SMQ-106 - SSL connection support for DB's (#168)

JeffMboya · web-flow · commit 05c95d95c29f · 2025-03-10T09:51:55.000+01:00
* AddSSL connection support for DB's

Signed-off-by: JeffMboya &lt;jangina.mboya@gmail.com&gt;

* Bump chart version

Signed-off-by: JeffMboya &lt;jangina.mboya@gmail.com&gt;

* Update docs

Signed-off-by: JeffMboya &lt;jangina.mboya@gmail.com&gt;

---------

Signed-off-by: JeffMboya &lt;jangina.mboya@gmail.com&gt;
diff --git a/charts/supermq/Chart.yaml b/charts/supermq/Chart.yaml
@@ -6,7 +6,7 @@ name: Supermq
 description: Event-driven Infrastructure for Modern Cloud
 icon: https://avatars1.githubusercontent.com/u/13207490
 type: application
-version: 0.16.1
+version: 0.16.2
 appVersion: "0.16.0"
 home: https://abstractmachines.fr/supermq.html
 sources:
diff --git a/charts/supermq/README.md b/charts/supermq/README.md
@@ -2,7 +2,7 @@
 
 Event-driven Infrastructure for Modern Cloud
 
-![Version: 0.16.1](https://img.shields.io/badge/Version-0.16.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.16.0](https://img.shields.io/badge/AppVersion-0.16.0-informational?style=flat-square)
+![Version: 0.16.2](https://img.shields.io/badge/Version-0.16.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.16.0](https://img.shields.io/badge/AppVersion-0.16.0-informational?style=flat-square)
 
 **Homepage:** <https://abstractmachines.fr/supermq.html>
 
@@ -70,6 +70,10 @@ Event-driven Infrastructure for Modern Cloud
 | auth.refreshTokenDuration | string | `"24h"` |  |
 | auth.replicaCount | int | `1` |  |
 | auth.secretKey | string | `"supersecret"` |  |
+| auth.sslCert | string | `""` |  |
+| auth.sslKey | string | `""` |  |
+| auth.sslMode | string | `"disable"` |  |
+| auth.sslRootCert | string | `""` |  |
 | auth.tolerations | object | `{}` |  |
 | cassandra.dbUser.password | string | `"cassandra"` |  |
 | cassandra.dbUser.user | string | `"cassandra"` |  |
@@ -95,6 +99,10 @@ Event-driven Infrastructure for Modern Cloud
 | certs.sdkTlsVerification | string | `"false"` |  |
 | certs.signCAKeyPath | string | `"/etc/ssl/certs/ca.key"` |  |
 | certs.signCAPath | string | `"/etc/ssl/certs/ca.crt"` |  |
+| certs.sslCert | string | `""` |  |
+| certs.sslKey | string | `""` |  |
+| certs.sslMode | string | `"disable"` |  |
+| certs.sslRootCert | string | `""` |  |
 | certs.vault.approleRoleid | string | `"supermq"` |  |
 | certs.vault.approleSecret | string | `"supermq"` |  |
 | certs.vault.namespace | string | `"supermq"` |  |
@@ -111,13 +119,21 @@ Event-driven Infrastructure for Modern Cloud
 | channels.httpPort | int | `9005` |  |
 | channels.image | object | `{}` |  |
 | channels.replicaCount | int | `1` |  |
+| channels.sslCert | string | `""` |  |
+| channels.sslKey | string | `""` |  |
+| channels.sslMode | string | `"disable"` |  |
+| channels.sslRootCert | string | `""` |  |
 | clients.authGrpcPort | int | `7006` |  |
 | clients.grpcClientCert | string | `"./ssl/certs/clients-grpc-client.crt"` |  |
 | clients.grpcClientKey | string | `"./ssl/certs/clients-grpc-client.key"` |  |
 | clients.grpcTimeout | string | `"1s"` |  |
 | clients.httpPort | int | `9006` |  |
 | clients.image | object | `{}` |  |
 | clients.replicaCount | int | `1` |  |
+| clients.sslCert | string | `""` |  |
+| clients.sslKey | string | `""` |  |
+| clients.sslMode | string | `"disable"` |  |
+| clients.sslRootCert | string | `""` |  |
 | defaults.image.pullPolicy | string | `"IfNotPresent"` |  |
 | defaults.image.rootRepository | string | `"supermq"` |  |
 | defaults.image.tag | string | `"latest"` |  |
@@ -131,6 +147,10 @@ Event-driven Infrastructure for Modern Cloud
 | domains.httpPort | int | `9003` |  |
 | domains.image | object | `{}` |  |
 | domains.replicaCount | int | `1` |  |
+| domains.sslCert | string | `""` |  |
+| domains.sslKey | string | `""` |  |
+| domains.sslMode | string | `"disable"` |  |
+| domains.sslRootCert | string | `""` |  |
 | envoy.image.pullPolicy | string | `"IfNotPresent"` |  |
 | envoy.image.repository | string | `"envoyproxy/envoy"` |  |
 | envoy.image.tag | string | `"v1.31-latest"` |  |
@@ -145,6 +165,10 @@ Event-driven Infrastructure for Modern Cloud
 | groups.httpPort | int | `9004` |  |
 | groups.image | object | `{}` |  |
 | groups.replicaCount | int | `1` |  |
+| groups.sslCert | string | `""` |  |
+| groups.sslKey | string | `""` |  |
+| groups.sslMode | string | `"disable"` |  |
+| groups.sslRootCert | string | `""` |  |
 | ingress.annotations."kubernetes.io/ingress.class" | string | `"nginx"` |  |
 | ingress.enabled | bool | `true` |  |
 | ingress.hostname | string | `"localhost"` |  |
@@ -190,6 +214,10 @@ Event-driven Infrastructure for Modern Cloud
 | journal.httpPort | int | `9021` |  |
 | journal.image | object | `{}` |  |
 | journal.replicaCount | int | `1` |  |
+| journal.sslCert | string | `""` |  |
+| journal.sslKey | string | `""` |  |
+| journal.sslMode | string | `"disable"` |  |
+| journal.sslRootCert | string | `""` |  |
 | mqtt.adapter.forwarderTimeout | string | `"30s"` |  |
 | mqtt.adapter.image.pullSecrets | object | `{}` |  |
 | mqtt.adapter.logLevel | string | `"error"` |  |
@@ -570,5 +598,9 @@ Event-driven Infrastructure for Modern Cloud
 | users.refreshTokenDuration | string | `"24h"` |  |
 | users.replicaCount | int | `1` |  |
 | users.secretKey | string | `"supersecret"` |  |
+| users.sslCert | string | `""` |  |
+| users.sslKey | string | `""` |  |
+| users.sslMode | string | `"disable"` |  |
+| users.sslRootCert | string | `""` |  |
 | users.tokenResetEndpoint | string | `"/reset-request"` |  |
 | vault.enabled | bool | `false` |  |
diff --git a/charts/supermq/templates/auth-deployment.yaml b/charts/supermq/templates/auth-deployment.yaml
@@ -84,6 +84,14 @@ spec:
               value: {{ .Release.Name }}-spicedb-envoy
             - name: SMQ_SPICEDB_PORT
               value: {{ .Values.spicedb.grpc.port | quote }}
+            - name: SMQ_AUTH_DB_SSL_MODE
+              value: {{ .Values.auth.sslMode | quote }}
+            - name: SMQ_AUTH_DB_SSL_CERT
+              value: {{ .Values.auth.sslCert | quote }}
+            - name: SMQ_AUTH_DB_SSL_KEY
+              value: {{ .Values.auth.sslKey | quote }}
+            - name: SMQ_AUTH_DB_SSL_ROOT_CERT
+              value: {{ .Values.auth.sslRootCert | quote }}
             - name: SMQ_SPICEDB_SCHEMA_FILE
               value: /schema.zed
             - name: SMQ_SPICEDB_PRE_SHARED_KEY
diff --git a/charts/supermq/templates/certs-deployment.yaml b/charts/supermq/templates/certs-deployment.yaml
@@ -71,6 +71,16 @@ spec:
               value: {{ .Values.postgresqlcerts.username | quote }}
             - name: SMQ_CERTS_DB_PASS
               value: {{ .Values.postgresqlcerts.password | quote }}
+            - name: AM_CERTS_DB_SSL_MODE
+              value: {{ .Values.certs.sslMode | quote }}
+            - name: SMQ_CERTS_DB_SSL_MODE
+              value: {{ .Values.certs.sslMode | quote }}
+            - name: SMQ_CERTS_DB_SSL_CERT
+              value: {{ .Values.certs.sslCert | quote }}
+            - name: SMQ_CERTS_DB_SSL_KEY
+              value: {{ .Values.certs.sslKey | quote }}
+            - name: SMQ_CERTS_DB_SSL_ROOT_CERT
+              value: {{ .Values.certs.sslRootCert | quote }}
             - name: SMQ_CERTS_SIGN_CA_PATH
               value: {{ .Values.certs.signCAPath }}
             - name: SMQ_CERTS_SIGN_CA_KEY_PATH
diff --git a/charts/supermq/templates/channels-deployment.yaml b/charts/supermq/templates/channels-deployment.yaml
@@ -50,6 +50,14 @@ spec:
               value: {{ .Values.postgresqlchannels.username | quote }}
             - name: SMQ_CHANNELS_DB_PASS
               value: {{ .Values.postgresqlchannels.password | quote }}
+            - name: SMQ_CHANNELS_DB_SSL_MODE
+              value: {{ .Values.channels.sslMode | quote }}
+            - name: SMQ_CHANNELS_DB_SSL_CERT
+              value: {{ .Values.channels.sslCert | quote }}
+            - name: SMQ_CHANNELS_DB_SSL_KEY
+              value: {{ .Values.channels.sslKey | quote }}
+            - name: SMQ_CHANNELS_DB_SSL_ROOT_CERT
+              value: {{ .Values.channels.sslRootCert | quote }}
             - name: SMQ_SPICEDB_SCHEMA_FILE
               value: /schema.zed
             - name : SMQ_AUTH_GRPC_URL
diff --git a/charts/supermq/templates/clients-deployment.yaml b/charts/supermq/templates/clients-deployment.yaml
@@ -72,6 +72,14 @@ spec:
               value: {{ .Values.postgresqlclients.password | quote }}
             - name: SMQ_CLIENTS_DB_NAME
               value: {{ .Values.postgresqlclients.database | quote }}
+            - name: SMQ_CLIENTS_DB_SSL_MODE
+              value: {{ .Values.clients.sslMode | quote }}
+            - name: SMQ_CLIENTS_DB_SSL_CERT
+              value: {{ .Values.clients.sslCert | quote }}
+            - name: SMQ_CLIENTS_DB_SSL_KEY
+              value: {{ .Values.clients.sslKey | quote }}
+            - name: SMQ_CLIENTS_DB_SSL_ROOT_CERT
+              value: {{ .Values.clients.sslRootCert | quote }}
             - name: SMQ_ES_URL
               value: {{ .Values.nats.enabled | ternary (printf "%s-nats:%d" .Release.Name (.Values.nats.config.nats.port | int )) .Values.nats.externalAddress }}
             - name: SMQ_CLIENTS_HTTP_HOST
diff --git a/charts/supermq/templates/domains-deployment.yaml b/charts/supermq/templates/domains-deployment.yaml
@@ -65,6 +65,14 @@ spec:
               value: {{ .Values.postgresqldomains.password | quote }}
             - name: SMQ_DOMAINS_DB_NAME
               value: {{ .Values.postgresqldomains.database | quote }}
+            - name: SMQ_DOMAINS_DB_SSL_MODE
+              value: {{ .Values.domains.sslMode | quote }}
+            - name: SMQ_DOMAINS_DB_SSL_CERT
+              value: {{ .Values.domains.sslCert | quote }}
+            - name: SMQ_DOMAINS_DB_SSL_KEY
+              value: {{ .Values.domains.sslKey | quote }}
+            - name: SMQ_DOMAINS_DB_SSL_ROOT_CERT
+              value: {{ .Values.domains.sslRootCert | quote }}
             - name: SMQ_DOMAINS_CACHE_URL
               {{- if .Values.redisdomains.enabled }}
               value: redis://{{ .Release.Name }}-redisdomains-master:{{ .Values.redisdomains.master.service.ports.redis	 }}/0
diff --git a/charts/supermq/templates/groups-deployment.yaml b/charts/supermq/templates/groups-deployment.yaml
@@ -56,6 +56,14 @@ spec:
               value: {{ .Values.postgresqlgroups.username | quote }}
             - name: SMQ_GROUPS_DB_PASS
               value: {{ .Values.postgresqlgroups.password | quote }}
+            - name: SMQ_GROUPS_DB_SSL_MODE
+              value: {{ .Values.groups.sslMode | quote }}
+            - name: SMQ_GROUPS_DB_SSL_CERT
+              value: {{ .Values.groups.sslCert | quote }}
+            - name: SMQ_GROUPS_DB_SSL_KEY
+              value: {{ .Values.groups.sslKey | quote }}
+            - name: SMQ_GROUPS_DB_SSL_ROOT_CERT
+              value: {{ .Values.groups.sslRootCert | quote }}
             - name: SMQ_CHANNELS_URL
               value: {{ .Release.Name }}-channels:{{ .Values.channels.httpPort }}
             - name: SMQ_CHANNELS_GRPC_URL
diff --git a/charts/supermq/templates/journal-deployment.yaml b/charts/supermq/templates/journal-deployment.yaml
@@ -78,6 +78,14 @@ spec:
               value: {{ .Values.postgresqljournal.username | quote }}
             - name: SMQ_JOURNAL_DB_PASS
               value: {{ .Values.postgresqljournal.password | quote }}
+            - name: SMQ_JOURNAL_DB_SSL_MODE
+              value: {{ .Values.journal.sslMode | quote }}
+            - name: SMQ_JOURNAL_DB_SSL_CERT
+              value: {{ .Values.journal.sslCert | quote }}
+            - name: SMQ_JOURNAL_DB_SSL_KEY
+              value: {{ .Values.journal.sslKey | quote }}
+            - name: SMQ_JOURNAL_DB_SSL_ROOT_CERT
+              value: {{ .Values.journal.sslRootCert | quote }}
           ports:
             - containerPort: {{ .Values.journal.httpPort }}
               protocol: TCP
diff --git a/charts/supermq/templates/users-deployment.yaml b/charts/supermq/templates/users-deployment.yaml
@@ -109,6 +109,14 @@ spec:
               value: {{ .Values.postgresqlusers.username | quote }}
             - name: SMQ_USERS_DB_PASS
               value: {{ .Values.postgresqlusers.password | quote }}
+            - name: SMQ_USERS_DB_SSL_MODE
+              value: {{ .Values.users.sslMode | quote }}
+            - name: SMQ_USERS_DB_SSL_CERT
+              value: {{ .Values.users.sslCert | quote }}
+            - name: SMQ_USERS_DB_SSL_KEY
+              value: {{ .Values.users.sslKey | quote }}
+            - name: SMQ_USERS_DB_SSL_ROOT_CERT
+              value: {{ .Values.users.sslRootCert | quote }}
             - name : SMQ_AUTH_GRPC_URL
               value: {{ .Release.Name }}-envoy:{{ .Values.auth.grpcPort }}
             - name: SMQ_SPICEDB_HOST
diff --git a/charts/supermq/values.yaml b/charts/supermq/values.yaml
@@ -142,6 +142,10 @@ auth:
   grpcClientCert: "./ssl/certs/auth-grpc-client.crt"
   grpcClientKey: "./ssl/certs/auth-grpc-client.key"
   grpcClientCACerts: "./ssl/certs/ca.crt"
+  sslMode: "disable"
+  sslCert: ""
+  sslKey: ""
+  sslRootCert: ""
   nodeSelector: {}
   affinity: {}
   tolerations: {}
@@ -218,6 +222,10 @@ certs:
   sdkHost: "http://supermq-am-certs"
   sdkCertsUrl: "${SMQ_CERTS_SDK_HOST}:9010"
   sdkTlsVerification: "false"
+  sslMode: "disable"
+  sslCert: ""
+  sslKey: ""
+  sslRootCert: ""
   vault:
     url: "http://supermq-vault:8200"
     approleRoleid: supermq
@@ -272,6 +280,10 @@ channels:
   httpPort: 9005
   grpcPort: 7005
   grpcTimeout: "1s"
+  sslMode: "disable"
+  sslCert: ""
+  sslKey: ""
+  sslRootCert: ""
   grpcClientCert: "./ssl/certs/channels-grpc-client.crt"
   grpcClientKey: "./ssl/certs/channels-grpc-client.key"
   grpcServerCert: "./ssl/certs/channels-grpc-server.crt"
@@ -323,6 +335,10 @@ clients:
   httpPort: 9006
   authGrpcPort: 7006
   grpcTimeout: "1s"
+  sslMode: "disable"
+  sslCert: ""
+  sslKey: ""
+  sslRootCert: ""
   grpcClientCert: "./ssl/certs/clients-grpc-client.crt"
   grpcClientKey: "./ssl/certs/clients-grpc-client.key"
   # logLevel: "error"
@@ -396,6 +412,10 @@ domains:
   httpPort: 9003
   grpcPort: 7003
   grpcTimeout: "300s"
+  sslMode: "disable"
+  sslCert: ""
+  sslKey: ""
+  sslRootCert: ""
   grpcClientCert: "./ssl/certs/domains-grpc-client.crt"
   grpcClientCaCerts: "./ssl/certs/ca.crt"
 
@@ -473,6 +493,10 @@ groups:
   httpPort: 9004
   grpcPort: 7004
   grpcTimeout: "300s"
+  sslMode: "disable"
+  sslCert: ""
+  sslKey: ""
+  sslRootCert: ""
   grpcClientCert: "./ssl/certs/groups-grpc-client.crt"
   grpcClientKey: "./ssl/certs/groups-grpc-client.key"
   grpcClientCaCerts: "./ssl/certs/ca.crt"
@@ -608,6 +632,10 @@ journal:
   # logLevel: "error"
   replicaCount: 1
   httpPort: 9021
+  sslMode: "disable"
+  sslCert: ""
+  sslKey: ""
+  sslRootCert: ""
   # nodeSelector: {}
   # affinity: {}
   # tolerations: {}
@@ -918,6 +946,10 @@ users:
   allowSelfRegister: true
   deleteInterval: "24h"
   deleteAfter: "720h"
+  sslMode: "disable"
+  sslCert: ""
+  sslKey: ""
+  sslRootCert: ""
   # nodeSelector: {}
   # affinity: {}
   # tolerations: {}
