[bitnami/postgresql-ha] feat: 🔒 Add readOnlyRootFilesystem support (#23887)

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>
Co-authored-by: Alejandro Moreno <amorenoc@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-03-06 11:16:44 +01:00
committed by GitHub
parent 55b8043f73
commit a59cb7c4e8
7 changed files with 108 additions and 14 deletions


@@ -40,4 +40,4 @@ maintainers:
name: postgresql-ha
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha
version: 13.4.5
version: 13.5.0


@@ -144,6 +144,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `postgresql.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `postgresql.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `postgresql.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `postgresql.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `postgresql.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `postgresql.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `postgresql.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -283,6 +284,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `witness.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `witness.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `witness.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `witness.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `witness.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `witness.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `witness.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -414,6 +416,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `pgpool.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `pgpool.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `pgpool.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `pgpool.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `pgpool.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `pgpool.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `pgpool.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -655,7 +658,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `backup.cronjob.containerSecurityContext.runAsUser` | User ID for the backup container | `1001` |
| `backup.cronjob.containerSecurityContext.runAsGroup` | Group ID for the backup container | `0` |
| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set backup container's Security Context runAsNonRoot | `true` |
| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Is the container itself readonly | `true` |
| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Is the container itself readonly | `false` |
| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate backup pod(s) privileges | `false` |
| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set backup container's Security Context seccompProfile type | `RuntimeDefault` |
| `backup.cronjob.containerSecurityContext.capabilities.drop` | Set backup container's Security Context capabilities to drop | `["ALL"]` |


@@ -82,6 +82,9 @@ spec:
{{- end }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.postgresql.tls.enabled }}
- name: certs
mountPath: /certs
@@ -98,10 +101,8 @@ spec:
fsGroup: {{ .Values.backup.cronjob.podSecurityContext.fsGroup }}
{{- end }}
volumes:
{{- if .Values.postgresql.tls.enabled }}
- name: raw-certificates
emptyDir: /tmp/certs
{{- end }}
- name: empty-dir
emptyDir: {}
{{- if .Values.backup.cronjob.storage.existingClaim }}
- name: datadir
persistentVolumeClaim:


@@ -107,6 +107,9 @@ spec:
mountPath: /tmp/certs
- name: pgpool-certificates
mountPath: /opt/bitnami/pgpool/certs
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if .Values.pgpool.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.pgpool.initContainers "context" $) | nindent 8 }}
@@ -343,8 +346,23 @@ spec:
{{- else if ne .Values.pgpool.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.pgpool.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.postgresql.usePasswordFile .Values.pgpool.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumeMounts }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/pgpool/etc
subPath: app-etc-dir
- name: empty-dir
mountPath: /opt/bitnami/pgpool/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/pgpool/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/pgpool/logs
subPath: app-logs-dir
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.postgresql.usePasswordFile .Values.pgpool.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumeMounts }}
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM }}
- name: pgpool-config
mountPath: /opt/bitnami/pgpool/user_config/
@@ -381,8 +399,10 @@ spec:
{{- if .Values.pgpool.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.pgpool.sidecars "context" $) | nindent 8 }}
{{- end }}
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.pgpool.usePasswordFile .Values.postgresql.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumes }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.pgpool.usePasswordFile .Values.postgresql.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumes }}
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM }}
- name: pgpool-config
configMap:
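Review bot: The `empty-dir` volume added to the pgpool `volumes:` list is declared as `emptyDir: {}` with no `sizeLimit`, yet it now backs the writable subPaths for `/opt/bitnami/pgpool/logs` and `/opt/bitnami/pgpool/tmp`, so once `readOnlyRootFilesystem` is switched on, log or temp growth is capped only by the node's ephemeral storage; consider `emptyDir:` / `  sizeLimit: <SIZE_LIMIT_PLACEHOLDER>` so a noisy container cannot exhaust the node, and the same applies to the identical volume added in the postgresql and witness statefulsets and the backup cronjob. The block of unconditional subPath mounts above the moved `{{- if or ... }}` would also benefit from a one-line comment such as `# writable scratch dirs needed when containerSecurityContext.readOnlyRootFilesystem is true` so the next maintainer does not fold them back under the conditional. The `{{- end }}` that closes the relocated `{{- if or ... }}` guard lies outside this hunk, so it is presumably unchanged and still balanced; worth a quick render check with `readOnlyRootFilesystem: true` and no optional volumes set.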


@@ -111,6 +111,9 @@ spec:
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if and .Values.volumePermissions.enabled (or (or (not (empty .Values.postgresql.extendedConf)) (not (empty .Values.postgresql.extendedConfCM))) .Values.persistence.enabled) }}
- name: init-chmod-data
@@ -136,6 +139,9 @@ spec:
volumeMounts:
- name: data
mountPath: {{ .Values.persistence.mountPath }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if or .Values.postgresql.initContainers .Values.postgresql.extraInitContainers }}
{{- include "common.tplvalues.render" ( dict "value" (coalesce .Values.postgresql.initContainers .Values.postgresql.extraInitContainers) "context" $ ) | nindent 8 }}
@@ -432,6 +438,27 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.postgresql.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/logs
subPath: app-logs-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/conf
subPath: repmgr-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/tmp
subPath: repmgr-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/logs
subPath: repmgr-logs-dir
{{- if or .Values.postgresql.repmgrConfiguration .Values.postgresql.configuration .Values.postgresql.pgHbaConfiguration .Values.postgresql.configurationCM }}
- name: postgresql-config
mountPath: /bitnami/repmgr/conf
@@ -538,8 +565,11 @@ spec:
{{- else if ne .Values.metrics.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if or .Values.postgresql.usePasswordFile .Values.metrics.customMetrics }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if or .Values.postgresql.usePasswordFile .Values.metrics.customMetrics }}
{{- if .Values.postgresql.usePasswordFile }}
- name: password
mountPath: /opt/bitnami/postgresql/secrets/
@@ -568,6 +598,8 @@ spec:
{{- if .Values.postgresql.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.postgresql.extraVolumes "context" $) | nindent 8 }}
{{- end }}
- name: empty-dir
emptyDir: {}
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
- name: custom-metrics
configMap:


@@ -106,6 +106,9 @@ spec:
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if and .Values.volumePermissions.enabled (or (or (not (empty .Values.witness.extendedConf)) (not (empty .Values.witness.extendedConfCM))) .Values.persistence.enabled) }}
- name: init-chmod-data
@@ -129,6 +132,9 @@ spec:
volumeMounts:
- name: data
mountPath: {{ .Values.persistence.mountPath }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if or .Values.witness.initContainers .Values.witness.extraInitContainers }}
{{- include "common.tplvalues.render" ( dict "value" (coalesce .Values.witness.initContainers .Values.witness.extraInitContainers) "context" $ ) | nindent 8 }}
@@ -394,6 +400,27 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.witness.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/logs
subPath: app-logs-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/conf
subPath: repmgr-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/tmp
subPath: repmgr-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/logs
subPath: repmgr-logs-dir
{{- if or .Values.witness.repmgrConfiguration .Values.witness.configuration .Values.witness.pgHbaConfiguration .Values.witness.configurationCM }}
- name: postgresql-config
mountPath: /bitnami/repmgr/conf
@@ -498,6 +525,9 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.postgresql.usePasswordFile }}
- name: password
mountPath: /opt/bitnami/postgresql/secrets/
@@ -523,6 +553,8 @@ spec:
{{- if .Values.witness.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.witness.extraVolumes "context" $) | nindent 8 }}
{{- end }}
- name: empty-dir
emptyDir: {}
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
- name: custom-metrics
configMap:


@@ -102,7 +102,7 @@ postgresql:
image:
registry: docker.io
repository: bitnami/postgresql-repmgr
tag: 16.2.0-debian-12-r4
tag: 16.2.0-debian-12-r5
digest: ""
## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -238,6 +238,7 @@ postgresql:
## @param postgresql.containerSecurityContext.enabled Enabled containers' Security Context
## @param postgresql.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param postgresql.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param postgresql.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param postgresql.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param postgresql.containerSecurityContext.privileged Set container's Security Context privileged
## @param postgresql.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -255,6 +256,7 @@ postgresql:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
@@ -802,6 +804,7 @@ witness:
## @param witness.containerSecurityContext.enabled Enabled containers' Security Context
## @param witness.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param witness.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param witness.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param witness.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param witness.containerSecurityContext.privileged Set container's Security Context privileged
## @param witness.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -813,12 +816,13 @@ witness:
## enabled: true
## capabilities:
## drop: ["NET_RAW"]
## readOnlyRootFilesystem: true
## readOnlyRootFilesystem: false
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
@@ -1115,7 +1119,7 @@ pgpool:
image:
registry: docker.io
repository: bitnami/pgpool
tag: 4.5.0-debian-12-r9
tag: 4.5.0-debian-12-r10
digest: ""
## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -1295,6 +1299,7 @@ pgpool:
## @param pgpool.containerSecurityContext.enabled Enabled containers' Security Context
## @param pgpool.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param pgpool.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param pgpool.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param pgpool.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param pgpool.containerSecurityContext.privileged Set container's Security Context privileged
## @param pgpool.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1306,12 +1311,13 @@ pgpool:
## enabled: true
## capabilities:
## drop: ["NET_RAW"]
## readOnlyRootFilesystem: true
## readOnlyRootFilesystem: false
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
@@ -2175,7 +2181,7 @@ backup:
runAsGroup: 0
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
readOnlyRootFilesystem: false
seccompProfile:
type: RuntimeDefault
capabilities:
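Review bot: `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` is flipped from `true` to `false` in the last hunk of this file, which weakens hardening the backup CronJob already had, even though the cronjob template in this same commit now adds the `/tmp` empty-dir scratch mount that read-only mode needs; keep `readOnlyRootFilesystem: true` there, and the README row and the commented examples for witness and pgpool (`## readOnlyRootFilesystem: true` changed to `false`) should be reverted to match. For the three new `readOnlyRootFilesystem` keys the default `false` means the writable subPath mounts added in the templates are inert until an operator opts in, which the `@param` descriptions do not convey; a short addition such as `(writable /tmp, conf, tmp and logs dirs are provided via emptyDir, so this can safely be set to true)` on each of the three `## @param ...readOnlyRootFilesystem` lines would make the intended usage clear. The enclosing `backup.cronjob.containerSecurityContext` block continues past the end of the hunk.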