Revert "add config for enabling tekton results dbssl"

This reverts commit bb03c53.
enarha · Mar 18, 2024 · 3addce9 · 3addce9
1 parent 762cef0
commit 3addce9
Show file tree

Hide file tree

Showing 8 changed files with 5 additions and 94 deletions.
diff --git a/developer/openshift/apps/pipeline-service.sh b/developer/openshift/apps/pipeline-service.sh
@@ -30,7 +30,6 @@ configure_argocd_apps(){
 setup_tekton_results() {
   echo -n "- Tekton Results: "
   get_tekton_results_credentials
-  generate_tekton_results_db_ssl_cert
   patch_tekton_results_manifests
   echo "OK"
 }
@@ -57,38 +56,6 @@ EOF
   TEKTON_RESULTS_S3_PASSWORD="$(yq ".s3_password" "$tekton_results_credentials")"
 }
 
-generate_tekton_results_db_ssl_cert(){
-  TEKTON_RESULTS_DB_SSL="$WORK_DIR/certificates/tekton-results"
-  mkdir -p "$TEKTON_RESULTS_DB_SSL"
-  openssl req -newkey rsa:4096 -nodes -text \
-    -keyout "$TEKTON_RESULTS_DB_SSL/root.key" \
-    -out "$TEKTON_RESULTS_DB_SSL/root.csr" \
-    -subj "/CN=postgres-postgresql.tekton-results.svc.cluster.local" \
-    -addext "subjectAltName=DNS:postgres-postgresql.tekton-results.svc.cluster.local" \
-    > /dev/null 2>&1
-  chmod og-rwx "$TEKTON_RESULTS_DB_SSL/root.key"
-  openssl x509 -req -days 7 -text \
-    -signkey "$TEKTON_RESULTS_DB_SSL/root.key" \
-    -in "$TEKTON_RESULTS_DB_SSL/root.csr" \
-    -extfile "/etc/ssl/openssl.cnf" \
-    -extensions v3_ca \
-    -out "$TEKTON_RESULTS_DB_SSL/ca.crt" \
-    > /dev/null 2>&1
-  openssl req -new -nodes -text \
-    -out "$TEKTON_RESULTS_DB_SSL/root.csr" \
-    -keyout "$TEKTON_RESULTS_DB_SSL/tls.key" \
-    -subj "/CN=postgres-postgresql.tekton-results.svc.cluster.local" \
-    -addext "subjectAltName=DNS:postgres-postgresql.tekton-results.svc.cluster.local" \
-    > /dev/null 2>&1
-  chmod og-rwx "$TEKTON_RESULTS_DB_SSL/tls.key"
-  openssl x509 -req -text -days 7 -CAcreateserial \
-    -in "$TEKTON_RESULTS_DB_SSL/root.csr" \
-    -CA "$TEKTON_RESULTS_DB_SSL/ca.crt" \
-    -CAkey "$TEKTON_RESULTS_DB_SSL/root.key" \
-    -out "$TEKTON_RESULTS_DB_SSL/tls.crt" \
-    > /dev/null 2>&1
-}
-
 patch_tekton_results_manifests(){
   yq --inplace "
     .data.[\"db.password\"]=\"$(echo -n "$TEKTON_RESULTS_DATABASE_PASSWORD" | base64)\",
@@ -108,18 +75,8 @@ EOF
   yq --inplace "
     .data.[\"config.env\"]=\"$string_data\"
   " "$WORK_DIR/environment/compute/tekton-results/tekton-results-minio-config.yaml"
-  yq --inplace "
-    .data.[\"ca.crt\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/ca.crt")\" |
-    .data.[\"tls.crt\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/tls.crt")\" |
-    .data.[\"tls.key\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/tls.key")\"
-  " "$WORK_DIR/environment/compute/tekton-results/tekton-results-postgresql-tls-secret.yaml"
-  yq --inplace "
-  .data.[\"tekton-results-db-ca.pem\"]=\"$(cat "$TEKTON_RESULTS_DB_SSL/tls.crt" "$TEKTON_RESULTS_DB_SSL/ca.crt")\"
-  " "$WORK_DIR/environment/compute/tekton-results/rds-db-cert-configmap.yaml"
 }
 
-
-
 deploy_application() {
   echo "- Deploy application:"
 

diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml
@@ -22,18 +22,8 @@ spec:
           value: 13.14.0
         - name: tls.enabled
           value: "true"
-        - name: tls.certificatesSecret
-          value: "postgresql-tls"
-        - name: tls.certFilename
-          value: "tls.crt"
-        - name: tls.certKeyFilename
-          value: "tls.key"
-        # There is an unresolved issue with CA cert that stops pods from
-        # starting due to readiness probe failure. The workaround is
-        # discussed here along with the linked issues:
-        # https://github.com/bitnami/charts/issues/8026
-        # - name: tls.certCAFilename
-        #   value: "ca.crt"
+        - name: tls.autoGenerated
+          value: "true"
         - name: auth.database
           value: "tekton_results"
         - name: auth.username
@@ -64,10 +54,6 @@ spec:
           value: "false"
         - name: shmVolume.enabled
           value: "false"
-      # provide CA cert as extraEnv until the issue is resolved. See above ^
-      extraEnv:
-        - name: PGSSLROOTCERT
-          value: /opt/bitnami/postgresql/certs/ca.crt
   syncPolicy:
     # Comment this out if you want to manually trigger deployments (using the
     # Argo CD Web UI or Argo CD CLI), rather than automatically deploying on

diff --git a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/postgres.yaml b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/postgres.yaml
@@ -13,4 +13,4 @@ spec:
         - name: api
           env:
             - name: DB_SSLMODE
-              value: "verify-ca"
+              value: "disable"
diff --git a/developer/openshift/gitops/local/tekton-results/kustomization.yaml b/developer/openshift/gitops/local/tekton-results/kustomization.yaml
@@ -6,5 +6,3 @@ resources:
   - tekton-results-db-secret.yaml
   - tekton-results-s3-secret.yaml
   - tekton-results-minio-config.yaml
-  - rds-db-cert-configmap.yaml
-  - tekton-results-postgresql-tls-secret.yaml
diff --git a/developer/openshift/gitops/local/tekton-results/rds-db-cert-configmap.yaml b/developer/openshift/gitops/local/tekton-results/rds-db-cert-configmap.yaml
diff --git a/developer/openshift/gitops/local/tekton-results/tekton-results-postgresql-tls-secret.yaml b/developer/openshift/gitops/local/tekton-results/tekton-results-postgresql-tls-secret.yaml
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/api-db-config.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/api-db-config.yaml
@@ -33,11 +33,3 @@ spec:
                 secretKeyRef:
                   name: tekton-results-database
                   key: db.name
-          volumeMounts:
-            - name: db-tls-ca
-              mountPath: /etc/tls/db
-              readOnly: true
-      volumes:
-        - name: db-tls-ca
-          configMap:
-            name: rds-root-crt
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/config.env b/operator/gitops/argocd/pipeline-service/tekton-results/config.env
@@ -3,8 +3,8 @@ DB_PASSWORD=
 DB_HOST=
 DB_PORT=5432
 DB_NAME=
-DB_SSLMODE=verify-full
-DB_SSLROOTCERT=/etc/tls/db/tekton-results-db-ca.pem
+DB_SSLMODE=disable
+DB_SSLROOTCERT=
 DB_ENABLE_AUTO_MIGRATION=true
 SERVER_PORT=8080
 PROMETHEUS_PORT=9090