feat(charts)!: Update Helm release postgresql to 15.5.9 #2437

renovate · 2024-03-18T18:29:31Z

This PR contains the following updates:

Package	Update	Change
postgresql (source)	major	`11.9.8` -> `15.5.9`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

bitnami/charts (postgresql)

`v15.5.9`

[bitnami/postgresql] Remove deprecated (and removed) annotation (#27463)

`v15.5.8`

[bitnami/postgresql] Add pre-init scripts (#26467)

`v15.5.7`

[bitnami/postgresql] Release 15.5.7 (#27401)

`v15.5.6`

[bitnami/postgresql] Release 15.5.6 (#27293)

`v15.5.5`

[bitnami/postgresql] Release 15.5.5 (#27096)

`v15.5.4`

[bitnami/postgresql] Release 15.5.4 (#27006) (613a7a4), closes #27006

`v15.5.3`

[bitnami/postgresql] Release 15.5.3 (#26914) (f7df496), closes #26914

`v15.5.1`

[bitnami/postgresql] Release 15.5.1 (#26546) (99f0841), closes #26546

`v15.5.0`

[bitnami/postgresql] Enable PodDisruptionBudgets (#26530) (c6b2f1c), closes #26530

`v15.4.2`

[bitnami/postgresql] Release 15.4.2 (#26475) (748b515), closes #26475

`v15.4.1`

[bitnami/postgresql] Release 15.4.1 (#26451) (8852396), closes #26451

`v15.4.0`

[bitnami/postgresql] feat: ✨ 🔒 Add warning when original images are replaced (#26264)

`v15.3.5`

[bitnami/postgresql] Release 15.3.5 updating components versions (#26147) (0bafcd7), closes #26147

`v15.3.4`

[bitnami/postgresql] Release 15.3.4 updating components versions (#26142) (231e25b), closes #26142

`v15.3.3`

[bitnami/postgresql] Release 15.3.3 updating components versions (#26066) (21f932c), closes #26066

`v15.3.2`

[bitnami/postgresql] Release 15.3.2 updating components versions (#25812) (3f7c2cb), closes #25812

`v15.3.1`

[bitnami/postgresql] Release 15.3.1 updating components versions (#25723) (031d2cf), closes #25723

`v15.3.0`

[bitnami/postgresql] Allow loadBalancerClass to be customized (#25569) (e6fecf9), closes #25569

`v15.2.13`

[bitnami/postgresql] Allow backup pod to use DNS (#25534) (960550a), closes #25534

`v15.2.12`

[bitnami/postgresql] Release 15.2.12 updating components versions (#25678) (0fd1557), closes #25678

`v15.2.11`

[bitnami/postgresql] Release 15.2.11 updating components versions (#25672) (9b809c6), closes #25672

`v15.2.10`

[bitnami/*] Change non-root and rolling-tags doc URLs (#25628) (b067c94), closes #25628
[bitnami/*] Set new header/owner (#25558) (8d1dc11), closes #25558
[bitnami/postgresql] add backup.cronjob.tolerations options (#25664) (4a798ec), closes #25664

`v15.2.9`

[bitnami/postgresql] Remove unicode characters (#25546) (219d22f), closes #25546

`v15.2.8`

[bitnami/postgresql] Release 15.2.8 updating components versions (#25484) (d3084fc), closes #25484

`v15.2.7`

[bitnami/postgresql] Release 15.2.7 updating components versions (#25391) (0db34f6), closes #25391

`v15.2.6`

[bitnami/multiple charts] Fix typo: "NetworkPolice" vs "NetworkPolicy" (#25348) (6970c1b), closes #25348
[bitnami/postgresql] Remove RW emptyDir for postgresql logs (#25206) (8bae0c5), closes #25206
Replace VMware by Broadcom copyright text (#25306) (a5e4bd0), closes #25306

`v15.2.5`

[bitnami/postgresql] Release 15.2.5 updating components versions (#25099) (eba61bd), closes #25099

`v15.2.4`

[bitnami/postgresql] Release 15.2.4 updating components versions (#24972) (62e4683), closes #24972

`v15.2.3`

[bitnami/postgresql] Release 15.2.3 (#24924) (1f68239), closes #24924
Update resourcesPreset comments (#24467) (92e3e8a), closes #24467

`v15.2.2`

[bitnami/postgresql] Release 15.2.2 updating components versions (#24840) (34f94f3), closes #24840

`v15.2.1`

[bitnami/postgresql] Allow backup pod to use DNS (#25534) (960550a), closes #25534

`v15.2.0`

[bitnami/postgresql] Allow customizing primary persistence volume/claim (#24625) (79b5845), closes #24625

`v15.1.4`

[bitnami/postgresql] Release 15.1.4 updating components versions (#24641) (9fea6e0), closes #24641

`v15.1.3`

[bitnami/postgresql] Release 15.1.3 updating components versions (#24640) (a318638), closes #24640

`v15.1.2`

[bitnami/postgresql] feat: add parameter backup.cronjob.storage.existingVolume (#23979) (0a3ebd5), closes #23979
[bitnami/postgresql] fixing tls for cronjobs (#24468) (5e7f4e1), closes #24468

`v15.1.1`

[bitnami/postgres] don't include backup netpol when backup aren't enabled (#24572) (10584d1), closes #24572

`v15.1.0`

[bitnami/postgresql] Add a NetworkPolicy to allow backup pods to access primary nodes (#24363) (dc93455), closes #24363

`v15.0.0`

[bitnami/*] Reorder Chart sections (#24455) (0cf4048), closes #24455
[bitnami/postgresql] feat!: 🔒 💥 Improve security defaults (#24171) (3911a57), closes #24171

`v14.3.3`

[bitnami/postgresql] Release 14.3.3 updating components versions (#24358) (239ba28), closes #24358

`v14.3.2`

[bitnami/postgresql] Fix TLS by removing faulty white trimming in cronjob.yaml (#24239) (1a67326), closes #24239
[bitnami/postgresql] Release 14.3.2 updating components versions (#24357) (17bcbcb), closes #24357

`v14.3.1`

[bitnami/postgresql] Release 14.3.1 updating components versions (#24237) (33b8e70), closes #24237

`v14.3.0`

[bitnami/postgresql] postgresql backup container adds resources parameter (#23955) (8da2a95), closes #23955
[bitnami/postgresql] feat: ✨ 🔒 Add automatic adaptation for Openshift restricted-v2 SC (1a2217f), closes #24141

`v14.2.4`

[bitnami/postgresql] Set allowExternalEgress=true by default (#24036) (cfa4d49), closes #24036

`v14.2.3`

Add missing version, kind to volumeClaimTemplates (#23862) (50b25b8), closes #23862

`v14.2.2`

[bitnami/postgresql] Release 14.2.2 updating components versions (#23820) (2da202b), closes #23820

`v14.2.1`

[bitnami/postgresql] feat: ✨ 🔒 Add readOnlyRootFilesystem support (#23565) (d96a96f), closes #23565
[bitnami/postgresql] Release 14.2.1 updating components versions (#23682) (60d8d72), closes #23682

`v14.1.3`

[bitnami/postgresql] Release 14.1.3 updating components versions (#23587) (0c94e7a), closes #23587

`v14.1.2`

[bitnami/postgresql] Release 14.1.2 updating components versions (#23585) (0f5b808), closes #23585

`v14.1.1`

[bitnami/postgresql] Do not create a NetworkPolicy for "read" instance when "standalone" (#23392) (7ef876c), closes #23392

`v14.1.0`

[bitnami/postgresql] feat: ✨ 🔒 Add resource preset support (#23509) (0c94e15), closes #23509

`v14.0.5`

[bitnami/postgresql] fix: 🐛 Set correct references in network policy (#23328) (e8c2230), closes #23328

`v14.0.4`

[bitnami/postgresql] Release 14.0.4 updating components versions (#23354) (81e3d65), closes #23354

`v14.0.3`

[bitnami/postgresql] Release 14.0.3 updating components versions (#23350) (60ea843), closes #23350

`v14.0.2`

[bitnami/postgresql] Release 14.0.2 updating components versions (#23333) (7f5a8e6), closes #23333

`v14.0.1`

[bitnami/postgresql] Release 14.0.1 updating components versions (#23129) (e81bc0c), closes #23129

`v14.0.0`

[bitnami/postgresql] feat!: 🔒 ♻️ Refactor and enable networkPolicy (#22750) (2508c4b), closes #22750

`v13.4.4`

[bitnami/postgresql] Release 13.4.4 updating components versions (#23002) (a87898d), closes #23002

`v13.4.3`

[bitnami/postgresql] Release 13.4.3 updating components versions (#22811) (fdc3ad4), closes #22811

`v13.4.2`

[bitnami/*] Move documentation sections from docs.bitnami.com back to the README (#22203) (7564f36), closes #22203
[bitnami/postgresql] fix: 🐛 Set seLinuxOptions to null for Openshift compatibility (#22646) (b119bec), closes #22646
[bitnami/postgresql] Release 13.4.2 updating components versions (#22785) (6682e9c), closes #22785

`v13.4.1`

[bitnami/postgresql] Release 13.4.1 updating components versions (#22677) (0bb8b48), closes #22677

`v13.4.0`

[bitnami/postgresql] fix: 🔒 Move service-account token auto-mount to pod declaration (#22450) (002c752), closes #22450

`v13.3.1`

[bitnami/postgresql] Release 13.3.1 updating components versions (#22359) (361f7ab), closes #22359

`v13.3.0`

[bitnami/postgresql] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essent (fe72f51), closes #22177

`v13.2.30`

[bitnami/*] Fix ref links (in comments) (#21822) (e4fa296), closes #21822
[bitnami/postgresql] fix: 🔒 Do not use the default service account (#22026) (1b20745), closes #22026

`v13.2.29`

[bitnami/*] Fix docs.bitnami.com broken links (#21901) (f35506d), closes #21901
[bitnami/postgresql] Release 13.2.29 updating components versions (#21970) (dcfb216), closes #21970
fixed backup with autogenerated cert (#21888) (2d25138), closes #21888

`v13.2.28`

[bitnami/*] Update copyright: Year and company (#21815) (6c4bf75), closes #21815
[bitnami/postgresql] Release 13.2.28 updating components versions (#21902) (d0f6b90), closes #21902

`v13.2.27`

[bitnami/postgresql] Release 13.2.27 updating components versions (#21795) (26711f8), closes #21795

`v13.2.26`

[bitnami/postgresql] Release 13.2.26 updating components versions (#21774) (0f0f93b), closes #21774

`v13.2.25`

[bitnami/postgresql] Release 13.2.25 updating components versions (#21710) (813da6b), closes #21710

`v13.2.24`

[bitnami/postgresql] Replace deprecated pull secret partial (#21392) (cee371d), closes #21392

`v13.2.23`

[bitnami/postgresql] Release 13.2.23 updating components versions (#21336) (c3dc56f), closes #21336

`v13.2.22`

[bitnami/postgresql] Release 13.2.22 updating components versions (#21335) (f759303), closes #21335

`v13.2.21`

[bitnami/postgresql] Release 13.2.21 updating components versions (#21276) (46a4f54), closes #21276

`v13.2.20`

[bitnami/postgresql] Release 13.2.20 updating components versions (#21272) (6de0ade), closes #21272

`v13.2.19`

[bitnami/postgresql] Fix PostgreSQL password in metrics container (#21202) (a7b72aa), closes #21202

`v13.2.18`

[bitnami/postgresql] Release 13.2.18 updating components versions (#21256) (f4a4548), closes #21256

`v13.2.17`

[bitnami/postgresql] Release 13.2.17 updating components versions (#21255) (e395fd8), closes #21255

`v13.2.16`

[bitnami/postgresql] value to configure posgres_exporter collectors (#21162) (0ba581c), closes #21162
Update configmap.yaml (#21020) (b91e518), closes #21020

`v13.2.15`

[bitnami/*] Rename solutions to "Bitnami package for ..." (#21038) (b82f979), closes #21038
[bitnami/postgresql] Release 13.2.15 updating components versions (#21160) (e6ec2c2), closes #21160

`v13.2.14`

[bitnami/postgresql] Release 13.2.14 updating components versions (#21068) (576be48), closes #21068

`v13.2.13`

[bitnami/postgresql] Release 13.2.13 updating components versions (#21066) (54a372f), closes #21066

`v13.2.12`

[bitnami/postgresql] Release 13.2.12 updating components versions (#21057) (0cffbfe), closes #21057

`v13.2.11`

[bitnami/postgresql] Release 13.2.11 updating components versions (#21044) (17e4ada), closes #21044

`v13.2.10`

[bitnami/*] Remove relative links to non-README sections, add verification for that and update TL;DR (1103633), closes #20967
[bitnami/postgresql] Release 13.2.10 updating components versions (#21039) (2b176c0), closes #21039

`v13.2.9`

[bitnami/postgresql] Release 13.2.9 updating components versions (#20930) (02dc5ff), closes #20930

`v13.2.8`

[bitnami/postgresql] Release 13.2.8 updating components versions (#20929) (129cbf1), closes #20929

`v13.2.7`

[bitnami/postgresql] Release 13.2.7 updating components versions (#20918) (860eb62), closes #20918

`v13.2.6`

[bitnami/postgresql] Release 13.2.6 updating components versions (#20908) (a942587), closes #20908

`v13.2.5`

[bitnami/postgresql] Release 13.2.5 updating components versions (#20889) (ca3f6a7), closes #20889

`v13.2.4`

[bitnami/postgresql] Release 13.2.4 updating components versions (#20876) (435c8af), closes #20876

`v13.2.3`

[bitnami/*] Fix ref links (in comments) (#21822) (e4fa296), closes #21822
[bitnami/postgresql] fix: 🔒 Do not use the default service account (#22026) (1b20745), closes #22026

`v13.2.2`

[bitnami/*] Fix docs.bitnami.com broken links (#21901) (f35506d), closes #21901
[bitnami/postgresql] Release 13.2.29 updating components versions (#21970) (dcfb216), closes #21970
fixed backup with autogenerated cert (#21888) (2d25138), closes #21888

`v13.2.1`

[bitnami/postgresql] Fix PostgreSQL password in metrics container (#21202) (a7b72aa), closes #21202

`v13.2.0`

[bitnami/*] Rename VMware Application Catalog (#20361) (3acc734), closes #20361
[bitnami/*] Skip image's tag in the README files of the Bitnami Charts (#19841) (bb9a01b), closes #19841
[bitnami/*] Standardize documentation (#19835) (af5f753), closes #19835
[bitnami/postgresql] feat: ✨ Add support for PSA restricted policy (#20527) (8da833a), closes #20527

`v13.1.5`

[bitnami/postgresql] Release 13.1.5 (#20212) (0272334), closes #20212

`v13.1.4`

[bitnami/postgresql] Release 13.1.4 (#20187) (477cb86), closes #20187

`v13.1.2`

[bitnami/postgresql] Release 13.1.2 (#19882) (5758fb2), closes #19882

`v13.1.1`

[bitnami/*] Update Helm charts prerequisites (#19745) (eb755dd), closes #19745
[bitnami/postgresql] Release 13.1.1 (#19775) (f783262), closes #19775

`v13.1.0`

[bitnami/postgresql] Add TimeZone to CronJob of backup (#19516) (94d976d), closes #19516

`v13.0.0`

[bitnami/postgresql] Release 13.0.0 (#19587) (ed70b64), closes #19587

`v12.12.10`

[bitnami/postgresql] Fix port used by backup's CronJob (#19517) (d278c2b), closes #19517

`v12.12.9`

[bitnami/postgresql] Release 12.12.9 updating components versions (#19530) (70ca410), closes #19530
bitnami/postgresql Added ImagePullSecrets and ImagePullPolicy to be passed through to backup-cronjo (29dbf3a), closes #19509

`v12.12.7`

[bitnami/postgresql] Release 12.12.7 (#19506) (f8d9491), closes #19506

`v12.12.5`

[bitnami/postgresql] Add SecurityContext to CronJob of backup (#19238) (8edeb93), closes #19238

`v12.12.4`

[bitnami/postgresql] Release 12.12.4 (#19430) (f8b45dc), closes #19430

`v12.11.2`

Autogenerate schema files (#19194) (a2c2090), closes #19194
Fix global secretkeys usage (#19281) (3c468cb), closes #19281

`v12.11.1`

[bitnami/postgresql] chore: 🔖 Bump version (26ddfc4)

`v12.11.0`

[bitnami/postgresql] Version the helper functions (#17847) (c1a1349), closes #17847

`v12.10.2`

[bitnami/postgresql] chore: 🔖 Bump version (b46e94e)

`v12.10.1`

[bitnami/postgresql: Use merge helper]: (#19093) (8eaef88), closes #19093

`v12.10.0`

[bitnami/postgresql] Add Persistent Volume Claim Retention Policy to Postgresql Statefulsets (#18276 (85635f4), closes #18276

`v12.9.0`

[bitnami/postgresql] Support for customizing standard labels (#18408) (bf18e4b), closes #18408

`v12.8.5`

[bitnami/postgresql] Release 12.8.5 (#18771) (85ffc53), closes #18771

`v12.8.4`

[bitnami/postgresql] fix annotation typo (#18557) (9748b69), closes #18557

`v12.8.3`

[bitnami/postgresql] Release 12.8.3 (#18576) (6c950c1), closes #18576

`v12.8.2`

[bitnami/postgresql] Release 12.8.2 (#18364) (f34b599), closes #18364

`v12.8.1`

[bitnami/postgresql] Release 12.8.1 (#18287) (5887a90), closes #18287

`v12.8.0`

[bitnami/postgresql] Add trivial backup cronjob (#17852) (56b223b), closes #17852

`v12.7.3`

[bitnami/postgresql] Release 12.7.3 (#18068) (0186212), closes #18068

`v12.7.2`

[bitnami/postgresql] Remove multi-line conditional (#17711) (e7acf10), closes #17711

`v12.7.1`

[bitnami/postgresql] Release 12.7.1 (#17986) (a071516), closes #17986

`v12.7.0`

[bitnami/postgresql] set some bits compatible with pss restricted (#17388) (beb65fa), closes #17388

`v12.6.9`

[bitnami/postgresql] Release 12.6.9 (#17840) (5141c42), closes #17840

`v12.6.8`

[bitnami/postgresl] Remove the password in text of the statefulset (#17780) (3bfcc08), closes #17780

`v12.6.7`

Fixes usePasswordFiles (#17773) (14d2b9a), closes #17773

`v12.6.6`

[bitnami/postgresql] Release 12.6.6 (#17705) (3e6c481), closes #17705

`v12.6.5`

[bitnami/postgresql] fix invalid indentation for replica metrics extra envs (#17553) (39b5188), closes #17553

`v12.6.4`

[bitnami/postgresql] Fix postgres random password generation (#17502) (afa4649), closes #17502

`v12.6.3`

[bitnami/postgresql] Fix multi-element array for primary.service.loadBalancerSourceRanges (#17461) (dc59153), closes #17461 #17450

`v12.6.2`

[bitnami/postgresql] Fix postgres password if customUser is empty (#17473) (d6234d8), closes #17473

`v12.6.1`

[bitnami/postgresql] Fix issues when using enablePostgresUser=false (#17398) (262f4f1), closes #17398

`v12.6.0`

[bitnami/postgresql] checksum only data part of the ConfigMap (#17302) (f5c4b4e), closes #17302

`v12.5.9`

[bitnami/postgresql] Release 12.5.9 (#17392) (06ab2db), closes #17392
Add copyright header (#17300) ([

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

github-actions · 2024-03-18T18:29:58Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.0.0

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "Z0lOSmM4SWNwVA=="
+  postgres-password: "UTBSWDh3TUlWTw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-03-20T12:05:41Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.1.0

@@ -1,3 +1,66 @@
+# Source: postgresql/templates/backup/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql-pgdumpall
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: pg_dumpall
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: pg_dumpall
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - port: 5432
+          protocol: TCP
+---
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +68,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "c3hoc1Y4U3NwTg=="
+  postgres-password: "Vk9SNkpXYTloMA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +84,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +99,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +110,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +132,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +156,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +167,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +179,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +197,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +206,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +248,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +312,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +385,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +422,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-03-21T11:04:01Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.1.1

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "c1lyMEh2elVkUg=="
+  postgres-password: "enl5MzZ1N2lSUw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-03-21T13:04:36Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.1.2

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "cElHRjZtbHQ1Yg=="
+  postgres-password: "bHZ2cTZjVFZEdg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-03-25T08:17:47Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.1.4

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "SWVSUFp5bTBZVA=="
+  postgres-password: "RE5zNGx1T0o2Ug=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-04-01T10:18:25Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.2.0

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "eFdoQnBOM2x4eg=="
+  postgres-password: "c2pIM1hOdnh0bg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-04-02T13:37:43Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.2.1

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "dVRlWUx4dHo4bQ=="
+  postgres-password: "SkZLS043MFFmbA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-04-02T22:36:08Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.2.2

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "Tm5BSVo3clk1Zg=="
+  postgres-password: "MFY0NDdnMGFrSw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r15
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-04-05T04:02:23Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.2.3

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "TzJHY1ZVdmVZMQ=="
+  postgres-password: "MDJObUhGMVh6aw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r16
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-04-07T05:43:18Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.2.4

@@ -1,3 +1,42 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +44,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "eUprYlJsdWt0TA=="
+  postgres-password: "OHgzR2FNZXM0Vg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +60,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +75,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +86,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +108,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +119,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +132,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +143,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +155,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +173,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +182,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +224,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +288,47 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/logs
+              subPath: app-logs-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r16
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +361,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +398,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-05-29T16:25:40Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.1

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "NENtRVIyaU9NbA=="
+  postgres-password: "ZXkySVc2WU05cw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +127,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +138,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +151,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +162,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +174,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +192,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +201,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +243,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +307,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r32
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +377,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +414,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-06-06T16:27:47Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.3

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "M05ibTg5QnQ0Qg=="
+  postgres-password: "RlN1VjlKT2JEcw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +127,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +138,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +151,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +162,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +174,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +192,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +201,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +243,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +307,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r33
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +377,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +414,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-06-06T22:12:48Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.4

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "bkZ4c1ZmWnBsag=="
+  postgres-password: "STdvaE5PdFVxaQ=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +127,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +138,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +151,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +162,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +174,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +192,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +201,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +243,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +307,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r33
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +377,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +414,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-06-07T09:38:29Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.1

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "bk1mMGhIUFNLMQ=="
+  postgres-password: "NmNNYVlPc2NSVg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +127,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +138,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +151,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +162,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +174,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +192,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +201,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +243,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +307,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r32
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +377,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +414,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-06-07T12:54:15Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.4

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "Y21yMEJnVDc0Vg=="
+  postgres-password: "Qm5zbG8xZWJOOA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +127,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +138,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +151,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +162,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +174,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +192,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +201,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +243,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +307,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r33
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +377,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +414,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-06-11T21:35:40Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.5

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "Y3RBUnhMU0JDUg=="
+  postgres-password: "ZE5haXpvcFFmUg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +127,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +138,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +151,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +162,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +174,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +192,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +201,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +243,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +307,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r33
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +377,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +414,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-06-17T15:57:35Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.6

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "dHRFZFdzNVBJNQ=="
+  postgres-password: "cWpucjAxRUc0Qw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +127,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +138,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +151,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +162,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +174,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +192,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +201,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +243,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +307,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r33
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +377,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +414,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-06-18T14:28:58Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.7

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "VnMyRmFCaFdRcA=="
+  postgres-password: "UE52a1dVMVpHeg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +127,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +138,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +151,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +162,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +174,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +192,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +201,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +243,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +307,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r33
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +377,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +414,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

github-actions · 2024-06-20T10:39:14Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.8

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "dTR4V2VBbXpZSA=="
+  postgres-password: "TFN0VDFIV0Q1Ng=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,10 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
+  annotations:
     # Use this annotation in addition to the actual publishNotReadyAddresses
     # field below because the annotation will stop being respected soon but the
     # field is broken in some versions of Kubernetes:
@@ -68,8 +127,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +138,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +151,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +162,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +174,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +192,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +201,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +243,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +307,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r33
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +377,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +414,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

Signed-off-by: Danny Froberg <[email protected]>

github-actions · 2024-06-20T13:11:57Z

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 15.5.9

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "OEVuUGVQMHBtRg=="
+  postgres-password: "MXFKQTFlWVhHWg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,17 +238,17 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
             # Replication
             # Initdb
@@ -238,21 +302,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r33
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -285,15 +372,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +409,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

renovate bot requested a review from dfroberg as a code owner March 18, 2024 18:29

renovate bot added the renovate/helm label Mar 18, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 2fabaa8 to c476421 Compare March 20, 2024 12:05

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.0.0~~ feat(charts)!: Update Helm release postgresql to 15.1.0 Mar 20, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from c476421 to 2eeaa29 Compare March 21, 2024 11:03

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.1.0~~ feat(charts)!: Update Helm release postgresql to 15.1.1 Mar 21, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 2eeaa29 to db76b43 Compare March 21, 2024 13:04

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.1.1~~ feat(charts)!: Update Helm release postgresql to 15.1.2 Mar 21, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from db76b43 to b13d384 Compare March 25, 2024 08:17

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.1.2~~ feat(charts)!: Update Helm release postgresql to 15.1.4 Mar 25, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from b13d384 to a2238a0 Compare April 1, 2024 10:17

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.1.4~~ feat(charts)!: Update Helm release postgresql to 15.2.0 Apr 1, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from a2238a0 to 9b5bdc4 Compare April 2, 2024 13:37

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.2.0~~ feat(charts)!: Update Helm release postgresql to 15.2.1 Apr 2, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 9b5bdc4 to e87036b Compare April 2, 2024 22:35

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.2.1~~ feat(charts)!: Update Helm release postgresql to 15.2.2 Apr 2, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from e87036b to e3f62e7 Compare April 5, 2024 04:01

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.2.2~~ feat(charts)!: Update Helm release postgresql to 15.2.3 Apr 5, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from e3f62e7 to 5a206ef Compare April 7, 2024 05:42

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.2.3~~ feat(charts)!: Update Helm release postgresql to 15.2.4 Apr 7, 2024

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.0~~ feat(charts)!: Update Helm release postgresql to 15.5.1 May 29, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 987a323 to d3e17fb Compare June 6, 2024 16:27

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.1~~ feat(charts)!: Update Helm release postgresql to 15.5.3 Jun 6, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from d3e17fb to 96a95c8 Compare June 6, 2024 22:12

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.3~~ feat(charts)!: Update Helm release postgresql to 15.5.4 Jun 6, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 96a95c8 to adee853 Compare June 7, 2024 09:37

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.4~~ feat(charts)!: Update Helm release postgresql to 15.5.1 Jun 7, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from adee853 to 41bfbbd Compare June 7, 2024 12:53

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.1~~ feat(charts)!: Update Helm release postgresql to 15.5.4 Jun 7, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 41bfbbd to afdf911 Compare June 11, 2024 21:34

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.4~~ feat(charts)!: Update Helm release postgresql to 15.5.5 Jun 11, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from afdf911 to f372251 Compare June 17, 2024 15:57

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.5~~ feat(charts)!: Update Helm release postgresql to 15.5.6 Jun 17, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from f372251 to 8107994 Compare June 18, 2024 14:28

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.6~~ feat(charts)!: Update Helm release postgresql to 15.5.7 Jun 18, 2024

renovate bot force-pushed the renovate/postgresql-15.x branch from 8107994 to 1f1184a Compare June 20, 2024 10:38

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.7~~ feat(charts)!: Update Helm release postgresql to 15.5.8 Jun 20, 2024

feat(charts)!: Update Helm release postgresql to 15.5.9

a7e4ca2

Signed-off-by: Danny Froberg <[email protected]>

renovate bot force-pushed the renovate/postgresql-15.x branch from 1f1184a to a7e4ca2 Compare June 20, 2024 13:11

renovate bot changed the title ~~feat(charts)!: Update Helm release postgresql to 15.5.8~~ feat(charts)!: Update Helm release postgresql to 15.5.9 Jun 20, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(charts)!: Update Helm release postgresql to 15.5.9 #2437

feat(charts)!: Update Helm release postgresql to 15.5.9 #2437

renovate bot commented Mar 18, 2024 •

edited

github-actions bot commented Mar 18, 2024

github-actions bot commented Mar 20, 2024

github-actions bot commented Mar 21, 2024

github-actions bot commented Mar 21, 2024

github-actions bot commented Mar 25, 2024

github-actions bot commented Apr 1, 2024

github-actions bot commented Apr 2, 2024

github-actions bot commented Apr 2, 2024

github-actions bot commented Apr 5, 2024

github-actions bot commented Apr 7, 2024

github-actions bot commented May 29, 2024

github-actions bot commented Jun 6, 2024

github-actions bot commented Jun 6, 2024

github-actions bot commented Jun 7, 2024

github-actions bot commented Jun 7, 2024

github-actions bot commented Jun 11, 2024

github-actions bot commented Jun 17, 2024

github-actions bot commented Jun 18, 2024

github-actions bot commented Jun 20, 2024

github-actions bot commented Jun 20, 2024

feat(charts)!: Update Helm release postgresql to 15.5.9 #2437

Are you sure you want to change the base?

feat(charts)!: Update Helm release postgresql to 15.5.9 #2437

Conversation

renovate bot commented Mar 18, 2024 • edited

Release Notes

Configuration

github-actions bot commented Mar 18, 2024

github-actions bot commented Mar 20, 2024

github-actions bot commented Mar 21, 2024

github-actions bot commented Mar 21, 2024

github-actions bot commented Mar 25, 2024

renovate bot commented Mar 18, 2024 •

edited