[bitnami/postgresql] Allow enabling TLS without volume-permissions (#9016)

This commit is contained in:
Juan Ariza Toledano
2022-02-17 08:50:47 +01:00
committed by GitHub
parent be26f17757
commit 6cb95dbe16
4 changed files with 49 additions and 21 deletions

View File

@@ -26,4 +26,4 @@ name: postgresql
sources:
- https://github.com/bitnami/bitnami-docker-postgresql
- https://www.postgresql.org/
version: 11.0.4
version: 11.0.5

View File

@@ -226,7 +226,6 @@ Compile all warnings into a single message, and call fail.
{{- $messages := list -}}
{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}}
{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}}
{{- $messages := append $messages (include "postgresql.validateValues.tls" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
@@ -258,17 +257,6 @@ postgresql: psp.create, rbac.create
{{- end -}}
{{- end -}}
{{/*
Validate values of Postgresql TLS - When TLS is enabled, so must be VolumePermissions
*/}}
{{- define "postgresql.validateValues.tls" -}}
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
postgresql: tls.enabled, volumePermissions.enabled
When TLS is enabled you must enable volumePermissions as well to ensure certificates files have
the right permissions.
{{- end -}}
{{- end -}}
{{/*
Return the path to the cert file.
*/}}

View File

@@ -87,9 +87,30 @@ spec:
{{- if .Values.primary.podSecurityContext.enabled }}
securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if or .Values.primary.initContainers (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) }}
initContainers:
{{- if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled .Values.tls.enabled) }}
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
- name: copy-certs
image: {{ include "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.primary.resources }}
resources: {{- toYaml .Values.primary.resources | nindent 12 }}
{{- end }}
# We don't require a privileged container in this case
{{- if .Values.primary.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -ec
- |
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
chmod 600 {{ include "postgresql.tlsCertKey" . }}
volumeMounts:
- name: raw-certificates
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
{{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }}
- name: init-chmod-data
image: {{ include "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
@@ -98,7 +119,7 @@ spec:
{{- end }}
command:
- /bin/sh
- -cx
- -ec
- |
{{- if .Values.primary.persistence.enabled }}
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
@@ -154,7 +175,6 @@ spec:
{{- if .Values.primary.initContainers }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }}
{{- end }}
{{- end }}
containers:
- name: postgresql
image: {{ include "postgresql.image" . }}

View File

@@ -82,9 +82,30 @@ spec:
{{- if .Values.readReplicas.podSecurityContext.enabled }}
securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if or .Values.readReplicas.initContainers (and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled)) }}
initContainers:
{{- if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled .Values.tls.enabled) }}
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
- name: copy-certs
image: {{ include "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.readReplicas.resources }}
resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }}
{{- end }}
# We don't require a privileged container in this case
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -ec
- |
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
chmod 600 {{ include "postgresql.tlsCertKey" . }}
volumeMounts:
- name: raw-certificates
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
{{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }}
- name: init-chmod-data
image: {{ include "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
@@ -93,7 +114,7 @@ spec:
{{- end }}
command:
- /bin/sh
- -cx
- -ec
- |
{{- if .Values.readReplicas.persistence.enabled }}
{{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }}
@@ -149,7 +170,6 @@ spec:
{{- if .Values.readReplicas.initContainers }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }}
{{- end }}
{{- end }}
containers:
- name: postgresql
image: {{ include "postgresql.image" . }}