external secret support for postgres, redis, clickhouse, plus fixes

nicktrn · nicktrn · commit beb9a9dff746 · 2025-07-08T13:32:12.000+01:00
diff --git a/hosting/k8s/helm/templates/_helpers.tpl b/hosting/k8s/helm/templates/_helpers.tpl
@@ -96,27 +96,34 @@ Get the full image name for supervisor
 {{- end }}
 
 {{/*
-PostgreSQL hostname
+PostgreSQL hostname (deprecated - used only for legacy DATABASE_HOST env var)
 */}}
 {{- define "trigger-v4.postgres.hostname" -}}
-{{- if .Values.postgres.external.host }}
-{{- .Values.postgres.external.host }}
-{{- else if .Values.postgres.deploy }}
+{{- if .Values.postgres.deploy }}
 {{- printf "%s-postgres" .Release.Name }}
+{{- else }}
+{{- "external-postgres" }}
 {{- end }}
 {{- end }}
 
 {{/*
-PostgreSQL connection string
+PostgreSQL connection string (fallback when not using secrets)
 */}}
 {{- define "trigger-v4.postgres.connectionString" -}}
-{{- if .Values.postgres.external.host -}}
-postgresql://{{ .Values.postgres.external.username }}:{{ .Values.postgres.external.password }}@{{ .Values.postgres.external.host }}:{{ .Values.postgres.external.port | default 5432 }}/{{ .Values.postgres.external.database }}?schema={{ .Values.postgres.connection.schema | default "public" }}&sslmode={{ .Values.postgres.connection.sslMode | default "prefer" }}
+{{- if .Values.postgres.external.databaseUrl -}}
+{{ .Values.postgres.external.databaseUrl }}
 {{- else if .Values.postgres.deploy -}}
 postgresql://{{ .Values.postgres.auth.username }}:{{ .Values.postgres.auth.password }}@{{ include "trigger-v4.postgres.hostname" . }}:5432/{{ .Values.postgres.auth.database }}?schema={{ .Values.postgres.connection.schema | default "public" }}&sslmode={{ .Values.postgres.connection.sslMode | default "prefer" }}
 {{- end -}}
 {{- end }}
 
+{{/*
+Check if we should use DATABASE_URL from secret
+*/}}
+{{- define "trigger-v4.postgres.useSecretUrl" -}}
+{{- or (and .Values.postgres.external.databaseUrl .Values.postgres.external.existingSecret) (and .Values.postgres.external.existingSecret) -}}
+{{- end }}
+
 {{/*
 Redis hostname
 */}}
@@ -165,6 +172,94 @@ Redis TLS disabled setting
 {{- end -}}
 {{- end }}
 
+{{/*
+PostgreSQL external secret name
+*/}}
+{{- define "trigger-v4.postgres.external.secretName" -}}
+{{- if .Values.postgres.external.existingSecret -}}
+{{ .Values.postgres.external.existingSecret }}
+{{- else -}}
+{{ include "trigger-v4.secretsName" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+PostgreSQL external secret database URL key
+*/}}
+{{- define "trigger-v4.postgres.external.databaseUrlKey" -}}
+{{- if .Values.postgres.external.existingSecret -}}
+{{ .Values.postgres.external.secretKeys.databaseUrlKey }}
+{{- else -}}
+postgres-database-url
+{{- end -}}
+{{- end }}
+
+{{/*
+PostgreSQL external secret direct URL key
+*/}}
+{{- define "trigger-v4.postgres.external.directUrlKey" -}}
+{{- if .Values.postgres.external.existingSecret -}}
+{{ .Values.postgres.external.secretKeys.directUrlKey | default .Values.postgres.external.secretKeys.databaseUrlKey }}
+{{- else -}}
+postgres-direct-url
+{{- end -}}
+{{- end }}
+
+{{/*
+PostgreSQL direct URL (fallback to database URL if not set)
+*/}}
+{{- define "trigger-v4.postgres.directUrl" -}}
+{{- if .Values.postgres.external.directUrl -}}
+{{ .Values.postgres.external.directUrl }}
+{{- else -}}
+{{ include "trigger-v4.postgres.connectionString" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+Redis external secret name
+*/}}
+{{- define "trigger-v4.redis.external.secretName" -}}
+{{- if .Values.redis.external.existingSecret -}}
+{{ .Values.redis.external.existingSecret }}
+{{- else -}}
+{{ include "trigger-v4.secretsName" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+Redis external secret password key
+*/}}
+{{- define "trigger-v4.redis.external.passwordKey" -}}
+{{- if .Values.redis.external.existingSecret -}}
+{{ .Values.redis.external.existingSecretPasswordKey }}
+{{- else -}}
+redis-password
+{{- end -}}
+{{- end }}
+
+{{/*
+ClickHouse external secret name
+*/}}
+{{- define "trigger-v4.clickhouse.external.secretName" -}}
+{{- if .Values.clickhouse.external.existingSecret -}}
+{{ .Values.clickhouse.external.existingSecret }}
+{{- else -}}
+{{ include "trigger-v4.secretsName" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+ClickHouse external secret password key
+*/}}
+{{- define "trigger-v4.clickhouse.external.passwordKey" -}}
+{{- if .Values.clickhouse.external.existingSecret -}}
+{{ .Values.clickhouse.external.existingSecretKey }}
+{{- else -}}
+clickhouse-password
+{{- end -}}
+{{- end }}
+
 {{/*
 Electric service URL
 */}}
@@ -198,8 +293,12 @@ ClickHouse URL for application (with secure parameter)
 {{- else if .Values.clickhouse.external.host -}}
 {{- $protocol := ternary "https" "http" .Values.clickhouse.external.secure -}}
 {{- $secure := ternary "true" "false" .Values.clickhouse.external.secure -}}
+{{- if .Values.clickhouse.external.existingSecret -}}
+{{ $protocol }}://{{ .Values.clickhouse.external.username }}:${CLICKHOUSE_PASSWORD}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}?secure={{ $secure }}
+{{- else -}}
 {{ $protocol }}://{{ .Values.clickhouse.external.username }}:{{ .Values.clickhouse.external.password }}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}?secure={{ $secure }}
 {{- end -}}
+{{- end -}}
 {{- end }}
 
 {{/*
@@ -211,8 +310,12 @@ ClickHouse URL for replication (without secure parameter)
 {{ $protocol }}://{{ .Values.clickhouse.auth.username }}:{{ .Values.clickhouse.auth.password }}@{{ include "trigger-v4.clickhouse.hostname" . }}:8123
 {{- else if .Values.clickhouse.external.host -}}
 {{- $protocol := ternary "https" "http" .Values.clickhouse.external.secure -}}
+{{- if .Values.clickhouse.external.existingSecret -}}
+{{ $protocol }}://{{ .Values.clickhouse.external.username }}:${CLICKHOUSE_PASSWORD}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}
+{{- else -}}
 {{ $protocol }}://{{ .Values.clickhouse.external.username }}:{{ .Values.clickhouse.external.password }}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}
 {{- end -}}
+{{- end -}}
 {{- end }}
 
 {{/*
@@ -266,14 +369,27 @@ Registry connection details
 {{- end -}}
 {{- end }}
 
+{{/*
+Webapp connectivity check enabled
+*/}}
+{{- define "trigger-v4.webapp.connectivityCheckEnabled" -}}
+{{- $connectivityCheckEnabled := true -}}
+{{- if hasKey .Values.webapp "connectivityCheck" -}}
+{{- if hasKey .Values.webapp.connectivityCheck "postgres" -}}
+{{- $connectivityCheckEnabled = .Values.webapp.connectivityCheck.postgres -}}
+{{- end -}}
+{{- end -}}
+{{- $connectivityCheckEnabled -}}
+{{- end }}
+
 {{/*
 PostgreSQL host (for wait-for-it script)
 */}}
 {{- define "trigger-v4.postgres.host" -}}
-{{- if .Values.postgres.external.host -}}
-{{ .Values.postgres.external.host }}:{{ .Values.postgres.external.port | default 5432 }}
-{{- else if .Values.postgres.deploy -}}
+{{- if .Values.postgres.deploy -}}
 {{ include "trigger-v4.postgres.hostname" . }}:5432
+{{- else if .Values.postgres.external.connectivityCheck.host -}}
+{{ .Values.postgres.external.connectivityCheck.host }}
 {{- end -}}
 {{- end }}
 
diff --git a/hosting/k8s/helm/templates/secrets.yaml b/hosting/k8s/helm/templates/secrets.yaml
@@ -13,6 +13,20 @@ data:
   MANAGED_WORKER_SECRET: {{ .Values.secrets.managedWorkerSecret | b64enc | quote }}
   OBJECT_STORE_ACCESS_KEY_ID: {{ .Values.secrets.objectStore.accessKeyId | b64enc | quote }}
   OBJECT_STORE_SECRET_ACCESS_KEY: {{ .Values.secrets.objectStore.secretAccessKey | b64enc | quote }}
+  {{- if and .Values.postgres.external.databaseUrl (not .Values.postgres.external.existingSecret) }}
+  postgres-database-url: {{ .Values.postgres.external.databaseUrl | b64enc | quote }}
+  {{- if .Values.postgres.external.directUrl }}
+  postgres-direct-url: {{ .Values.postgres.external.directUrl | b64enc | quote }}
+  {{- else }}
+  postgres-direct-url: {{ .Values.postgres.external.databaseUrl | b64enc | quote }}
+  {{- end }}
+  {{- end }}
+  {{- if and .Values.redis.external.host (not .Values.redis.external.existingSecret) .Values.redis.external.password }}
+  redis-password: {{ .Values.redis.external.password | b64enc | quote }}
+  {{- end }}
+  {{- if and .Values.clickhouse.external.host (not .Values.clickhouse.external.existingSecret) .Values.clickhouse.external.password }}
+  clickhouse-password: {{ .Values.clickhouse.external.password | b64enc | quote }}
+  {{- end }}
 {{- end }}
 ---
 {{- if and .Values.registry.deploy .Values.registry.auth.enabled }}
diff --git a/hosting/k8s/helm/templates/validate-external-config.yaml b/hosting/k8s/helm/templates/validate-external-config.yaml
@@ -3,8 +3,8 @@ Validation template to ensure external service configurations are provided when
 This template will fail the Helm deployment if external config is missing for required services
 */}}
 {{- if not .Values.postgres.deploy }}
-{{- if or (not .Values.postgres.external.host) (not .Values.postgres.external.database) (not .Values.postgres.external.username) }}
-{{- fail "PostgreSQL external configuration is required when postgres.deploy=false. Please provide postgres.external.host, postgres.external.database, and postgres.external.username" }}
+{{- if and (not .Values.postgres.external.databaseUrl) (not .Values.postgres.external.existingSecret) }}
+{{- fail "PostgreSQL external configuration is required when postgres.deploy=false. Please provide either postgres.external.databaseUrl or postgres.external.existingSecret" }}
 {{- end }}
 {{- end }}
 
diff --git a/hosting/k8s/helm/templates/webapp.yaml b/hosting/k8s/helm/templates/webapp.yaml
@@ -180,17 +180,38 @@ spec:
               value: {{ .Values.webapp.apiOrigin | quote }}
             - name: ELECTRIC_ORIGIN
               value: {{ include "trigger-v4.electric.url" . | quote }}
+            {{- if include "trigger-v4.postgres.useSecretUrl" . }}
             - name: DATABASE_URL
-              value: {{ include "trigger-v4.postgres.connectionString" . | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "trigger-v4.postgres.external.secretName" . }}
+                  key: {{ include "trigger-v4.postgres.external.databaseUrlKey" . }}
             - name: DIRECT_URL
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "trigger-v4.postgres.external.secretName" . }}
+                  key: {{ include "trigger-v4.postgres.external.directUrlKey" . }}
+            {{- else }}
+            - name: DATABASE_URL
               value: {{ include "trigger-v4.postgres.connectionString" . | quote }}
+            - name: DIRECT_URL
+              value: {{ include "trigger-v4.postgres.directUrl" . | quote }}
+            {{- end }}
+            {{- if and (include "trigger-v4.webapp.connectivityCheckEnabled" .) (include "trigger-v4.postgres.host" .) }}
             - name: DATABASE_HOST
               value: {{ include "trigger-v4.postgres.host" . | quote }}
+            {{- end }}
             - name: REDIS_HOST
               value: {{ include "trigger-v4.redis.host" . | quote }}
             - name: REDIS_PORT
               value: {{ include "trigger-v4.redis.port" . | quote }}
-            {{- if include "trigger-v4.redis.password" . }}
+            {{- if and .Values.redis.external.host .Values.redis.external.existingSecret }}
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "trigger-v4.redis.external.secretName" . }}
+                  key: {{ include "trigger-v4.redis.external.passwordKey" . }}
+            {{- else if include "trigger-v4.redis.password" . }}
             - name: REDIS_PASSWORD
               value: {{ include "trigger-v4.redis.password" . | quote }}
             {{- end }}
@@ -308,6 +329,13 @@ spec:
             - name: INTERNAL_OTEL_METRIC_EXPORTER_INTERVAL_MS
               value: {{ .Values.webapp.observability.metrics.exporterIntervalMs | quote }}
             {{- end }}
+            {{- if and .Values.clickhouse.external.host .Values.clickhouse.external.existingSecret }}
+            - name: CLICKHOUSE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "trigger-v4.clickhouse.external.secretName" . }}
+                  key: {{ include "trigger-v4.clickhouse.external.passwordKey" . }}
+            {{- end }}
             - name: CLICKHOUSE_URL
               value: {{ include "trigger-v4.clickhouse.url" . | quote }}
             - name: CLICKHOUSE_LOG_LEVEL
diff --git a/hosting/k8s/helm/values.yaml b/hosting/k8s/helm/values.yaml
@@ -104,6 +104,10 @@ webapp:
     #   cpu: 500m
     #   memory: 1Gi
 
+  # Connectivity check configuration
+  connectivityCheck:
+    postgres: true # Set to false to disable DATABASE_HOST env var (overrides postgres.external.connectivityCheck)
+
   # Extra environment variables for webapp
   extraEnvVars:
     []
@@ -114,6 +118,10 @@ webapp:
     #     secretKeyRef:
     #       name: my-secret
     #       key: secret-key
+    #
+    # Example: PostgreSQL SSL with custom CA certificate
+    # - name: NODE_EXTRA_CA_CERTS
+    #   value: "/etc/ssl/certs/postgres-ca.crt"
 
   # Extra volumes for the webapp pod
   extraVolumes:
@@ -124,6 +132,14 @@ webapp:
     # - name: secret-volume
     #   secret:
     #     secretName: my-secret
+    #
+    # Example: PostgreSQL SSL CA certificate volume
+    # - name: postgres-ca-cert
+    #   secret:
+    #     secretName: postgres-ca-secret
+    #     items:
+    #       - key: ca.crt
+    #         path: postgres-ca.crt
 
   # Extra volume mounts for the webapp container
   extraVolumeMounts:
@@ -134,6 +150,11 @@ webapp:
     # - name: secret-volume
     #   mountPath: /etc/secrets
     #   readOnly: true
+    #
+    # Example: PostgreSQL SSL CA certificate mount
+    # - name: postgres-ca-cert
+    #   mountPath: /etc/ssl/certs
+    #   readOnly: true
 
   # ServiceMonitor for Prometheus monitoring
   serviceMonitor:
@@ -363,15 +384,29 @@ postgres:
   # Custom connection settings
   connection:
     schema: "public"
-    sslMode: "disable" # Use "require" or "verify-full" for production
+    sslMode: "disable" # Use "require" or "verify-full" for production with custom CA
 
     # External PostgreSQL connection (when deploy: false)
   external:
-    host: ""
-    port: 5432
-    database: ""
-    username: ""
-    password: ""
+    # Database URL configuration - simplified approach using URLs instead of individual parameters
+    databaseUrl: "" # Full PostgreSQL connection URL (e.g., postgresql://user:pass@host:port/db?schema=public&sslmode=prefer)
+    directUrl: "" # Optional: Direct URL for migrations (if not set, databaseUrl will be used)
+    #
+    # Optional: Connectivity check configuration during webapp startup
+    connectivityCheck:
+      host: "" # Optional: hostname:port for wait-for-it script (e.g., "postgres.example.com:5432")
+    #
+    # Secure credential management
+    existingSecret: "" # Name of existing secret containing DATABASE_URL
+    secretKeys:
+      databaseUrlKey: "postgres-database-url" # Key in existing secret containing complete DATABASE_URL
+      directUrlKey: "postgres-direct-url" # Key in existing secret containing direct URL (optional)
+    #
+    # Example: For SSL connections with custom CA (e.g., AWS RDS):
+    # 1. Set connection.sslMode to "require" or "verify-full"
+    # 2. Create a secret with your CA certificate:
+    #    kubectl create secret generic postgres-ca-secret --from-file=ca.crt=/path/to/rds-ca-cert.pem
+    # 3. Configure extraVolumes, extraVolumeMounts, and extraEnvVars (see webapp section above)
 
 # Redis configuration
 redis:
@@ -394,9 +429,13 @@ redis:
   external:
     host: ""
     port: 6379
-    password: ""
+    password: "" # Optional - ignored if existingSecret is set
     tls:
-      enabled: false  # Set to true for Redis instances requiring TLS (e.g., AWS ElastiCache)
+      enabled: false # Set to true for Redis instances requiring TLS (e.g., AWS ElastiCache)
+    #
+    # Secure credential management
+    existingSecret: "" # Name of existing secret containing password
+    existingSecretPasswordKey: "redis-password" # Key in existing secret containing password
 
 # Electric configuration
 electric:
@@ -488,8 +527,12 @@ clickhouse:
     httpPort: 8123
     nativePort: 9000
     username: ""
-    password: ""
+    password: "" # Optional - ignored if existingSecret is set
     secure: false # Set to true for external secure connections
+    #
+    # Secure credential management
+    existingSecret: "" # Name of existing secret containing password
+    existingSecretKey: "clickhouse-password" # Key in existing secret containing password
 
   # ClickHouse configuration override
   # These defaults are based on official recommendations for systems with <16GB RAM:
