From 0b26885af1f670d65506afdf1d47ae4fad501176 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mois=C3=A9s=20Gonz=C3=A1lez?=
Date: Wed, 24 Sep 2025 10:06:46 -0400
Subject: [PATCH] feat: add support for TLS connections to clickhouse
---
 drydock/patches/kustomization | 10 ++++++++++
 drydock/plugin.py | 1 +
 .../drydock/k8s/patches/tls-volume-add.yml | 17 +++++++++++++++++
 .../drydock/k8s/patches/tls-volume-append.yml | 17 +++++++++++++++++
 4 files changed, 45 insertions(+)
 create mode 100644 drydock/templates/drydock/k8s/patches/tls-volume-add.yml
 create mode 100644 drydock/templates/drydock/k8s/patches/tls-volume-append.yml
diff --git a/drydock/patches/kustomization b/drydock/patches/kustomization
index bb25431..3998b5e 100644
--- a/drydock/patches/kustomization
+++ b/drydock/patches/kustomization
@@ -31,3 +31,13 @@ patches:
 kind: Deployment
 name: '{% for name in DRYDOCK_POST_INIT_DEPLOYMENTS %}{{ name }}{% if not loop.last %}|{% endif %}{% endfor %}'
 path: plugins/drydock/k8s/patches/post-init-deployments-sync-wave.yml
+
+- path: plugins/drydock/k8s/patches/tls-volume-append.yml
+ target:
+ kind: "(Deployment|Job)"
+ name: aspects|superset-job.*|aspects-job.*|ralph
+
+- path: plugins/drydock/k8s/patches/tls-volume-add.yml
+ target:
+ kind: "(Deployment|Job)"
+ name: clickhouse-job.*
diff --git a/drydock/plugin.py b/drydock/plugin.py
index 8fae646..3909ce3 100644
--- a/drydock/plugin.py
+++ b/drydock/plugin.py
@@ -152,6 +152,7 @@ def get_sync_waves_for_resource(resource_name: str) -> SYNC_WAVES_ORDER_ATTRS_TY
 "PDB_MINAVAILABLE_PERCENTAGE_MFE": 0,
 "PDB_MINAVAILABLE_PERCENTAGE_FORUM": 0,
 "PDB_MINAVAILABLE_PERCENTAGE_CADDY": 0,
+ "CA_BUNDLE_NAME": "cluster-bundle",
 "POST_INIT_DEPLOYMENTS": [
 "lms",
 "cms",
diff --git a/drydock/templates/drydock/k8s/patches/tls-volume-add.yml b/drydock/templates/drydock/k8s/patches/tls-volume-add.yml
new file mode 100644
index 0000000..d8d0fe0
--- /dev/null
+++ b/drydock/templates/drydock/k8s/patches/tls-volume-add.yml
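Review bot: Both new kustomization entries are applied unconditionally, and the patches they point at mount the ConfigMap with `optional: false`, so the pods of every matched Deployment and Job will stay in ContainerCreating in any namespace where that ConfigMap has not been provisioned. Since the commit describes this as adding support for TLS, consider gating the two entries, for example with `{% if DRYDOCK_CA_BUNDLE_NAME %}` before the first and `{% endif %}` after the second, so that an empty setting turns the feature off. A comment above the entries naming the component expected to create the ConfigMap would also help, as nothing visible in this patch creates it.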
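Review bot: The new `CA_BUNDLE_NAME` default is not read by anything else in this patch: both patch templates hard-code `name: cluster-bundle`, so overriding the setting would not change which ConfigMap is mounted. Either reference it in tls-volume-add.yml and tls-volume-append.yml with `name: {{ DRYDOCK_CA_BUNDLE_NAME }}` (assuming it gets the same `DRYDOCK_` prefix that `DRYDOCK_POST_INIT_DEPLOYMENTS` shows), or drop the default until it is used. The defaults dict this line belongs to starts and ends outside the hunk.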
@@ -0,0 +1,17 @@
+- op: add
+ path: /spec/template/spec/volumes
+ value:
+ - name: ca-certificates
+ configMap:
+ name: cluster-bundle
+ defaultMode: 420 # Octal 0644
+ optional: false
+ items:
+ - key: ca-certificates.crt
+ path: ca-certificates.crt
+- op: add
+ path: /spec/template/spec/containers/0/volumeMounts
+ value:
+ - name: ca-certificates
+ readOnly: true
+ mountPath: /etc/ssl/certs
diff --git a/drydock/templates/drydock/k8s/patches/tls-volume-append.yml b/drydock/templates/drydock/k8s/patches/tls-volume-append.yml
new file mode 100644
index 0000000..c38a345
--- /dev/null
+++ b/drydock/templates/drydock/k8s/patches/tls-volume-append.yml
@@ -0,0 +1,17 @@
+- op: add
+ path: /spec/template/spec/volumes/-
+ value:
+ name: ca-certificates
+ configMap:
+ name: cluster-bundle
+ defaultMode: 420 # Octal 0644
+ optional: false
+ items:
+ - key: ca-certificates.crt
+ path: ca-certificates.crt
+- op: add
+ path: /spec/template/spec/containers/0/volumeMounts/-
+ value:
+ name: ca-certificates
+ readOnly: true
+ mountPath: /etc/ssl/certs
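Review bot: Both operations in tls-volume-add.yml `add` to the array path itself rather than to `/-`, and under JSON Patch semantics an `add` to a member that already exists replaces its value, so any volumes or volumeMounts already defined on a `clickhouse-job.*` resource would be discarded. If those jobs are known to define neither, say so at the top of the file, e.g. `# clickhouse jobs define no volumes; this creates the arrays (use tls-volume-append.yml otherwise)`. The mount is also applied to `containers/0` only, so a job whose ClickHouse client runs in another container or in an init container would not see the bundle.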
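Review bot: Mounting the ConfigMap at `/etc/ssl/certs` in tls-volume-append.yml shadows the image's whole certificate directory and leaves only `ca-certificates.crt`, so TLS verification would fail for any endpoint not signed by a CA in that bundle, and for any client that relies on the hashed certificate links in that directory; the same mount is in tls-volume-add.yml. If the bundle is meant to be the complete trust store, document that it must include the public roots the workloads need. Otherwise mount only the file, with `mountPath: /etc/ssl/certs/ca-certificates.crt` and `subPath: ca-certificates.crt`, keeping in mind that a subPath mount does not pick up ConfigMap updates until the pod restarts. Separately, the `/-` paths require the `volumes` and `volumeMounts` arrays to exist already on every matched resource, which cannot be confirmed from this patch.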