fix: add references to sslmode for postgres dbs

Chickensoupwithrice · Chickensoupwithrice · commit 5f63fba481aa · 2025-01-17T09:26:58.000-08:00
[REL-638](https://linear.app/sourcegraph/issue/REL-638/configure-aws-rds-databases-for-tls-connections-in-helm-chart) raised issues that this flag did not get mentioned in the docs where a customer wanted to use TLS. It also outlined the recommended fixes that this commit implements.
diff --git a/charts/sourcegraph-migrator/templates/_helpers.tpl b/charts/sourcegraph-migrator/templates/_helpers.tpl
@@ -91,4 +91,9 @@ useGlobalTagAsDefault configuration
     secretKeyRef:
       key: user
       name: {{ $secretName }}
+- name: {{ printf "%sSSLMODE" $prefix }}
+  valueFrom:
+    secretKeyRef:
+      key: sslmode
+      name: {{ $secretName }}
 {{- end }}
diff --git a/charts/sourcegraph/examples/external-databases/README.md b/charts/sourcegraph/examples/external-databases/README.md
@@ -30,6 +30,7 @@ data:
   password: ""
   port: ""
   user: ""
+  pgsslmode: "require" # optional, enable if using SSL
 ```
 
 The Secret name should be set in your override file in the `auth.existingSecret` key for each database. See the [override.yaml] for an example.
diff --git a/charts/sourcegraph/templates/_helpers.tpl b/charts/sourcegraph/templates/_helpers.tpl
@@ -211,6 +211,11 @@ app.kubernetes.io/name: jaeger
     secretKeyRef:
       key: user
       name: {{ $secretName }}
+- name: {{ printf "%sSSLMODE" $prefix }}
+  valueFrom:
+    secretKeyRef:
+      key: sslmode
+      name: {{ $secretName }}
 {{- if eq $service "grafana" }}
 - name: {{ printf "%sSSLMODE" $prefix }}
   valueFrom:
diff --git a/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml b/charts/sourcegraph/templates/codeinsights-db/codeinsights-db.Secret.yaml
@@ -14,4 +14,5 @@ data:
   password: {{ .Values.codeInsightsDB.auth.password | toString | b64enc | quote }}
   port: {{ .Values.codeInsightsDB.auth.port | toString | b64enc | quote }}
   user: {{ .Values.codeInsightsDB.auth.user | toString | b64enc | quote }}
+  sslmode: {{ .Values.codeInsightsDB.auth.sslmode | toString | b64enc | quote }}
 {{- end -}}
diff --git a/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml b/charts/sourcegraph/templates/codeintel-db/codeintel-db.Secret.yaml
@@ -14,4 +14,5 @@ data:
   password: {{ .Values.codeIntelDB.auth.password | toString | b64enc | quote }}
   port: {{ .Values.codeIntelDB.auth.port | toString | b64enc | quote }}
   user: {{ .Values.codeIntelDB.auth.user | toString | b64enc | quote }}
+  sslmode: {{ .Values.codeIntelDB.auth.sslmode | toString | b64enc | quote }}
 {{- end -}}
diff --git a/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml b/charts/sourcegraph/templates/pgsql/pgsql.Secret.yaml
@@ -14,4 +14,5 @@ data:
   password: {{ .Values.pgsql.auth.password | toString | b64enc | quote }}
   port: {{ .Values.pgsql.auth.port | toString | b64enc | quote }}
   user: {{ .Values.pgsql.auth.user | toString | b64enc | quote }}
+  sslmode: {{ .Values.pgsql.auth.sslmode | toString | b64enc | quote }}
 {{- end -}}
diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml
@@ -164,6 +164,8 @@ codeInsightsDB:
     password: "password"
     # -- Sets codeinsights-db port
     port: "5432"
+    # -- Sets codeinsights-db SSL mode
+    sslmode: "disable"  # set to "require" to enable SSL
   # -- Environment variables for the `codeinsights-db` container
   env: {}
   # -- Name of existing ConfigMap for `codeinsights-db`. It must contain a `postgresql.conf` key.
@@ -237,6 +239,8 @@ codeIntelDB:
     password: "password"
     # -- Sets codeintel-db port
     port: "5432"
+    # -- Sets codeintel-db SSL mode
+    sslmode: "disable"  # set to "require" to enable SSL
   # -- Name of existing ConfigMap for `codeintel-db`. It must contain a `postgresql.conf` key
   existingConfig: ""
   # -- Additional PostgreSQL configuration. This will override or extend our default configuration.
@@ -721,8 +725,10 @@ pgsql:
     password: "password"
     # -- Sets postgres port
     port: "5432"
+    # -- Sets postgres SSL mode
+    sslmode: "disable"  # set to "require" to enable SSL
   # -- Name of existing ConfigMap for `pgsql`. It must contain a `postgresql.conf` key
-  existingConfig: "" # Name of an existing configmap
+  existingConfig: ""  # Name of an existing configmap
   # -- Additional PostgreSQL configuration. This will override or extend our default configuration.
   # Notes: This is expecting a multiline string.
   # Learn more from our [recommended PostgreSQL configuration](https://docs.sourcegraph.com/admin/config/postgres-conf) and [PostgreSQL documentation](https://www.postgresql.org/docs/12/config-setting.html)
