From 674d9c4252751095a1ce00b26270ab5c567ddd81 Mon Sep 17 00:00:00 2001
From: Matthew Abbott
Date: Thu, 18 Apr 2024 04:47:34 -0500
Subject: [PATCH] Add values to inject trusted certs into streaming (#92)
Co-authored-by: Tim Campbell
---
 templates/deployment-streaming.yaml | 28 ++++++++++++++++++++++++++++
 values.yaml | 8 ++++++++
 2 files changed, 36 insertions(+)
diff --git a/templates/deployment-streaming.yaml b/templates/deployment-streaming.yaml
index e64d38f7..8d66361a 100644
--- a/templates/deployment-streaming.yaml
+++ b/templates/deployment-streaming.yaml
@@ -39,6 +39,16 @@ spec:
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.mastodon.streaming.extraCerts }}
+ {{- $name := .name | default "extra-certs" }}
+ volumes:
+ - name: {{ $name }}
+ secret:
+ secretName: {{ .existingSecret }}
+ items:
+ - key: ca.crt
+ path: trusted-ca.crt
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}-streaming
 {{- with (default .Values.securityContext .Values.mastodon.streaming.securityContext) }}
@@ -50,6 +60,12 @@ spec:
 command:
 - node
 - ./streaming
+ {{- with .Values.mastodon.streaming.extraCerts }}
+ {{- $name := .name | default "extra-certs" }}
+ volumeMounts:
+ - name: {{ $name }}
+ mountPath: "/usr/local/share/ca-certificates"
+ {{- end }}
 envFrom:
 - configMapRef:
 name: {{ include "mastodon.fullname" . }}-env
@@ -58,6 +74,18 @@ spec:
 name: {{ .Values.mastodon.extraEnvFrom }}
 {{- end}}
 env:
+ {{- with .Values.mastodon.streaming.extraCerts }}
+ - name: "NODE_EXTRA_CA_CERTS"
+ value: "/usr/local/share/ca-certificates/trusted-ca.crt"
+ {{- with .sslMode }}
+ - name: "DB_SSLMODE"
+ value: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.postgresql.postgresqlReplicaHostname }}
+ - name: "DB_HOST"
+ value: {{ . }}
+ {{- end }}
 - name: "DB_PASS"
 valueFrom:
 secretKeyRef:
diff --git a/values.yaml b/values.yaml
index 3afcc10e..e2cefdae 100644
--- a/values.yaml
+++ b/values.yaml
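Review bot: In templates/deployment-streaming.yaml (hunk `@@ -39,6 +39,16 @@`), `secretName: {{ .existingSecret }}` renders an empty value whenever `extraCerts` is set without `existingSecret` (for instance with only `sslMode`), so the pod spec gets a secret volume with a null name and the mistake only surfaces when the manifest is applied. Fail at render time and quote the value: `secretName: {{ required "mastodon.streaming.extraCerts.existingSecret is required" .existingSecret | quote }}`. The block also emits its own `volumes:` key; the pod spec continues outside the hunk, so confirm no second `volumes:` key can be rendered next to it, since most parsers silently keep only the last duplicate.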
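Review bot: In templates/deployment-streaming.yaml (hunk `@@ -50,6 +60,12 @@`), the secret is mounted over the whole `/usr/local/share/ca-certificates` directory, which hides any CA files the image already ships there (whether it ships any is not visible from this diff). Only one file is needed, and Node reads `NODE_EXTRA_CA_CERTS` once at process start, so a file-level read-only mount loses nothing: `mountPath: "/usr/local/share/ca-certificates/trusted-ca.crt"`, `subPath: trusted-ca.crt`, `readOnly: true`. The `$name` default is repeated here and in the volumes block, so the two must be kept in sync by hand; a short comment saying so would help.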
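Review bot: In templates/deployment-streaming.yaml (hunk `@@ -58,6 +74,18 @@`), both `value: {{ . }}` lines (`DB_SSLMODE` and `DB_HOST`) are rendered unquoted, and a container env `value` must be a string, so any setting YAML reads as a boolean, number or null is rejected at apply time; use `value: {{ . | quote }}` for both. The `DB_HOST` entry is keyed on `.Values.postgresql.postgresqlReplicaHostname`, sits outside the `extraCerts` block and is not mentioned in the commit subject, so setting that value now silently points streaming at the replica. It should get a comment in the template and an entry in values.yaml stating that this is intended. The `env:` list continues outside the hunk.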
@@ -230,6 +230,14 @@ mastodon:
 # requests:
 # cpu: 250m
 # memory: 128Mi
+ # -- Self-signed certificate(s) the (Node.js) needs to trust to connect to e.g. the database
+ extraCerts: {}
+ # -- Secret containing a key "ca.crt" holding one or more root certificates in PEM format
+ # existingSecret:
+ # -- Optional volume name for mounting the .crt file, defaults to "extra-certs"
+ # name:
+ # -- Optional sslMode setting. See nodejs's SSL_MODE. Consider "no-verify"
+ # sslMode:
 web:
 port: 3000
 # -- Number of Web Pods running
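Review bot: The `sslMode` comment recommends `"no-verify"`, a mode that skips validation of the server certificate, which undoes the reason for injecting a trusted CA through `extraCerts` and leaves the database connection open to interception. Document the verifying choice as the default advice, for example `# -- Optional DB_SSLMODE for streaming. Prefer a verifying mode; "no-verify" disables certificate validation and should only be a temporary workaround`. The first comment is also missing its subject ("the (Node.js) needs to trust"); `the streaming server (Node.js) needs to trust` reads as intended. "See nodejs's SSL_MODE" points at nothing a reader can look up, so naming the environment variable the template actually sets (`DB_SSLMODE`) would be clearer.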