CA certificate for its
existence.

Let me put it this way: It's not a nice, but a functional and actually
sustainable solution to the problem.

All this is stichted together as postRenderers since the upstream helm chart is
a bit limited in that perspective. Hopefully I can submit all these adjustments
upstream in the long term. It works for now.

References:
https://github.com/mastodon/mastodon/blob/3114c826a7a6b2b10bff722c59cca57abe7f819f/streaming/index.js#L143-L146
https://www.postgresql.org/docs/10/libpq-ssl.html
https://node-postgres.com/features/ssl
---
 apps/base/mastodon/ca.yaml            | 26 ++++++++++++++++++++++
 apps/base/mastodon/database.yaml      | 22 +++++++++++++++++++
 apps/base/mastodon/kustomization.yaml |  1 +
 apps/base/mastodon/release.yaml       | 31 +++++++++++++++++++++++++++
 4 files changed, 80 insertions(+)
 create mode 100644 apps/base/mastodon/ca.yaml

diff --git a/apps/base/mastodon/ca.yaml b/apps/base/mastodon/ca.yaml
new file mode 100644
index 000000000..1ed78ee37
--- /dev/null
+++ b/apps/base/mastodon/ca.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: namespace-ca
+  namespace: mastodon
+spec:
+  isCA: true
+  commonName: namespace-ca
+  secretName: namespace-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-cluster-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: namespace-ca-issuer
+  namespace: mastodon
+spec:
+  ca:
+    secretName: namespace-ca
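Review bot: The `namespace-ca` Certificate sets no `duration`/`renewBefore`, so the CA inherits cert-manager's default lifetime (90 days) and will be re-issued automatically on that cadence. Because this CA's `ca.crt` is what both the postgres cluster (`caSecretName`) and the streaming Pod (`NODE_EXTRA_CA_CERTS`) pin, every renewal silently swaps the trust anchor; the consumers do not appear to watch the secret, so a renewed CA may not be picked up until Pods restart. Consider pinning an explicit lifetime appropriate for a namespace trust anchor, e.g. `duration: "87600h"` under `spec`, and add a comment stating that rotating it requires restarting the consumers.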
diff --git a/apps/base/mastodon/database.yaml b/apps/base/mastodon/database.yaml
index 7e3c2eff0..bf30e0842 100644
--- a/apps/base/mastodon/database.yaml
+++ b/apps/base/mastodon/database.yaml
@@ -23,3 +23,25 @@ spec:
     limits:
       cpu: "1"
       memory: 3072Mi
+  spiloFSGroup: 103
+  tls:
+    secretName: "mastodon-postgres-tls"
+    caSecretName: "namespace-ca"
+    caFile: "ca.crt"
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mastodon-postgres
+  namespace: mastodon
+spec:
+  secretName: mastodon-postgres-tls
+  dnsNames:
+    - mastodon-postgres.mastodon.svc.cluster.local
+    - mastodon-postgres.mastodon.svc
+  issuerRef:
+    name: namespace-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+  usages:
+    - server auth
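Review bot: `dnsNames` covers only the `.svc` and `.svc.cluster.local` forms; if the streaming Pod's `DB_HOST` (not visible in this patch) is the bare service name `mastodon-postgres`, node-postgres hostname verification against this certificate will still fail, reproducing the bug in a different form. Adding `- mastodon-postgres` (and the read-replica service name, if one exists) to `dnsNames` avoids that. The same quoting style should be used for `secretName` on both sides of the `---` (line 77 quotes it, line 87 does not).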
diff --git a/apps/base/mastodon/kustomization.yaml b/apps/base/mastodon/kustomization.yaml
index 417087c82..aa2cd27d2 100644
--- a/apps/base/mastodon/kustomization.yaml
+++ b/apps/base/mastodon/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 namespace: mastodon
 resources:
   - namespace.yaml
+  - ca.yaml
   - repository.yaml
   - release.yaml
   - database.yaml
diff --git a/apps/base/mastodon/release.yaml b/apps/base/mastodon/release.yaml
index 6b278a965..89c738c6a 100644
--- a/apps/base/mastodon/release.yaml
+++ b/apps/base/mastodon/release.yaml
@@ -35,6 +35,37 @@ spec:
       optional: false
   postRenderers:
     - kustomize:
+        patchesJson6902:
+          - target:
+              group: apps
+              version: v1
+              kind: Deployment
+              name: mastodon-streaming
+            patch:
+              - op: add
+                path: /spec/template/spec/containers/0/env/-
+                value:
+                  name: NODE_EXTRA_CA_CERTS
+                  value: /ca/ca.crt
+              - op: add
+                path: /spec/template/spec/containers/0/volumeMounts
+                value: []
+              - op: add
+                path: /spec/template/spec/containers/0/volumeMounts/-
+                value:
+                  name: namespace-ca-cert
+                  mountPath: "/ca/"
+                  readOnly: true
+              - op: add
+                path: /spec/template/spec/volumes
+                value: []
+              - op: add
+                path: /spec/template/spec/volumes/-
+                value:
+                  name: namespace-ca-cert
+                  secret:
+                    secretName: namespace-ca
+                    optional: false
         patchesStrategicMerge:
           - kind: Service
             apiVersion: v1
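Review bot: The `namespace-ca-cert` volume mounts the whole `namespace-ca` secret, which is the CA's own cert-manager secret and therefore contains `tls.key` as well as `ca.crt`; the streaming container only needs the public certificate, but gets the CA private key on its filesystem at `/ca/tls.key`. Project only the needed key: under `secret:` add `items:` with `- key: ca.crt` and `path: ca.crt`, which keeps `NODE_EXTRA_CA_CERTS=/ca/ca.crt` valid. Separately, the `add` ops that set `/spec/template/spec/containers/0/volumeMounts` and `/spec/template/spec/volumes` to `[]` replace any existing list at those paths (RFC 6902 `add` on an existing member overwrites), so if the upstream chart ever defines mounts or volumes for the streaming Deployment, they would be dropped silently; a `test` op or a strategic-merge patch for those two lists would be safer. The surrounding `postRenderers` block continues past the hunk.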
-- 
GitLab