From 3f6f69b34c385e4391ea15c3fc4af6c701db0d76 Mon Sep 17 00:00:00 2001
From: Johannes Malsam <60240743+johannes94@users.noreply.github.com>
Date: Thu, 19 Sep 2024 15:06:22 +0200
Subject: [PATCH] fix: emailsender to DB TLS connection (#2037)

* fix emailsender tls config

* fix file permission for rds CA
---
 .github/workflows/emailsender-central-compatibility.yaml | 4 ++++
 dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml | 4 ++++
 dp-terraform/helm/rhacs-terraform/values.yaml | 3 +++
 emailsender/Dockerfile | 2 ++
 scripts/ci/central_compatibility/emailsender-values.yaml | 3 +++
 5 files changed, 16 insertions(+)

diff --git a/.github/workflows/emailsender-central-compatibility.yaml b/.github/workflows/emailsender-central-compatibility.yaml
index 634827c70d..826c5b1daf 100644
--- a/.github/workflows/emailsender-central-compatibility.yaml
+++ b/.github/workflows/emailsender-central-compatibility.yaml
@@ -7,11 +7,15 @@ on:
 - main
 paths:
 - 'emailsender/**'
+ - 'scripts/**'
+ - '.github/workflows/emailsender-central-compatibility.yaml'
 pull_request:
 types: [opened, synchronize, reopened, ready_for_review]
 paths:
 - 'emailsender/**'
+ - 'scripts/**'
+ - '.github/workflows/emailsender-central-compatibility.yaml'
 jobs:
 e2e-test-on-kind:
diff --git a/dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml b/dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml
index c8def1f966..1d4f231fa8 100644
--- a/dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml
+++ b/dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml
@@ -41,6 +41,10 @@ spec:
 value: "/var/run/certs/tls.crt"
 - name: HTTPS_KEY_FILE
 value: "/var/run/certs/tls.key"
+ - name: DATABASE_SSL_MODE
+ value: {{ .Values.emailsender.db.sslMode }}
+ - name: DATABASE_CA_CERT_FILE
+ value: {{ .Values.emailsender.db.caCertFile }}
 {{- if .Values.emailsender.authConfigFromKubernetes }}
 - name: AUTH_CONFIG_FROM_KUBERNETES
 value: "true" 
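Review bot: The two added `value:` lines in templates/emailsender.yaml emit the Helm values as bare scalars, so `caCertFile: ""` (the value the CI values file sets) renders as `value:` with nothing after it, which YAML reads as null rather than the empty string the env var is meant to carry, and a bare `sslMode` word is left to YAML's implicit typing. Quote both templated scalars: `value: {{ .Values.emailsender.db.sslMode | quote }}` and `value: {{ .Values.emailsender.db.caCertFile | quote }}`. Whether the application tolerates an empty `DATABASE_CA_CERT_FILE` when `DATABASE_SSL_MODE` is `disable` cannot be confirmed from this diff, so that pairing is worth a comment in values.yaml. The env list continues outside the hunk.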
diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml
index 51fc04d9e0..6cab0d3a9e 100644
--- a/dp-terraform/helm/rhacs-terraform/values.yaml
+++ b/dp-terraform/helm/rhacs-terraform/values.yaml
@@ -72,6 +72,9 @@ emailsender:
 enabled: false
 # Use this in case you apply this manifest against a cluster without service-ca operator
 # to turn of HTTPS and mounting the service-ca certs since they'll not be created
+ db:
+ sslMode: "verify-full"
+ caCertFile: /rds_ca/aws-rds-ca-global-bundle.pem
 enableHTTPS: true
 replicas: 3
 image:
diff --git a/emailsender/Dockerfile b/emailsender/Dockerfile
index a62d670688..52c3beb781 100644
--- a/emailsender/Dockerfile
+++ b/emailsender/Dockerfile
@@ -15,6 +15,8 @@ FROM registry.access.redhat.com/ubi8/ubi-minimal:8.9 as standard
 RUN microdnf install shadow-utils
 RUN useradd -u 1001 unprivilegeduser
+ADD https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /rds_ca/aws-rds-ca-global-bundle.pem
+RUN chmod a+rw /rds_ca/aws-rds-ca-global-bundle.pem
 # Switch to non-root user
 USER unprivilegeduser
diff --git a/scripts/ci/central_compatibility/emailsender-values.yaml b/scripts/ci/central_compatibility/emailsender-values.yaml
index 44ca137dcc..41fec5ca4d 100644
--- a/scripts/ci/central_compatibility/emailsender-values.yaml
+++ b/scripts/ci/central_compatibility/emailsender-values.yaml
@@ -9,6 +9,9 @@ fleetshardSync:
 enabled: false
 subnetGroup: "dummyGroup"
 emailsender:
+ db:
+ sslMode: "disable"
+ caCertFile: ""
 image:
 repo: "quay.io/rhacs-eng/emailsender"
 enabled: true
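Review bot: In values.yaml the new `db:` block is inserted between the two-line comment about the service-ca operator and the `enableHTTPS: true` key that comment describes, so the comment now reads as if it documented the database TLS settings. Move the block above that comment (or below `enableHTTPS`) and give it its own note, e.g. `# TLS for the emailsender -> database connection. caCertFile must match the bundle path baked into emailsender/Dockerfile.` The `verify-full` default is the right one; the path coupling to the image is the part a future maintainer is most likely to break, since nothing in the chart checks that the file exists.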
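Review bot: `RUN chmod a+rw` on the downloaded bundle makes the trust anchor that `verify-full` relies on world-writable inside the image, so code running as `unprivilegeduser` (for example via a bug in emailsender itself) could overwrite it and make any server certificate acceptable; the process only needs to read the file. Because the `ADD` runs before `USER unprivilegeduser` the file is root-owned, so `RUN chmod 0444 /rds_ca/aws-rds-ca-global-bundle.pem` is sufficient and keeps the bundle immutable at runtime. Separately, the `ADD` fetches the trust store from the network at build time with no integrity check, so each rebuild silently takes whatever the endpoint serves; if the build's Dockerfile syntax supports it, pin it with `ADD --checksum=sha256:<digest> https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /rds_ca/aws-rds-ca-global-bundle.pem`, otherwise verify it against a committed digest with `sha256sum -c` in the same `RUN` step.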
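Review bot: With `sslMode: "disable"` in the CI values, the compatibility e2e job never exercises the `verify-full` plus CA-bundle path that this patch exists to fix, so a regression there (wrong file path, unreadable bundle, bad mode string) would not be caught by this workflow; presumably the kind-hosted database has no TLS, but that is not visible in the diff. If a TLS-enabled Postgres is feasible in the job, a run with `sslMode: "verify-full"` and the image's `/rds_ca/aws-rds-ca-global-bundle.pem` path would cover the production configuration; otherwise a short comment here, `# kind DB has no TLS; production uses verify-full (see rhacs-terraform values.yaml)`, records why the test diverges. Also confirm the chart renders `caCertFile: ""` as an empty string and not a null env value, since the template emits it unquoted.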