diff --git a/databases/postgresql/kustomization.yaml b/databases/postgresql/kustomization.yaml
index cefc50c..eed9383 100644
--- a/databases/postgresql/kustomization.yaml
+++ b/databases/postgresql/kustomization.yaml
@@ -6,6 +6,9 @@ resources:
 - helmrelease.yaml
 - externalsecret.yaml
 - stunnel-externalsecret.yaml
+ - stunnel-server-configmap.yaml
+ - stunnel-server-deployment.yaml
+ - stunnel-server-service.yaml
 configMapGenerator:
 - name: postgresql-values
 files:
diff --git a/databases/postgresql/stunnel-server-configmap.yaml b/databases/postgresql/stunnel-server-configmap.yaml
new file mode 100644
index 0000000..1433606
--- /dev/null
+++ b/databases/postgresql/stunnel-server-configmap.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: postgresql-stunnel-server
+ namespace: database
+data:
+ stunnel.conf: |
+ foreground = yes
+ debug = 5
+ [postgres-tls-server]
+ client = no
+ accept = 0.0.0.0:5433
+ connect = postgresql.database.svc.cluster.local:5432
+ cert = /etc/stunnel/certs/server-cert.pem
+ key = /etc/stunnel/certs/server-key.pem
+ sslVersionMin = TLSv1.2
+ options = NO_SSLv2
+ options = NO_SSLv3
+ socket = l:TCP_NODELAY=1
+ socket = r:TCP_NODELAY=1
+ socket = l:SO_KEEPALIVE=1
+ socket = r:TCP_KEEPALIVE=1
+ TIMEOUTclose = 0
+ TIMEOUTidle = 43200
diff --git a/databases/postgresql/stunnel-server-deployment.yaml b/databases/postgresql/stunnel-server-deployment.yaml
new file mode 100644
index 0000000..b0bb288
--- /dev/null
+++ b/databases/postgresql/stunnel-server-deployment.yaml
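Review bot: The `[postgres-tls-server]` section authenticates nothing on the inbound side — there is no `verifyChain`, `requireCert` or `CAfile` after `key = /etc/stunnel/certs/server-key.pem` — so any workload that can reach port 5433 gets a TLS session terminated straight onto the plaintext `postgresql.database.svc.cluster.local:5432` backend, leaving presumably only PostgreSQL's own authentication in the path. If the tunnel is meant to be used only by the stunnel client pods, add mutual authentication: `verifyChain = yes`, `requireCert = yes`, `CAfile = /etc/stunnel/certs/ca.pem` (the CA then has to be mounted next to the server key). `sslVersionMin = TLSv1.2` already rules out SSLv2/v3, so the two `options = NO_SSLv*` lines are redundant; a `ciphers` / `ciphersuites` restriction would be the more useful hardening line in their place. `debug = 5` is notice level and, as far as this file shows, does not log anything sensitive.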
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: postgresql-stunnel-server
+ namespace: database
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: postgresql-stunnel-server
+ template:
+ metadata:
+ labels:
+ app: postgresql-stunnel-server
+ spec:
+ containers:
+ - name: stunnel-server
+ image: ghcr.io/x-evor/stunnel-server:2330d36
+ imagePullPolicy: IfNotPresent
+ command: ["stunnel", "/etc/stunnel/stunnel.conf"]
+ ports:
+ - containerPort: 5433
+ volumeMounts:
+ - name: stunnel-conf
+ mountPath: /etc/stunnel/stunnel.conf
+ subPath: stunnel.conf
+ - name: stunnel-cert
+ mountPath: /etc/stunnel/certs/server-cert.pem
+ subPath: server-cert.pem
+ - name: stunnel-key
+ mountPath: /etc/stunnel/certs/server-key.pem
+ subPath: server-key.pem
+ volumes:
+ - name: stunnel-conf
+ configMap:
+ name: postgresql-stunnel-server
+ - name: stunnel-cert
+ secret:
+ secretName: postgresql-stunnel-server
+ items:
+ - key: server-cert.pem
+ path: server-cert.pem
+ - name: stunnel-key
+ secret:
+ secretName: postgresql-stunnel-server
+ items:
+ - key: server-key.pem
+ path: server-key.pem
diff --git a/databases/postgresql/stunnel-server-service.yaml b/databases/postgresql/stunnel-server-service.yaml
new file mode 100644
index 0000000..68604b6
--- /dev/null
+++ b/databases/postgresql/stunnel-server-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgresql-stunnel-server
+ namespace: database
+spec:
+ selector:
+ app: postgresql-stunnel-server
+ ports:
+ - name: tls
+ port: 5433
+ targetPort: 5433
diff --git a/databases/postgresql/values.yaml b/databases/postgresql/values.yaml
index 6ac682d..5ed4f94 100644
--- a/databases/postgresql/values.yaml
+++ b/databases/postgresql/values.yaml
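Review bot: The private key is mounted through `subPath` (`mountPath: /etc/stunnel/certs/server-key.pem` / `subPath: server-key.pem`), so when the `postgresql-stunnel-server` secret is rotated the running pod keeps serving the old key until it is restarted, and with no `defaultMode` on the secret volumes the files are projected with Kubernetes' default 0644, readable by any uid inside the container. The pod also carries no `securityContext`, so stunnel runs with whatever user and capabilities the image defaults to, and the image is pinned by the mutable tag `2330d36` rather than a digest. I would mount the secret once as a read-only directory with a restrictive mode and add pod/container security contexts; the uid/gid below are placeholders that must match what `ghcr.io/x-evor/stunnel-server` actually runs stunnel as, which this diff does not show. The same `subPath` caveat applies to the ConfigMap mount, though a config change there is less critical than a key rotation.

```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        fsGroup: 65534  # TODO: confirm the gid stunnel runs as in this image
      containers:
        - name: stunnel-server
          # … unchanged: image, imagePullPolicy, command, ports …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: stunnel-conf
              mountPath: /etc/stunnel/stunnel.conf
              subPath: stunnel.conf
            - name: stunnel-certs
              mountPath: /etc/stunnel/certs
              readOnly: true
      volumes:
        # … unchanged: stunnel-conf configMap volume …
        - name: stunnel-certs
          secret:
            secretName: postgresql-stunnel-server
            defaultMode: 0440  # octal (288 decimal): owner/group read only
```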
@@ -46,13 +46,7 @@ metrics:
 enabled: false
 stunnel:
- enabled: true
- image:
- repository: ghcr.io/x-evor/stunnel-server
- tag: "2330d36"
- pullPolicy: IfNotPresent
- port: 5433
- certificatesSecret: postgresql-stunnel-server
+ enabled: false
 stunnelClient:
 enabled: true
@@ -66,7 +60,7 @@ stunnelClient:
 [postgres-client]
 client = yes
 accept = 0.0.0.0:15432
- connect = postgresql.database.svc.cluster.local:5433
+ connect = postgresql-stunnel-server.database.svc.cluster.local:5433
 verifyChain = no
 sslVersion = TLSv1.2
 options = NO_SSLv2
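Review bot: The new `connect = postgresql-stunnel-server.database.svc.cluster.local:5433` target is still used with `verifyChain = no` on the line below it, so the client encrypts but never authenticates the peer: whatever answers on that Service name and port is accepted, which makes the tunnel only as trustworthy as the cluster network and the Service's label selector. The server certificate already exists in the `postgresql-stunnel-server` secret, so the client can verify it or its issuer with `verifyChain = yes`, `CAfile = /etc/stunnel/certs/ca.pem`, `checkHost = postgresql-stunnel-server.database.svc.cluster.local` (the CA then has to be mounted on the client side, which this diff does not show). `sslVersion = TLSv1.2` pins exactly one protocol version; `sslVersionMin = TLSv1.2`, as the server config uses, would also allow TLS 1.3. The `stunnelClient` config block starts before and ends after this hunk.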