feat(helm): fix postgres client cert setup

app/kumactl/cmd/install/install_control_plane_test.go

@@ -250,7 +250,7 @@ var _ = Describe("kumactl install control-plane", func() {
 				"--set",
 				"postgres.tls.mode=verifyFull",
 				"--set",
-				"postgres.tls.secretName=postgres-tls-secret-name",
+				"postgres.tls.caSecretName=postgres-ca",
 			},
 			goldenFile: "install-control-plane.global-universal-on-k8s.golden.yaml",
 		}),

app/kumactl/cmd/install/testdata/install-control-plane.dump-values.yaml

@@ -681,7 +681,9 @@ postgres:
     mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
     # -- Whether to disable SNI the postgres `sslsni` option.
     disableSSLSNI: false # ENV: KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI
-    # -- Secret name that contains the CA tls.crt, tls.key and CA bundle
+    # -- Secret name that contains the ca.crt
+    caSecretName:
+    # -- Secret name that contains the client tls.crt, tls.key
     secretName:
 
 # @ignored for helm-docs

app/kumactl/cmd/install/testdata/install-control-plane.global-universal-on-k8s.golden.yaml

@@ -160,11 +160,7 @@ spec:
             - name: KUMA_STORE_POSTGRES_PORT
               value: "5432"
             - name: KUMA_STORE_POSTGRES_TLS_CA_PATH
-              value: "/var/run/secrets/kuma.io/postgres-client-certs/postgres-tls-secret-name"
-            - name: KUMA_STORE_POSTGRES_TLS_CERT_PATH
-              value: "/var/run/secrets/kuma.io/postgres-client-certs/tls.crt"
-            - name: KUMA_STORE_POSTGRES_TLS_KEY_PATH
-              value: "/var/run/secrets/kuma.io/postgres-client-certs/tls.key"
+              value: "/var/run/secrets/kuma.io/postgres-tls-cert/ca.crt"
             - name: KUMA_STORE_POSTGRES_TLS_MODE
               value: "verifyFull"
             - name: KUMA_STORE_TYPE
@@ -181,8 +177,9 @@ spec:
               cpu: 500m
               memory: 256Mi
           volumeMounts:
-            - name: postgres-client-certs
-              mountPath: /var/run/secrets/kuma.io/postgres-client-certs
+            - name: postgres-tls-cert-ca
+              subPath: ca.crt
+              mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt
               readOnly: true
             - name: kuma-control-plane-config
               mountPath: /etc/kuma.io/kuma-control-plane
@@ -205,11 +202,7 @@ spec:
             - name: KUMA_STORE_POSTGRES_PORT
               value: "5432"
             - name: KUMA_STORE_POSTGRES_TLS_CA_PATH
-              value: "/var/run/secrets/kuma.io/postgres-client-certs/postgres-tls-secret-name"
-            - name: KUMA_STORE_POSTGRES_TLS_CERT_PATH
-              value: "/var/run/secrets/kuma.io/postgres-client-certs/tls.crt"
-            - name: KUMA_STORE_POSTGRES_TLS_KEY_PATH
-              value: "/var/run/secrets/kuma.io/postgres-client-certs/tls.key"
+              value: "/var/run/secrets/kuma.io/postgres-tls-cert/ca.crt"
             - name: KUMA_STORE_POSTGRES_TLS_MODE
               value: "verifyFull"
             - name: KUMA_STORE_TYPE
@@ -250,15 +243,16 @@ spec:
             - name: kuma-control-plane-config
               mountPath: /etc/kuma.io/kuma-control-plane
               readOnly: true
-            - name: postgres-client-certs
-              mountPath: /var/run/secrets/kuma.io/postgres-client-certs
+            - name: postgres-tls-cert-ca
+              subPath: ca.crt
+              mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt
               readOnly: true
             - name: tmp
               mountPath: /tmp
       volumes:
-        - name: postgres-client-certs
+        - name: postgres-tls-cert-ca
           secret:
-            secretName: postgres-tls-secret-name
+            secretName: postgres-ca
         - name: kuma-control-plane-config
           configMap:
             name: kuma-control-plane-config

deployments/charts/kuma/README.md

@@ -191,7 +191,8 @@ A Helm chart for the Kuma Control Plane
 | postgres.port | string | `"5432"` | Postgres port, password should be provided as a secret reference in "controlPlane.secrets" with the Env value "KUMA_STORE_POSTGRES_PASSWORD". Example: controlPlane:   secrets:     - Secret: postgres-postgresql       Key: postgresql-password       Env: KUMA_STORE_POSTGRES_PASSWORD |
 | postgres.tls.mode | string | `"disable"` | Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull" |
 | postgres.tls.disableSSLSNI | bool | `false` | Whether to disable SNI the postgres `sslsni` option. |
-| postgres.tls.secretName | string | `nil` | Secret name that contains the CA tls.crt, tls.key and CA bundle |
+| postgres.tls.caSecretName | string | `nil` | Secret name that contains the ca.crt |
+| postgres.tls.secretName | string | `nil` | Secret name that contains the client tls.crt, tls.key |
 
 ## Custom Resource Definitions
 

deployments/charts/kuma/templates/_helpers.tpl

@@ -327,16 +327,19 @@ env:
 - name: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE
   value: /var/run/secrets/kuma.io/kds-server-tls-cert/tls.key
 {{- end }}
-{{- if ne .Values.postgres.tls.mode "disable" }}
-{{- if empty .Values.postgres.tls.secretName }}
-{{ fail "if mode is not 'disable' then you must provide .Values.postgres.tls.secretName" }}
+{{- if or (eq .Values.postgres.tls.mode "verifyCa") (eq .Values.postgres.tls.mode "verifyFull") }}
+{{- if empty .Values.postgres.tls.caSecretName }}
+{{ fail "if mode is 'verifyCa' or 'verifyFull' then you must provide .Values.postgres.tls.caSecretName" }}
 {{- end }}
+{{- if .Values.postgres.tls.secretName }}
 - name: KUMA_STORE_POSTGRES_TLS_CERT_PATH
-  value: /var/run/secrets/kuma.io/postgres-client-certs/tls.crt
+  value: /var/run/secrets/kuma.io/postgres-tls-cert/tls.crt
 - name: KUMA_STORE_POSTGRES_TLS_KEY_PATH
-  value: /var/run/secrets/kuma.io/postgres-client-certs/tls.key
+  value: /var/run/secrets/kuma.io/postgres-tls-cert/tls.key
+{{- end }}
+{{- if .Values.postgres.tls.caSecretName }}
 - name: KUMA_STORE_POSTGRES_TLS_CA_PATH
-  value: /var/run/secrets/kuma.io/postgres-client-certs/{{ .Values.postgres.tls.secretName }}
+  value: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt
 {{- end }}
 - name: KUMA_STORE_POSTGRES_TLS_MODE
   value: {{ .Values.postgres.tls.mode }}
@@ -345,6 +348,7 @@ env:
   value: {{ .Values.postgres.tls.disableSSLSNI }}
 {{- end }}
 {{- end }}
+{{- end }}
 
 {{/*
 params: { image: { registry?, repository, tag? }, root: $ }

deployments/charts/kuma/templates/cp-deployment.yaml

@@ -103,9 +103,20 @@ spec:
             {{- .Values.controlPlane.resources | toYaml | nindent 12 }}
             {{- end }}
           volumeMounts:
-          {{- if and .Values.postgres.tls.secretName (ne .Values.postgres.tls.mode "disable") }}
-            - name: postgres-client-certs
-              mountPath: /var/run/secrets/kuma.io/postgres-client-certs
+          {{- if .Values.postgres.tls.caSecretName }}
+            - name: postgres-tls-cert-ca
+              subPath: ca.crt
+              mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt
+              readOnly: true
+          {{- end }}
+          {{- if .Values.postgres.tls.secretName }}
+            - name: postgres-tls-cert
+              subPath: tls.crt
+              mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.crt
+              readOnly: true
+            - name: postgres-tls-cert
+              subPath: tls.key
+              mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.key
               readOnly: true
           {{- end }}
             - name: {{ include "kuma.name" . }}-control-plane-config
@@ -193,9 +204,20 @@ spec:
               mountPath: /var/run/secrets/kuma.io/api-server-tls-cert
               readOnly: true
           {{- end }}
-          {{- if and .Values.postgres.tls.secretName (ne .Values.postgres.tls.mode "disable") }}
-            - name: postgres-client-certs
-              mountPath: /var/run/secrets/kuma.io/postgres-client-certs
+          {{- if .Values.postgres.tls.caSecretName }}
+            - name: postgres-tls-cert-ca
+              subPath: ca.crt
+              mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt
+              readOnly: true
+          {{- end }}
+          {{- if .Values.postgres.tls.secretName }}
+            - name: postgres-tls-cert
+              subPath: tls.crt
+              mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.crt
+              readOnly: true
+            - name: postgres-tls-cert
+              subPath: tls.key
+              mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.key
               readOnly: true
           {{- end }}
           {{- if .Values.controlPlane.tls.apiServer.clientCertsSecretName }}
@@ -267,8 +289,13 @@ spec:
           secret:
             secretName: {{ .Values.controlPlane.tls.apiServer.secretName }}
         {{- end }}
-        {{- if and .Values.postgres.tls.secretName (ne .Values.postgres.tls.mode "disable") }}
-        - name: postgres-client-certs
+        {{- if .Values.postgres.tls.caSecretName }}
+        - name: postgres-tls-cert-ca
+          secret:
+            secretName: {{ .Values.postgres.tls.caSecretName }}
+        {{- end }}
+        {{- if .Values.postgres.tls.secretName }}
+        - name: postgres-tls-cert
           secret:
             secretName: {{ .Values.postgres.tls.secretName }}
         {{- end }}

deployments/charts/kuma/values.yaml

@@ -681,7 +681,9 @@ postgres:
     mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
     # -- Whether to disable SNI the postgres `sslsni` option.
     disableSSLSNI: false # ENV: KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI
-    # -- Secret name that contains the CA tls.crt, tls.key and CA bundle
+    # -- Secret name that contains the ca.crt
+    caSecretName:
+    # -- Secret name that contains the client tls.crt, tls.key
     secretName:
 
 # @ignored for helm-docs

pkg/config/app/kuma-cp/kuma-cp.defaults.yaml

@@ -39,9 +39,9 @@ store:
     tls:
       # Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull"
       mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
-      # Path to TLS Certificate of the client. Used in verifyCa and verifyFull modes
+      # Path to TLS Certificate of the client. Required when server has METHOD=cert
       certPath: # ENV: KUMA_STORE_POSTGRES_TLS_CERT_PATH
-      # Path to TLS Key of the client. Used in verifyCa and verifyFull modes
+      # Path to TLS Key of the client. Required when server has METHOD=cert
       keyPath: # ENV: KUMA_STORE_POSTGRES_TLS_KEY_PATH
       # Path to the root certificate. Used in verifyCa and verifyFull modes.
       caPath: # ENV: KUMA_STORE_POSTGRES_TLS_ROOT_CERT_PATH

pkg/config/plugins/resources/postgres/config.go

@@ -117,9 +117,9 @@ func (mode TLSMode) postgresMode() (string, error) {
 type TLSPostgresStoreConfig struct {
 	// Mode of TLS connection. Available values (disable, verifyNone, verifyCa, verifyFull)
 	Mode TLSMode `json:"mode" envconfig:"kuma_store_postgres_tls_mode"`
-	// Path to TLS Certificate of the client. Used in require, verifyCa and verifyFull modes
+	// Path to TLS Certificate of the client. Required when server has METHOD=cert
 	CertPath string `json:"certPath" envconfig:"kuma_store_postgres_tls_cert_path"`
-	// Path to TLS Key of the client. Used in verifyNone, verifyCa and verifyFull modes
+	// Path to TLS Key of the client. Required when server has METHOD=cert
 	KeyPath string `json:"keyPath" envconfig:"kuma_store_postgres_tls_key_path"`
 	// Path to the root certificate. Used in verifyCa and verifyFull modes.
 	CAPath string `json:"caPath" envconfig:"kuma_store_postgres_tls_ca_path"`