
feat(charts)!: Update Helm release postgresql to 16.6.0 #2496

Open
wants to merge 1 commit into base: main

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Oct 3, 2024

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| postgresql (source) | major | 11.9.8 -> 16.6.0 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

bitnami/charts (postgresql)

v16.6.0

  • [bitnami/postgresql] Set usePasswordFiles=true by default (#32115)

v16.5.6

v16.5.5

v16.5.4

v16.5.3

v16.5.2

v16.5.1

v16.5.0

  • [bitnami/postgresql] Add secretAnnotation value (#31984)

v16.4.16

v16.4.15

v16.4.14

v16.4.13

v16.4.11

v16.4.9

v16.4.8

v16.4.7

  • [bitnami/postgresql] use adminPassword for metrics user when custom user is not set on primary (#318 (ca8f930), closes #31840

v16.4.6

v16.4.5

v16.4.4

v16.4.3

  • bitnami/postgresql Fix missing dot in include statement for passwordUpdate job template (#31364) (901b26c), closes #31364

v16.4.2

v16.4.1

  • [bitnami/postgresql] Release 16.4.16 (#32250)

v16.3.5

v16.3.4

v16.3.3

v16.3.2

v16.3.1

v16.3.0

v16.2.5

v16.2.4

v16.2.3

v16.2.2

v16.2.1

v16.2.0

v16.1.2

v16.1.1

v16.1.0

v16.0.6

v16.0.5

v16.0.4

v16.0.3

v16.0.2

v16.0.1

v16.0.0

v15.5.38

v15.5.37

v15.5.36

v15.5.35

v15.5.34

v15.5.33

v15.5.32

v15.5.31

v15.5.30

v15.5.29

v15.5.28

v15.5.27

v15.5.26

v15.5.25

v15.5.24

v15.5.23

v15.5.22

v15.5.21

v15.5.20

v15.5.19

v15.5.18

v15.5.17

v15.5.16

v15.5.15

v15.5.14

v15.5.13

v15.5.12

v15.5.11

v15.5.10

v15.5.9

v15.5.8

v15.5.7

v15.5.6

v15.5.5

v15.5.4

v15.5.3

v15.5.2

v15.5.1

v15.5.0

v15.4.2

v15.4.1

v15.4.0

v15.3.5

v15.3.4

v15.3.3

v15.3.2

v15.3.1

v15.3.0

v15.2.13

v15.2.12

v15.2.11

v15.2.10

v15.2.9

v15.2.8

v15.2.7

v15.2.6

v15.2.5

v15.2.4

v15.2.3

v15.2.2

v15.2.1

v15.2.0

v15.1.4

v15.1.3

v15.1.2

v15.1.1

v15.1.0

  • [bitnami/postgresql] Add a NetworkPolicy to allow backup pods to access primary nodes (#24363) (dc93455), closes #24363

v15.0.0

v14.3.3

v14.3.2

v14.3.1

v14.3.0

  • [bitnami/postgresql] postgresql backup container adds resources parameter (#23955) (8da2a95), closes #23955
  • [bitnami/postgresql] feat: ✨ 🔒 Add automatic adaptation for Openshift restricted-v2 SC (1a2217f), closes #24141

v14.2.4

v14.2.3

v14.2.2

  • [bitnami/postgresql] Release 14.2

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from dfroberg as a code owner October 3, 2024 05:47

github-actions bot commented Oct 3, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.0

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
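Review bot: the new NetworkPolicy only pins ports, not peers. Its ingress rule lists `port: 5432` and `port: 9187` but carries no `from` selector, so any pod in any namespace that can route to the primary is admitted on those two ports, and `egress: - {}` permits all outbound traffic. If the intent of enabling the policy is to limit who can reach the database, configure the chart's networkPolicy values to select the namespaces and pods that need access (or disable it if the cluster already enforces its own policy); as rendered it adds little over having no policy. The accompanying ServiceAccount with `automountServiceAccountToken: false` is a straightforward improvement.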
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "cnVKOGxJTENzQQ=="
+  postgres-password: "eDJyM3NCTzhFTg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
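Review bot: `postgres-password` changes from `cnVKOGxJTENzQQ==` to `eDJyM3NCTzhFTg==`, and the later renders on this PR (Oct 4, Oct 16) show different pairs again, so both sides are random strings generated at template time rather than a value pinned in the HelmRelease; by contrast `password` decodes to the Flux placeholder `${SECRET_POSTGRES_PASSWORD}`. This diff therefore cannot tell you what the superuser password will be after the upgrade. Pin it explicitly through the same substitution mechanism (`auth.postgresPassword`) or point the chart at an existing secret, so the value does not depend on what the chart's lookup happens to preserve, especially since the metrics sidecar switches to this key further down.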
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
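Review bot: the `service.alpha.kubernetes.io/tolerate-unready-endpoints` annotation is removed and `annotations:` is left with no value (renders as null, harmless). The removed comment says the annotation was a fallback for `publishNotReadyAddresses`; that field is outside this hunk, so confirm it is still set on the headless Service spec after the upgrade.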
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
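Review bot: the container image is still `quay.io/bitnami/postgresql:14.1.0` (unchanged context line) while the chart jumps from 11.9.8 to 16.x, and the new securityContext sets `readOnlyRootFilesystem: true`, drops all capabilities and enforces the `RuntimeDefault` seccomp profile. The 16.x templates are written for the image they ship with, so verify in a test namespace that the 14.1.0 image starts with a read-only root filesystem (the `empty-dir` mounts for `/tmp`, `/opt/bitnami/postgresql/conf` and `/opt/bitnami/postgresql/tmp` in the volumeMounts hunk below are what make that work) or bump the image in the same change. The dropped `namespaces: ["default"]` under podAntiAffinity is benign: the term defaults to the pod's own namespace.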
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
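Review bot: the database-name variable is renamed from `POSTGRES_DB` to `POSTGRES_DATABASE`, but the image stays at 14.1.0 (previous hunk); check that this image version honours `POSTGRES_DATABASE`, otherwise the setting is silently ignored (the value here is `postgres`, the image default, so it only matters if the name is changed later). The two password variables merely swap order: `POSTGRES_PASSWORD` still reads key `password` and `POSTGRES_POSTGRES_PASSWORD` still reads key `postgres-password`, so there is no credential-mapping change in this hunk.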
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
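Review bot: the primary's resources drop from requests of `cpu: 250m` / `memory: 256Mi` with no limits to limits of `cpu: 150m` / `memory: 192Mi` and requests of `cpu: 100m` / `memory: 128Mi`. These look like the chart's built-in small resource preset applied because no explicit resources are set in the HelmRelease; a 192Mi hard memory limit is tight for PostgreSQL and will get the container OOM-killed under load. Set explicit resources for the primary (and for the metrics sidecar, which receives the same preset in the hunk further down) before merging.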
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
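Review bot: the metrics exporter switches from `DATA_SOURCE_USER: "${SECRET_POSTGRES_USERNAME}"` with key `password` to the superuser `"postgres"` with key `postgres-password`. Two consequences: a read-only scraping sidecar now holds superuser credentials, and `postgres-password` is the chart-generated value (it differs in every render of this PR) while the password actually set at initdb lives in the persisted data volume, so unless the superuser password is pinned to the live value the exporter will fail to authenticate after the upgrade. Prefer a dedicated, least-privileged monitoring role if the chart allows it, and in any case pin `auth.postgresPassword`.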
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
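Review bot: `apiVersion: v1` and `kind: PersistentVolumeClaim` are added to the existing `volumeClaimTemplates` entry. Kubernetes forbids updates to a StatefulSet's volumeClaimTemplates, and the API server may treat these added fields as a change, so the upgrade can be rejected with a "Forbidden: updates to statefulset spec for fields other than ..." error. Be prepared to delete the StatefulSet with `--cascade=orphan` (the pod and the `data` PVC remain) and let the HelmRelease recreate it.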
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 443ca84 to 51a9ee3 Compare October 4, 2024 13:39
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.0 feat(charts)!: Update Helm release postgresql to 16.0.1 Oct 4, 2024

github-actions bot commented Oct 4, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.1

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "bVlKbDJCalN1Sw=="
+  postgres-password: "VEpXaUMxRmRESw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
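Review bot: same Secret hunk as the Oct 3 render, now `bVlKbDJCalN1Sw==` -> `VEpXaUMxRmRESw==`: both the old and the new side are regenerated on every render, which confirms the postgres superuser password is not pinned in the release values. Apart from this value and the 16.0.1 chart version, the rendered output is identical to the previous comment, so the review points raised there still apply.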
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 51a9ee3 to d23f0e0 Compare October 16, 2024 17:18

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.3

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "NXNMVzB3SGY1bA=="
+  postgres-password: "WHF6bkRRdTNraQ=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.1 feat(charts)!: Update Helm release postgresql to 16.0.3 Oct 16, 2024
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from d23f0e0 to c0c0c81 on October 21, 2024 13:08
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.3 feat(charts)!: Update Helm release postgresql to 16.0.4 Oct 21, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.4

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
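Review bot: the NetworkPolicy added at the top of this hunk is effectively allow-all for the ports it names, because the `ingress` rule lists `port: 5432` and `port: 9187` with no `from:` selector (any peer that can route to the pod reaches the database and the exporter) and `egress: - {}` permits all outbound traffic. If the point of enabling the policy is to isolate the database, add a `from:` block with a `podSelector`/`namespaceSelector` for the consuming workloads and restrict egress; as rendered it only blocks ingress on ports the pod does not listen on anyway. The dedicated ServiceAccount with `automountServiceAccountToken: false` and the PDB are fine as they stand.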
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "Y1J5aXZwVjlIVw=="
+  postgres-password: "R0xPbHVINDM3eg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
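Review bot: `postgres-password` in this hunk is a render-time random value rather than a pinned one: it differs in every preview posted on this PR, while `password` stays `JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkQ9`, the `${SECRET_POSTGRES_PASSWORD}` substitution. Unless the chart reuses the existing Secret on upgrade, a reconcile can rotate the `postgres` superuser credential in the Secret without changing the password stored in the data volume, and the metrics sidecar (which now reads this key, see the `DATA_SOURCE_PASS` change further down) would then fail to authenticate. Pin it the same way as the application password, via a substituted value or an existing secret, before merging.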
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
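Review bot: dropping the `service.alpha.kubernetes.io/tolerate-unready-endpoints` annotation in this hunk is only safe if `publishNotReadyAddresses: true` is still set on the headless Service; the field lies outside the shown context (the hunk ends at `clusterIP: None`), so confirm it survives in the rendered output, otherwise `postgresql-hl` stops resolving the pod while it is not yet ready. The bare `annotations:` key that replaces the comment block is a YAML null and harmless.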
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
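Review bot: the `matchLabels` edit under `spec.selector` in this hunk is a key reorder only (`app.kubernetes.io/name` moves below `instance`), so it does not trip the immutable-selector rule for StatefulSets; worth stating in the PR, since a real change to the selector key set would make the upgrade fail and require deleting the StatefulSet with `--cascade=orphan` first.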
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
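Review bot: the Velero hook kept as context in this hunk (`pre.hook.backup.velero.io/container: fsfreeze`) names a container that does not appear in the rendered containers list anywhere in this diff, which shows only `postgresql` and `metrics` before `volumes:`, in both the old and the new render. This is not introduced by the PR, but if the `fsfreeze` sidecar is supposed to come from a values-supplied sidecar list, check that it still renders with the 16.x chart; if it does not, the pre-backup hook fails and backups of `data` run without the filesystem freeze. The move from `serviceAccountName: default` to a dedicated `postgresql` account with `automountServiceAccountToken: false` is the right direction.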
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
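Review bot: `image: quay.io/bitnami/postgresql:14.1.0` stays pinned in this hunk while the chart moves to 16.x and the container now runs with `readOnlyRootFilesystem: true`, `capabilities.drop: [ALL]` and a `RuntimeDefault` seccomp profile. Those defaults were written against the chart's own current image; a 14.1.0 image predates them by years and is many PostgreSQL 14.x minor releases, and their security fixes, behind. Test a pod start with the pinned image under the read-only root (only `/tmp`, the conf dir and the app tmp dir get writable emptyDir mounts further down) and bump the tag to a current 14.x patch release. Removing `namespaces: ["default"]` from the anti-affinity term is a no-op, as the term defaults to the pod's own namespace.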
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
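Review bot: `POSTGRES_DB` becomes `POSTGRES_DATABASE` in this hunk, while the two password entries only swap position (the key mapping is unchanged: `POSTGRES_PASSWORD` from `password`, `POSTGRES_POSTGRES_PASSWORD` from `postgres-password`). Because the image remains 14.1.0 rather than the image the 16.x chart targets, verify that its entrypoint honours `POSTGRES_DATABASE`; if it only reads `POSTGRES_DB`, the variable is silently ignored. The value is `postgres`, the default database, so the practical effect is small, but it is exactly the kind of drift a chart/image version skew produces.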
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
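Review bot: the resources in this hunk regress below what was configured before: the old render had `requests: cpu 250m, memory 256Mi` and no limits, the new one caps the database at `limits: cpu 150m, memory 192Mi` (less memory than the previous request) with `requests: cpu 100m, memory 128Mi`. These values are the chart's `nano` resources preset, which Bitnami documents as not intended for production; set explicit `resources` in the release values so PostgreSQL is not CPU-throttled and OOM-killed under load after the upgrade. The new emptyDir mounts for `/tmp`, `/opt/bitnami/postgresql/conf` and `/opt/bitnami/postgresql/tmp` are what make `readOnlyRootFilesystem: true` workable and should stay.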
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
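Review bot: the exporter sidecar changes identity in this hunk: `DATA_SOURCE_USER` goes from the application user `${SECRET_POSTGRES_USERNAME}` to the superuser `postgres`, and `DATA_SOURCE_PASS` now reads the `postgres-password` key. That hands a metrics process full superuser access to the instance (its URI also carries `sslmode=disable`, acceptable only because the target is loopback `127.0.0.1`), and it ties the sidecar to the auto-generated superuser password flagged on the Secret hunk. Prefer a dedicated monitoring role granted `pg_monitor`, or at least keep the exporter on the non-superuser application account as before.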
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
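Review bot: the `volumeClaimTemplates` entry in this hunk gains `apiVersion: v1` and `kind: PersistentVolumeClaim`; StatefulSet `volumeClaimTemplates` cannot be updated in place, so dry-run or `kubectl diff` the upgrade and confirm the API server treats this as a no-op rather than rejecting it as a forbidden field update. If a recreate turns out to be necessary, delete the StatefulSet with `--cascade=orphan` so the existing `data` PVC survives. The exporter's `empty-dir` mount for `/tmp` and its `nano`-sized limits mirror the main container and need no separate treatment.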
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from c0c0c81 to 7d541c4 on October 22, 2024 22:24
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.4 feat(charts)!: Update Helm release postgresql to 16.0.5 Oct 22, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.5

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "VVNhYWRmdkNmbg=="
+  postgres-password: "QmVRcDhhVGt5RQ=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 7d541c4 to 0af258d on October 24, 2024 11:05
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.5 feat(charts)!: Update Helm release postgresql to 16.0.6 Oct 24, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.6

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
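Review bot: the NetworkPolicy ingress block near the top of this hunk lists ports 5432 and 9187 with no `from` selector, and `egress: - {}` allows all egress, so although both policyTypes are declared the policy admits any peer to the database port and restricts nothing in practice. Add a `from:` with a podSelector/namespaceSelector for the workloads that need 5432 and a scrape-source selector for 9187, or leave the chart policy disabled and keep whatever cluster-level policy already applies. The dedicated ServiceAccount with `automountServiceAccountToken: false` is a good change. The PodDisruptionBudget with `maxUnavailable: 1` on a one-replica StatefulSet (`replicas: 1` further down this diff) blocks no eviction and can stay disabled.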
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "UkdUdWk4NVdGUw=="
+  postgres-password: "NEZWeXRvdkthRg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
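Review bot: the `+ postgres-password` line is a freshly generated value that differs from the earlier render in this thread, while `password` still carries the base64 of the `${SECRET_POSTGRES_PASSWORD}` placeholder. Nothing in the values pins the superuser password, so this render is nondeterministic, and whether the live upgrade keeps the value already accepted by the data directory on the `data` PVC depends on the chart being able to look up the existing Secret at render time. Pin it instead: set `auth.postgresPassword` from the same substituted secret, or point `auth.existingSecret` at a managed Secret. This matters more than before because the metrics exporter later in this diff switches to exactly this key.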
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
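Review bot: the hunk drops the `service.alpha.kubernetes.io/tolerate-unready-endpoints` annotation but leaves a bare `annotations:` key with no value, which renders as null and is harmless. The comment being removed says the real control is `publishNotReadyAddresses` in the spec, which lies outside the hunk, so confirm it is still `true` for the headless service after the bump.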
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
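Review bot: `serviceAccountName: postgresql` plus `automountServiceAccountToken: false` is the right direction, but the unchanged context lines above still reference `pre.hook.backup.velero.io/container: fsfreeze`, and no container named `fsfreeze` appears anywhere in this render (the containers list below holds only `postgresql` and `metrics`, and the empty `initContainers:` key is removed). The Velero pre-hook will fail at backup time; on top of that, `fsfreeze --freeze` needs CAP_SYS_ADMIN, which the new `capabilities.drop: [ALL]` takes away from the chart-managed containers. Either add the sidecar with the capability it needs, or drop the hook annotations and back up with a logical dump instead.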
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
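Review bot: the `image: quay.io/bitnami/postgresql:14.1.0` context line is unchanged by a major chart bump (11.9.8 -> 16.0.6), so the release overrides the image tag to a PostgreSQL 14.1 image from late 2021 while applying chart 16's container hardening (`readOnlyRootFilesystem: true`, `capabilities.drop: [ALL]`, `seccompProfile: RuntimeDefault`). The chart does not test that combination: the read-only root filesystem depends on the emptyDir mounts over `/opt/bitnami/postgresql/conf`, `/opt/bitnami/postgresql/tmp` and `/tmp` added further down, which the old entrypoint may not expect. Prefer bumping the tag to a current 14.x (a minor upgrade needs no pg_upgrade, so the existing `data` PVC stays usable); if the tag must stay pinned, try the render against a copy of the data first. The removed `namespaces: ["default"]` under podAntiAffinity is only a scoping change; the term still defaults to the pod's own namespace.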
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
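Review bot: `POSTGRES_DB` becomes `POSTGRES_DATABASE` and the two password variables only swap order. With the image pinned at 14.1.0, confirm that entrypoint reads `POSTGRES_DATABASE` (chart 11 emitted `POSTGRES_DB`). It only matters on a fresh initdb, since the value is the default `postgres` and the existing PVC skips initialization.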
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
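Review bot: the `resources` block replaces empty limits and a 250m/256Mi request with `limits: cpu 150m, memory 192Mi` and `requests: cpu 100m, memory 128Mi`, which are the chart's `nano` preset values applied because the release sets no `primary.resources`. 192Mi is below the previous request, and the memory-backed `/dev/shm` emptyDir mounted on the following lines counts against the same cgroup limit, so the database container is likely to be OOM-killed under load. Set `primary.resources` explicitly rather than inheriting the preset. The exporter bump to `postgres-exporter:0.15.0-debian-12-r44` with the hardened securityContext is fine.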
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
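Review bot: `DATA_SOURCE_USER` changes from `${SECRET_POSTGRES_USERNAME}` to the literal `postgres` and the password key from `password` to `postgres-password`, so the exporter now authenticates as the superuser instead of the application user. Combined with the freshly generated `postgres-password` in the Secret hunk above, the exporter will fail authentication against the existing data directory if that value reaches the cluster, and once it works it holds superuser credentials in a sidecar that only needs to read pg_stat views. Pin the superuser password, and preferably create a dedicated monitoring role (GRANT pg_monitor) and hand it to the exporter through its `DATA_SOURCE_USER`/`DATA_SOURCE_PASS` environment (for example via the chart's `metrics.extraEnvVars`).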
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 0af258d to f29e325 Compare October 30, 2024 16:57
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.6 feat(charts)!: Update Helm release postgresql to 16.1.0 Oct 30, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.1.0

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "M1YyTlNQQ2Jwbw=="
+  postgres-password: "d2xpakxTYjFrSg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
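Review bot: the generated `postgres-password` changes again relative to the previous render in this thread, on both the `-` and `+` sides, which confirms the superuser password is produced fresh on every render. Pin it via `auth.postgresPassword` (from the substituted secret that already feeds `password`) or `auth.existingSecret`, so the upgrade cannot rotate the superuser credential away from the one stored on the `data` PVC.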
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
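Review bot: this render still moves the exporter to the literal `postgres` user with the `postgres-password` key, so the sidecar runs with superuser credentials and depends on that generated value matching the on-disk password. A monitoring role with `pg_monitor` passed through `DATA_SOURCE_USER`/`DATA_SOURCE_PASS` avoids both problems.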
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from f29e325 to fd6ad7f Compare November 4, 2024 11:12
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.1.0 feat(charts)!: Update Helm release postgresql to 16.1.1 Nov 4, 2024

github-actions bot commented Nov 4, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.1.1

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "eTZBNHpWOXFrQg=="
+  postgres-password: "SDRHQzlJbkxHOA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
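Review bot: `postgres-password` is once more a new random value on the `+` line, so the render remains nondeterministic for the superuser credential. Unless `auth.postgresPassword` or `auth.existingSecret` is set before merging, the value applied at upgrade time is whatever the chart manages to look up (or generate) at that moment, not necessarily what the existing database accepts.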
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
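Review bot: the resource block in this hunk replaces the 11.x defaults (`requests: cpu 250m, memory 256Mi`, no limits) with the 16.x chart's `nano` preset (`limits: cpu 150m, memory 192Mi`), which applies because the HelmRelease sets no `primary.resources`; the same preset lands on the `metrics` sidecar later in this diff. A 192Mi hard memory limit on a PostgreSQL server invites OOM kills once shared buffers and a handful of connections are in use, and the chart's own values file recommends an explicit `primary.resources` for production, so set `primary.resources` (and `metrics.resources`) in the HelmRelease before merging. The three `empty-dir` mounts at `/tmp`, `/opt/bitnami/postgresql/conf` and `/opt/bitnami/postgresql/tmp` are what make `readOnlyRootFilesystem: true` in the previous hunk workable and should stay as rendered.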
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
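Review bot: the exporter in this hunk switches from the application user (`${SECRET_POSTGRES_USERNAME}` with key `password`) to the superuser (`DATA_SOURCE_USER: "postgres"` with key `postgres-password`), so the metrics sidecar now carries superuser credentials over its `sslmode=disable` loopback connection, and a compromise of the sidecar or of the mounted Secret becomes a full-database compromise instead of a single-role one. postgres_exporter only needs a role with `pg_monitor` membership; keep the previous least-privilege shape by pointing the exporter at a dedicated monitoring role through the chart's metrics settings (check the 16.x values for the exact key) rather than accepting the superuser default.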
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from fd6ad7f to f78940b on November 6, 2024 21:21
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.1.1" to "feat(charts)!: Update Helm release postgresql to 16.1.2" on Nov 6, 2024

github-actions bot commented Nov 6, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.1.2

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
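Review bot: the NetworkPolicy at the top of this hunk has an `ingress` rule that lists `ports` (5432, 9187) but no `from` selector, and an `egress` rule of `- {}`, so it admits connections from any source that can route to the pod and allows all egress; its only effect is to block ingress on ports other than those two. That is the chart's `networkPolicy.allowExternal` / `allowExternalEgress` default; if the policy is meant to be a control, set `allowExternal: false` so only pods carrying the client label the chart selects on can reach 5432, and narrow egress. Two smaller points: a `PodDisruptionBudget` with `maxUnavailable: 1` on the `replicas: 1` StatefulSet later in this diff permits every eviction and protects nothing, and the new `ServiceAccount` with `automountServiceAccountToken: false` (mirrored on the pod spec) is the right default for a database pod and should stay.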
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "Y2JFZzV0NHA3cQ=="
+  postgres-password: "Q2VESXpSSHJvWg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
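Review bot: `postgres-password` in this hunk is a fresh random value on every render (the base64 strings differ between the two sides here and differ again in the later copy of this diff) because it comes from the chart's password generator and `helm template` cannot look up the existing Secret, while `password` is pinned through the `${SECRET_POSTGRES_PASSWORD}` substitution. With 16.x the superuser password is no longer an unused extra: the metrics exporter connects as `postgres` with this key (see the `DATA_SOURCE_USER` hunk), so a regenerated value that does not match the password already stored in the data directory breaks metrics after the upgrade. Pin it the same way as `password`, via `auth.postgresPassword` with a substituted secret, or move both keys to `auth.existingSecret`.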
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r45
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from f78940b to 914030c on November 14, 2024 09:50
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.1.2" to "feat(charts)!: Update Helm release postgresql to 16.2.0" on Nov 14, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.2.0

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "VkhzTkVsaW1VRg=="
+  postgres-password: "WlV6dm4yaWRxbA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r45
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 420fa24 to 07fdcfa on February 14, 2025 22:29
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.4.8" to "feat(charts)!: Update Helm release postgresql to 16.4.9" on Feb 14, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 07fdcfa to 11b09c9 on February 20, 2025 21:56
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.4.9" to "feat(charts)!: Update Helm release postgresql to 16.4.11" on Feb 20, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 11b09c9 to 9624ade on February 21, 2025 06:53
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.4.11" to "feat(charts)!: Update Helm release postgresql to 16.4.13" on Feb 21, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 9624ade to 7aac044 on February 21, 2025 22:17
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.4.13" to "feat(charts)!: Update Helm release postgresql to 16.4.14" on Feb 21, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 7aac044 to 24fa00e on March 3, 2025 19:41
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.4.14" to "feat(charts)!: Update Helm release postgresql to 16.4.15" on Mar 3, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 24fa00e to 6f1eaf4 on March 4, 2025 02:37
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.4.15" to "feat(charts)!: Update Helm release postgresql to 16.4.16" on Mar 4, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 6f1eaf4 to 9656632 on March 10, 2025 14:28
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.4.16" to "feat(charts)!: Update Helm release postgresql to 16.5.0" on Mar 10, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 9656632 to ceb81ce on March 17, 2025 20:24
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.5.0" to "feat(charts)!: Update Helm release postgresql to 16.5.1" on Mar 17, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from ceb81ce to ebc8c12 on March 18, 2025 03:30
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.5.1" to "feat(charts)!: Update Helm release postgresql to 16.5.2" on Mar 18, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from ebc8c12 to 5759e03 on March 20, 2025 03:33
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.5.2" to "feat(charts)!: Update Helm release postgresql to 16.5.3" on Mar 20, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 5759e03 to a23f59d on March 20, 2025 18:40
@renovate renovate bot changed the title from "feat(charts)!: Update Helm release postgresql to 16.5.3" to "feat(charts)!: Update Helm release postgresql to 16.5.4" on Mar 20, 2025

qodo-merge-pro bot commented Mar 20, 2025

CI Feedback 🧐

(Feedback updated until commit 01d0f78)

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: Template Helm Releases (cluster/core/databases/postgresql/helm-release.yaml)

Failed stage: Run hr_live_url=$(sed -nr 's|.*registryUrl=(.+)$|\1|p' live/cluster/core/databases/postgresql/helm-release.yaml) [❌]

Failure summary:

The action failed during Helm chart deployment because it detected unrecognized container images.
Specifically:

  • The chart is trying to use quay.io/bitnami/postgresql:14.1.0 which is not recognized as a
    standard/approved container
  • This triggers a security verification failure at line 121 in the postgresql/templates/NOTES.txt file
  • The error indicates this could cause "degraded security and performance, broken chart features, and
    missing environment variables"

  • Relevant error logs:
    1:  ##[group]Operating System
    2:  Ubuntu
    ...
    
    1300:  value: "no"
    1301:  # TLS
    1302:  - name: POSTGRESQL_ENABLE_TLS
    1303:  value: "no"
    1304:  # Audit
    1305:  - name: POSTGRESQL_LOG_HOSTNAME
    1306:  value: "false"
    1307:  - name: POSTGRESQL_LOG_CONNECTIONS
    1308:  value: "false"
    1309:  - name: POSTGRESQL_LOG_DISCONNECTIONS
    1310:  value: "false"
    1311:  - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
    1312:  value: "off"
    1313:  # Others
    1314:  - name: POSTGRESQL_CLIENT_MIN_MESSAGES
    1315:  value: "error"
    1316:  - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
    ...
    
    1420:  app.kubernetes.io/instance: postgresql
    1421:  app.kubernetes.io/managed-by: Helm
    1422:  app.kubernetes.io/component: metrics
    1423:  spec:
    1424:  selector:
    1425:  matchLabels:
    1426:  app.kubernetes.io/name: postgresql
    1427:  app.kubernetes.io/instance: postgresql
    1428:  app.kubernetes.io/component: metrics
    1429:  endpoints:
    1430:  - port: http-metrics
    1431:  namespaceSelector:
    1432:  matchNames:
    1433:  - "default"
    1434:  #####################################################
    1435:  Error: execution error at (postgresql/templates/NOTES.txt:121:4): 
    1436:  ⚠ ERROR: Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.
    1437:  Unrecognized images:
    1438:  - quay.io/bitnami/postgresql:14.1.0
    1439:  If you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true.
    1440:  Further information can be obtained at https://github.com/bitnami/charts/issues/30850
    1441:  Use --debug flag to render out invalid YAML
    1442:  ##[error]Process completed with exit code 1.
    1443:  Post job cleanup.
    

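The failure above turns on two values settings: an `image` override the chart does not recognise, and the `global.security.allowInsecureImages` bypass the error message points at. As an added example (not code from this PR or from the bitnami/postgresql chart), a small pre-flight lint over a HelmRelease's values that reports both, so the override gets fixed rather than the check disabled. The expected (registry, repository) pair and the sample values are constructed for illustration.

```python
"""Pre-flight lint for Bitnami-style Helm values: flags image overrides the
chart would reject and the global.security.allowInsecureImages bypass.
Added example; not code from this PR or the bitnami/postgresql chart."""

# Assumption for illustration: the image the chart ships with, as the
# (registry, repository) pair found in the chart's own values.yaml.
EXPECTED_IMAGE = ("docker.io", "bitnami/postgresql")


def resolve_image(values: dict) -> tuple[str, str, str]:
    """Resolve the effective image the way Bitnami charts do: image.registry
    overrides global.imageRegistry, which overrides the chart default."""
    glob = values.get("global", {})
    img = values.get("image", {})
    registry = img.get("registry") or glob.get("imageRegistry") or EXPECTED_IMAGE[0]
    repository = img.get("repository") or EXPECTED_IMAGE[1]
    tag = img.get("tag") or "<chart default>"
    return registry, repository, tag


def check_values(values: dict) -> list[str]:
    """Return one finding per problem; an empty list means the values are clean."""
    findings = []
    security = values.get("global", {}).get("security", {})
    if security.get("allowInsecureImages") is True:
        findings.append(
            "global.security.allowInsecureImages=true turns off the chart's image "
            "verification; fix the image override instead of bypassing the check")
    registry, repository, tag = resolve_image(values)
    if (registry, repository) != EXPECTED_IMAGE:
        findings.append(
            f"image {registry}/{repository}:{tag} is not the chart's recognised "
            f"image {EXPECTED_IMAGE[0]}/{EXPECTED_IMAGE[1]}")
    return findings


# Constructed sample values mirroring the override the CI log rejected.
REJECTED_VALUES = {
    "image": {"registry": "quay.io", "repository": "bitnami/postgresql", "tag": "14.1.0"},
}
# Constructed values that silence the error by bypassing verification.
BYPASSED_VALUES = {
    "global": {"security": {"allowInsecureImages": True}},
    "image": {"registry": "quay.io", "repository": "bitnami/postgresql", "tag": "14.1.0"},
}
# Constructed values that keep the chart's own image and touch only pull policy.
CLEAN_VALUES = {"image": {"pullPolicy": "IfNotPresent"}}

if __name__ == "__main__":
    for name, vals in (("rejected", REJECTED_VALUES), ("bypassed", BYPASSED_VALUES), ("clean", CLEAN_VALUES)):
        print(name, check_values(vals) or "ok")
```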
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from a23f59d to 85f7103 Compare March 20, 2025 22:56
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.5.4 feat(charts)!: Update Helm release postgresql to 16.5.5 Mar 20, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 85f7103 to 80e9856 Compare March 24, 2025 02:52
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.5.5 feat(charts)!: Update Helm release postgresql to 16.5.6 Mar 24, 2025
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 80e9856 to 01d0f78 Compare March 28, 2025 11:08
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.5.6 feat(charts)!: Update Helm release postgresql to 16.6.0 Mar 28, 2025