chore: enable genai to connect to db over TLS (#9260)

helm/charts/determined/templates/_helpers.tpl

@@ -14,6 +14,28 @@
     {{- end -}}
 {{- end -}}
 
+{{- define "determined.dbCertVolumeMount" -}}
+{{- if .Values.db.certResourceName -}}
+- name: database-cert
+  mountPath: {{ include "determined.secretPath" . }}
+  readOnly: true
+{{- end }}
+{{- end -}}
+
+{{- define "determined.dbCertVolume" }}
+{{- if .Values.db.sslMode -}}
+- name: database-cert
+  {{- $resourceType := (required "A valid .Values.db.resourceType entry required!" .Values.db.resourceType | trim)}}
+  {{- if eq $resourceType "configMap"}}
+  configMap:
+    name: {{ required  "A valid Values.db.certResourceName entry is required!" .Values.db.certResourceName }}
+  {{- else }}
+  secret:
+    secretName: {{ required  "A valid Values.db.certResourceName entry is required!" .Values.db.certResourceName }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
 {{- define "genai.PVCName" -}}
     {{- if .Values.genai.sharedPVCName }}
         {{- .Values.genai.sharedPVCName }}

helm/charts/determined/templates/genai/genai-deployment.yaml

@@ -48,6 +48,13 @@ spec:
             value: {{ .Values.db.port | quote }}
           - name: DB_HOST
             value: {{ include "determined.dbHost" . }}
+          {{- if .Values.db.sslMode }}
+          - name: DB_SSL_MODE
+            value: {{ .Values.db.sslMode }}
+          {{- $rootCert := (required "A valid .Values.db.sslRootCert entry required!" .Values.db.sslRootCert )}}
+          - name: DB_SSL_ROOT_CERT
+            value: {{ include "determined.secretPath" . }}{{ $rootCert }}
+          {{- end }}
           - name: LORE_DOCKER_TAG_SUFFIX
             value: {{ $tag | quote }}
           {{- if .Values.genai.sharedFSHostPath }}
@@ -79,6 +86,7 @@ spec:
           - name: genai-resource-pool-metadata
             mountPath: /run/determined/workdir/rp_config
             readOnly: true
+          {{- include "determined.dbCertVolumeMount" . | nindent 10 }}
         resources:
           requests:
             {{- if .Values.genai.cpuRequest }}
@@ -114,5 +122,6 @@ spec:
         - name: genai-resource-pool-metadata
           configMap:
             name: genai-resource-pool-metadata-{{ .Release.Name }}
+        {{- include "determined.dbCertVolume" . | nindent 8 }}
 {{ end }}
 {{ end }}

helm/charts/determined/templates/master-deployment.yaml

@@ -65,11 +65,7 @@ spec:
             mountPath: {{ include "determined.secretPath" . }}{{ $index }}/
             readOnly: true
           {{- end }}
-          {{- if .Values.db.certResourceName }}
-          - name: database-cert
-            mountPath: {{ include "determined.secretPath" . }}
-            readOnly: true
-          {{- end }}
+          {{- include "determined.dbCertVolumeMount" . | nindent 10 }}
           # Additional volume mount for ca.crt or boundle to perform the ca cert injection
           {{- if .Values.externalCaCertSecretName }}
           - name: etc-ssl-certs
@@ -138,17 +134,7 @@ spec:
           secret:
             secretName: {{ required "for each additional_resource_managers, resource_manager.kubeconfig_secret_name must be specified" $manager.resource_manager.kubeconfig_secret_name }}
         {{- end }}
-        {{- if .Values.db.sslMode }}
-        - name: database-cert
-          {{- $resourceType := (required "A valid .Values.db.resourceType entry required!" .Values.db.resourceType | trim)}}
-          {{- if eq $resourceType "configMap"}}
-          configMap:
-            name: {{ required  "A valid Values.db.certResourceName entry is required!" .Values.db.certResourceName }}
-          {{- else }}
-          secret:
-            secretName: {{ required  "A valid Values.db.certResourceName entry is required!" .Values.db.certResourceName }}
-          {{- end }}
-        {{- end }}
+        {{- include "determined.dbCertVolume" . | nindent 8 }}
         # Additional volumes for ca.crt or ca boundle injection
         {{- if .Values.externalCaCertSecretName }}
         - name: usr-local-share-ca-certificates