[bitnami/postgresql] feat: Add password update job (#30444)

* [bitnami/postgresql] feat: Add password update job

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>

* fix: 🐛 Set correct references

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>

* chore: 🔧 Add missing elements

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Javier J. Salmerón García <javier.salmeron@broadcom.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Javier J. Salmerón García
2024-11-14 09:40:01 +01:00
committed by GitHub
parent d9d2d921e0
commit ea896dbfbf
12 changed files with 589 additions and 12 deletions

@@ -1,8 +1,12 @@
# Changelog
## 16.1.2 (2024-11-06)
## 16.2.0 (2024-11-13)
* [bitnami/postgresql] Release 16.1.2 ([#30250](https://github.com/bitnami/charts/pull/30250))
* [bitnami/postgresql] feat: :sparkles: Add password update job ([#30444](https://github.com/bitnami/charts/pull/30444))
## <small>16.1.2 (2024-11-06)</small>
* [bitnami/postgresql] Release 16.1.2 (#30250) ([423c554](https://github.com/bitnami/charts/commit/423c55454743745dc486e426089141fa814fd401)), closes [#30250](https://github.com/bitnami/charts/issues/30250)
## <small>16.1.1 (2024-11-04)</small>

@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.26.0
digest: sha256:5ff7837915aef0067bd32271ee2b10c990774c16c4b6fe0a7c5eb6e53530ce08
generated: "2024-10-16T12:20:00.574957406Z"
version: 2.27.0
digest: sha256:b711ab5874abf868a0c64353a790f17771758cee6f802acb9819be004c8460af
generated: "2024-11-13T13:17:51.58819475+01:00"

@@ -35,4 +35,4 @@ maintainers:
name: postgresql
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql
version: 16.1.2
version: 16.2.0

@@ -98,6 +98,55 @@ Next, login to the PostgreSQL server using the `psql` client and add the PAM aut
> Note: Parameters including commas must be escaped as shown in the above example.
### Update credentials
Bitnami charts, with its default settings, configure credentials at first boot. Any further change in the secrets or credentials can be done using one of the following methods:
### Manual update of the passwords and secrets
- Update the user password following [the upstream documentation](https://www.postgresql.org/docs/current/sql-alteruser.html)
- Update the password secret with the new values (replace the SECRET_NAME, PASSWORD and POSTGRES_PASSWORD placeholders)
```shell
kubectl create secret generic SECRET_NAME --from-literal=password=PASSWORD --from-literal=postgres-password=POSTGRES_PASSWORD --dry-run -o yaml | kubectl apply -f -
```
### Automated update using a password update job
The Bitnami PostgreSQL provides a password update job that will automatically change the PostgreSQL passwords when running helm upgrade. To enable the job set `passwordUpdateJob.enabled=true`. This job requires:
- The new passwords: this is configured using either `auth.postgresPassword`, `auth.password` and `auth.replicationPassword` (if applicable) or setting `auth.existingSecret`.
- The previous passwords: This value is taken automatically from already deployed secret object. If you are using `auth.existingSecret` or `helm template` instead of `helm upgrade`, then set either `passwordUpdate.job.previousPasswords.postgresPassword`, `passwordUpdate.job.previousPasswords.password`, `passwordUpdate.job.previousPasswords.replicationPassword` (when applicable), or setting `passwordUpdateJob,previousPasswords.existingSecret`.
In the following example we update the password via values.yaml in a PostgreSQL installation with replication
```yaml
architecture: "replication"
auth:
user: "user"
postgresPassword: "newPostgresPassword123"
password: "newUserPassword123"
replicationPassword: "newReplicationPassword123"
passwordUpdateJob:
enabled: true
```
In this example we use two existing secrets (`new-password-secret` and `previous-password-secret`) to update the passwords:
```yaml
auth:
existingSecret: new-password-secret
passwordUpdateJob:
enabled: true
previousPasswords:
existingSecret: previous-password-secret
```
You can add extra update commands using the `passwordUpdateJob.extraCommands` value.
### postgresql.conf / pg_hba.conf files as configMap
This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`.
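Review bot: the value paths in the "previous passwords" bullet do not exist in the chart: `passwordUpdate.job.previousPasswords.postgresPassword` (and its two siblings) should read `passwordUpdateJob.previousPasswords.postgresPassword`, and `passwordUpdateJob,previousPasswords.existingSecret` has a comma where a dot belongs; a user who copies these into `--set` gets a silently ignored key instead of a rotation. Smaller points in the same hunk: "The Bitnami PostgreSQL provides" is missing "chart"; the two method headings ("Manual update of the passwords and secrets", "Automated update using a password update job") are at the same `###` level as the "Update credentials" section they belong to, so `####` would keep them nested; and `kubectl create secret ... --dry-run` should be `--dry-run=client`, since the bare flag is deprecated and rejected by current kubectl. It would also help to state here that the job authenticates to the primary with the previous password, so the rotation fails if that password is no longer valid, for example after a manual change.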
@@ -667,6 +716,51 @@ If you already have data in it, you will fail to sync to standby nodes for all c
| `backup.cronjob.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the backup container | `[]` |
| `backup.cronjob.extraVolumes` | Optionally specify extra list of additional volumes for the backup container | `[]` |
### Password update job
| Name | Description | Value |
| --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
| `passwordUpdateJob.enabled` | Enable password update job | `false` |
| `passwordUpdateJob.backoffLimit` | set backoff limit of the job | `10` |
| `passwordUpdateJob.command` | Override default container command on mysql Primary container(s) (useful when using custom images) | `[]` |
| `passwordUpdateJob.args` | Override default container args on mysql Primary container(s) (useful when using custom images) | `[]` |
| `passwordUpdateJob.extraCommands` | Extra commands to pass to the generation job | `""` |
| `passwordUpdateJob.previousPasswords.postgresPassword` | Previous postgres password (set if the password secret was already changed) | `""` |
| `passwordUpdateJob.previousPasswords.password` | Previous password (set if the password secret was already changed) | `""` |
| `passwordUpdateJob.previousPasswords.replicationPassword` | Previous replication password (set if the password secret was already changed) | `""` |
| `passwordUpdateJob.previousPasswords.existingSecret` | Name of a secret containing the previous passwords (set if the password secret was already changed) | `""` |
| `passwordUpdateJob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `passwordUpdateJob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `passwordUpdateJob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `passwordUpdateJob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `passwordUpdateJob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `passwordUpdateJob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `passwordUpdateJob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `passwordUpdateJob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `passwordUpdateJob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `passwordUpdateJob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `passwordUpdateJob.podSecurityContext.enabled` | Enabled credential init job pods' Security Context | `true` |
| `passwordUpdateJob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `passwordUpdateJob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `passwordUpdateJob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `passwordUpdateJob.podSecurityContext.fsGroup` | Set credential init job pod's Security Context fsGroup | `1001` |
| `passwordUpdateJob.extraEnvVars` | Array containing extra env vars to configure the credential init job | `[]` |
| `passwordUpdateJob.extraEnvVarsCM` | ConfigMap containing extra env vars to configure the credential init job | `""` |
| `passwordUpdateJob.extraEnvVarsSecret` | Secret containing extra env vars to configure the credential init job (in case of sensitive data) | `""` |
| `passwordUpdateJob.extraVolumes` | Optionally specify extra list of additional volumes for the credential init job | `[]` |
| `passwordUpdateJob.extraVolumeMounts` | Array of extra volume mounts to be added to the jwt Container (evaluated as template). Normally used with `extraVolumes`. | `[]` |
| `passwordUpdateJob.initContainers` | Add additional init containers for the mysql Primary pod(s) | `[]` |
| `passwordUpdateJob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production). | `micro` |
| `passwordUpdateJob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `passwordUpdateJob.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `passwordUpdateJob.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `passwordUpdateJob.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `passwordUpdateJob.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `passwordUpdateJob.hostAliases` | Add deployment host aliases | `[]` |
| `passwordUpdateJob.annotations` | Add annotations to the job | `{}` |
| `passwordUpdateJob.podLabels` | Additional pod labels | `{}` |
| `passwordUpdateJob.podAnnotations` | Additional pod annotations | `{}` |
### Volume Permissions parameters
| Name | Description | Value |
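Review bot: several descriptions in this table are copied from another chart and name the wrong object: `passwordUpdateJob.command` and `.args` refer to "mysql Primary container(s)", `passwordUpdateJob.initContainers` to "the mysql Primary pod(s)", `passwordUpdateJob.extraVolumeMounts` to "the jwt Container", `passwordUpdateJob.extraCommands` to "the generation job", and the security context and env entries to a "credential init job". This table is generated from the `@param` comments in values.yaml, so fix the wording there ("the password update job container", "the password update job pod") and regenerate. Separately, `customLivenessProbe`, `customReadinessProbe` and `customStartupProbe` are exposed for a run-to-completion Job container, where they have little use; consider whether they belong in the interface at all.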

@@ -166,6 +166,44 @@ Return true if a secret object should be created
{{- end -}}
{{- end -}}
{{/*
Return true if a secret object should be created for PostgreSQL
*/}}
{{- define "postgresql.v1.createPreviousSecret" -}}
{{- if and .Values.passwordUpdateJob.previousPasswords.postgresPassword (not .Values.passwordUpdateJob.previousPasswords.existingSecret) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret with previous PostgreSQL credentials
*/}}
{{- define "postgresql.v1.update-job.previousSecretName" -}}
{{- if .Values.passwordUpdateJob.previousPasswords.existingSecret -}}
{{- /* The secret with the new password is managed externally */ -}}
{{- tpl .Values.passwordUpdateJob.previousPasswords.existingSecret $ -}}
{{- else if .Values.passwordUpdateJob.previousPasswords.postgresPassword -}}
{{- /* The secret with the new password is managed externally */ -}}
{{- printf "%s-previous-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- /* The secret with the new password is managed by the helm chart. We use the current secret name as it has the old password */ -}}
{{- include "common.names.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret with new PostgreSQL credentials
*/}}
{{- define "postgresql.v1.update-job.newSecretName" -}}
{{- if and (not .Values.passwordUpdateJob.previousPasswords.existingSecret) (not .Values.passwordUpdateJob.previousPasswords.postgresPassword) -}}
{{- /* The secret with the new password is managed by the helm chart. We create a new secret as the current one has the old password */ -}}
{{- printf "%s-new-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- /* The secret with the new password is managed externally */ -}}
{{- include "postgresql.v1.secretName" . -}}
{{- end -}}
{{- end -}}
{{/*
Return PostgreSQL service port
*/}}
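Review bot: `postgresql.v1.createPreviousSecret` only tests `previousPasswords.postgresPassword`, so a deployment with `auth.enablePostgresUser=false` that sets only `previousPasswords.password` (and/or `.replicationPassword`) never gets a previous-credentials secret, and `previousSecretName` then falls through to `common.names.fullname`, the chart's own secret, so the job reads whatever that secret holds rather than the values the user supplied. Test all three fields, e.g. `{{- if and (or .Values.passwordUpdateJob.previousPasswords.postgresPassword .Values.passwordUpdateJob.previousPasswords.password .Values.passwordUpdateJob.previousPasswords.replicationPassword) (not .Values.passwordUpdateJob.previousPasswords.existingSecret) }}`, and use the same `or` in the `else if` branch of `previousSecretName` and in the first branch of `newSecretName`. Two comment fixes: the doc block above `createPreviousSecret` repeats "Return true if a secret object should be created for PostgreSQL" from the helper above it and should say it is the previous-credentials secret, and the comment in the `else if` branch of `previousSecretName` ("The secret with the new password is managed externally") is wrong for that branch, which returns the chart-generated `-previous-secret`.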

@@ -31,7 +31,7 @@ spec:
name: {{ include "postgresql.v1.primary.fullname" . }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: primary
{{- if or (include "postgresql.v1.primary.createConfigmap" .) (include "postgresql.v1.primary.createExtendedConfigmap" .) .Values.primary.podAnnotations }}
{{- if or .Values.passwordUpdateJob.enabled (include "postgresql.v1.primary.createConfigmap" .) (include "postgresql.v1.primary.createExtendedConfigmap" .) .Values.primary.podAnnotations }}
annotations:
{{- if (include "postgresql.v1.primary.createConfigmap" .) }}
checksum/configuration: {{ pick (include (print $.Template.BasePath "/primary/configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
@@ -39,6 +39,9 @@ spec:
{{- if (include "postgresql.v1.primary.createExtendedConfigmap" .) }}
checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
{{- end }}
{{- if .Values.passwordUpdateJob.enabled }}
charts.bitnami.com/password-last-update: {{ now | date "20060102150405" | quote }}
{{- end }}
{{- if .Values.primary.podAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }}
{{- end }}
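Review bot: `charts.bitnami.com/password-last-update: {{ now | date "20060102150405" | quote }}` changes on every render, so with `passwordUpdateJob.enabled=true` every `helm upgrade` (and every `helm template` or `helm diff`) rolls the primary even when no password changed, and diff tooling always reports a change. If the intent is to restart the pods so they pick up the rotated secret, a content-based trigger, such as a `checksum/secret`-style annotation over the rendered credentials secret in the same style as the configmap checksums just above, restarts only when the credentials actually change and keeps rendering deterministic. Either way the README section on the job should state that enabling it causes a rolling restart on upgrade.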

@@ -32,11 +32,14 @@ spec:
name: {{ include "postgresql.v1.readReplica.fullname" . }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: read
{{- if or (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }}
{{- if or .Values.passwordUpdateJob.enabled (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }}
annotations:
{{- if (include "postgresql.v1.readReplicas.createExtendedConfigmap" .) }}
checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }}
{{- end }}
{{- if .Values.passwordUpdateJob.enabled }}
charts.bitnami.com/password-last-update: {{ now | date "20060102150405" | quote }}
{{- end }}
{{- if .Values.readReplicas.podAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }}
{{- end }}
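Review bot: the same `now`-based annotation as on the primary makes the read replicas restart on every render rather than only when a password changes. For the replicas there is an additional ordering effect worth documenting: the `pre-upgrade` hook rotates the replication password on the primary before the StatefulSet is updated, so any replica that has to reconnect between the hook completing and its own pod being rolled will fail authentication with the old replication password until the restart picks up the new secret. A short note in the README, and a content-based restart trigger instead of `now`, would make that window explicit and bounded.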

@@ -6,13 +6,16 @@ SPDX-License-Identifier: APACHE-2.0
{{- $host := include "postgresql.v1.primary.fullname" . }}
{{- $port := include "postgresql.v1.service.port" . }}
{{- $customUser := include "postgresql.v1.username" . }}
{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.adminPasswordKey .Values.auth.secretKeys.adminPasswordKey) "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) | trimAll "\"" | b64dec }}
{{- $postgresPassword := (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) }}
{{- if (not $postgresPassword) }}
{{- $postgresPassword = include "common.secrets.lookup" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.adminPasswordKey .Values.auth.secretKeys.adminPasswordKey) "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) | trimAll "\"" | b64dec }}
{{- end }}
{{- if and (not $postgresPassword) .Values.auth.enablePostgresUser }}
{{- $postgresPassword = randAlphaNum 10 }}
{{- end }}
{{- $replicationPassword := "" }}
{{- if eq .Values.architecture "replication" }}
{{- $replicationPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.replicationPasswordKey .Values.auth.secretKeys.replicationPasswordKey) "providedValues" (list "auth.replicationPassword") "context" $) | trimAll "\"" | b64dec }}
{{- $replicationPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.replicationPasswordKey .Values.auth.secretKeys.replicationPasswordKey) "providedValues" (list "auth.replicationPassword") "honorProvidedValues" true "context" $) | trimAll "\"" | b64dec }}
{{- end }}
{{- $ldapPassword := "" }}
{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
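Review bot: in the `if (not $postgresPassword)` fallback, the `common.secrets.lookup` call passes as `defaultValue` the same `ternary (coalesce ...)` expression that was just evaluated to empty, so that default can never contribute anything; pass `""` (or drop the key) to make it clear that the lookup is the only remaining source. The more important point is the behaviour change: `$postgresPassword` now prefers `auth.postgresPassword` over the stored secret, and `honorProvidedValues true` does the same for the replication password, so a value left in values.yaml from install time now overwrites the stored secret on every upgrade, including for users who rotated the password manually per the README's "Manual update" section. That deserves a line in the upgrade notes, since the README currently says credentials are only configured at first boot.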
@@ -20,7 +23,7 @@ SPDX-License-Identifier: APACHE-2.0
{{- end }}
{{- $password := "" }}
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.userPasswordKey .Values.auth.secretKeys.userPasswordKey) "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) | trimAll "\"" | b64dec }}
{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.v1.secretName" .) "key" (coalesce .Values.global.postgresql.auth.secretKeys.userPasswordKey .Values.auth.secretKeys.userPasswordKey) "providedValues" (list "global.postgresql.auth.password" "auth.password") "honorProvidedValues" true "context" $) | trimAll "\"" | b64dec }}
{{- end }}
{{- $database := include "postgresql.v1.database" . }}
{{- if (include "postgresql.v1.createSecret" .) }}

@@ -0,0 +1,234 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.passwordUpdateJob.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-password-update" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: postgresql
app.kubernetes.io/component: update-job
{{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
spec:
backoffLimit: {{ .Values.passwordUpdateJob.backoffLimit }}
template:
metadata:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.passwordUpdateJob.podLabels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/part-of: postgresql
app.kubernetes.io/component: update-job
{{- if .Values.passwordUpdateJob.podAnnotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
restartPolicy: OnFailure
{{- if .Values.passwordUpdateJob.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.passwordUpdateJob.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.passwordUpdateJob.automountServiceAccountToken }}
{{- if .Values.passwordUpdateJob.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.hostAliases "context" $) | nindent 8 }}
{{- end }}
initContainers:
{{- if .Values.passwordUpdateJob.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: update-credentials
image: {{ template "postgresql.v1.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.passwordUpdateJob.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.command "context" $) | nindent 12 }}
{{- else }}
command:
- /bin/bash
- -ec
{{- end }}
{{- if .Values.passwordUpdateJob.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.args "context" $) | nindent 12 }}
{{- else }}
args:
- |
{{- $customUser := include "postgresql.v1.username" . }}
{{- if .Values.usePasswordFiles }}
# We need to load all the secret env vars to the system
for file in $(find /bitnami/postgresql/secrets -type f); do
env_var_name="$(basename $file)"
echo "Exporting $env_var_name"
export $env_var_name="$(< $file)"
done
{{- end }}
. /opt/bitnami/scripts/postgresql-env.sh
. /opt/bitnami/scripts/libpostgresql.sh
. /opt/bitnami/scripts/liblog.sh
primary_host={{ include "postgresql.v1.primary.fullname" . }}-0.{{ include "postgresql.v1.primary.svc.headless" . }}
info "Starting password update job"
{{- if .Values.auth.enablePostgresUser }}
if [[ -f /job-status/postgres-password-changed ]]; then
info "Postgres password already updated. Skipping"
else
info "Updating postgres password"
echo "ALTER USER postgres WITH PASSWORD '$POSTGRESQL_NEW_POSTGRES_PASSWORD';" | postgresql_remote_execute $primary_host {{ .Values.containerPorts.postgresql }} "" postgres $POSTGRESQL_PREVIOUS_POSTGRES_PASSWORD
touch /job-status/postgres-password-changed
info "Postgres password successfully updated"
fi
{{- end }}
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
if [[ -f /job-status/password-changed ]]; then
info "User password already updated. Skipping"
else
info "Updating user password"
echo "ALTER USER {{ $customUser }} WITH PASSWORD '$POSTGRESQL_NEW_PASSWORD';" | postgresql_remote_execute $primary_host {{ .Values.containerPorts.postgresql }} "postgres" $POSTGRESQL_USER $POSTGRESQL_PREVIOUS_PASSWORD
touch /job-status/password-changed
info "User password successfully updated"
fi
{{- end }}
{{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
if [[ -f /job-status/replication-password-changed ]]; then
info "Replication password already updated. Skipping"
else
info "Updating replication password"
echo "ALTER USER $POSTGRESQL_REPLICATION_USER WITH PASSWORD '$POSTGRESQL_NEW_REPLICATION_PASSWORD';" | postgresql_remote_execute $primary_host {{ .Values.containerPorts.postgresql }} "postgres" $POSTGRESQL_REPLICATION_USER $POSTGRESQL_PREVIOUS_REPLICATION_PASSWORD
touch /job-status/replication-password-changed
info "Replication password successfully updated"
fi
{{- end }}
{{- if .Values.passwordUpdateJob.extraCommands }}
info "Running extra commmands"
{{- include "common.tplValues.render" (dict "value" .Values.passwordUpdateJob.extraCommands "context" $) | nindent 14 }}
{{- end }}
info "Password update job finished successfully"
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
{{- if not .Values.auth.usePasswordFiles }}
- name: POSTGRESQL_PREVIOUS_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.v1.update-job.previousSecretName" . }}
key: {{ include "postgresql.v1.adminPasswordKey" . }}
- name: POSTGRESQL_NEW_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.v1.update-job.newSecretName" . }}
key: {{ include "postgresql.v1.adminPasswordKey" . }}
{{- end }}
{{- if not (empty .Values.auth.username) }}
- name: POSTGRESQL_USER
value: {{ .Values.auth.username | quote }}
{{- if not .Values.auth.usePasswordFiles }}
- name: POSTGRESQL_PREVIOUS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.v1.update-job.previousSecretName" . }}
key: {{ include "postgresql.v1.userPasswordKey" . }}
- name: POSTGRESQL_NEW_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.v1.update-job.newSecretName" . }}
key: {{ include "postgresql.v1.userPasswordKey" . }}
{{- end }}
{{- end }}
{{- if eq .Values.architecture "replication" }}
- name: POSTGRESQL_REPLICATION_USER
value: {{ .Values.auth.replicationUsername | quote }}
{{- if not .Values.auth.usePasswordFiles }}
- name: POSTGRESQL_PREVIOUS_REPLICATION_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.v1.update-job.previousSecretName" . }}
key: {{ include "postgresql.v1.replicationPasswordKey" . }}
- name: POSTGRESQL_NEW_REPLICATION_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.v1.update-job.newSecretName" . }}
key: {{ include "postgresql.v1.replicationPasswordKey" . }}
{{- end }}
{{- end }}
{{- if .Values.passwordUpdateJob.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.passwordUpdateJob.extraEnvVarsCM .Values.passwordUpdateJob.extraEnvVarsSecret }}
envFrom:
{{- if .Values.passwordUpdateJob.extraEnvVarsCM }}
- configMapRef:
name: {{ .Values.passwordUpdateJob.extraEnvVarsCM }}
{{- end }}
{{- if .Values.passwordUpdateJob.extraEnvVarsSecret }}
- secretRef:
name: {{ .Values.passwordUpdateJob.extraEnvVarsSecret }}
{{- end }}
{{- end }}
{{- if .Values.passwordUpdateJob.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.passwordUpdateJob.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.passwordUpdateJob.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.passwordUpdateJob.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.passwordUpdateJob.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customStartupProbe "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /job-status
subPath: job-dir
{{- if .Values.usePasswordFiles }}
- name: postgresql-previous-credentials
mountPath: /bitnami/postgresql/secrets/previous
- name: postgresql-new-credentials
mountPath: /bitnami/postgresql/secrets/new
{{- end }}
{{- if .Values.passwordUpdateJob.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.passwordUpdateJob.resources }}
resources: {{- toYaml .Values.passwordUpdateJob.resources | nindent 12 }}
{{- else if ne .Values.passwordUpdateJob.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.passwordUpdateJob.resourcesPreset) | nindent 12 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if and .Values.auth.usePasswordFiles }}
- name: postgresql-previous-credentials
secret:
secretName: {{ template "postgresql.update-job.previousSecretName" . }}
items:
- key: postgresql-root-password
path: POSTGRESQL_PREVIOUS_POSTGRES_PASSWORD
- key: postgresql-password
path: POSTGRESQL_PREVIOUS_PASSWORD
{{- if eq .Values.architecture "replication" }}
- key: postgresql-replication-password
path: POSTGRESQL_PREVIOUS_REPLICATION_PASSWORD
{{- end }}
- name: postgresql-new-credentials
secret:
secretName: {{ template "postgresql.update-job.newSecretName" . }}
items:
- key: postgresql-root-password
path: POSTGRESQL_NEW_POSTGRES_PASSWORD
- key: postgresql-password
path: POSTGRESQL_NEW_PASSWORD
{{- if eq .Values.architecture "replication" }}
- key: postgresql-replication-password
path: POSTGRESQL_NEW_REPLICATION_PASSWORD
{{- end }}
{{- end }}
{{- if .Values.passwordUpdateJob.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}
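Review bot: the `volumes` section references helpers that do not exist: `{{ template "postgresql.update-job.previousSecretName" . }}` and `{{ template "postgresql.update-job.newSecretName" . }}`, while the helpers file defines `postgresql.v1.update-job.previousSecretName` and `postgresql.v1.update-job.newSecretName`, so rendering fails as soon as that block is reached. The same file also mixes `.Values.usePasswordFiles` (the bash loader loop and the `volumeMounts` entries) with `.Values.auth.usePasswordFiles` (the `env` guards and the `volumes` block); the former is not a chart value, so with password files enabled the env vars are skipped, the volumes are declared but never mounted, and the loader is never rendered, leaving the script without credentials. Use `.Values.auth.usePasswordFiles` throughout. Third mismatch: the secret `items` keys (`postgresql-root-password`, `postgresql-password`, `postgresql-replication-password`) do not match the keys the `env` section and the new `-new-secret`/`-previous-secret` templates use (`postgres-password`, `password`, `replication-password`, via `postgresql.v1.adminPasswordKey` and friends); use the same `include`s here. Further points: `common.tplValues.render` in the `extraCommands` branch should be `common.tplvalues.render` (and "commmands" in the log line has an extra m); the replication block in the script is gated on `or (eq .Values.architecture "replication") .Values.primary.standby.enabled` but the `POSTGRESQL_REPLICATION_USER` and password env vars only on `eq .Values.architecture "replication"`, so a standby-only deployment runs the `ALTER USER` with empty variables; the `POSTGRESQL_USER` env var reads `.Values.auth.username` while the script uses `postgresql.v1.username`, so a username set under `global.postgresql.auth` is not exported; and the `ALTER USER ... WITH PASSWORD '$POSTGRESQL_NEW_...'` statements splice the password into SQL as a single-quoted literal, so a password containing `'` breaks the statement (escape embedded quotes as `''` before splicing). Finally, the `/job-status` markers make retries idempotent only within one pod, because `emptyDir` survives an `OnFailure` container restart but not rescheduling; after a partial run in a new pod, the re-run authenticates with the previous password for users that have already been rotated and fails. Documenting that limitation, or probing with the new password first and skipping on success, would make the job safely re-runnable.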

@@ -0,0 +1,32 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.passwordUpdateJob.enabled (include "postgresql.v1.createSecret" .) (not ( include "postgresql.v1.createPreviousSecret" . )) (not .Values.passwordUpdateJob.previousPasswords.existingSecret) }}
{{- $customUser := include "postgresql.v1.username" . }}
{{- $postgresPassword := (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) }}
{{- $password := coalesce .Values.global.postgresql.auth.password .Values.auth.password }}
{{- $replicationPassword := .Values.auth.replicationPassword }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-new-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: postgresql
{{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
type: Opaque
data:
{{- if .Values.auth.enablePostgresUser }}
postgres-password: {{ required "The new postgres password is required!" $postgresPassword | b64enc | quote }}
{{- end }}
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
password: {{ required "The new user password is required!" $password | b64enc | quote }}
{{- end }}
{{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
replication-password: {{ required "The new replication password is required!" $replicationPassword | b64enc | quote }}
{{- end }}
{{- end }}
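Review bot: `$replicationPassword := .Values.auth.replicationPassword` ignores `global.postgresql.auth.replicationPassword`, whereas `$password` and `$postgresPassword` on the lines above coalesce the global values; use the same `coalesce` so a globally set replication password is not rejected by the `required` check. Also, this Secret and the Job are both `pre-upgrade` hooks with the default weight, so the Job's `secretKeyRef` to `-new-secret` relies on Helm's kind ordering to create the Secret first; an explicit `helm.sh/hook-weight` (a lower value here than on the Job) makes that dependency deliberate. And because `hook-delete-policy: hook-succeeded` removes this Secret once the Job succeeds, the rotated values persist only in the regular release secret, which is what the `honorProvidedValues` change in secrets.yaml provides; a comment here would keep that coupling from being lost in a later refactor.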

@@ -0,0 +1,32 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.passwordUpdateJob.enabled (include "postgresql.v1.createPreviousSecret" .) }}
{{- $customUser := include "postgresql.v1.username" . }}
{{- $postgresPassword := .Values.passwordUpdateJob.previousPasswords.postgresPassword }}
{{- $password := .Values.passwordUpdateJob.previousPasswords.password }}
{{- $replicationPassword := .Values.passwordUpdateJob.previousPasswords.replicationPassword }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-previous-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/part-of: postgresql
{{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
type: Opaque
data:
{{- if .Values.auth.enablePostgresUser }}
postgres-password: {{ required "The previous postgres password is required!" $postgresPassword | b64enc | quote }}
{{- end }}
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
password: {{ required "The previous user password is required!" $password | b64enc | quote }}
{{- end }}
{{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
replication-password: {{ required "The previous replication password is required!" $replicationPassword | b64enc | quote }}
{{- end }}
{{- end }}
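Review bot: the previous passwords read here from `.Values.passwordUpdateJob.previousPasswords.postgresPassword`, `.password` and `.replicationPassword` end up in plaintext in the Helm release history (the release Secret stores the user-supplied values) and in any values file that carries them; `previousPasswords.existingSecret` avoids that and should be documented as the recommended option, with the inline values reserved for local testing. As a style point, this template is a near-verbatim copy of the new-passwords Secret; a shared named template parameterized on the values path and the "previous"/"new" wording in the `required` messages would keep the two from drifting apart.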


@@ -210,7 +210,6 @@ audit:
logTimezone: ""
## LDAP configuration
## @param ldap.enabled Enable LDAP support
## DEPRECATED ldap.url It will removed in a future, please use 'ldap.uri' instead
## @param ldap.server IP address or name of the LDAP server.
## @param ldap.port Port number on the LDAP server to connect to
## @param ldap.prefix String to prepend to the user name when forming the DN to bind
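Review bot: dropping the `## DEPRECATED ldap.url ...` comment is unrelated to the password update job. If `ldap.url` is still honored by the templates, the note pointing users to `ldap.uri` should stay (with the grammar fixed: "It will be removed in a future release"); if the parameter is actually being removed, that is a breaking change that deserves its own changelog entry rather than being buried in a feature commit.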
@@ -1428,6 +1427,141 @@ backup:
## @param backup.cronjob.extraVolumes Optionally specify extra list of additional volumes for the backup container
##
extraVolumes: []
## @section Password update job
##
passwordUpdateJob:
## @param passwordUpdateJob.enabled Enable password update job
##
enabled: false
## @param passwordUpdateJob.backoffLimit set backoff limit of the job
##
backoffLimit: 10
## @param passwordUpdateJob.command Override default container command on mysql Primary container(s) (useful when using custom images)
##
command: []
## @param passwordUpdateJob.args Override default container args on mysql Primary container(s) (useful when using custom images)
##
args: []
## @param passwordUpdateJob.extraCommands Extra commands to pass to the generation job
##
extraCommands: ""
## @param passwordUpdateJob.previousPasswords.postgresPassword Previous postgres password (set if the password secret was already changed)
## @param passwordUpdateJob.previousPasswords.password Previous password (set if the password secret was already changed)
## @param passwordUpdateJob.previousPasswords.replicationPassword Previous replication password (set if the password secret was already changed)
## @param passwordUpdateJob.previousPasswords.existingSecret Name of a secret containing the previous passwords (set if the password secret was already changed)
previousPasswords:
postgresPassword: ""
password: ""
replicationPassword: ""
existingSecret: ""
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param passwordUpdateJob.containerSecurityContext.enabled Enabled containers' Security Context
## @param passwordUpdateJob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param passwordUpdateJob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param passwordUpdateJob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param passwordUpdateJob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param passwordUpdateJob.containerSecurityContext.privileged Set container's Security Context privileged
## @param passwordUpdateJob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param passwordUpdateJob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param passwordUpdateJob.containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param passwordUpdateJob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param passwordUpdateJob.podSecurityContext.enabled Enabled credential init job pods' Security Context
## @param passwordUpdateJob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param passwordUpdateJob.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param passwordUpdateJob.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param passwordUpdateJob.podSecurityContext.fsGroup Set credential init job pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## @param passwordUpdateJob.extraEnvVars Array containing extra env vars to configure the credential init job
## For example:
## extraEnvVars:
## - name: GF_DEFAULT_INSTANCE_NAME
## value: my-instance
##
extraEnvVars: []
## @param passwordUpdateJob.extraEnvVarsCM ConfigMap containing extra env vars to configure the credential init job
##
extraEnvVarsCM: ""
## @param passwordUpdateJob.extraEnvVarsSecret Secret containing extra env vars to configure the credential init job (in case of sensitive data)
##
extraEnvVarsSecret: ""
## @param passwordUpdateJob.extraVolumes Optionally specify extra list of additional volumes for the credential init job
##
extraVolumes: []
## @param passwordUpdateJob.extraVolumeMounts Array of extra volume mounts to be added to the jwt Container (evaluated as template). Normally used with `extraVolumes`.
##
extraVolumeMounts: []
## @param passwordUpdateJob.initContainers Add additional init containers for the mysql Primary pod(s)
##
initContainers: []
## Container resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param passwordUpdateJob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "micro"
## @param passwordUpdateJob.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## @param passwordUpdateJob.customLivenessProbe Custom livenessProbe that overrides the default one
##
customLivenessProbe: {}
## @param passwordUpdateJob.customReadinessProbe Custom readinessProbe that overrides the default one
##
customReadinessProbe: {}
## @param passwordUpdateJob.customStartupProbe Custom startupProbe that overrides the default one
##
customStartupProbe: {}
## @param passwordUpdateJob.automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
## @param passwordUpdateJob.hostAliases Add deployment host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param passwordUpdateJob.annotations [object] Add annotations to the job
##
annotations: {}
## @param passwordUpdateJob.podLabels Additional pod labels
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param passwordUpdateJob.podAnnotations Additional pod annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @section Volume Permissions parameters
##
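Review bot: several parameter descriptions in the new `passwordUpdateJob` section were copied from other charts and name the wrong component: `passwordUpdateJob.command`, `.args` and `.initContainers` say "mysql Primary container(s)/pod(s)", `.extraVolumeMounts` says "the jwt Container", `.extraEnvVars` uses a Grafana example (`GF_DEFAULT_INSTANCE_NAME`), and the security-context and env-var parameters refer to a "credential init job". These should read "password update job" throughout, since the README parameter table is generated from them. Two smaller points: `customLivenessProbe`/`customReadinessProbe`/`customStartupProbe` are unusual on a one-shot Job container and should either be consumed by the job template or dropped; and the hardened defaults (`runAsNonRoot: true`, `capabilities.drop: ["ALL"]`, `readOnlyRootFilesystem: true`, `automountServiceAccountToken: false`) are the right baseline for a container handling database credentials, but with `readOnlyRootFilesystem: true` it is worth verifying that the job template mounts a writable `emptyDir` for any temporary files the client tools need.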