Reapply "add config for enabling tekton results dbssl"

This reverts commit 9177668 plus some
tweaks to use `verify-full` TLS verification.

Author: enarha

developer/openshift/apps/pipeline-service.sh

@@ -30,6 +30,7 @@ configure_argocd_apps(){
 setup_tekton_results() {
   echo -n "- Tekton Results: "
   get_tekton_results_credentials
+  generate_tekton_results_db_ssl_cert
   patch_tekton_results_manifests
   echo "OK"
 }
@@ -56,6 +57,37 @@ EOF
   TEKTON_RESULTS_S3_PASSWORD="$(yq ".s3_password" "$tekton_results_credentials")"
 }
 
+generate_tekton_results_db_ssl_cert(){
+  TEKTON_RESULTS_DB_SSL="$WORK_DIR/certificates/tekton-results"
+  mkdir -p "$TEKTON_RESULTS_DB_SSL"
+    openssl req -new -nodes -text \
+      -subj "/CN=cluster.local" \
+      -out "$TEKTON_RESULTS_DB_SSL/root.csr" \
+      -keyout "$TEKTON_RESULTS_DB_SSL/root.key" \
+      > /dev/null
+    chmod og-rwx "$TEKTON_RESULTS_DB_SSL/root.key"
+    openssl x509 -req -text -days 7 -extensions v3_ca \
+      -in "$TEKTON_RESULTS_DB_SSL/root.csr" \
+      -extfile /etc/ssl/openssl.cnf \
+      -signkey "$TEKTON_RESULTS_DB_SSL/root.key" \
+      -out "$TEKTON_RESULTS_DB_SSL/root.crt" \
+      > /dev/null
+    openssl req -new -nodes -text \
+      -subj "/CN=postgres-postgresql.tekton-results.svc.cluster.local" \
+      -addext "subjectAltName = DNS:postgres-postgresql.tekton-results.svc.cluster.local" \
+      -out "$TEKTON_RESULTS_DB_SSL/server.csr" \
+      -keyout "$TEKTON_RESULTS_DB_SSL/server.key" \
+      > /dev/null
+    chmod og-rwx "$TEKTON_RESULTS_DB_SSL/server.key"
+    openssl x509 -req -text -days 7 -CAcreateserial \
+      -extfile <(printf "subjectAltName=DNS:postgres-postgresql.tekton-results.svc.cluster.local") \
+      -in "$TEKTON_RESULTS_DB_SSL/server.csr" \
+      -CA "$TEKTON_RESULTS_DB_SSL/root.crt" \
+      -CAkey "$TEKTON_RESULTS_DB_SSL/root.key" \
+      -out "$TEKTON_RESULTS_DB_SSL/server.crt" \
+      > /dev/null
+}
+
 patch_tekton_results_manifests(){
   yq --inplace "
     .data.[\"db.password\"]=\"$(echo -n "$TEKTON_RESULTS_DATABASE_PASSWORD" | base64)\",
@@ -75,8 +107,18 @@ EOF
   yq --inplace "
     .data.[\"config.env\"]=\"$string_data\"
   " "$WORK_DIR/environment/compute/tekton-results/tekton-results-minio-config.yaml"
+  yq --inplace "
+    .data.[\"ca.crt\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/root.crt")\" |
+    .data.[\"tls.crt\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/server.crt")\" |
+    .data.[\"tls.key\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/server.key")\"
+  " "$WORK_DIR/environment/compute/tekton-results/tekton-results-postgresql-tls-secret.yaml"
+  yq --inplace "
+  .data.[\"tekton-results-db-ca.pem\"]=\"$(cat "$TEKTON_RESULTS_DB_SSL/root.crt")\"
+  " "$WORK_DIR/environment/compute/tekton-results/rds-db-cert-configmap.yaml"
 }
 
+
+
 deploy_application() {
   echo "- Deploy application:"
 

developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml

@@ -22,8 +22,18 @@ spec:
           value: 13.14.0
         - name: tls.enabled
           value: "true"
-        - name: tls.autoGenerated
-          value: "true"
+        - name: tls.certificatesSecret
+          value: "postgresql-tls"
+        - name: tls.certFilename
+          value: "tls.crt"
+        - name: tls.certKeyFilename
+          value: "tls.key"
+        # There is an unresolved issue with CA cert that stops pods from
+        # starting due to readiness probe failure. The workaround is
+        # discussed here along with the linked issues:
+        # https://github.com/bitnami/charts/issues/8026
+        # - name: tls.certCAFilename
+        #   value: "ca.crt"
         - name: auth.database
           value: "tekton_results"
         - name: auth.username

developer/openshift/gitops/argocd/pipeline-service/kustomization.yaml

@@ -8,7 +8,6 @@ resources:
 patches:
   - path: tekton-results/minio-create-bucket.yaml
   - path: tekton-results/minio-tls.yaml
-  - path: tekton-results/postgres.yaml
 
   # Skip applying the Tekton operands while the Tekton operator is being installed.
   # See more information about this option, here:

developer/openshift/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml

@@ -7,4 +7,3 @@ resources:
 patches:
   - path: minio-create-bucket.yaml
   - path: minio-tls.yaml
-  - path: postgres.yaml

developer/openshift/gitops/argocd/pipeline-service/tekton-results/postgres.yaml

@@ -6,3 +6,5 @@ resources:
   - tekton-results-db-secret.yaml
   - tekton-results-s3-secret.yaml
   - tekton-results-minio-config.yaml
+  - rds-db-cert-configmap.yaml
+  - tekton-results-postgresql-tls-secret.yaml

developer/openshift/gitops/local/tekton-results/kustomization.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rds-root-crt
+  namespace: tekton-results
+data:
+  # contents of the public certificate should be inserted here
+  # the name of the key must be same as provided in the tekton results .env config
+  tekton-results-db-ca.pem:

developer/openshift/gitops/local/tekton-results/rds-db-cert-configmap.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgresql-tls
+  namespace: tekton-results
+data:
+  # Provide CA, TLS cert and key. CA cert is not being used until readiness
+  # probe issue is resolved with the binami/postgresql chart
+  ca.crt:
+  tls.crt:
+  tls.key:

developer/openshift/gitops/local/tekton-results/tekton-results-postgresql-tls-secret.yaml

@@ -33,3 +33,11 @@ spec:
                 secretKeyRef:
                   name: tekton-results-database
                   key: db.name
+          volumeMounts:
+            - name: db-tls-ca
+              mountPath: /etc/tls/db
+              readOnly: true
+      volumes:
+        - name: db-tls-ca
+          configMap:
+            name: rds-root-crt

operator/gitops/argocd/pipeline-service/tekton-results/api-db-config.yaml

@@ -3,8 +3,8 @@ DB_PASSWORD=
 DB_HOST=
 DB_PORT=5432
 DB_NAME=
-DB_SSLMODE=disable
-DB_SSLROOTCERT=
+DB_SSLMODE=verify-full
+DB_SSLROOTCERT=/etc/tls/db/tekton-results-db-ca.pem
 DB_ENABLE_AUTO_MIGRATION=true
 SERVER_PORT=8080
 PROMETHEUS_PORT=9090