[bitnami/postgresql-ha] feat: 🔒 Add readOnlyRootFilesystem support (#23887)

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>
Co-authored-by: Alejandro Moreno <amorenoc@vmware.com>
Javier J. Salmerón-García
2024-03-06 11:16:44 +01:00
committed by GitHub
parent 55b8043f73
commit a59cb7c4e8
7 changed files with 108 additions and 14 deletions


@@ -82,6 +82,9 @@ spec:
{{- end }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.postgresql.tls.enabled }}
- name: certs
mountPath: /certs
@@ -98,10 +101,8 @@ spec:
fsGroup: {{ .Values.backup.cronjob.podSecurityContext.fsGroup }}
{{- end }}
volumes:
{{- if .Values.postgresql.tls.enabled }}
- name: raw-certificates
emptyDir: /tmp/certs
{{- end }}
- name: empty-dir
emptyDir: {}
{{- if .Values.backup.cronjob.storage.existingClaim }}
- name: datadir
persistentVolumeClaim:
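Review bot: The `empty-dir` volume declared at lines 34–35 is `emptyDir: {}` with no `sizeLimit`, so once the root filesystem is read-only every scratch write the backup job makes lands in node-local ephemeral storage with no bound; a `sizeLimit` on the emptyDir (ideally driven from values) lets an oversized or runaway run be evicted instead of pressuring the node, and the same applies to the `empty-dir` volumes added in the pgpool, postgresql and witness sections. Nothing in the sections shown touches the container security context, so the mounts only take effect if `readOnlyRootFilesystem` is set in one of the three changed files not displayed here (presumably values.yaml); that dependency is worth a template comment above line 20 such as `{{/* writable scratch for the backup job; required when readOnlyRootFilesystem is enabled */}}`. The `+`/`-` markers are lost on this page, and the container's remaining mounts continue outside the hunk.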


@@ -107,6 +107,9 @@ spec:
mountPath: /tmp/certs
- name: pgpool-certificates
mountPath: /opt/bitnami/pgpool/certs
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if .Values.pgpool.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.pgpool.initContainers "context" $) | nindent 8 }}
@@ -343,8 +346,23 @@ spec:
{{- else if ne .Values.pgpool.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.pgpool.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.postgresql.usePasswordFile .Values.pgpool.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumeMounts }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/pgpool/etc
subPath: app-etc-dir
- name: empty-dir
mountPath: /opt/bitnami/pgpool/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/pgpool/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/pgpool/logs
subPath: app-logs-dir
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.postgresql.usePasswordFile .Values.pgpool.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumeMounts }}
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM }}
- name: pgpool-config
mountPath: /opt/bitnami/pgpool/user_config/
@@ -381,8 +399,10 @@ spec:
{{- if .Values.pgpool.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.pgpool.sidecars "context" $) | nindent 8 }}
{{- end }}
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.pgpool.usePasswordFile .Values.postgresql.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumes }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM .Values.pgpool.initdbScripts .Values.pgpool.initdbScriptsCM .Values.pgpool.initdbScriptsSecret .Values.pgpool.usePasswordFile .Values.postgresql.usePasswordFile .Values.pgpool.tls.enabled .Values.pgpool.extraVolumes }}
{{- if or .Values.pgpool.configuration .Values.pgpool.configurationCM }}
- name: pgpool-config
configMap:
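Review bot: The mounts at lines 61–72 move `/opt/bitnami/pgpool/etc`, `conf`, `tmp` and `logs` onto a single node-disk-backed emptyDir (lines 83–84), which is what a read-only root filesystem needs, but it also means any credential files the pgpool entrypoint generates under those paths now sit on the node's disk rather than in the container's overlay layer; if that is the case, `emptyDir: {medium: Memory}` keeps them in tmpfs (counted against the container's memory limit). The `{{- if or ... }}` guards at lines 73 and 85 appear to be the previous guards re-placed below the now-unconditional `volumeMounts:`/`volumes:` entries (markers are lost on this page); their matching `{{- end }}` lines are outside the hunk, so a `helm template` render with `pgpool.extraVolumeMounts` and `pgpool.extraVolumes` unset would confirm the blocks still balance. A one-line comment above line 58, e.g. `{{/* writable dirs used by the pgpool entrypoint; required when readOnlyRootFilesystem is enabled */}}`, would record why these five subPath mounts are unconditional.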


@@ -111,6 +111,9 @@ spec:
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if and .Values.volumePermissions.enabled (or (or (not (empty .Values.postgresql.extendedConf)) (not (empty .Values.postgresql.extendedConfCM))) .Values.persistence.enabled) }}
- name: init-chmod-data
@@ -136,6 +139,9 @@ spec:
volumeMounts:
- name: data
mountPath: {{ .Values.persistence.mountPath }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if or .Values.postgresql.initContainers .Values.postgresql.extraInitContainers }}
{{- include "common.tplvalues.render" ( dict "value" (coalesce .Values.postgresql.initContainers .Values.postgresql.extraInitContainers) "context" $ ) | nindent 8 }}
@@ -432,6 +438,27 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.postgresql.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/logs
subPath: app-logs-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/conf
subPath: repmgr-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/tmp
subPath: repmgr-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/logs
subPath: repmgr-logs-dir
{{- if or .Values.postgresql.repmgrConfiguration .Values.postgresql.configuration .Values.postgresql.pgHbaConfiguration .Values.postgresql.configurationCM }}
- name: postgresql-config
mountPath: /bitnami/repmgr/conf
@@ -538,8 +565,11 @@ spec:
{{- else if ne .Values.metrics.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if or .Values.postgresql.usePasswordFile .Values.metrics.customMetrics }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if or .Values.postgresql.usePasswordFile .Values.metrics.customMetrics }}
{{- if .Values.postgresql.usePasswordFile }}
- name: password
mountPath: /opt/bitnami/postgresql/secrets/
@@ -568,6 +598,8 @@ spec:
{{- if .Values.postgresql.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.postgresql.extraVolumes "context" $) | nindent 8 }}
{{- end }}
- name: empty-dir
emptyDir: {}
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
- name: custom-metrics
configMap:
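Review bot: The chart-owned `empty-dir` volume at lines 157–158 is rendered after `.Values.postgresql.extraVolumes` (lines 154–156), so a user who already supplies an extra volume named `empty-dir` produces a duplicate volume name and the StatefulSet is rejected at apply time; the witness section has the same ordering at lines 224–228. Rendering the chart-owned volume before the user extras, or documenting `empty-dir` as a reserved name in values.yaml, avoids that collision. The seven `subPath` mounts at lines 116–136 carry no explanation of why they exist, so a comment above line 116 such as `{{/* writable dirs for the postgresql/repmgr entrypoints; required when readOnlyRootFilesystem is enabled */}}` would help the next maintainer. The metrics container's `volumeMounts:` at line 145 is now unconditional while its old guard reappears at line 149 with its `{{- end }}` outside the hunk (markers are lost on this page), so the block balance could not be confirmed from here.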


@@ -106,6 +106,9 @@ spec:
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if and .Values.volumePermissions.enabled (or (or (not (empty .Values.witness.extendedConf)) (not (empty .Values.witness.extendedConfCM))) .Values.persistence.enabled) }}
- name: init-chmod-data
@@ -129,6 +132,9 @@ spec:
volumeMounts:
- name: data
mountPath: {{ .Values.persistence.mountPath }}
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
{{- if or .Values.witness.initContainers .Values.witness.extraInitContainers }}
{{- include "common.tplvalues.render" ( dict "value" (coalesce .Values.witness.initContainers .Values.witness.extraInitContainers) "context" $ ) | nindent 8 }}
@@ -394,6 +400,27 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.witness.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/postgresql/logs
subPath: app-logs-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/conf
subPath: repmgr-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/tmp
subPath: repmgr-tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/repmgr/logs
subPath: repmgr-logs-dir
{{- if or .Values.witness.repmgrConfiguration .Values.witness.configuration .Values.witness.pgHbaConfiguration .Values.witness.configurationCM }}
- name: postgresql-config
mountPath: /bitnami/repmgr/conf
@@ -498,6 +525,9 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.postgresql.usePasswordFile }}
- name: password
mountPath: /opt/bitnami/postgresql/secrets/
@@ -523,6 +553,8 @@ spec:
{{- if .Values.witness.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.witness.extraVolumes "context" $) | nindent 8 }}
{{- end }}
- name: empty-dir
emptyDir: {}
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
- name: custom-metrics
configMap: