From a59cb7c4e8d5ddc58790f5dce14ea99453311375 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
Date: Wed, 6 Mar 2024 11:16:44 +0100
Subject: [PATCH] [bitnami/postgresql-ha] feat: :sparkles: :lock: Add readOnlyRootFilesystem support (#23887)

Signed-off-by: Javier Salmeron Garcia
Signed-off-by: Alejandro Moreno
Co-authored-by: Alejandro Moreno
---
 bitnami/postgresql-ha/Chart.yaml | 2 +-
 bitnami/postgresql-ha/README.md | 5 ++-
 .../templates/backup/cronjob.yaml | 9 ++---
 .../templates/pgpool/deployment.yaml | 24 +++++++++++--
 .../templates/postgresql/statefulset.yaml | 34 ++++++++++++++++++-
 .../postgresql/witness-statefulset.yaml | 32 +++++++++++++++++
 bitnami/postgresql-ha/values.yaml | 16 ++++++---
 7 files changed, 108 insertions(+), 14 deletions(-)

diff --git a/bitnami/postgresql-ha/Chart.yaml b/bitnami/postgresql-ha/Chart.yaml
index 5037237cc9..632aa4494c 100644
--- a/bitnami/postgresql-ha/Chart.yaml
+++ b/bitnami/postgresql-ha/Chart.yaml
@@ -40,4 +40,4 @@ maintainers:
 name: postgresql-ha
 sources:
   - https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha
-version: 13.4.5
+version: 13.5.0
diff --git a/bitnami/postgresql-ha/README.md b/bitnami/postgresql-ha/README.md
index 0e92309fc7..b45bf47c2f 100644
--- a/bitnami/postgresql-ha/README.md
+++ b/bitnami/postgresql-ha/README.md
@@ -144,6 +144,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `postgresql.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `postgresql.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `postgresql.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `postgresql.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `postgresql.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `postgresql.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `postgresql.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -283,6 +284,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `witness.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `witness.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `witness.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `witness.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `witness.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `witness.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `witness.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -414,6 +416,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `pgpool.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `pgpool.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `pgpool.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `pgpool.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `pgpool.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `pgpool.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `pgpool.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -655,7 +658,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `backup.cronjob.containerSecurityContext.runAsUser` | User ID for the backup container | `1001` |
 | `backup.cronjob.containerSecurityContext.runAsGroup` | Group ID for the backup container | `0` |
 | `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set backup container's Security Context runAsNonRoot | `true` |
-| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Is the container itself readonly | `true` |
+| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Is the container itself readonly | `false` |
 | `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate backup pod(s) privileges | `false` |
 | `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set backup container's Security Context seccompProfile type | `RuntimeDefault` |
 | `backup.cronjob.containerSecurityContext.capabilities.drop` | Set backup container's Security Context capabilities to drop | `["ALL"]` |
diff --git a/bitnami/postgresql-ha/templates/backup/cronjob.yaml b/bitnami/postgresql-ha/templates/backup/cronjob.yaml
index cd72350715..93aae5bdbe 100644
--- a/bitnami/postgresql-ha/templates/backup/cronjob.yaml
+++ b/bitnami/postgresql-ha/templates/backup/cronjob.yaml
@@ -82,6 +82,9 @@ spec:
               {{- end }}
               command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }}
               volumeMounts:
+                - name: empty-dir
+                  mountPath: /tmp
+                  subPath: tmp-dir
                 {{- if .Values.postgresql.tls.enabled }}
                 - name: certs
                   mountPath: /certs
@@ -98,10 +101,8 @@ spec:
             fsGroup: {{ .Values.backup.cronjob.podSecurityContext.fsGroup }}
           {{- end }}
           volumes:
-            {{- if .Values.postgresql.tls.enabled }}
-            - name: raw-certificates
-              emptyDir: /tmp/certs
-            {{- end }}
+            - name: empty-dir
+              emptyDir: {}
             {{- if .Values.backup.cronjob.storage.existingClaim }}
             - name: datadir
               persistentVolumeClaim:
diff --git a/bitnami/postgresql-ha/templates/pgpool/deployment.yaml b/bitnami/postgresql-ha/templates/pgpool/deployment.yaml
index 3cd61b5f8e..f4591e9c60 100644
--- a/bitnami/postgresql-ha/templates/pgpool/deployment.yaml
+++ b/bitnami/postgresql-ha/templates/pgpool/deployment.yaml
@@ -107,6 +107,9 @@ spec:
               mountPath: /tmp/certs
             - name: pgpool-certificates
               mountPath: /opt/bitnami/pgpool/certs
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
         {{- end }}
         {{- if .Values.pgpool.initContainers }}
         {{- include "common.tplvalues.render" (dict "value" .Values.pgpool.initContainers "context" $) | nindent 8 }}
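Review bot: The `raw-certificates` volume is removed from the cronjob's `volumes:` list, but this hunk does not show whether any cronjob container still carries a `volumeMounts` entry for it; a dangling reference makes the Job pod fail API validation, so a `helm template` render with `postgresql.tls.enabled=true` is worth confirming before release. The replacement `empty-dir` volume is declared as `emptyDir: {}` without a `sizeLimit`; with `/tmp` now the only writable scratch area of an otherwise read-only root, a backup that spills heavily into `/tmp` can consume node ephemeral storage without bound, and `emptyDir:` followed by `sizeLimit: <SIZE-PLACEHOLDER>` would cap it. The container's mount side of this cronjob lies in the earlier hunk and outside it, so the first point is inferred rather than visible.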
@@ -343,8 +346,23 @@ spec:
           {{- else if ne .Values.pgpool.resourcesPreset "none" }}
           resources: {{- include "common.resources.preset" (dict "type" .Values.pgpool.resourcesPreset) | nindent 12 }}
           {{- end }}
-          {{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.postgresql.usePasswordFile .Values.pgpool.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumeMounts }}
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/pgpool/etc
+              subPath: app-etc-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/pgpool/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/pgpool/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/pgpool/logs
+              subPath: app-logs-dir
+            {{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.postgresql.usePasswordFile .Values.pgpool.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumeMounts }}
             {{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM }}
             - name: pgpool-config
               mountPath: /opt/bitnami/pgpool/user_config/
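Review bot: The new `empty-dir` mounts at `/opt/bitnami/pgpool/etc` and `/opt/bitnami/pgpool/conf` hide whatever the image ships in those directories behind empty volumes, so pgpool only starts if the image can recreate its configuration there at boot; the values.yaml hunk bumps the pgpool tag to `4.5.0-debian-12-r10`, which is presumably that dependency, but nothing in the template records it. A short template comment above the mount block would keep a later maintainer from dropping a mount that looks redundant, e.g. `{{- /* Writable scratch dirs so the container can run with readOnlyRootFilesystem: true; the image must be able to recreate their contents at startup */ }}`. The same applies to the `/opt/bitnami/postgresql/conf` and `/opt/bitnami/repmgr/conf` mounts added in postgresql/statefulset.yaml at `@@ -432` and witness-statefulset.yaml at `@@ -394`. The enclosing container definition and the `{{- end }}` of the relocated `{{- if or ... }}` lie outside this hunk.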
@@ -381,8 +399,10 @@ spec:
         {{- if .Values.pgpool.sidecars }}
         {{- include "common.tplvalues.render" (dict "value" .Values.pgpool.sidecars "context" $) | nindent 8 }}
         {{- end }}
-      {{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.pgpool.usePasswordFile .Values.postgresql.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumes }}
       volumes:
+        - name: empty-dir
+          emptyDir: {}
+        {{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.pgpool.usePasswordFile .Values.postgresql.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumes }}
         {{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM }}
         - name: pgpool-config
           configMap:
diff --git a/bitnami/postgresql-ha/templates/postgresql/statefulset.yaml b/bitnami/postgresql-ha/templates/postgresql/statefulset.yaml
index 72d81b1cb1..a73658e2e1 100644
--- a/bitnami/postgresql-ha/templates/postgresql/statefulset.yaml
+++ b/bitnami/postgresql-ha/templates/postgresql/statefulset.yaml
@@ -111,6 +111,9 @@ spec:
               mountPath: /tmp/certs
             - name: postgresql-certificates
               mountPath: /opt/bitnami/postgresql/certs
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
         {{- end }}
         {{- if and .Values.volumePermissions.enabled (or (or (not (empty .Values.postgresql.extendedConf)) (not (empty .Values.postgresql.extendedConfCM))) .Values.persistence.enabled) }}
         - name: init-chmod-data
@@ -136,6 +139,9 @@ spec:
           volumeMounts:
             - name: data
               mountPath: {{ .Values.persistence.mountPath }}
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
         {{- end }}
         {{- if or .Values.postgresql.initContainers .Values.postgresql.extraInitContainers }}
         {{- include "common.tplvalues.render" ( dict "value" (coalesce .Values.postgresql.initContainers .Values.postgresql.extraInitContainers) "context" $ ) | nindent 8 }}
@@ -432,6 +438,27 @@ spec:
           resources: {{- include "common.resources.preset" (dict "type" .Values.postgresql.resourcesPreset) | nindent 12 }}
           {{- end }}
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/repmgr/conf
+              subPath: repmgr-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/repmgr/tmp
+              subPath: repmgr-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/repmgr/logs
+              subPath: repmgr-logs-dir
             {{- if or .Values.postgresql.repmgrConfiguration .Values.postgresql.configuration .Values.postgresql.pgHbaConfiguration .Values.postgresql.configurationCM }}
             - name: postgresql-config
               mountPath: /bitnami/repmgr/conf
@@ -538,8 +565,11 @@ spec:
           {{- else if ne .Values.metrics.resourcesPreset "none" }}
           resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
           {{- end }}
-          {{- if or .Values.postgresql.usePasswordFile .Values.metrics.customMetrics }}
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            {{- if or .Values.postgresql.usePasswordFile .Values.metrics.customMetrics }}
             {{- if .Values.postgresql.usePasswordFile }}
             - name: password
               mountPath: /opt/bitnami/postgresql/secrets/
@@ -568,6 +598,8 @@ spec:
         {{- if .Values.postgresql.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.postgresql.extraVolumes "context" $) | nindent 8 }}
         {{- end }}
+        - name: empty-dir
+          emptyDir: {}
         {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
         - name: custom-metrics
           configMap:
diff --git a/bitnami/postgresql-ha/templates/postgresql/witness-statefulset.yaml b/bitnami/postgresql-ha/templates/postgresql/witness-statefulset.yaml
index 1cd1e26bb3..d15234224b 100644
--- a/bitnami/postgresql-ha/templates/postgresql/witness-statefulset.yaml
+++ b/bitnami/postgresql-ha/templates/postgresql/witness-statefulset.yaml
@@ -106,6 +106,9 @@ spec:
               mountPath: /tmp/certs
             - name: postgresql-certificates
               mountPath: /opt/bitnami/postgresql/certs
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
         {{- end }}
         {{- if and .Values.volumePermissions.enabled (or (or (not (empty .Values.witness.extendedConf)) (not (empty .Values.witness.extendedConfCM))) .Values.persistence.enabled) }}
         - name: init-chmod-data
@@ -129,6 +132,9 @@ spec:
           volumeMounts:
             - name: data
               mountPath: {{ .Values.persistence.mountPath }}
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
         {{- end }}
         {{- if or .Values.witness.initContainers .Values.witness.extraInitContainers }}
         {{- include "common.tplvalues.render" ( dict "value" (coalesce .Values.witness.initContainers .Values.witness.extraInitContainers) "context" $ ) | nindent 8 }}
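Review bot: The unconditional `empty-dir` volume is appended after the `postgresql.extraVolumes` render, and the chart's own mounts earlier in this file now claim `/tmp`, `/opt/bitnami/postgresql/conf`, `/opt/bitnami/postgresql/tmp`, `/opt/bitnami/postgresql/logs` and the three `/opt/bitnami/repmgr` directories; an operator who already enabled `readOnlyRootFilesystem` by declaring their own emptyDir on one of those paths through `extraVolumes`/`extraVolumeMounts` will hit a duplicate `mountPath` (or a duplicate volume `name` if they also chose `empty-dir`) and the StatefulSet will be rejected on upgrade. That is a breaking change for such users which the `13.4.5` → `13.5.0` bump and the README rows in this patch do not call out; an entry in the README's upgrading notes listing the paths the chart now manages, and advising removal of any user-supplied mount on them, would close the gap. The same ordering appears in witness-statefulset.yaml at `@@ -523` and pgpool/deployment.yaml at `@@ -381`. The `volumes:` key itself and the rest of the list are outside this hunk.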
@@ -394,6 +400,27 @@ spec:
           resources: {{- include "common.resources.preset" (dict "type" .Values.witness.resourcesPreset) | nindent 12 }}
           {{- end }}
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/repmgr/conf
+              subPath: repmgr-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/repmgr/tmp
+              subPath: repmgr-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/repmgr/logs
+              subPath: repmgr-logs-dir
             {{- if or .Values.witness.repmgrConfiguration .Values.witness.configuration .Values.witness.pgHbaConfiguration .Values.witness.configurationCM }}
             - name: postgresql-config
               mountPath: /bitnami/repmgr/conf
@@ -498,6 +525,9 @@ spec:
           resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
           {{- end }}
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
             {{- if .Values.postgresql.usePasswordFile }}
             - name: password
               mountPath: /opt/bitnami/postgresql/secrets/
@@ -523,6 +553,8 @@ spec:
         {{- if .Values.witness.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.witness.extraVolumes "context" $) | nindent 8 }}
         {{- end }}
+        - name: empty-dir
+          emptyDir: {}
         {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
         - name: custom-metrics
           configMap:
diff --git a/bitnami/postgresql-ha/values.yaml b/bitnami/postgresql-ha/values.yaml
index 483b503801..dd0693041d 100644
--- a/bitnami/postgresql-ha/values.yaml
+++ b/bitnami/postgresql-ha/values.yaml
@@ -102,7 +102,7 @@ postgresql:
   image:
     registry: docker.io
     repository: bitnami/postgresql-repmgr
-    tag: 16.2.0-debian-12-r4
+    tag: 16.2.0-debian-12-r5
     digest: ""
     ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
     ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -238,6 +238,7 @@ postgresql:
   ## @param postgresql.containerSecurityContext.enabled Enabled containers' Security Context
   ## @param postgresql.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
   ## @param postgresql.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+  ## @param postgresql.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
   ## @param postgresql.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
   ## @param postgresql.containerSecurityContext.privileged Set container's Security Context privileged
   ## @param postgresql.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -255,6 +256,7 @@ postgresql:
     enabled: true
     seLinuxOptions: null
     runAsUser: 1001
+    runAsGroup: 0
     runAsNonRoot: true
     privileged: false
     readOnlyRootFilesystem: false
@@ -802,6 +804,7 @@ witness:
   ## @param witness.containerSecurityContext.enabled Enabled containers' Security Context
   ## @param witness.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
   ## @param witness.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+  ## @param witness.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
   ## @param witness.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
   ## @param witness.containerSecurityContext.privileged Set container's Security Context privileged
   ## @param witness.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -813,12 +816,13 @@ witness:
   ##   enabled: true
   ##   capabilities:
   ##     drop: ["NET_RAW"]
-  ##   readOnlyRootFilesystem: true
+  ##   readOnlyRootFilesystem: false
   ##
   containerSecurityContext:
     enabled: true
     seLinuxOptions: null
     runAsUser: 1001
+    runAsGroup: 0
     runAsNonRoot: true
     privileged: false
     readOnlyRootFilesystem: false
@@ -1115,7 +1119,7 @@ pgpool:
   image:
     registry: docker.io
     repository: bitnami/pgpool
-    tag: 4.5.0-debian-12-r9
+    tag: 4.5.0-debian-12-r10
     digest: ""
     ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
     ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
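Review bot: The `## e.g:` example under `witness.containerSecurityContext` is changed to show `readOnlyRootFilesystem: false`, which is exactly the default a few lines below it and so no longer illustrates anything; these example blocks exist to show a hardened override, not to restate defaults. Since this very commit adds the writable `empty-dir` mounts that make a read-only root workable, the example should keep demonstrating it: `##   readOnlyRootFilesystem: true`. The identical edit appears in the pgpool block at `@@ -1306` and should be reverted there as well.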
@@ -1295,6 +1299,7 @@ pgpool:
   ## @param pgpool.containerSecurityContext.enabled Enabled containers' Security Context
   ## @param pgpool.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
   ## @param pgpool.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+  ## @param pgpool.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
   ## @param pgpool.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
   ## @param pgpool.containerSecurityContext.privileged Set container's Security Context privileged
   ## @param pgpool.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1306,12 +1311,13 @@ pgpool:
   ##   enabled: true
   ##   capabilities:
   ##     drop: ["NET_RAW"]
-  ##   readOnlyRootFilesystem: true
+  ##   readOnlyRootFilesystem: false
   ##
   containerSecurityContext:
     enabled: true
     seLinuxOptions: null
     runAsUser: 1001
+    runAsGroup: 0
     runAsNonRoot: true
     privileged: false
     readOnlyRootFilesystem: false
@@ -2175,7 +2181,7 @@ backup:
       runAsGroup: 0
       runAsNonRoot: true
       allowPrivilegeEscalation: false
-      readOnlyRootFilesystem: true
+      readOnlyRootFilesystem: false
       seccompProfile:
         type: RuntimeDefault
       capabilities:
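Review bot: `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` is flipped from `true` to `false`, loosening a default that was already hardened, in a commit whose subject is adding readOnlyRootFilesystem support. The cronjob hunk in this same patch gives the backup container a writable `empty-dir` at `/tmp`, which is the usual obstacle to a read-only root, so the former `readOnlyRootFilesystem: true` should remain workable; unless a concrete write path outside `/tmp` was found, keep `readOnlyRootFilesystem: true` here and revert the matching README row in `@@ -655`. If the relaxation is deliberate, the reason belongs in the commit message, because users relying on the hardened default have no other way to notice that an upgrade weakens it.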