feat(charts)!: Update Helm release postgresql to 15.5.38 - autoclosed #2437

renovate · 2024-03-18T18:29:31Z

This PR contains the following updates:

Package	Update	Change
postgresql (source)	major	`11.9.8` -> `15.5.38`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

bitnami/charts (postgresql)

`v15.5.38`

[bitnami/postgresql] Release 15.5.38 (#29681)

`v15.5.37`

[bitnami/postgresql] Release 15.5.37 (#29660)

`v15.5.36`

[bitnami/postgresql] Release 15.5.36 (#29640) (074e377), closes #29640

`v15.5.35`

[bitnami/postgresql] Release 15.5.35 (#29610) (1f3717a), closes #29610

`v15.5.34`

[bitnami/postgresql] Release 15.5.34 (#29580) (1450838), closes #29580

`v15.5.33`

[bitnami/postgresql] Release 15.5.33 (#29579) (e081955), closes #29579

`v15.5.32`

[bitnami/postgresql] test: ✅ Improve reliability of ginkgo tests (#29472) (c43177e), closes #29472

`v15.5.31`

[bitnami/postgresql] Release 15.5.31 (#29404) (baf9a0f), closes #29404

`v15.5.30`

[bitnami/postgresql] collect metrics as postgres user (#29201) (7240870), closes #29201

`v15.5.29`

[bitnami/postgresql] Release 15.5.29 (#29330) (3c161f7), closes #29330

`v15.5.28`

[bitnami/postgresql] Release 15.5.28 (#29206) (2b42eb7), closes #29206

`v15.5.27`

[bitnami/postgresql] Release 15.5.27 (#29122) (08dfd32), closes #29122

`v15.5.26`

[bitnami/postgresql] Release 15.5.26 (#29040) (fd112fb), closes #29040

`v15.5.25`

[bitnami/postgresql] Release 15.5.25 (#29037) (8267ba0), closes #29037

`v15.5.24`

[bitnami/postgresql] eval. certificatesSecret as template (#28831) (05c09db), closes #28831

`v15.5.23`

[bitnami/postgresql] Release 15.5.23 (#28922) (d60e431), closes #28922

`v15.5.22`

[bitnami/postgresql] Release 15.5.22 (#28905) (9666e6a), closes #28905

`v15.5.21`

[bitnami/postgresql] Release 15.5.21 (#28800) (da5f1c5), closes #28800

`v15.5.20`

[bitnami/postgresql] Release 15.5.20 (#28489)

`v15.5.19`

[bitnami/postgresql] Release 15.5.19 (#28352) (59696e9), closes #28352

`v15.5.18`

[bitnami/postgresql] Release 15.5.18 (#28221) (8976498), closes #28221

`v15.5.17`

[bitnami/postgresql] Global StorageClass as default value (#28082) (6267bb7), closes #28082

`v15.5.16`

[bitnami/postgresql] Move comments inside conditionals (#27627) (7d3b0f0), closes #27627

`v15.5.15`

Postgres exporter URI fix (#27734) (d8d0dfe), closes #27734

`v15.5.14`

[bitnami/postgresql] Release 15.5.14 (#27819) (a4baae5), closes #27819

`v15.5.13`

[bitnami/postgresql] Release 15.5.13 (#27733) (e51f4a8), closes #27733

`v15.5.12`

postgres exporter monitor all databases (#27586) (4feb56d), closes #27586

`v15.5.11`

[bitnami/postgresql] Release 15.5.11 (#27548)

`v15.5.10`

[bitnami/postgresql] Release 15.5.10 (#27521) (59f0aa2), closes #27521

`v15.5.9`

[bitnami/postgresql] Remove deprecated (and removed) annotation (#27463) (2907ba0), closes #27463

`v15.5.8`

[bitnami/postgresql] Add pre-init scripts (#26467) (0cdafb8), closes #26467

`v15.5.7`

[bitnami/postgresql] Release 15.5.7 (#27401) (2fff79d), closes #27401

`v15.5.6`

[bitnami/postgresql] Release 15.5.6 (#27293) (d36be80), closes #27293

`v15.5.5`

[bitnami/postgresql] Release 15.5.5 (#27096) (c84850a), closes #27096

`v15.5.4`

[bitnami/postgresql] Release 15.5.4 (#27006) (613a7a4), closes #27006

`v15.5.3`

[bitnami/postgresql] Release 15.5.3 (#26914) (f7df496), closes #26914

`v15.5.1`

[bitnami/postgresql] Release 15.5.1 (#26546) (99f0841), closes #26546

`v15.5.0`

[bitnami/postgresql] Enable PodDisruptionBudgets (#26530) (c6b2f1c), closes #26530

`v15.4.2`

[bitnami/postgresql] Release 15.4.2 (#26475) (748b515), closes #26475

`v15.4.1`

[bitnami/postgresql] Release 15.4.1 (#26451) (8852396), closes #26451

`v15.4.0`

[bitnami/postgresql] feat: ✨ 🔒 Add warning when original images are replaced (#26264)

`v15.3.5`

[bitnami/postgresql] Release 15.3.5 updating components versions (#26147) (0bafcd7), closes #26147

`v15.3.4`

[bitnami/postgresql] Release 15.3.4 updating components versions (#26142) (231e25b), closes #26142

`v15.3.3`

[bitnami/postgresql] Release 15.3.3 updating components versions (#26066) (21f932c), closes #26066

`v15.3.2`

[bitnami/postgresql] Release 15.3.2 updating components versions (#25812) (3f7c2cb), closes #25812

`v15.3.1`

[bitnami/postgresql] Release 15.3.1 updating components versions (#25723) (031d2cf), closes #25723

`v15.3.0`

[bitnami/postgresql] Allow loadBalancerClass to be customized (#25569) (e6fecf9), closes #25569

`v15.2.13`

[bitnami/postgresql] Allow backup pod to use DNS (#25534) (960550a), closes #25534

`v15.2.12`

[bitnami/postgresql] Release 15.2.12 updating components versions (#25678) (0fd1557), closes #25678

`v15.2.11`

[bitnami/postgresql] Release 15.2.11 updating components versions (#25672) (9b809c6), closes #25672

`v15.2.10`

[bitnami/*] Change non-root and rolling-tags doc URLs (#25628) (b067c94), closes #25628
[bitnami/*] Set new header/owner (#25558) (8d1dc11), closes #25558
[bitnami/postgresql] add backup.cronjob.tolerations options (#25664) (4a798ec), closes #25664

`v15.2.9`

[bitnami/postgresql] Remove unicode characters (#25546) (219d22f), closes #25546

`v15.2.8`

[bitnami/postgresql] Release 15.2.8 updating components versions (#25484) (d3084fc), closes #25484

`v15.2.7`

[bitnami/postgresql] Release 15.2.7 updating components versions (#25391) (0db34f6), closes #25391

`v15.2.6`

[bitnami/multiple charts] Fix typo: "NetworkPolice" vs "NetworkPolicy" (#25348) (6970c1b), closes #25348
[bitnami/postgresql] Remove RW emptyDir for postgresql logs (#25206) (8bae0c5), closes #25206
Replace VMware by Broadcom copyright text (#25306) (a5e4bd0), closes #25306

`v15.2.5`

[bitnami/postgresql] Release 15.2.5 updating components versions (#25099) (eba61bd), closes #25099

`v15.2.4`

[bitnami/postgresql] Release 15.2.4 updating components versions (#24972) (62e4683), closes #24972

`v15.2.3`

[bitnami/postgresql] Release 15.2.3 (#24924) (1f68239), closes #24924
Update resourcesPreset comments (#24467) (92e3e8a), closes #24467

`v15.2.2`

[bitnami/postgresql] Release 15.2.2 updating components versions (#24840) (34f94f3), closes #24840

`v15.2.1`

[bitnami/postgresql] Allow backup pod to use DNS (#25534) (960550a), closes #25534

`v15.2.0`

[bitnami/postgresql] Allow customizing primary persistence volume/claim (#24625) (79b5845), closes #24625

`v15.1.4`

[bitnami/postgresql] Release 15.1.4 updating components versions (#24641) (9fea6e0), closes #24641

`v15.1.3`

[bitnami/postgresql] Release 15.1.3 updating components versions (#24640) (a318638), closes #24640

`v15.1.2`

[bitnami/postgresql] feat: add parameter backup.cronjob.storage.existingVolume (#23979) (0a3ebd5), closes #23979
[bitnami/postgresql] fixing tls for cronjobs (#24468) (5e7f4e1), closes #24468

`v15.1.1`

[bitnami/postgres] don't include backup netpol when backup aren't enabled (#24572) (10584d1), closes #24572

`v15.1.0`

[bitnami/postgresql] Add a NetworkPolicy to allow backup pods to access primary nodes (#24363) (dc93455), closes #24363

`v15.0.0`

[bitnami/*] Reorder Chart sections (#24455) (0cf4048), closes #24455
[bitnami/postgresql] feat!: 🔒 💥 Improve security defaults (#24171) (3911a57), closes #24171

`v14.3.3`

[bitnami/postgresql] Release 14.3.3 updating components versions (#24358) (239ba28), closes #24358

`v14.3.2`

[bitnami/postgresql] Fix TLS by removing faulty white trimming in cronjob.yaml (#24239) (1a67326), closes #24239
[bitnami/postgresql] Release 14.3.2 updating components versions (#24357) (17bcbcb), closes #24357

`v14.3.1`

[bitnami/postgresql] Release 14.3.1 updating components versions (#24237) (33b8e70), closes #24237

`v14.3.0`

[bitnami/postgresql] postgresql backup container adds resources parameter (#23955) (8da2a95), closes #23955
[bitnami/postgresql] feat: ✨ 🔒 Add automatic adaptation for Openshift restricted-v2 SC (1a2217f), closes #24141

`v14.2.4`

[bitnami/postgresql] Set allowExternalEgress=true by default (#24036) (cfa4d49), closes #24036

`v14.2.3`

Add missing version, kind to volumeClaimTemplates (#23862) (50b25b8), closes #23862

`v14.2.2`

[bitnami/postgresql] Release 14.2.2 updating components versions (#23820) (2da202b), closes #23820

`v14.2.1`

[bitnami/postgresql] feat: ✨ 🔒 Add readOnlyRootFilesystem support (#23565) (d96a96f), closes #23565
[bitnami/postgresql] Release 14.2.1 updating components versions (#23682) (60d8d72), closes #23682

`v14.1.3`

[bitnami/postgresql] Release 14.1.3 updating components versions (#23587) (0c94e7a), closes #23587

`v14.1.2`

[bitnami/postgresql] Release 14.1.2 updating components versions (#23585) (0f5b808), closes #23585

`v14.1.1`

[bitnami/postgresql] Do not create a NetworkPolicy for "read" instance when "standalone" (#23392) (7ef876c), closes #23392

`v14.1.0`

[bitnami/postgresql] feat: ✨ 🔒 Add resource preset support (#23509) (0c94e15), closes #23509

`v14.0.5`

[bitnami/postgresql] fix: 🐛 Set correct references in network policy (#23328) (e8c2230), closes #23328

`v14.0.4`

[bitnami/postgresql] Release 14.0.4 updating components versions (#23354) (81e3d65), closes #23354

`v14.0.3`

[bitnami/postgresql] Release 14.0.3 updating components versions (#23350) (60ea843), closes #23350

`v14.0.2`

[bitnami/postgresql] Release 14.0.2 updating components versions (#23333) (7f5a8e6), closes #23333

`v14.0.1`

[bitnami/postgresql] Release 14.0.1 updating components versions (#23129) (e81bc0c), closes #23129

`v14.0.0`

[bitnami/postgresql] feat!: 🔒 ♻️ Refactor and enable networkPolicy (#22750) (2508c4b), closes #22750

`v13.4.4`

[bitnami/postgresql] Release 13.4.4 updating components versions (#23002) (a87898d), closes #23002

`v13.4.3`

[bitnami/postgresql] Release 13.4.3 updating components versions (#22811) (fdc3ad4), closes #22811

`v13.4.2`

[bitnami/*] Move documentation sections from docs.bitnami.com back to the README (#22203) (7564f36), closes #22203
[bitnami/postgresql] fix: 🐛 Set seLinuxOptions to null for Openshift compatibility (#22646) (b119bec), closes #22646
[bitnami/postgresql] Release 13.4.2 updating components versions (#22785) (6682e9c), closes #22785

`v13.4.1`

[bitnami/postgresql] Release 13.4.1 updating components versions (#22677) (0bb8b48), closes #22677

`v13.4.0`

[bitnami/postgresql] fix: 🔒 Move service-account token auto-mount to pod declaration (#22450) (002c752), closes #22450

`v13.3.1`

[bitnami/postgresql] Release 13.3.1 updating components versions (#22359) (361f7ab), closes #22359

`v13.3.0`

[bitnami/postgresql] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essent (fe72f51), closes #22177

`v13.2.30`

[bitnami/*] Fix ref links (in comments) (#21822) (e4fa296), closes #21822
[bitnami/postgresql] fix: 🔒 Do not use the default service account (#22026) (1b20745), closes #22026

`v13.2.29`

[bitnami/*] Fix docs.bitnami.com broken links (#21901) (f35506d), closes #21901
[bitnami/postgresql] Release 13.2.29 updating components versions (#21970) (dcfb216), closes #21970
fixed backup with autogenerated cert (#21888) (2d25138), closes #21888

`v13.2.28`

[bitnami/*] Update copyright: Year and company (#21815) (6c4bf75), closes #21815
[bitnami/postgresql] Release 13.2.28 updating components versions (#21902) (d0f6b90), closes #21902

`v13.2.27`

[bitnami/postgresql] Release 13.2.27 updating components versions (#21795) (26711f8), closes #21795

`v13.2.26`

[bitnami/postgresql] Release 13.2.26 updating components versions (#21774) (0f0f93b), closes #21774

`v13.2.25`

[bitnami/postgresql] Release 13.2.25 updating components versions (#21710) (813da6b), closes #21710

`v13.2.24`

[bitnami/postgresql] Replace deprecated pull secret partial (#21392) (cee371d), closes #21392

`v13.2.23`

[bitnami/postgresql] Release 13.2.23 updating components versions (#21336) (c3dc56f), closes #21336

`v13.2.22`

[bitnami/postgresql] Release 13.2.22 updating components versions (#21335) (f759303), closes #21335

`v13.2.21`

[bitnami/postgresql] Release 13.2.21 updating components versions (#21276) (46a4f54), closes #21276

`v13.2.20`

[bitnami/postgresql] Release 13.2.20 updating components versions (#21272) (6de0ade), closes #21272

`v13.2.19`

[bitnami/postgresql] Fix PostgreSQL password in metrics container (#21202) (a7b72aa), closes #21202

`v13.2.18`

[bitnami/postgresql] Release 13.2.18 updating components versions (#21256) (f4a4548), closes #21256

`v13.2.17`

[bitnami/postgresql] Release 13.2.17 updating components versions (#21255) (e395fd8), closes #21255

`v13.2.16`

[bitnami/postgresql] value to configure posgres_exporter collectors (#21162) (0ba581c), closes #21162
Update configmap.yaml (#21020) (b91e518), closes #21020

`v13.2.15`

[bitnami/*] Rename solutions to "Bitnami package for ..." (#21038) (b82f979), closes #21038
[bitnami/postgresql] Release 13.2.15 updating components versions (#21160) (e6ec2c2), closes #21160

`v13.2.14`

[bitnami/postgresql] Release 13.2.14 updating components versions (#21068) (576be48), closes #21068

`v13.2.13`

[bitnami/postgresql] Release 13.2.13 updating components versions (#21066) (54a372f), closes #21066

`v13.2.12`

[bitnami/postgresql] Release 13.2.12 updating components versions (#21057) (0cffbfe), closes #21057

`v13.2.11`

[bitnami/postgresql] Release 13.2.11 updating components versions (#21044) (17e4ada), closes #21044

`v13.2.10`

[bitnami/*] Remove relative links to non-README sections, add verification for that and update TL;DR (1103633), closes #20967
[bitnami/postgresql] Release 13.2.10 updating components versions (#21039) (2b176c0), closes #21039

`v13.2.9`

[bitnami/postgresql] Release 13.2.9 updating components versions (#20930) (02dc5ff), closes #20930

`v13.2.8`

[bitnami/postgresql] Release 13.2.8 updating components versions (#20929) (129cbf1), closes #20929

`v13.2.7`

[bitnami/postgresql] Release 13.2.7 updating components versions (#20918) (860eb62), closes #20918

`v13.2.6`

[bitnami/postgresql] Release 13.2.6 updating components versions (#20908) (a942587), closes #20908

`v13.2.5`

[bitnami/postgresql] Release 13.2.5 updating components versions (#20889) (ca3f6a7), closes #20889

`v13.2.4`

[bitnami/postgresql] Release 13.2.4 updating components versions (#20876) (435c8af), closes #20876

`v13.2.3`

[bitnami/*] Fix ref links (in comments) (#21822) (e4fa296), closes #21822
[bitnami/postgresql] fix: 🔒 Do not use the default service account (#22026) (1b20745), closes #22026

`v13.2.2`

[bitnami/*] Fix docs.bitnami.com broken links (#21901) (f35506d), closes #21901
[bitnami/postgresql] Release 13.2.29 updating components versions (#21970) (dcfb216), closes #21970
fixed backup with autogenerated cert (#21888) (2d25138), closes #21888

`v13.2.1`

[bitnami/postgresql] Fix PostgreSQL password in metrics container (#21202) (a7b72aa), closes #21202

`v13.2.0`

[bitnami/*] Rename VMware Application Catalog (#20361) (3acc734), closes #20361
[bitnami/*] Skip image's tag in the README files of the Bitnami Charts (#19841) (bb9a01b), closes #19841
[bitnami/*] Standardize documentation (#19835) (af5f753), closes [#19835](https://redirect.github.c

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2024-03-18T18:29:58Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.0.0

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "Z0lOSmM4SWNwVA=="
+  postgres-password: "UTBSWDh3TUlWTw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-03-20T12:05:41Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.1.0

@@ -1,3 +1,66 @@
+# Source: postgresql/templates/backup/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql-pgdumpall
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: pg_dumpall
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: pg_dumpall
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 5432
+          protocol: TCP
+---
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +68,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "c3hoc1Y4U3NwTg=="
+  postgres-password: "Vk9SNkpXYTloMA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +84,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +99,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +110,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +132,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +156,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +167,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +179,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +197,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +206,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +248,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +312,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +385,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +422,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-03-21T11:04:01Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.1.1

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "c1lyMEh2elVkUg=="
+  postgres-password: "enl5MzZ1N2lSUw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-03-21T13:04:36Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.1.2

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "cElHRjZtbHQ1Yg=="
+  postgres-password: "bHZ2cTZjVFZEdg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-03-25T08:17:47Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.1.4

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "SWVSUFp5bTBZVA=="
+  postgres-password: "RE5zNGx1T0o2Ug=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-04-01T10:18:25Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.2.0

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "eFdoQnBOM2x4eg=="
+  postgres-password: "c2pIM1hOdnh0bg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-04-02T13:37:43Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.2.1

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "dVRlWUx4dHo4bQ=="
+  postgres-password: "SkZLS043MFFmbA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-04-02T22:36:08Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.2.2

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "Tm5BSVo3clk1Zg=="
+  postgres-password: "MFY0NDdnMGFrSw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r15
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-04-05T04:02:23Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.2.3

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "TzJHY1ZVdmVZMQ=="
+  postgres-password: "MDJObUhGMVh6aw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r16
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-04-07T05:43:18Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.2.4

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "eUprYlJsdWt0TA=="
+  postgres-password: "OHgzR2FNZXM0Vg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r16
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-09-13T16:34:34Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.30

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "R3F5N2hmS1l5OQ=="
+  postgres-password: "dzZSNkdlYmxBYw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r43
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-09-13T23:00:30Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.31

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "UVN5cXltcXJ3Rg=="
+  postgres-password: "Nk1MNHNpSmxXUA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r43
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-09-17T16:03:30Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.32

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "WkdaalRjbXZ1bg=="
+  postgres-password: "SmJENm5BOHBBMQ=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r43
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-09-23T16:24:09Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.33

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "c1lWSUtwT3Naeg=="
+  postgres-password: "OWJhTU40NG8zTA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r43
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-09-23T18:51:26Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.34

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "dEI2ZjZWeHlYaw=="
+  postgres-password: "WlNkeTA0c2htUA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r43
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-09-26T08:14:55Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.35

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "ODYwVVdFSG1JWA=="
+  postgres-password: "Z05pc3FEU0xveQ=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r43
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-09-27T00:11:37Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.36

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "cWtVUlJGMXZrVg=="
+  postgres-password: "SW9DNFFLTkpHVw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r43
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-09-30T09:53:32Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.37

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "Wm9kQURnZTJSNA=="
+  postgres-password: "M0NGYXpHbmxsRw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r43
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

Signed-off-by: Danny Froberg <[email protected]>

github-actions · 2024-10-01T18:38:08Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.38

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "OGNweDg2R0NJTA=="
+  postgres-password: "YlpQdGs5Q205bA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r43
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

renovate bot requested a review from dfroberg as a code owner March 18, 2024 18:29

renovate bot added the renovate/helm label Mar 18, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 2fabaa8 to c476421 Compare March 20, 2024 12:05

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.0.0~~ feat(charts)!: Update Helm release postgresql to 15.1.0 Mar 20, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from c476421 to 2eeaa29 Compare March 21, 2024 11:03

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.1.0~~ feat(charts)!: Update Helm release postgresql to 15.1.1 Mar 21, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 2eeaa29 to db76b43 Compare March 21, 2024 13:04

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.1.1~~ feat(charts)!: Update Helm release postgresql to 15.1.2 Mar 21, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from db76b43 to b13d384 Compare March 25, 2024 08:17

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.1.2~~ feat(charts)!: Update Helm release postgresql to 15.1.4 Mar 25, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from b13d384 to a2238a0 Compare April 1, 2024 10:17

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.1.4~~ feat(charts)!: Update Helm release postgresql to 15.2.0 Apr 1, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from a2238a0 to 9b5bdc4 Compare April 2, 2024 13:37

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.2.0~~ feat(charts)!: Update Helm release postgresql to 15.2.1 Apr 2, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 9b5bdc4 to e87036b Compare April 2, 2024 22:35

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.2.1~~ feat(charts)!: Update Helm release postgresql to 15.2.2 Apr 2, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from e87036b to e3f62e7 Compare April 5, 2024 04:01

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.2.2~~ feat(charts)!: Update Helm release postgresql to 15.2.3 Apr 5, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from e3f62e7 to 5a206ef Compare April 7, 2024 05:42

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.2.3~~ feat(charts)!: Update Helm release postgresql to 15.2.4 Apr 7, 2024

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.29~~ feat(charts)!: Update Helm release postgresql to 15.5.30 Sep 13, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 29086a1 to ac30743 Compare September 13, 2024 22:59

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.30~~ feat(charts)!: Update Helm release postgresql to 15.5.31 Sep 13, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from ac30743 to a67bbf4 Compare September 17, 2024 16:02

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.31~~ feat(charts)!: Update Helm release postgresql to 15.5.32 Sep 17, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from a67bbf4 to d1f4ae4 Compare September 23, 2024 16:23

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.32~~ feat(charts)!: Update Helm release postgresql to 15.5.33 Sep 23, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from d1f4ae4 to deb616a Compare September 23, 2024 18:50

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.33~~ feat(charts)!: Update Helm release postgresql to 15.5.34 Sep 23, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from deb616a to 6f69629 Compare September 26, 2024 08:14

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.34~~ feat(charts)!: Update Helm release postgresql to 15.5.35 Sep 26, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 6f69629 to 1569fd2 Compare September 27, 2024 00:10

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.35~~ feat(charts)!: Update Helm release postgresql to 15.5.36 Sep 27, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 1569fd2 to 4ee8775 Compare September 30, 2024 09:52

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.36~~ feat(charts)!: Update Helm release postgresql to 15.5.37 Sep 30, 2024

feat(charts)!: Update Helm release postgresql to 15.5.38

a91faa2

Signed-off-by: Danny Froberg <[email protected]>

renovate bot force-pushed the renovate/postgresql-15.x branch from 4ee8775 to a91faa2 Compare October 1, 2024 18:37

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.37~~ feat(charts)!: Update Helm release postgresql to 15.5.38 Oct 1, 2024

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.38~~ feat(charts)!: Update Helm release postgresql to 15.5.38 - autoclosed Oct 3, 2024

renovate bot closed this Oct 3, 2024

renovate bot deleted the renovate/postgresql-15.x branch October 3, 2024 05:51

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(charts)!: Update Helm release postgresql to 15.5.38 - autoclosed #2437

feat(charts)!: Update Helm release postgresql to 15.5.38 - autoclosed #2437

renovate bot commented Mar 18, 2024 •

edited

Loading

github-actions bot commented Mar 18, 2024

github-actions bot commented Mar 20, 2024

github-actions bot commented Mar 21, 2024

github-actions bot commented Mar 21, 2024

github-actions bot commented Mar 25, 2024

github-actions bot commented Apr 1, 2024

github-actions bot commented Apr 2, 2024

github-actions bot commented Apr 2, 2024

github-actions bot commented Apr 5, 2024

github-actions bot commented Apr 7, 2024

github-actions bot commented Sep 13, 2024

github-actions bot commented Sep 13, 2024

github-actions bot commented Sep 17, 2024

github-actions bot commented Sep 23, 2024

github-actions bot commented Sep 23, 2024

github-actions bot commented Sep 26, 2024

github-actions bot commented Sep 27, 2024

github-actions bot commented Sep 30, 2024

github-actions bot commented Oct 1, 2024

feat(charts)!: Update Helm release postgresql to 15.5.38 - autoclosed #2437

feat(charts)!: Update Helm release postgresql to 15.5.38 - autoclosed #2437

Conversation

renovate bot commented Mar 18, 2024 • edited Loading

Release Notes

Configuration

github-actions bot commented Mar 18, 2024

github-actions bot commented Mar 20, 2024

github-actions bot commented Mar 21, 2024

github-actions bot commented Mar 21, 2024

github-actions bot commented Mar 25, 2024

github-actions bot commented Apr 1, 2024

github-actions bot commented Apr 2, 2024

github-actions bot commented Apr 2, 2024

github-actions bot commented Apr 5, 2024

github-actions bot commented Apr 7, 2024

github-actions bot commented Sep 13, 2024

github-actions bot commented Sep 13, 2024

github-actions bot commented Sep 17, 2024

github-actions bot commented Sep 23, 2024

github-actions bot commented Sep 23, 2024

github-actions bot commented Sep 26, 2024

renovate bot commented Mar 18, 2024 •

edited

Loading