refactor(gitops): split postgresql stunnel server

2026-04-02 18:30:50 +08:00 · 2026-04-02 18:30:50 +08:00 · a5730d663b
commit a5730d663b
parent 962c7641bb
5 changed files with 89 additions and 8 deletions
--- a/databases/postgresql/kustomization.yaml
+++ b/databases/postgresql/kustomization.yaml
@ -6,6 +6,9 @@ resources:
  - helmrelease.yaml
  - externalsecret.yaml
  - stunnel-externalsecret.yaml
+  - stunnel-server-configmap.yaml
+  - stunnel-server-deployment.yaml
+  - stunnel-server-service.yaml
 configMapGenerator:
  - name: postgresql-values
    files:
--- a/databases/postgresql/stunnel-server-configmap.yaml
+++ b/databases/postgresql/stunnel-server-configmap.yaml
@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgresql-stunnel-server
+  namespace: database
+data:
+  stunnel.conf: |
+    foreground = yes
+    debug = 5
+    [postgres-tls-server]
+    client = no
+    accept = 0.0.0.0:5433
+    connect = postgresql.database.svc.cluster.local:5432
+    cert = /etc/stunnel/certs/server-cert.pem
+    key = /etc/stunnel/certs/server-key.pem
+    sslVersionMin = TLSv1.2
+    options = NO_SSLv2
+    options = NO_SSLv3
+    socket = l:TCP_NODELAY=1
+    socket = r:TCP_NODELAY=1
+    socket = l:SO_KEEPALIVE=1
+    socket = r:TCP_KEEPALIVE=1
+    TIMEOUTclose = 0
+    TIMEOUTidle = 43200
--- a/databases/postgresql/stunnel-server-deployment.yaml
+++ b/databases/postgresql/stunnel-server-deployment.yaml
@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postgresql-stunnel-server
+  namespace: database
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql-stunnel-server
+  template:
+    metadata:
+      labels:
+        app: postgresql-stunnel-server
+    spec:
+      containers:
+        - name: stunnel-server
+          image: ghcr.io/x-evor/stunnel-server:2330d36
+          imagePullPolicy: IfNotPresent
+          command: ["stunnel", "/etc/stunnel/stunnel.conf"]
+          ports:
+            - containerPort: 5433
+          volumeMounts:
+            - name: stunnel-conf
+              mountPath: /etc/stunnel/stunnel.conf
+              subPath: stunnel.conf
+            - name: stunnel-cert
+              mountPath: /etc/stunnel/certs/server-cert.pem
+              subPath: server-cert.pem
+            - name: stunnel-key
+              mountPath: /etc/stunnel/certs/server-key.pem
+              subPath: server-key.pem
+      volumes:
+        - name: stunnel-conf
+          configMap:
+            name: postgresql-stunnel-server
+        - name: stunnel-cert
+          secret:
+            secretName: postgresql-stunnel-server
+            items:
+              - key: server-cert.pem
+                path: server-cert.pem
+        - name: stunnel-key
+          secret:
+            secretName: postgresql-stunnel-server
+            items:
+              - key: server-key.pem
+                path: server-key.pem
--- a/databases/postgresql/stunnel-server-service.yaml
+++ b/databases/postgresql/stunnel-server-service.yaml
@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgresql-stunnel-server
+  namespace: database
+spec:
+  selector:
+    app: postgresql-stunnel-server
+  ports:
+    - name: tls
+      port: 5433
+      targetPort: 5433
--- a/databases/postgresql/values.yaml
+++ b/databases/postgresql/values.yaml
@ -46,13 +46,7 @@ metrics:
  enabled: false

 stunnel:
-  enabled: true
-  image:
-    repository: ghcr.io/x-evor/stunnel-server
-    tag: "2330d36"
-    pullPolicy: IfNotPresent
-  port: 5433
-  certificatesSecret: postgresql-stunnel-server
+  enabled: false

 stunnelClient:
  enabled: true
@ -66,7 +60,7 @@ stunnelClient:
    [postgres-client]
    client = yes
    accept = 0.0.0.0:15432
-    connect = postgresql.database.svc.cluster.local:5433
+    connect = postgresql-stunnel-server.database.svc.cluster.local:5433
    verifyChain = no
    sslVersion = TLSv1.2
    options = NO_SSLv2