Closed beasteers closed 1 year ago
K it should be all updated, let me know if there's anything else!
EDIT: Actually let me double check a couple things
Ok so I opened this pull request because I was having trouble disabling SSL but it turns out that this is enough:
```yaml
patroni:
  bootstrap:
    dcs:
      postgresql:
        parameters:
          ssl: 'off'
        pg_hba:
          - local all postgres peer
          - local all all md5
          - hostnossl all,replication all all md5 # reject
          - hostssl all all 127.0.0.1/32 md5
          - hostssl all all ::1/128 md5
          - hostssl replication standby all md5
          - hostssl all all all md5
```
So anyone who wants a private instance without SSL - using this values config with the current chart DOES disable client SSL verification.
I saw that other fork and thought that those changes were necessary to disable SSL but I was incorrect.
In case this matters, I also have this image set which fixed a patroni error message I was seeing. But those are all of the changes to the values file I have to get it working. Hopefully this helps someone!
```yaml
image:
  tag: pg14.6-ts2.8.1-patroni-static-primary-latest
```
The helm chart will still create an unnecessary SSL certificate, but it throws an error if it isn't there. Sorry for the confusion, I don't know why it was working before but not now, but I'm going to close this.
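To see exactly which clients the posted pg_hba entries admit, and with which auth method, here is a small first-match evaluator of those rules. This is an added example, not code from the PR or from the timescaledb-kubernetes chart; the `reject` variant is a constructed comparison (the alternative the `# reject` remark on the hostnossl line hints at), and the `10.0.0.x` client addresses are made up.

```python
import ipaddress
import re

# Constructed copy of the pg_hba entries from the values file posted above.
PG_HBA_NOSSL = """
local     all              postgres  peer
local     all              all       md5
hostnossl all,replication  all       all           md5
hostssl   all              all       127.0.0.1/32  md5
hostssl   all              all       ::1/128       md5
hostssl   replication      standby   all           md5
hostssl   all              all       all           md5
"""
# Constructed variant with the hostnossl line set to reject (assumed, not from the chart).
PG_HBA_STRICT = re.sub(r"^(hostnossl.*\s)md5$", r"\1reject", PG_HBA_NOSSL, flags=re.M)

def parse_pg_hba(text):
    """Parse pg_hba lines into (type, dbs, users, address, method); '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":                      # Unix sockets have no address column
            conn_type, dbs, users, method = fields[:4]
            address = None
        else:
            conn_type, dbs, users, address, method = fields[:5]
        rules.append((conn_type, dbs.split(","), users.split(","), address, method))
    return rules

def auth_method(rules, db, user, addr=None, ssl=False):
    """First-match evaluation. addr=None is a Unix-socket client; db="replication" is a
    streaming-replication client, which only the 'replication' keyword matches."""
    for conn_type, dbs, users, address, method in rules:
        if (addr is None) != (conn_type == "local"):
            continue                                   # socket vs TCP mismatch
        if conn_type == "hostssl" and not ssl or conn_type == "hostnossl" and ssl:
            continue                                   # TLS requirement not met
        if address not in (None, "all") and \
                ipaddress.ip_address(addr) not in ipaddress.ip_network(address, strict=False):
            continue                                   # client outside the CIDR
        wanted = "replication" if db == "replication" else "all"
        if wanted not in dbs and db not in dbs:
            continue
        if "all" not in users and user not in users:
            continue
        return method
    return None                                        # no rule matched: connection refused
```

With the posted rules a plaintext client from any address is accepted with `md5`; with the `reject` variant the same client is refused while SSL clients still get `md5`.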
What this PR does / why we need it
This gives users the option to disable SSL for their internal timescale connections. It is opt in, so it should not have any breaking changes.
Many times, people make their postgres instance an internal service and don't expose it outside the cluster except through other services/api layers. Forcing SSL connections for internal services can be a real pain and complication in making sure that all of your different services have access to up to date certificates (I've been banging my head with terraform), and I don't know if I buy into MITM threats on a private subnet.
And if I did want to allow external encrypted connections to postgres, I would prefer to do SSL termination through a reverse proxy (e.g. traefik) so that all of our certificates are managed in one place.
Which issue this PR fixes
The implementation is cherry-picked from here: https://github.com/agronholm/timescaledb-kubernetes
But it is up to date with the latest changes in the upstream repo and only makes the minimal changes needed for the fix, so it should be easier to merge.
@agronholm would you be willing to give this a once over to see if it looks good to you? I want to make sure I'm not missing anything from your implementation.
Special notes for your reviewer
Thanks!
Checklist