[bitnami/postgresql] Fix issues when using enablePostgresUser=false (#17398)
* [bitnami/postgresql] Fix issues when using enablePostgresUser=false Signed-off-by: Miguel Ruiz <miruiz@vmware.com> * Helm dep update Signed-off-by: Miguel Ruiz <miruiz@vmware.com> * Update Notes.txt Signed-off-by: Miguel Ruiz <miruiz@vmware.com> * [bitnami/postgresql] Update custom database environment variable to ensure it is created Signed-off-by: Gonzalo Gomez Gracia <gonzalog@vmware.com> * [bitnami/postgresql] Set postgres password when customUser not postgres and enablePostgresUser Signed-off-by: Gonzalo Gomez Gracia <gonzalog@vmware.com> * [bitnami/postgresql] Restore POSTGRES_ variables Signed-off-by: Gonzalo Gomez Gracia <gonzalog@vmware.com> --------- Signed-off-by: Miguel Ruiz <miruiz@vmware.com> Signed-off-by: Gonzalo Gomez Gracia <gonzalog@vmware.com> Co-authored-by: Gonzalo Gomez Gracia <gonzalog@vmware.com>
@@ -1,6 +1,6 @@
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.4.0
|
||||
digest: sha256:8c1a5dc923412d11d4d841420494b499cb707305c8b9f87f45ea1a8bf3172cb3
|
||||
generated: "2023-05-21T19:47:56.903329844Z"
|
||||
version: 2.5.0
|
||||
digest: sha256:79f3252b369ae10fe4c84a50441c7d2e014130b3a4b9b99b299611b02db3d58e
|
||||
generated: "2023-06-30T16:15:11.613863+02:00"
|
||||
|
||||
@@ -28,4 +28,4 @@ maintainers:
|
||||
name: postgresql
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql
|
||||
version: 12.6.0
|
||||
version: 12.6.1
|
||||
|
||||
@@ -468,7 +468,7 @@ helm install my-release \
|
||||
The above command sets the PostgreSQL `postgres` account password to `secretpassword`.
|
||||
|
||||
> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
|
||||
> **Warning** Setting a password will be ignored on new installation in case when previous Posgresql release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details
|
||||
> **Warning** Setting a password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details
|
||||
|
||||
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
|
||||
|
||||
@@ -682,4 +682,4 @@ Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
limitations under the License.
|
||||
|
||||
@@ -24,6 +24,14 @@ In order to replicate the container startup scripts execute this command:
|
||||
|
||||
{{- else }}
|
||||
|
||||
{{- $customUser := include "postgresql.username" . }}
|
||||
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary .Values.auth.postgresPassword .Values.auth.password (eq $customUser "postgres")) "context" $) -}}
|
||||
{{- $authEnabled := and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres"))) }}
|
||||
{{- if not $authEnabled }}
|
||||
|
||||
WARNING: PostgreSQL has been configured without authentication, this is not recommended for production environments.
|
||||
{{- end }}
|
||||
|
||||
PostgreSQL can be accessed via port {{ include "postgresql.service.port" . }} on the following DNS names from within your cluster:
|
||||
|
||||
{{ include "postgresql.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection
|
||||
@@ -34,29 +42,36 @@ PostgreSQL can be accessed via port {{ include "postgresql.service.port" . }} on
|
||||
|
||||
{{- end }}
|
||||
|
||||
{{- $customUser := include "postgresql.username" . }}
|
||||
{{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }}
|
||||
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
|
||||
To get the password for "postgres" run:
|
||||
|
||||
export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{include "postgresql.adminPasswordKey" .}}}" | base64 -d)
|
||||
{{- end }}
|
||||
|
||||
To get the password for "{{ $customUser }}" run:
|
||||
|
||||
export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{include "postgresql.userPasswordKey" .}}}" | base64 -d)
|
||||
|
||||
{{- else }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
|
||||
To get the password for "{{ default "postgres" $customUser }}" run:
|
||||
|
||||
export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{ ternary "password" (include "postgresql.adminPasswordKey" .) (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d)
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
To connect to your database run the following command:
|
||||
{{- if $authEnabled }}
|
||||
|
||||
kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \
|
||||
--command -- psql --host {{ include "postgresql.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }}
|
||||
{{- else }}
|
||||
|
||||
kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.image" . }} \
|
||||
--command -- psql --host {{ include "postgresql.primary.fullname" . }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }}
|
||||
{{- end }}
|
||||
|
||||
> NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist"
|
||||
|
||||
@@ -66,25 +81,34 @@ To connect to your database from outside the cluster execute the following comma
|
||||
|
||||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.primary.fullname" . }})
|
||||
{{- if $authEnabled }}
|
||||
PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }}
|
||||
|
||||
{{- else }}
|
||||
psql --host $NODE_IP --port $NODE_PORT -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }}
|
||||
{{- end }}
|
||||
{{- else if contains "LoadBalancer" .Values.primary.service.type }}
|
||||
|
||||
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.primary.fullname" . }}'
|
||||
|
||||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
|
||||
{{- if $authEnabled }}
|
||||
PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }}
|
||||
|
||||
{{- else }}
|
||||
psql --host $SERVICE_IP --port {{ include "postgresql.service.port" . }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }}
|
||||
{{- end }}
|
||||
{{- else if contains "ClusterIP" .Values.primary.service.type }}
|
||||
|
||||
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.primary.fullname" . }} {{ include "postgresql.service.port" . }}:{{ include "postgresql.service.port" . }} &
|
||||
{{- if $authEnabled }}
|
||||
PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }}
|
||||
|
||||
{{- else }}
|
||||
psql --host 127.0.0.1 -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
WARNING: The configured password will be ignored on new installation in case when previous Posgresql release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue.
|
||||
WARNING: The configured password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue.
|
||||
|
||||
{{- include "postgresql.validateValues" . -}}
|
||||
{{- include "common.warnings.rollingTag" .Values.image -}}
|
||||
|
||||
@@ -10,7 +10,7 @@ Create a default fully qualified app name for PostgreSQL Primary objects
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "postgresql.primary.fullname" -}}
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
{{- if eq .Values.architecture "replication" -}}
|
||||
{{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- include "common.names.fullname" . -}}
|
||||
@@ -30,7 +30,7 @@ Create the default FQDN for PostgreSQL primary headless service
|
||||
We truncate at 63 chars because of the DNS naming spec.
|
||||
*/}}
|
||||
{{- define "postgresql.primary.svc.headless" -}}
|
||||
{{- printf "%s-hl" (include "postgresql.primary.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
{{- printf "%s-hl" (include "postgresql.primary.fullname" .) | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
@@ -38,7 +38,7 @@ Create the default FQDN for PostgreSQL read-only replicas headless service
|
||||
We truncate at 63 chars because of the DNS naming spec.
|
||||
*/}}
|
||||
{{- define "postgresql.readReplica.svc.headless" -}}
|
||||
{{- printf "%s-hl" (include "postgresql.readReplica.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
{{- printf "%s-hl" (include "postgresql.readReplica.fullname" .) | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
@@ -73,7 +73,7 @@ Return the proper Docker Image Registry Secret Names
|
||||
Return the name for a custom user to create
|
||||
*/}}
|
||||
{{- define "postgresql.username" -}}
|
||||
{{- if .Values.global.postgresql.auth.username }}
|
||||
{{- if .Values.global.postgresql.auth.username -}}
|
||||
{{- .Values.global.postgresql.auth.username -}}
|
||||
{{- else -}}
|
||||
{{- .Values.auth.username -}}
|
||||
@@ -84,7 +84,7 @@ Return the name for a custom user to create
|
||||
Return the name for a custom database to create
|
||||
*/}}
|
||||
{{- define "postgresql.database" -}}
|
||||
{{- if .Values.global.postgresql.auth.database }}
|
||||
{{- if .Values.global.postgresql.auth.database -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.database $) -}}
|
||||
{{- else if .Values.auth.database -}}
|
||||
{{- printf "%s" (tpl .Values.auth.database $) -}}
|
||||
@@ -95,7 +95,7 @@ Return the name for a custom database to create
|
||||
Get the password secret.
|
||||
*/}}
|
||||
{{- define "postgresql.secretName" -}}
|
||||
{{- if .Values.global.postgresql.auth.existingSecret }}
|
||||
{{- if .Values.global.postgresql.auth.existingSecret -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}}
|
||||
{{- else if .Values.auth.existingSecret -}}
|
||||
{{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
|
||||
@@ -108,8 +108,8 @@ Get the password secret.
|
||||
Get the replication-password key.
|
||||
*/}}
|
||||
{{- define "postgresql.replicationPasswordKey" -}}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey }}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}}
|
||||
{{- else if .Values.auth.secretKeys.replicationPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}}
|
||||
@@ -125,8 +125,8 @@ Get the replication-password key.
|
||||
Get the admin-password key.
|
||||
*/}}
|
||||
{{- define "postgresql.adminPasswordKey" -}}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey }}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}}
|
||||
{{- else if .Values.auth.secretKeys.adminPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}}
|
||||
@@ -140,18 +140,18 @@ Get the admin-password key.
|
||||
Get the user-password key.
|
||||
*/}}
|
||||
{{- define "postgresql.userPasswordKey" -}}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }}
|
||||
{{- if or (empty (include "postgresql.username" .)) (eq (include "postgresql.username" .) "postgres") }}
|
||||
{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}}
|
||||
{{- if or (empty (include "postgresql.username" .)) (eq (include "postgresql.username" .) "postgres") -}}
|
||||
{{- printf "%s" (include "postgresql.adminPasswordKey" .) -}}
|
||||
{{- else -}}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey }}
|
||||
{{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}}
|
||||
{{- else if .Values.auth.secretKeys.userPasswordKey -}}
|
||||
{{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- ternary "password" "postgres-password" (and (not (empty (include "postgresql.username" .))) (ne (include "postgresql.username" .) "postgres")) -}}
|
||||
{{- "password" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
@@ -159,7 +159,10 @@ Get the user-password key.
|
||||
Return true if a secret object should be created
|
||||
*/}}
|
||||
{{- define "postgresql.createSecret" -}}
|
||||
{{- if and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (.Values.auth.enablePostgresUser) -}}
|
||||
{{- $customUser := include "postgresql.username" . -}}
|
||||
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary .Values.auth.postgresPassword .Values.auth.password (eq $customUser "postgres")) "context" $) -}}
|
||||
{{- if and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret))
|
||||
(or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres")) (eq .Values.architecture "replication") (and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw))) -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
@@ -168,7 +171,7 @@ Return true if a secret object should be created
|
||||
Return PostgreSQL service port
|
||||
*/}}
|
||||
{{- define "postgresql.service.port" -}}
|
||||
{{- if .Values.global.postgresql.service.ports.postgresql }}
|
||||
{{- if .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- else -}}
|
||||
{{- .Values.primary.service.ports.postgresql -}}
|
||||
@@ -179,7 +182,7 @@ Return PostgreSQL service port
|
||||
Return PostgreSQL service port
|
||||
*/}}
|
||||
{{- define "postgresql.readReplica.service.port" -}}
|
||||
{{- if .Values.global.postgresql.service.ports.postgresql }}
|
||||
{{- if .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- .Values.global.postgresql.service.ports.postgresql -}}
|
||||
{{- else -}}
|
||||
{{- .Values.readReplicas.service.ports.postgresql -}}
|
||||
@@ -201,7 +204,7 @@ Get the PostgreSQL primary configuration ConfigMap name.
|
||||
Return true if a configmap object should be created for PostgreSQL primary with the configuration
|
||||
*/}}
|
||||
{{- define "postgresql.primary.createConfigmap" -}}
|
||||
{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) }}
|
||||
{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) -}}
|
||||
{{- true -}}
|
||||
{{- else -}}
|
||||
{{- end -}}
|
||||
@@ -229,7 +232,7 @@ Get the PostgreSQL read replica extended configuration ConfigMap name.
|
||||
Return true if a configmap object should be created for PostgreSQL primary with the extended configuration
|
||||
*/}}
|
||||
{{- define "postgresql.primary.createExtendedConfigmap" -}}
|
||||
{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) }}
|
||||
{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) -}}
|
||||
{{- true -}}
|
||||
{{- else -}}
|
||||
{{- end -}}
|
||||
@@ -239,7 +242,7 @@ Return true if a configmap object should be created for PostgreSQL primary with
|
||||
Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration
|
||||
*/}}
|
||||
{{- define "postgresql.readReplicas.createExtendedConfigmap" -}}
|
||||
{{- if .Values.readReplicas.extendedConfiguration }}
|
||||
{{- if .Values.readReplicas.extendedConfiguration -}}
|
||||
{{- true -}}
|
||||
{{- else -}}
|
||||
{{- end -}}
|
||||
@@ -260,7 +263,7 @@ Return true if a configmap object should be created for PostgreSQL read replica
|
||||
Return true if a configmap should be mounted with PostgreSQL configuration
|
||||
*/}}
|
||||
{{- define "postgresql.mountConfigurationCM" -}}
|
||||
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }}
|
||||
{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
@@ -276,13 +279,13 @@ Get the initialization scripts ConfigMap name.
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{/*
|
||||
{{/*
|
||||
Return true if TLS is enabled for LDAP connection
|
||||
*/}}
|
||||
{{- define "postgresql.ldap.tls.enabled" -}}
|
||||
{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) }}
|
||||
{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) -}}
|
||||
{{- true -}}
|
||||
{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled }}
|
||||
{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
@@ -291,7 +294,7 @@ Return true if TLS is enabled for LDAP connection
|
||||
Get the readiness probe command
|
||||
*/}}
|
||||
{{- define "postgresql.readinessProbeCommand" -}}
|
||||
{{- $customUser := include "postgresql.username" . }}
|
||||
{{- $customUser := include "postgresql.username" . -}}
|
||||
- |
|
||||
{{- if (include "postgresql.database" .) }}
|
||||
exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }}
|
||||
@@ -300,7 +303,7 @@ Get the readiness probe command
|
||||
{{- end }}
|
||||
{{- if contains "bitnami/" .Values.image.repository }}
|
||||
[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
@@ -322,7 +325,7 @@ Compile all warnings into a single message, and call fail.
|
||||
Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap
|
||||
*/}}
|
||||
{{- define "postgresql.validateValues.ldapConfigurationMethod" -}}
|
||||
{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }}
|
||||
{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) -}}
|
||||
postgresql: ldap.url, ldap.server
|
||||
You cannot set both `ldap.url` and `ldap.server` at the same time.
|
||||
Please provide a unique way to configure LDAP.
|
||||
@@ -334,7 +337,7 @@ postgresql: ldap.url, ldap.server
|
||||
Validate values of Postgresql - If PSP is enabled RBAC should be enabled too
|
||||
*/}}
|
||||
{{- define "postgresql.validateValues.psp" -}}
|
||||
{{- if and .Values.psp.create (not .Values.rbac.create) }}
|
||||
{{- if and .Values.psp.create (not .Values.rbac.create) -}}
|
||||
postgresql: psp.create, rbac.create
|
||||
RBAC should be enabled if PSP is enabled in order for PSP to work.
|
||||
More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies
|
||||
@@ -345,7 +348,7 @@ postgresql: psp.create, rbac.create
|
||||
Return the path to the cert file.
|
||||
*/}}
|
||||
{{- define "postgresql.tlsCert" -}}
|
||||
{{- if .Values.tls.autoGenerated }}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}}
|
||||
{{- else -}}
|
||||
{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
|
||||
@@ -356,7 +359,7 @@ Return the path to the cert file.
|
||||
Return the path to the cert key file.
|
||||
*/}}
|
||||
{{- define "postgresql.tlsCertKey" -}}
|
||||
{{- if .Values.tls.autoGenerated }}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/tls.key" -}}
|
||||
{{- else -}}
|
||||
{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
|
||||
@@ -367,7 +370,7 @@ Return the path to the cert key file.
|
||||
Return the path to the CA cert file.
|
||||
*/}}
|
||||
{{- define "postgresql.tlsCACert" -}}
|
||||
{{- if .Values.tls.autoGenerated }}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}}
|
||||
{{- else -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}}
|
||||
@@ -387,7 +390,7 @@ Return the path to the CRL file.
|
||||
Return true if a TLS credentials secret object should be created
|
||||
*/}}
|
||||
{{- define "postgresql.createTlsSecret" -}}
|
||||
{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) }}
|
||||
{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
@@ -396,7 +399,7 @@ Return true if a TLS credentials secret object should be created
|
||||
Return the path to the CA cert file.
|
||||
*/}}
|
||||
{{- define "postgresql.tlsSecretName" -}}
|
||||
{{- if .Values.tls.autoGenerated }}
|
||||
{{- if .Values.tls.autoGenerated -}}
|
||||
{{- printf "%s-crt" (include "common.names.fullname" .) -}}
|
||||
{{- else -}}
|
||||
{{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }}
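Review bot: `postgresql.userPasswordKey` now returns the literal `password` for every user when no existing secret is configured (the `{{- "password" -}}` line that replaces the ternary at the end of the define), but the existingSecret branch of the same helper still maps an empty or `postgres` username to the admin key, and secrets.yaml in this commit only writes a `password` entry when a custom user is set. For the default user the helper therefore names a key the generated Secret never contains; the statefulset templates in this commit sidestep it by calling the helper only in the custom-user branch, but any other caller gets a dangling `secretKeyRef`. Restoring `{{- ternary "password" "postgres-password" (and (not (empty (include "postgresql.username" .))) (ne (include "postgresql.username" .) "postgres")) -}}` keeps both branches consistent; if the narrowing is intentional, a comment above the define stating that the helper is only valid for custom users should say so.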
|
||||
|
||||
@@ -212,18 +212,12 @@ spec:
|
||||
value: {{ .Values.containerPorts.postgresql | quote }}
|
||||
- name: POSTGRESQL_VOLUME_DIR
|
||||
value: {{ .Values.primary.persistence.mountPath | quote }}
|
||||
{{- if not .Values.auth.enablePostgresUser }}
|
||||
- name: ALLOW_EMPTY_PASSWORD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- if .Values.primary.persistence.mountPath }}
|
||||
- name: PGDATA
|
||||
value: {{ .Values.postgresqlDataDir | quote }}
|
||||
{{- end }}
|
||||
# Authentication
|
||||
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
|
||||
- name: POSTGRES_USER
|
||||
value: {{ $customUser | quote }}
|
||||
{{- if or (eq $customUser "postgres") (empty $customUser) }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD_FILE
|
||||
@@ -235,9 +229,13 @@ spec:
|
||||
name: {{ include "postgresql.secretName" . }}
|
||||
key: {{ include "postgresql.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: ALLOW_EMPTY_PASSWORD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_USER
|
||||
value: {{ $customUser | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
|
||||
@@ -248,9 +246,24 @@ spec:
|
||||
name: {{ include "postgresql.secretName" . }}
|
||||
key: {{ include "postgresql.userPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }}
|
||||
{{- else if .Values.auth.postgresPassword }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD
|
||||
value: {{ .Values.auth.postgresPassword }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.secretName" . }}
|
||||
key: {{ include "postgresql.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (include "postgresql.database" .) }}
|
||||
- name: POSTGRES_DB
|
||||
- name: POSTGRES_DATABASE
|
||||
value: {{ (include "postgresql.database" .) | quote }}
|
||||
{{- end }}
|
||||
# Replication
|
||||
@@ -269,7 +282,7 @@ spec:
|
||||
name: {{ include "postgresql.secretName" . }}
|
||||
key: {{ include "postgresql.replicationPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- if not (eq .Values.replication.synchronousCommit "off") }}
|
||||
{{- if ne .Values.replication.synchronousCommit "off" }}
|
||||
- name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
|
||||
value: {{ .Values.replication.synchronousCommit | quote }}
|
||||
- name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
|
||||
@@ -288,11 +301,11 @@ spec:
|
||||
value: {{ .Values.primary.initdb.postgresqlWalDir | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.user }}
|
||||
- name: POSTGRESQL_INITSCRIPTS_USERNAME
|
||||
- name: POSTGRES_INITSCRIPTS_USERNAME
|
||||
value: {{ .Values.primary.initdb.user }}
|
||||
{{- end }}
|
||||
{{- if .Values.primary.initdb.password }}
|
||||
- name: POSTGRESQL_INITSCRIPTS_PASSWORD
|
||||
- name: POSTGRES_INITSCRIPTS_PASSWORD
|
||||
value: {{ .Values.primary.initdb.password | quote }}
|
||||
{{- end }}
|
||||
# Standby
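Review bot: In the custom-user branch of the Authentication block, the new `{{- else if .Values.auth.postgresPassword }}` case injects `POSTGRES_POSTGRES_PASSWORD` as a literal `value: {{ .Values.auth.postgresPassword }}` in the pod spec instead of a `secretKeyRef`, so the superuser password is readable to anyone who can list pods or statefulsets, and it is unquoted, so a numeric or `yes`/`no`-like password is retyped by YAML. The read-replicas template in this same commit uses only the secretKeyRef for that variable, so the primary is the odd one out, and because secrets.yaml falls back to `auth.password` for the custom-user case the Secret and the pod can carry different superuser passwords — the value NOTES.txt tells the user to fetch would not be the one the server was initialised with. Dropping those three lines so the `{{- else }}` secretKeyRef branch always applies is enough on the pod side, provided secrets.yaml writes `auth.postgresPassword` into the `postgres-password` key for custom users as well. The env list starts before and the container spec continues after this section's hunks.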
|
||||
|
||||
@@ -215,7 +215,36 @@ spec:
|
||||
value: {{ .Values.postgresqlDataDir | quote }}
|
||||
{{- end }}
|
||||
# Authentication
|
||||
{{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }}
|
||||
{{- if or (eq $customUser "postgres") (empty $customUser) }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.secretName" . }}
|
||||
key: {{ include "postgresql.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: ALLOW_EMPTY_PASSWORD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_USER
|
||||
value: {{ $customUser | quote }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.secretName" . }}
|
||||
key: {{ include "postgresql.userPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }}
|
||||
@@ -226,16 +255,7 @@ spec:
|
||||
name: {{ include "postgresql.secretName" . }}
|
||||
key: {{ include "postgresql.adminPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.usePasswordFiles }}
|
||||
- name: POSTGRES_PASSWORD_FILE
|
||||
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
|
||||
{{- else }}
|
||||
- name: POSTGRES_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "postgresql.secretName" . }}
|
||||
key: {{ include "postgresql.userPasswordKey" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# Replication
|
||||
- name: POSTGRES_REPLICATION_MODE
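Review bot: The rewritten Authentication block is a near-verbatim copy of the one in primary/statefulset.yaml (same nesting on `$customUser`, `auth.enablePostgresUser` and `auth.usePasswordFiles`), and the two have already diverged within this commit — the primary carries an extra literal-value branch for `POSTGRES_POSTGRES_PASSWORD` that the replica does not. Moving the block into a named template, e.g. `{{- define "postgresql.authEnvVars" -}}` in _helpers.tpl rendered from both statefulsets with `{{- include "postgresql.authEnvVars" . | nindent <n> }}` at the env-list indent, would keep the primary and replicas from drifting on credential handling. The container spec continues outside the hunk.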
|
||||
|
||||
@@ -5,9 +5,10 @@ SPDX-License-Identifier: APACHE-2.0
|
||||
|
||||
{{- $host := include "postgresql.primary.fullname" . }}
|
||||
{{- $port := include "postgresql.service.port" . }}
|
||||
{{- $postgresPassword := "" }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- $postgresPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.secretName" .) "key" $.Values.auth.secretKeys.adminPasswordKey "providedValues" (list "global.postgresql.auth.postgresPassword" "auth.postgresPassword") "context" $) | trimAll "\"" | b64dec }}
|
||||
{{- $customUser := include "postgresql.username" . }}
|
||||
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "postgresql.secretName" .) "key" $.Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary .Values.auth.postgresPassword .Values.auth.password (eq $customUser "postgres")) "context" $) | trimAll "\"" | b64dec }}
|
||||
{{- if and (not $postgresPassword) .Values.auth.enablePostgresUser }}
|
||||
{{- $postgresPassword = randAlphaNum 10 }}
|
||||
{{- end }}
|
||||
{{- $replicationPassword := "" }}
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
@@ -17,9 +18,8 @@ SPDX-License-Identifier: APACHE-2.0
|
||||
{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
|
||||
{{- $ldapPassword = coalesce .Values.ldap.bind_password .Values.ldap.bindpw }}
|
||||
{{- end }}
|
||||
{{- $customUser := include "postgresql.username" . }}
|
||||
{{- $password := "" }}
|
||||
{{- if not (empty (include "postgresql.username" .)) }}
|
||||
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
|
||||
{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.secretName" .) "key" $.Values.auth.secretKeys.userPasswordKey "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) | trimAll "\"" | b64dec }}
|
||||
{{- end }}
|
||||
{{- $database := include "postgresql.database" . }}
|
||||
@@ -38,13 +38,13 @@ metadata:
|
||||
{{- end }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if $postgresPassword }}
|
||||
postgres-password: {{ $postgresPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if not (empty (include "postgresql.username" .)) }}
|
||||
{{- if $password }}
|
||||
password: {{ $password | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.architecture "replication" }}
|
||||
{{- if $replicationPassword }}
|
||||
replication-password: {{ $replicationPassword | b64enc | quote }}
|
||||
{{- end }}
|
||||
# We don't auto-generate LDAP password when it's not provided as we do for other passwords
|
||||
@@ -53,7 +53,7 @@ data:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceBindings.enabled }}
|
||||
{{- if .Values.auth.enablePostgresUser }}
|
||||
{{- if $postgresPassword }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
@@ -78,7 +78,7 @@ data:
|
||||
password: {{ $postgresPassword | b64enc | quote }}
|
||||
uri: {{ printf "postgresql://postgres:%s@%s:%s/postgres" $postgresPassword $host $port | b64enc | quote }}
|
||||
{{- end }}
|
||||
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
|
||||
{{- if $password }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
|
||||