ROSAENG-130 - feat: add database SSL mode configuration to helm chart

[cdoan1]

Add configurable database.sslMode to values.yaml with default "require" and pass --db-sslmode flag to both db-migrate initContainer and main serve container for secure database connections in production.

Summary

Regional team deploys with aws rds, so we need db sslmode

Test Plan

• Unit tests added/updated
• make test-all passes
• make lint passes
• Helm chart changes validated with make test-helm (if applicable)
• Deployed to a development cluster and verified (if Helm/config changes)
• E2E tests passed (if cross-component or major changes)

Summary by CodeRabbit

• New Features
  • Added configurable SSL mode for database connections (options include disable, allow, prefer, require, verify-ca, verify-full) with default "prefer".
  • Database SSL mode is now applied to migration and serve processes so runtime and init steps use the configured mode.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign yingzhanredhat for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @cdoan1. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 89fc3357-2c2a-4919-abbd-d0aa252734c1

📥 Commits

Reviewing files that changed from the base of the PR and between 5bcc2ab and 6d0eab1.

📒 Files selected for processing (2)

• charts/templates/deployment.yaml
• charts/values.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• charts/templates/deployment.yaml
• charts/values.yaml

---

Walkthrough

The Helm chart adds a new values entry database.sslMode (default "prefer") and updates the deployment template to pass --db-sslmode={{ .Values.database.sslMode | default "prefer" }} to both the db-migrate initContainer command and the main application container serve args.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding database SSL mode configuration to the Helm chart, which matches the core modifications in both deployment.yaml and values.yaml.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/templates/deployment.yaml`:
- Line 52: The startup/migrate command passes the wrong flag name
`--db-sslmode`; update the command invocation(s) for the hyperfleet-api migrate
runner to use the registered flag `--db-ssl-mode` instead (the flag is defined
in pkg/config/flags.go), i.e., replace occurrences of `--db-sslmode` with
`--db-ssl-mode` in the command arrays so the CLI recognizes the option and
migrations/startup won't fail.
- Around line 74-76: The template uses the wrong values path for the
bind-address flags: update the three arguments that reference .Values.server.*
to read from .Values.config.* (e.g. change --api-server-bindaddress to use
.Values.config.server.bindAddress | default ":8000", --health-server-bindaddress
to use .Values.config.health.bindAddress | default ":8080", and
--metrics-server-bindaddress to use .Values.config.metrics.metricsBindAddress or
.Values.config.metrics.bindAddress | default ":9090" as appropriate) so the
flags pull from the values.yml structure that actually defines these defaults.

In `@charts/values.yaml`:
- Around line 218-222: The default database SSL mode currently set by the value
sslMode: "prefer" is insecure for production because it can fall back to
plaintext; change the default value for the configuration key named sslMode
under database to "require" (one of the allowed options: disable, allow, prefer,
require, verify-ca, verify-full) so connections must use TLS by default; update
any related documentation lines or comments near the sslMode key to reflect the
new secure default.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d280bcc9-68b0-47eb-809f-0134b6a18756

📥 Commits

Reviewing files that changed from the base of the PR and between 1b4fd31 and 5bcc2ab.

📒 Files selected for processing (2)

• charts/templates/deployment.yaml
• charts/values.yaml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Use the registered flag name --db-ssl-mode.

Line 52 and Line 77 pass --db-sslmode, but the CLI registers --db-ssl-mode (pkg/config/flags.go). This will fail with an unknown-flag error and block startup/migration.

Suggested change

-        command: ["/app/hyperfleet-api", "migrate", "--db-sslmode={{ .Values.database.sslMode | default "require" }}"]
+        command: ["/app/hyperfleet-api", "migrate", "--db-ssl-mode={{ .Values.database.sslMode | default "require" }}"]
...
-        - --db-sslmode={{ .Values.database.sslMode | default "require" }}
+        - --db-ssl-mode={{ .Values.database.sslMode | default "require" }}

Also applies to: 77-77

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/templates/deployment.yaml` at line 52, The startup/migrate command
passes the wrong flag name `--db-sslmode`; update the command invocation(s) for
the hyperfleet-api migrate runner to use the registered flag `--db-ssl-mode`
instead (the flag is defined in pkg/config/flags.go), i.e., replace occurrences
of `--db-sslmode` with `--db-ssl-mode` in the command arrays so the CLI
recognizes the option and migrations/startup won't fail.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Set a secure default for database.sslMode.

Line 221 sets sslMode: "prefer", which can downgrade to non-TLS if the server allows it. For a production-safe baseline, this should default to "require".

Suggested change

-  sslMode: "prefer"
+  sslMode: "require"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# SSL mode for database connections
	# Options: disable, allow, prefer, require, verify-ca, verify-full
	# For production, use "require" or higher
	sslMode: "prefer"
	# SSL mode for database connections
	# Options: disable, allow, prefer, require, verify-ca, verify-full
	# For production, use "require" or higher
	sslMode: "require"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/values.yaml` around lines 218 - 222, The default database SSL mode
currently set by the value sslMode: "prefer" is insecure for production because
it can fall back to plaintext; change the default value for the configuration
key named sslMode under database to "require" (one of the allowed options:
disable, allow, prefer, require, verify-ca, verify-full) so connections must use
TLS by default; update any related documentation lines or comments near the
sslMode key to reflect the new secure default.

[ciaranRoche]

Do you require this, or can you use config.database.ssl.mode to override the ssl mode in the configmap?