diff --git a/home-assistant/configuration.yaml b/home-assistant/configuration.yaml
index 32901f8..de57cd4 100644
--- a/home-assistant/configuration.yaml
+++ b/home-assistant/configuration.yaml
@@ -33,7 +33,7 @@ http:
   use_x_forwarded_for: true
 
 recorder:
-  db_url: !env_var RECORDER_DB_URL
+  db_url: postgresql://
   db_max_retries: 100
   purge_keep_days: 366
   commit_interval: 0
diff --git a/home-assistant/kustomization.yaml b/home-assistant/kustomization.yaml
index 3c66d4e..32e81e5 100644
--- a/home-assistant/kustomization.yaml
+++ b/home-assistant/kustomization.yaml
@@ -10,6 +10,7 @@ labels:
 resources:
 - namespace.yaml
 - secrets.yaml
+- postgres-cert.yaml
 - home-assistant.yaml
 - mosquitto-cert.yaml
 - mosquitto.yaml
@@ -18,6 +19,7 @@ resources:
 - piper.yaml
 - whisper.yaml
 - ingress.yaml
+- ../dch-root-ca
 
 configMapGenerator:
 - name: home-assistant
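Review bot: `db_url: postgresql://` carries no host, user, database or TLS settings, so the recorder now depends entirely on the libpq `PG*` environment variables defined in the Deployment patch in kustomization.yaml; a comment next to it would save the next reader a search, e.g. `# host, user, database and TLS come from the PGHOST/PGUSER/PGSSL* env vars set in kustomization.yaml`. Unlike the previous `!env_var` form, which fails at configuration load when the variable is missing, a bare connection string is accepted by the config check and only fails when the first connection is attempted, so the `pg_isready` init container (which shares the same env block) is presumably what surfaces a misconfiguration now; that is worth stating in the same comment.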
@@ -55,43 +57,42 @@ patches:
             - sh
             - -c
             - until pg_isready; do sleep 1; done
-            env:
+            env: &pgsqlenv
             - name: PGHOST
-              value: default.postgresql
+              value: postgresql.pyrocufflink.blue
             - name: PGGDATABASE
               value: homeassistant
             - name: PGUSER
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
-                  key: username
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
-                  key: password
+              value: homeassistant
+            - name: PGSSLMODE
+              value: verify-full
+            - name: PGSSLROOTCERT
+              value: /run/dch-ca/dch-root-ca.crt
+            - name: PGSSLCERT
+              value: /run/secrets/home-assistant/postgresql/tls.crt
+            - name: PGSSLKEY
+              value: /run/secrets/home-assistant/postgresql/tls.key
+            volumeMounts:
+            - mountPath: /run/dch-ca/
+              name: dch-root-ca
+              readOnly: true
+            - mountPath: /run/secrets/home-assistant/postgresql
+              name: postgresql-cert
           containers:
           - name: home-assistant
-            env:
-            - name: RECORDER_DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
-                  key: password
-            - name: RECORDER_DB_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
-                  key: username
-            - name: RECORDER_DB_URL
-              value: postgresql://$(RECORDER_DB_USERNAME):$(RECORDER_DB_PASSWORD)@default.postgresql/homeassistant
+            env: *pgsqlenv
             volumeMounts:
             - mountPath: /run/config
               name: home-assistant-config
               readOnly: true
+            - mountPath: /run/dch-ca/
+              name: dch-root-ca
+              readOnly: true
             - mountPath: /run/secrets/home-assistant
               name: home-assistant-secrets
               readOnly: true
+            - mountPath: /run/secrets/home-assistant/postgresql
+              name: postgresql-cert
           volumes:
           - name: home-assistant-config
             configMap:
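Review bot: The two new `postgresql-cert` mounts (one in the init container, one in the home-assistant container) are the only volumeMounts in this hunk without `readOnly: true`; the client private key should be mounted read-only like the sibling CA and secret mounts, so add `readOnly: true` after each `name: postgresql-cert`. libpq additionally refuses to use a private key file unless it is mode 0600 owned by the connecting user, or root-owned with at most 0640, so whether the 0640 secret volume is readable by the container and acceptable to libpq depends on the pod's runAsUser/fsGroup, which is outside this hunk; confirm that before relying on `PGSSLKEY`. The context line `- name: PGGDATABASE` (double G) means `PGDATABASE` is not actually set and libpq falls back to the user name, which only works because it happens to equal `homeassistant`; since that block is now aliased into the main container as well, correcting it to `- name: PGDATABASE` would make the dependency explicit. The `&pgsqlenv`/`*pgsqlenv` alias is presumably resolved when kustomize parses the inline patch, but confirm the kustomize version in use expands aliases inside patches, since older releases did not. The enclosing patch begins and ends outside the hunk.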
@@ -101,3 +102,10 @@ patches:
             secret:
               secretName: home-assistant
               defaultMode: 0640
+          - name: postgresql-cert
+            secret:
+              secretName: postgres-client-cert
+              defaultMode: 0640
+          - name: dch-root-ca
+            configMap:
+              name: dch-root-ca
diff --git a/home-assistant/postgres-cert.yaml b/home-assistant/postgres-cert.yaml
new file mode 100644
index 0000000..1713c5c
--- /dev/null
+++ b/home-assistant/postgres-cert.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-client-cert
+spec:
+  commonName: homeassistant
+  privateKey:
+    algorithm: ECDSA
+  secretName: postgres-client-cert
+  issuerRef:
+    name: postgresql-ca
+    kind: ClusterIssuer
+
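Review bot: `defaultMode: 0640` on the new `postgresql-cert` volume relies on YAML 1.1 octal parsing; a YAML 1.2 parser anywhere in the pipeline reads it as decimal 640, which is outside the 0–0777 range the API accepts, so the portable spelling is the decimal value with a comment, `defaultMode: 416  # 0640`. The existing home-assistant volume in context uses the same form, so this is a pre-existing convention rather than a regression, but the new secret volume holding a private key is the right place to start. The `dch-root-ca` configMap volume carries only a public CA certificate and needs no mode setting. The enclosing patch begins outside the hunk.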
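Review bot: The Certificate sets no `usages`, so cert-manager applies its defaults (digital signature and key encipherment) and the issued certificate carries no client-authentication intent; adding `usages:` / `  - client auth` under `spec:` documents that this is a mutual-TLS client credential and lets the issuing CA's policy constrain it. Adding `rotationPolicy: Always` under `privateKey:` makes each renewal generate a fresh key instead of reusing the existing one, which matters for a long-lived database credential; on older cert-manager releases the default reuses the key. Note that the Deployment patch consumes this secret by the literal name `postgres-client-cert`, so a rename must be applied in both files.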