fix: emailsender to DB TLS connection (#2037)

* fix emailsender tls config * fix file permission for rds CA
stackrox · Sep 19, 2024 · 3f6f69b · 3f6f69b
1 parent 2b4212e
commit 3f6f69b
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 0 deletions.
diff --git a/.github/workflows/emailsender-central-compatibility.yaml b/.github/workflows/emailsender-central-compatibility.yaml
@@ -7,11 +7,15 @@ on:
       - main
     paths:
       - 'emailsender/**'
+      - 'scripts/**'
+      - '.github/workflows/emailsender-central-compatibility.yaml'
 
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
     paths:
       - 'emailsender/**'
+      - 'scripts/**'
+      - '.github/workflows/emailsender-central-compatibility.yaml'
 
 jobs:
   e2e-test-on-kind:

diff --git a/dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml b/dp-terraform/helm/rhacs-terraform/templates/emailsender.yaml
@@ -41,6 +41,10 @@ spec:
               value: "/var/run/certs/tls.crt"
             - name: HTTPS_KEY_FILE
               value: "/var/run/certs/tls.key"
+            - name: DATABASE_SSL_MODE
+              value: {{ .Values.emailsender.db.sslMode }}
+            - name: DATABASE_CA_CERT_FILE
+              value: {{ .Values.emailsender.db.caCertFile }}
             {{- if .Values.emailsender.authConfigFromKubernetes }}
             - name: AUTH_CONFIG_FROM_KUBERNETES
               value: "true"

diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml
@@ -72,6 +72,9 @@ emailsender:
   enabled: false
   # Use this in case you apply this manifest against a cluster without service-ca operator
   # to turn of HTTPS and mounting the service-ca certs since they'll not be created
+  db:
+    sslMode: "verify-full"
+    caCertFile: /rds_ca/aws-rds-ca-global-bundle.pem
   enableHTTPS: true
   replicas: 3
   image:

diff --git a/emailsender/Dockerfile b/emailsender/Dockerfile
@@ -15,6 +15,8 @@ FROM registry.access.redhat.com/ubi8/ubi-minimal:8.9 as standard
 RUN microdnf install shadow-utils
 
 RUN useradd -u 1001 unprivilegeduser
+ADD https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem /rds_ca/aws-rds-ca-global-bundle.pem
+RUN chmod a+rw /rds_ca/aws-rds-ca-global-bundle.pem
 # Switch to non-root user
 USER unprivilegeduser
 

diff --git a/scripts/ci/central_compatibility/emailsender-values.yaml b/scripts/ci/central_compatibility/emailsender-values.yaml
@@ -9,6 +9,9 @@ fleetshardSync:
     enabled: false
     subnetGroup: "dummyGroup"
 emailsender:
+  db:
+    sslMode: "disable"
+    caCertFile: ""
   image:
     repo: "quay.io/rhacs-eng/emailsender"
   enabled: true