refactor(gitops): split postgresql stunnel server

databases/postgresql/kustomization.yaml

@@ -6,6 +6,9 @@ resources:
   - helmrelease.yaml
   - externalsecret.yaml
   - stunnel-externalsecret.yaml
+  - stunnel-server-configmap.yaml
+  - stunnel-server-deployment.yaml
+  - stunnel-server-service.yaml
 configMapGenerator:
   - name: postgresql-values
     files:

databases/postgresql/stunnel-server-configmap.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgresql-stunnel-server
+  namespace: database
+data:
+  stunnel.conf: |
+    foreground = yes
+    debug = 5
+    [postgres-tls-server]
+    client = no
+    accept = 0.0.0.0:5433
+    connect = postgresql.database.svc.cluster.local:5432
+    cert = /etc/stunnel/certs/server-cert.pem
+    key = /etc/stunnel/certs/server-key.pem
+    sslVersionMin = TLSv1.2
+    options = NO_SSLv2
+    options = NO_SSLv3
+    socket = l:TCP_NODELAY=1
+    socket = r:TCP_NODELAY=1
+    socket = l:SO_KEEPALIVE=1
+    socket = r:TCP_KEEPALIVE=1
+    TIMEOUTclose = 0
+    TIMEOUTidle = 43200

databases/postgresql/stunnel-server-deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postgresql-stunnel-server
+  namespace: database
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql-stunnel-server
+  template:
+    metadata:
+      labels:
+        app: postgresql-stunnel-server
+    spec:
+      containers:
+        - name: stunnel-server
+          image: ghcr.io/x-evor/stunnel-server:2330d36
+          imagePullPolicy: IfNotPresent
+          command: ["stunnel", "/etc/stunnel/stunnel.conf"]
+          ports:
+            - containerPort: 5433
+          volumeMounts:
+            - name: stunnel-conf
+              mountPath: /etc/stunnel/stunnel.conf
+              subPath: stunnel.conf
+            - name: stunnel-cert
+              mountPath: /etc/stunnel/certs/server-cert.pem
+              subPath: server-cert.pem
+            - name: stunnel-key
+              mountPath: /etc/stunnel/certs/server-key.pem
+              subPath: server-key.pem
+      volumes:
+        - name: stunnel-conf
+          configMap:
+            name: postgresql-stunnel-server
+        - name: stunnel-cert
+          secret:
+            secretName: postgresql-stunnel-server
+            items:
+              - key: server-cert.pem
+                path: server-cert.pem
+        - name: stunnel-key
+          secret:
+            secretName: postgresql-stunnel-server
+            items:
+              - key: server-key.pem
+                path: server-key.pem

databases/postgresql/stunnel-server-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgresql-stunnel-server
+  namespace: database
+spec:
+  selector:
+    app: postgresql-stunnel-server
+  ports:
+    - name: tls
+      port: 5433
+      targetPort: 5433

databases/postgresql/values.yaml

@@ -46,13 +46,7 @@ metrics:
   enabled: false
 
 stunnel:
-  enabled: true
+  enabled: false
-  image:
-    repository: ghcr.io/x-evor/stunnel-server
-    tag: "2330d36"
-    pullPolicy: IfNotPresent
-  port: 5433
-  certificatesSecret: postgresql-stunnel-server
 
 stunnelClient:
   enabled: true
@@ -66,7 +60,7 @@ stunnelClient:
     [postgres-client]
     client = yes
     accept = 0.0.0.0:15432
-    connect = postgresql.database.svc.cluster.local:5433
+    connect = postgresql-stunnel-server.database.svc.cluster.local:5433
     verifyChain = no
     sslVersion = TLSv1.2
     options = NO_SSLv2