From 215b2c6975ed6debf2d16106f0dd5a6944a6eede Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 1 Jul 2024 12:44:33 -0500 Subject: [PATCH] home-assistant: Use external PostgreSQL server Home Assistant uses PostgreSQL for recording the history of entity states. Since we had been using the in-cluster database server for this, the data were migrated to the new external PostgreSQL server automatically when the backup from the former was restored on the latter. It follows, then, that we can point Home Assistant to the new server as well. Home Assistant uses SQLAlchemy, which in turn uses _libpq_ via _psycopg_, as a client for PostgreSQL. It doesn't expose any configuration parameters beyond the "database URL" directly, but we can use the standard environment variables to specify the certificate and private key for authentication. In fact, the empty `postgresql://` URL is sufficient, and indicates that _all_ of the connection parameters should be taken from environment variables. This makes specifying the parameters for both the `wait-for-db` init container and the main container take the exact same environment variables, so we can use YAML anchors to share their definitions. --- home-assistant/configuration.yaml | 2 +- home-assistant/kustomization.yaml | 56 ++++++++++++++++++------------- home-assistant/postgres-cert.yaml | 13 +++++++ 3 files changed, 46 insertions(+), 25 deletions(-) create mode 100644 home-assistant/postgres-cert.yaml diff --git a/home-assistant/configuration.yaml b/home-assistant/configuration.yaml index 32901f8..de57cd4 100644 --- a/home-assistant/configuration.yaml +++ b/home-assistant/configuration.yaml @@ -33,7 +33,7 @@ http: use_x_forwarded_for: true recorder: - db_url: !env_var RECORDER_DB_URL + db_url: postgresql:// db_max_retries: 100 purge_keep_days: 366 commit_interval: 0 diff --git a/home-assistant/kustomization.yaml b/home-assistant/kustomization.yaml index 3c66d4e..32e81e5 100644 --- a/home-assistant/kustomization.yaml 
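Review bot: The bare `db_url: postgresql://` gives a reader no indication of where host, user and TLS settings now come from, and nothing in this file enforces TLS on its own: libpq verifies the server only because kustomization.yaml exports `PGSSLMODE=verify-full`, and if that variable is ever dropped libpq defaults to `prefer` and silently falls back to a plaintext connection without any error from Home Assistant. A comment above the key would keep that dependency visible: `# Empty URL: libpq takes host/user/database and TLS settings from the PG* env vars set in kustomization.yaml; PGSSLMODE=verify-full there is what enforces TLS`. The `recorder` mapping may continue past the end of the hunk.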
+++ b/home-assistant/kustomization.yaml @@ -10,6 +10,7 @@ labels: resources: - namespace.yaml - secrets.yaml +- postgres-cert.yaml - home-assistant.yaml - mosquitto-cert.yaml - mosquitto.yaml @@ -18,6 +19,7 @@ resources: - piper.yaml - whisper.yaml - ingress.yaml +- ../dch-root-ca configMapGenerator: - name: home-assistant 
@@ -55,43 +57,42 @@ patches: - sh - -c - until pg_isready; do sleep 1; done - env: + env: &pgsqlenv - name: PGHOST - value: default.postgresql + value: postgresql.pyrocufflink.blue - name: PGGDATABASE value: homeassistant - name: PGUSER - valueFrom: - secretKeyRef: - name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do - key: username - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do - key: password + value: homeassistant + - name: PGSSLMODE + value: verify-full + - name: PGSSLROOTCERT + value: /run/dch-ca/dch-root-ca.crt + - name: PGSSLCERT + value: /run/secrets/home-assistant/postgresql/tls.crt + - name: PGSSLKEY + value: /run/secrets/home-assistant/postgresql/tls.key + volumeMounts: + - mountPath: /run/dch-ca/ + name: dch-root-ca + readOnly: true + - mountPath: /run/secrets/home-assistant/postgresql + name: postgresql-cert containers: - name: home-assistant - env: - - name: RECORDER_DB_PASSWORD - valueFrom: - secretKeyRef: - name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do - key: password - - name: RECORDER_DB_USERNAME - valueFrom: - secretKeyRef: - name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do - key: username - - name: RECORDER_DB_URL - value: postgresql://$(RECORDER_DB_USERNAME):$(RECORDER_DB_PASSWORD)@default.postgresql/homeassistant + env: *pgsqlenv volumeMounts: - mountPath: /run/config name: home-assistant-config readOnly: true + - mountPath: /run/dch-ca/ + name: dch-root-ca + readOnly: true - mountPath: /run/secrets/home-assistant name: home-assistant-secrets readOnly: true + - mountPath: /run/secrets/home-assistant/postgresql + name: postgresql-cert volumes: - name: home-assistant-config configMap: 
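Review bot: The recorder now takes its database name from the environment, but the anchored block still defines `PGGDATABASE` (context line, double G), which libpq does not recognise; the connection only lands in the `homeassistant` database because libpq falls back to the user name when PGDATABASE is unset and PGUSER happens to be `homeassistant` as well. While the database was spelled out in RECORDER_DB_URL the typo was harmless, so this commit is where it should become `- name: PGDATABASE`. Separately, the two new `postgresql-cert` mounts omit the `readOnly: true` that every sibling mount carries; adding it makes the intent explicit even though current kubelets mount Secret volumes read-only. The `patches` entry continues outside the hunk on both sides.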
@@ -101,3 +102,10 @@ patches: secret: secretName: home-assistant defaultMode: 0640 + - name: postgresql-cert + secret: + secretName: postgres-client-cert + defaultMode: 0640 + - name: dch-root-ca + configMap: + name: dch-root-ca diff --git a/home-assistant/postgres-cert.yaml b/home-assistant/postgres-cert.yaml new file mode 100644 index 0000000..1713c5c --- /dev/null +++ b/home-assistant/postgres-cert.yaml @@ -0,0 +1,13 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: postgres-client-cert +spec: + commonName: homeassistant + privateKey: + algorithm: ECDSA + secretName: postgres-client-cert + issuerRef: + name: postgresql-ca + kind: ClusterIssuer +
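Review bot: The `defaultMode: 0640` on the new `postgresql-cert` volume deserves a comment, because libpq refuses a `PGSSLKEY` that is group- or world-readable unless the file is owned by root, and it is only root ownership of kubelet-written Secret files that makes group-read acceptable here; a reader comparing against libpq's documented 0600 will otherwise assume this is too loose, while tightening to 0600 would make the key unreadable to a non-root container unless it runs as root. Suggested: `# 0640 rather than libpq's usual 0600: kubelet writes Secret files as root, and libpq accepts group-readable keys when root-owned; a non-root PGSSLKEY reader needs fsGroup set`. The pod securityContext is not visible in this hunk, so whether fsGroup is set cannot be confirmed from here.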
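Review bot: The Certificate has no `privateKey.rotationPolicy`, so cert-manager's default of `Never` reuses the same ECDSA private key across every renewal for the life of the resource; for a client-authentication key held in a Secret, `rotationPolicy: Always` is the usual hardening so a renewed certificate also carries a fresh key. It also leaves `usages` at the default (digital signature, key encipherment), which omits `client auth` and sets a meaningless key-encipherment bit on an ECDSA key; PostgreSQL does not check EKU today, but declaring the purpose explicitly documents what this cert is for. The `commonName: homeassistant` should also carry a comment that it must equal PGUSER if the server maps certificate CN to the role (`clientcert=verify-full` or `cert` auth in pg_hba.conf), since that coupling is otherwise invisible here; the server-side configuration is not part of this diff.
```yaml
spec:
  commonName: homeassistant  # must equal PGUSER if the server maps CN to the role
  usages:
    - digital signature
    - client auth
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
  # … unchanged: secretName, issuerRef …
```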