chore: Certs as secret

demeter-run · Feb 5, 2025 · 60faf87 · 60faf87
1 parent 97744dc
commit 60faf87
Show file tree

Hide file tree

Showing 7 changed files with 19 additions and 18 deletions.
diff --git a/bootstrap/cell/main.tf b/bootstrap/cell/main.tf
@@ -60,7 +60,7 @@ module "dbsync_pgbouncer" {
 
   namespace                     = var.namespace
   pg_bouncer_replicas           = var.pgbouncer_replicas
-  certs_configmap_name          = var.certs_configmap_name
+  certs_secret_name             = var.certs_secret_name
   pg_bouncer_auth_user_password = var.pgbouncer_auth_user_password
   instance_role                 = "pgbouncer"
   postgres_secret_name          = var.postgres_secret_name

diff --git a/bootstrap/cell/variables.tf b/bootstrap/cell/variables.tf
@@ -7,7 +7,7 @@ variable "salt" {
   description = "Salt used to identify all components as part of the cell. Should be unique between cells."
 }
 
-variable "certs_configmap_name" {
+variable "certs_secret_name" {
   type    = string
   default = "pgbouncer-certs"
 }

diff --git a/bootstrap/feature/configs.tf b/bootstrap/feature/configs.tf
diff --git a/bootstrap/feature/secret.tf b/bootstrap/feature/secret.tf
@@ -8,3 +8,15 @@ resource "kubernetes_secret" "postgres" {
   }
   type = "Opaque"
 }
+
+resource "kubernetes_secret" "pgbouncer_certs" {
+  metadata {
+    namespace = var.namespace
+    name      = "pgbouncer-certs"
+  }
+
+  data = {
+    "tls.crt" = var.pgbouncer_server_crt
+    "tls.key" = var.pgbouncer_server_key
+  }
+}
diff --git a/bootstrap/pgbouncer/main.tf b/bootstrap/pgbouncer/main.tf
@@ -26,7 +26,7 @@ variable "load_balancer" {
   default = false
 }
 
-variable "certs_configmap_name" {
+variable "certs_secret_name" {
   type    = string
   default = "pgbouncer-certs"
 }

diff --git a/bootstrap/pgbouncer/pg-bouncer.tf b/bootstrap/pgbouncer/pg-bouncer.tf
@@ -269,8 +269,8 @@ resource "kubernetes_deployment_v1" "pgbouncer" {
 
         volume {
           name = "pgbouncer-certs"
-          config_map {
-            name = var.certs_configmap_name
+          secret {
+            secret_name = var.certs_secret_name
           }
         }
 

diff --git a/bootstrap/pgbouncer/pgbouncer.ini.tftpl b/bootstrap/pgbouncer/pgbouncer.ini.tftpl
@@ -17,8 +17,8 @@ pidfile=/opt/bitnami/pgbouncer/tmp/pgbouncer.pid
 logfile=/opt/bitnami/pgbouncer/logs/pgbouncer.log
 admin_users=postgres
 client_tls_sslmode=allow
-client_tls_key_file=/certs/server.key
-client_tls_cert_file=/certs/server.crt
+client_tls_key_file=/certs/tls.key
+client_tls_cert_file=/certs/tls.crt
 server_tls_sslmode=disable
 ignore_startup_parameters=extra_float_digits,statement_timeout
 stats_period=60