Merge pull request #119 from omkarjoshi0304/lcore

openshift-merge-bot[bot] · web-flow · commit 651fae6b1dc2 · 2026-06-24T08:54:41.000Z
Add PGSSLMODE and PGSSLROOTCERT env vars to OGX container
diff --git a/internal/controller/lcore_deployment.go b/internal/controller/lcore_deployment.go
@@ -555,6 +555,19 @@ func buildLlamaStackEnvVars(h *common_helper.Helper, ctx context.Context, instan
 	// Postgres password for ${env.POSTGRES_PASSWORD} substitution in llama-stack config
 	envVars = append(envVars, buildPostgresPasswordEnvVar())
 
+	// PostgreSQL SSL configuration for OGX (llama-stack).
+	// OGX's PostgresSqlStoreConfig does not support ssl_mode/ca_cert_path fields yet
+	// (ogx-ai/ogx#5978), so we configure asyncpg via standard libpq environment
+	// variables to enforce TLS with full certificate verification.
+	envVars = append(envVars, corev1.EnvVar{
+		Name:  "PGSSLMODE",
+		Value: PostgresDefaultSSLMode,
+	})
+	envVars = append(envVars, corev1.EnvVar{
+		Name:  "PGSSLROOTCERT",
+		Value: CABundleMountPath,
+	})
+
 	// Logging configuration - set both for compatibility with llama-stack and OGX
 	ogxLogLevel := getOGXLogLevel(instance)
 	envVars = append(envVars, corev1.EnvVar{
diff --git a/test/kuttl/common/openstack-lightspeed-instance/assert-openstack-lightspeed-instance.yaml b/test/kuttl/common/openstack-lightspeed-instance/assert-openstack-lightspeed-instance.yaml
@@ -189,6 +189,10 @@ spec:
                 secretKeyRef:
                   key: password
                   name: lightspeed-postgres-secret
+            - name: PGSSLMODE
+              value: verify-full
+            - name: PGSSLROOTCERT
+              value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
             - name: LLAMA_STACK_LOGGING
               value: all=debug
             - name: OGX_LOGGING
diff --git a/test/kuttl/tests/okp-configuration/03-assert-okp-instance.yaml b/test/kuttl/tests/okp-configuration/03-assert-okp-instance.yaml
@@ -72,6 +72,10 @@ spec:
                 secretKeyRef:
                   key: password
                   name: lightspeed-postgres-secret
+            - name: PGSSLMODE
+              value: verify-full
+            - name: PGSSLROOTCERT
+              value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
             - name: LLAMA_STACK_LOGGING
               value: all=debug
             - name: OGX_LOGGING
diff --git a/test/kuttl/tests/update-openstacklightspeed/08-assert-openstacklightspeed-update.yaml b/test/kuttl/tests/update-openstacklightspeed/08-assert-openstacklightspeed-update.yaml
@@ -106,6 +106,10 @@ spec:
                 secretKeyRef:
                   key: password
                   name: lightspeed-postgres-secret
+            - name: PGSSLMODE
+              value: verify-full
+            - name: PGSSLROOTCERT
+              value: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
             - name: LLAMA_STACK_LOGGING
               value: core=debug,providers=info
             - name: OGX_LOGGING
