From 3addce9425f518dd52c46c311d74c0e56dd7dcc5 Mon Sep 17 00:00:00 2001
From: Emil Natan <37400297+enarha@users.noreply.github.com>
Date: Mon, 18 Mar 2024 15:05:51 +0200
Subject: [PATCH] Revert "add config for enabling tekton results dbssl"

This reverts commit bb03c53765c886370402fc0e5d1903f58391ced1.
---
 developer/openshift/apps/pipeline-service.sh | 43 -------------------
 .../pipeline-service-storage/postgres.yaml | 18 +-------
 .../tekton-results/postgres.yaml | 2 +-
 .../local/tekton-results/kustomization.yaml | 2 -
 .../tekton-results/rds-db-cert-configmap.yaml | 10 -----
 .../tekton-results-postgresql-tls-secret.yaml | 12 ------
 .../tekton-results/api-db-config.yaml | 8 ----
 .../tekton-results/config.env | 4 +-
 8 files changed, 5 insertions(+), 94 deletions(-)
 delete mode 100644 developer/openshift/gitops/local/tekton-results/rds-db-cert-configmap.yaml
 delete mode 100644 developer/openshift/gitops/local/tekton-results/tekton-results-postgresql-tls-secret.yaml

diff --git a/developer/openshift/apps/pipeline-service.sh b/developer/openshift/apps/pipeline-service.sh
index 374ab0093..c800c13e5 100755
--- a/developer/openshift/apps/pipeline-service.sh
+++ b/developer/openshift/apps/pipeline-service.sh
@@ -30,7 +30,6 @@ configure_argocd_apps(){
 setup_tekton_results() {
 echo -n "- Tekton Results: "
 get_tekton_results_credentials
- generate_tekton_results_db_ssl_cert
 patch_tekton_results_manifests
 echo "OK"
 }
@@ -57,38 +56,6 @@ EOF
 TEKTON_RESULTS_S3_PASSWORD="$(yq ".s3_password" "$tekton_results_credentials")"
 }
 
-generate_tekton_results_db_ssl_cert(){
- TEKTON_RESULTS_DB_SSL="$WORK_DIR/certificates/tekton-results"
- mkdir -p "$TEKTON_RESULTS_DB_SSL"
- openssl req -newkey rsa:4096 -nodes -text \
- -keyout "$TEKTON_RESULTS_DB_SSL/root.key" \
- -out "$TEKTON_RESULTS_DB_SSL/root.csr" \
- -subj "/CN=postgres-postgresql.tekton-results.svc.cluster.local" \
- -addext "subjectAltName=DNS:postgres-postgresql.tekton-results.svc.cluster.local" \
- > /dev/null 2>&1
- chmod og-rwx "$TEKTON_RESULTS_DB_SSL/root.key"
- openssl x509 -req -days 7 -text \
- -signkey "$TEKTON_RESULTS_DB_SSL/root.key" \
- -in "$TEKTON_RESULTS_DB_SSL/root.csr" \
- -extfile "/etc/ssl/openssl.cnf" \
- -extensions v3_ca \
- -out "$TEKTON_RESULTS_DB_SSL/ca.crt" \
- > /dev/null 2>&1
- openssl req -new -nodes -text \
- -out "$TEKTON_RESULTS_DB_SSL/root.csr" \
- -keyout "$TEKTON_RESULTS_DB_SSL/tls.key" \
- -subj "/CN=postgres-postgresql.tekton-results.svc.cluster.local" \
- -addext "subjectAltName=DNS:postgres-postgresql.tekton-results.svc.cluster.local" \
- > /dev/null 2>&1
- chmod og-rwx "$TEKTON_RESULTS_DB_SSL/tls.key"
- openssl x509 -req -text -days 7 -CAcreateserial \
- -in "$TEKTON_RESULTS_DB_SSL/root.csr" \
- -CA "$TEKTON_RESULTS_DB_SSL/ca.crt" \
- -CAkey "$TEKTON_RESULTS_DB_SSL/root.key" \
- -out "$TEKTON_RESULTS_DB_SSL/tls.crt" \
- > /dev/null 2>&1
-}
-
 patch_tekton_results_manifests(){
 yq --inplace "
 .data.[\"db.password\"]=\"$(echo -n "$TEKTON_RESULTS_DATABASE_PASSWORD" | base64)\",
@@ -108,18 +75,8 @@ EOF
 yq --inplace "
 .data.[\"config.env\"]=\"$string_data\"
 " "$WORK_DIR/environment/compute/tekton-results/tekton-results-minio-config.yaml"
- yq --inplace "
- .data.[\"ca.crt\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/ca.crt")\" |
- .data.[\"tls.crt\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/tls.crt")\" |
- .data.[\"tls.key\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/tls.key")\"
- " "$WORK_DIR/environment/compute/tekton-results/tekton-results-postgresql-tls-secret.yaml"
- yq --inplace "
- .data.[\"tekton-results-db-ca.pem\"]=\"$(cat "$TEKTON_RESULTS_DB_SSL/tls.crt" "$TEKTON_RESULTS_DB_SSL/ca.crt")\"
- " "$WORK_DIR/environment/compute/tekton-results/rds-db-cert-configmap.yaml"
 }
-
-
 deploy_application() {
 echo "- Deploy application:"
diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml
index ad904df27..452cfb76b 100644
--- a/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml
+++ b/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml
@@ -22,18 +22,8 @@ spec:
 value: 13.14.0
 - name: tls.enabled
 value: "true"
- - name: tls.certificatesSecret
- value: "postgresql-tls"
- - name: tls.certFilename
- value: "tls.crt"
- - name: tls.certKeyFilename
- value: "tls.key"
- # There is an unresolved issue with CA cert that stops pods from
- # starting due to readiness probe failure. The workaround is
- # discussed here along with the linked issues:
- # https://github.com/bitnami/charts/issues/8026
- # - name: tls.certCAFilename
- # value: "ca.crt"
+ - name: tls.autoGenerated
+ value: "true"
 - name: auth.database
 value: "tekton_results"
 - name: auth.username
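Review bot: The new `tls.autoGenerated` entry is undocumented, while the removed comment block was the only place recording why the Results API cannot verify the database certificate. As far as I can tell the chart's auto-generated certificate is self-signed with no CA the client could pin, which is what forces the client side of this same commit down to DB_SSLMODE disable; that reasoning should survive in the file. I would add above the new entry: `# autoGenerated issues a self-signed server certificate that clients cannot verify;` / `# the Results API therefore connects with DB_SSLMODE=disable instead of verify-ca.`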
@@ -64,10 +54,6 @@ spec:
 value: "false"
 - name: shmVolume.enabled
 value: "false"
- # provide CA cert as extraEnv until the issue is resolved. See above ^
- extraEnv:
- - name: PGSSLROOTCERT
- value: /opt/bitnami/postgresql/certs/ca.crt
 syncPolicy:
 # Comment this out if you want to manually trigger deployments (using the
 # Argo CD Web UI or Argo CD CLI), rather than automatically deploying on
diff --git a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/postgres.yaml b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/postgres.yaml
index 44a0c45eb..13c8ac8aa 100644
--- a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/postgres.yaml
+++ b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/postgres.yaml
@@ -13,4 +13,4 @@ spec:
 - name: api
 env:
 - name: DB_SSLMODE
- value: "verify-ca"
+ value: "disable"
diff --git a/developer/openshift/gitops/local/tekton-results/kustomization.yaml b/developer/openshift/gitops/local/tekton-results/kustomization.yaml
index 100db9391..635a4badb 100644
--- a/developer/openshift/gitops/local/tekton-results/kustomization.yaml
+++ b/developer/openshift/gitops/local/tekton-results/kustomization.yaml
@@ -6,5 +6,3 @@ resources:
 - tekton-results-db-secret.yaml
 - tekton-results-s3-secret.yaml
 - tekton-results-minio-config.yaml
- - rds-db-cert-configmap.yaml
- - tekton-results-postgresql-tls-secret.yaml
diff --git a/developer/openshift/gitops/local/tekton-results/rds-db-cert-configmap.yaml b/developer/openshift/gitops/local/tekton-results/rds-db-cert-configmap.yaml
deleted file mode 100644
index 46070dd58..000000000
--- a/developer/openshift/gitops/local/tekton-results/rds-db-cert-configmap.yaml
+++ /dev/null
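Review bot: `value: "disable"` for DB_SSLMODE turns the Results API's database connection into cleartext, not merely an unverified TLS session, so the database password and whatever the API reads and writes cross the cluster network unencrypted; the same downgrade is made by `DB_SSLMODE=disable` in the config.env hunk at the end of the patch. The server side of this commit still keeps `tls.enabled: "true"` with an auto-generated certificate, so `value: "require"` would keep the channel encrypted without needing the root CA that the removed verify-ca and verify-full settings depended on, at the cost of no server authentication, which deserves a comment next to the setting. If the operator-side config.env targets a database that does not offer TLS, that should be stated beside `DB_SSLROOTCERT=` rather than left implicit by an empty value.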
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: rds-root-crt
- namespace: tekton-results
-data:
- # contents of the public certificate should be inserted here
- # the name of the key must be same as provided in the tekton results .env config
- tekton-results-db-ca.pem:
diff --git a/developer/openshift/gitops/local/tekton-results/tekton-results-postgresql-tls-secret.yaml b/developer/openshift/gitops/local/tekton-results/tekton-results-postgresql-tls-secret.yaml
deleted file mode 100644
index 460c5a6db..000000000
--- a/developer/openshift/gitops/local/tekton-results/tekton-results-postgresql-tls-secret.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: postgresql-tls
- namespace: tekton-results
-data:
- # Provide CA, TLS cert and key. CA cert is not being used until readiness
- # probe issue is resolved with the binami/postgresql chart
- ca.crt:
- tls.crt:
- tls.key:
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/api-db-config.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/api-db-config.yaml
index 0d4f1d49f..3c22ffbba 100644
--- a/operator/gitops/argocd/pipeline-service/tekton-results/api-db-config.yaml
+++ b/operator/gitops/argocd/pipeline-service/tekton-results/api-db-config.yaml
@@ -33,11 +33,3 @@ spec:
 secretKeyRef:
 name: tekton-results-database
 key: db.name
- volumeMounts:
- - name: db-tls-ca
- mountPath: /etc/tls/db
- readOnly: true
- volumes:
- - name: db-tls-ca
- configMap:
- name: rds-root-crt
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/config.env b/operator/gitops/argocd/pipeline-service/tekton-results/config.env
index ae43d6d04..ccf32e35a 100644
--- a/operator/gitops/argocd/pipeline-service/tekton-results/config.env
+++ b/operator/gitops/argocd/pipeline-service/tekton-results/config.env
@@ -3,8 +3,8 @@ DB_PASSWORD=
 DB_HOST=
 DB_PORT=5432
 DB_NAME=
-DB_SSLMODE=verify-full
-DB_SSLROOTCERT=/etc/tls/db/tekton-results-db-ca.pem
+DB_SSLMODE=disable
+DB_SSLROOTCERT=
 DB_ENABLE_AUTO_MIGRATION=true
 SERVER_PORT=8080
 PROMETHEUS_PORT=9090