Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(charts)!: Update Helm release postgresql to 16.3.4 #2496

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 3, 2024

This PR contains the following updates:

Package Update Change
postgresql (source) major 11.9.8 -> 16.3.4

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

bitnami/charts (postgresql)

v16.3.4

  • [bitnami/postgresql] Release 16.3.4 (#​31143)

v16.3.3

v16.3.2

v16.3.1

v16.3.0

v16.2.5

v16.2.4

v16.2.3

v16.2.2

v16.2.1

  • [bitnami/postgresql] Release 16.2.1 (#​30463)

v16.2.0

v16.1.2

v16.1.1

v16.1.0

v16.0.6

v16.0.5

v16.0.4

v16.0.3

v16.0.2

v16.0.1

v16.0.0

v15.5.38

v15.5.37

v15.5.36

v15.5.35

v15.5.34

v15.5.33

v15.5.32

v15.5.31

v15.5.30

v15.5.29

v15.5.28

v15.5.27

v15.5.26

v15.5.25

v15.5.24

v15.5.23

v15.5.22

v15.5.21

v15.5.20

v15.5.19

v15.5.18

v15.5.17

v15.5.16

v15.5.15

v15.5.14

v15.5.13

v15.5.12

v15.5.11

v15.5.10

v15.5.9

v15.5.8

v15.5.7

v15.5.6

v15.5.5

v15.5.4

v15.5.3

v15.5.2

v15.5.1

v15.5.0

v15.4.2

v15.4.1

v15.4.0

v15.3.5

v15.3.4

v15.3.3

v15.3.2

v15.3.1

v15.3.0

v15.2.13

v15.2.12

v15.2.11

v15.2.10

v15.2.9

v15.2.8

v15.2.7

v15.2.6

v15.2.5

v15.2.4

v15.2.3

v15.2.2

v15.2.1

v15.2.0

v15.1.4

v15.1.3

v15.1.2

v15.1.1

v15.1.0

  • [bitnami/postgresql] Add a NetworkPolicy to allow backup pods to access primary nodes (#​24363) (dc93455), closes #​24363

v15.0.0

v14.3.3

v14.3.2

v14.3.1

v14.3.0

  • [bitnami/postgresql] postgresql backup container adds resources parameter (#​23955) (8da2a95), closes #​23955
  • [bitnami/postgresql] feat: ✨ 🔒 Add automatic adaptation for Openshift restricted-v2 SC (1a2217f), closes #​24141

v14.2.4

v14.2.3

v14.2.2

v14.2.1

v14.1.3

v14.1.2

v14.1.1

  • [bitnami/postgresql] Do not create a NetworkPolicy for "read" instance when "standalone" (#​23392) (7ef876c), closes #​23392

v14.1.0

v14.0.5

v14.0.4

v14.0.3

v14.0.2

v14.0.1

v14.0.0

v13.4.4

v13.4.3

v13.4.2

v13.4.1

v13.4.0

  • [bitnami/postgresql] fix: 🔒 Move service-account token auto-mount to pod declaration (#​22450) (002c752), closes #​22450

v13.3.1

v13.3.0

  • [bitnami/postgresql] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essent (fe72f51), closes #​22177

v13.2.30

v13.2.29

v13.2.28

v13.2.27

[v13.2.26](https://redirect.github.com/bitnami/charts/blob/HEAD/bit


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from dfroberg as a code owner October 3, 2024 05:47
Copy link

github-actions bot commented Oct 3, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.0

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "cnVKOGxJTENzQQ=="
+  postgres-password: "eDJyM3NCTzhFTg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 443ca84 to 51a9ee3 Compare October 4, 2024 13:39
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.0 feat(charts)!: Update Helm release postgresql to 16.0.1 Oct 4, 2024
Copy link

github-actions bot commented Oct 4, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.1

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "bVlKbDJCalN1Sw=="
+  postgres-password: "VEpXaUMxRmRESw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 51a9ee3 to d23f0e0 Compare October 16, 2024 17:18
Copy link

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.3

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "NXNMVzB3SGY1bA=="
+  postgres-password: "WHF6bkRRdTNraQ=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.1 feat(charts)!: Update Helm release postgresql to 16.0.3 Oct 16, 2024
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from d23f0e0 to c0c0c81 Compare October 21, 2024 13:08
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.3 feat(charts)!: Update Helm release postgresql to 16.0.4 Oct 21, 2024
Copy link

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.4

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "Y1J5aXZwVjlIVw=="
+  postgres-password: "R0xPbHVINDM3eg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from c0c0c81 to 7d541c4 Compare October 22, 2024 22:24
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.4 feat(charts)!: Update Helm release postgresql to 16.0.5 Oct 22, 2024
Copy link

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.5

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "VVNhYWRmdkNmbg=="
+  postgres-password: "QmVRcDhhVGt5RQ=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 7d541c4 to 0af258d Compare October 24, 2024 11:05
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.5 feat(charts)!: Update Helm release postgresql to 16.0.6 Oct 24, 2024
Copy link

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.0.6

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "UkdUdWk4NVdGUw=="
+  postgres-password: "NEZWeXRvdkthRg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 0af258d to f29e325 Compare October 30, 2024 16:57
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.0.6 feat(charts)!: Update Helm release postgresql to 16.1.0 Oct 30, 2024
Copy link

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.1.0

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "M1YyTlNQQ2Jwbw=="
+  postgres-password: "d2xpakxTYjFrSg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from f29e325 to fd6ad7f Compare November 4, 2024 11:12
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.1.0 feat(charts)!: Update Helm release postgresql to 16.1.1 Nov 4, 2024
Copy link

github-actions bot commented Nov 4, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.1.1

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "eTZBNHpWOXFrQg=="
+  postgres-password: "SDRHQzlJbkxHOA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r44
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from fd6ad7f to f78940b Compare November 6, 2024 21:21
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.1.1 feat(charts)!: Update Helm release postgresql to 16.1.2 Nov 6, 2024
Copy link

github-actions bot commented Nov 6, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.1.2

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "Y2JFZzV0NHA3cQ=="
+  postgres-password: "Q2VESXpSSHJvWg=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r45
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from f78940b to 914030c Compare November 14, 2024 09:50
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.1.2 feat(charts)!: Update Helm release postgresql to 16.2.0 Nov 14, 2024
Copy link

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.2.0

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "VkhzTkVsaW1VRg=="
+  postgres-password: "WlV6dm4yaWRxbA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r45
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 914030c to 82f7eca Compare November 14, 2024 18:13
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.2.0 feat(charts)!: Update Helm release postgresql to 16.2.1 Nov 14, 2024
Copy link

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.2.1

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "NXRaaG45TE9rRQ=="
+  postgres-password: "dkZFSXdMYUZWaA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.16.0-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 82f7eca to f7c104b Compare November 21, 2024 22:59
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.2.1 feat(charts)!: Update Helm release postgresql to 16.2.2 Nov 21, 2024
Copy link

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.2.2

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "cmpBSGRwMTl1Uw=="
+  postgres-password: "Szl2V01SNTNpOQ=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.16.0-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from f7c104b to ac1c8ff Compare November 29, 2024 01:56
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.2.2 feat(charts)!: Update Helm release postgresql to 16.2.3 Nov 29, 2024
Copy link

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.2.3

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "SUllQVNhNXRzbQ=="
+  postgres-password: "aU1tYnVrb0N1bA=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.16.0-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from ac1c8ff to 1cd6df1 Compare December 3, 2024 17:48
Copy link

github-actions bot commented Dec 3, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.2.4

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "THBoNG9PZExIUQ=="
+  postgres-password: "eDVqQWxGNmhEUw=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.16.0-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.2.3 feat(charts)!: Update Helm release postgresql to 16.2.4 Dec 3, 2024
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 1cd6df1 to 048a413 Compare December 4, 2024 08:44
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.2.4 feat(charts)!: Update Helm release postgresql to 16.2.5 Dec 4, 2024
Copy link

github-actions bot commented Dec 4, 2024

Path: cluster/core/databases/postgresql/helm-release.yaml
Version: 11.9.8 -> 16.2.5

@@ -1,3 +1,61 @@
+# Source: postgresql/templates/primary/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 5432
+        - port: 9187
+---
+# Source: postgresql/templates/primary/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/component: primary
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/component: primary
+---
+# Source: postgresql/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgresql
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
+automountServiceAccountToken: false
+---
 # Source: postgresql/templates/secrets.yaml
 apiVersion: v1
 kind: Secret
@@ -5,12 +63,12 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
 type: Opaque
 data:
-  postgres-password: "dnVaMTZxckwwZg=="
+  postgres-password: "SnlGVTJ1NTFLcQ=="
   password: "JHtTRUNSRVRfUE9TVEdSRVNfUEFTU1dPUkR9"
   # We don't auto-generate LDAP password when it's not provided as we do for other passwords
 ---
@@ -21,12 +79,12 @@
   name: postgresql-metrics
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
   annotations:
-    prometheus.io/port: '9187'
+    prometheus.io/port: "9187"
     prometheus.io/scrape: "true"
 spec:
   type: ClusterIP
@@ -36,8 +94,8 @@
       port: 9187
       targetPort: http-metrics
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc-headless.yaml
@@ -47,15 +105,11 @@
   name: postgresql-hl
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-    # Use this annotation in addition to the actual publishNotReadyAddresses
-    # field below because the annotation will stop being respected soon but the
-    # field is broken in some versions of Kubernetes:
-    # https://github.com/kubernetes/kubernetes/issues/58662
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  annotations:
 spec:
   type: ClusterIP
   clusterIP: None
@@ -68,8 +122,8 @@
       port: 5432
       targetPort: tcp-postgresql
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/svc.yaml
@@ -79,11 +133,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   type: ClusterIP
   sessionAffinity: None
@@ -93,8 +146,8 @@
       targetPort: tcp-postgresql
       nodePort: null
   selector:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
 ---
 # Source: postgresql/templates/primary/statefulset.yaml
@@ -104,11 +157,10 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: primary
-  annotations:
 spec:
   replicas: 1
   serviceName: postgresql-hl
@@ -117,16 +169,16 @@
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: primary
   template:
     metadata:
       name: postgresql
       labels:
-        app.kubernetes.io/name: postgresql
         app.kubernetes.io/instance: postgresql
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: postgresql
         app.kubernetes.io/component: primary
       annotations:
         backup.velero.io/backup-volumes: data
@@ -135,7 +187,8 @@
         pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/bitnami/postgresql"]'
         pre.hook.backup.velero.io/container: fsfreeze
     spec:
-      serviceAccountName: default
+      serviceAccountName: postgresql
+      automountServiceAccountToken: false
       affinity:
         podAffinity:
         podAntiAffinity:
@@ -143,25 +196,36 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/instance: postgresql
+                    app.kubernetes.io/name: postgresql
                     app.kubernetes.io/component: primary
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       hostNetwork: false
       hostIPC: false
-      initContainers:
       containers:
         - name: postgresql
           image: quay.io/bitnami/postgresql:14.1.0
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
+            runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: BITNAMI_DEBUG
               value: "false"
@@ -174,21 +238,18 @@
             # Authentication
             - name: POSTGRES_USER
               value: "${SECRET_POSTGRES_USERNAME}"
-            - name: POSTGRES_POSTGRES_PASSWORD
+            - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: postgres-password
-            - name: POSTGRES_PASSWORD
+                  key: password
+            - name: POSTGRES_POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
-            - name: POSTGRES_DB
+                  key: postgres-password
+            - name: POSTGRES_DATABASE
               value: "postgres"
-            # Replication
-            # Initdb
-            # Standby
             # LDAP
             - name: POSTGRESQL_ENABLE_LDAP
               value: "no"
@@ -238,21 +299,44 @@
                   exec pg_isready -U "${SECRET_POSTGRES_USERNAME}" -d "dbname=postgres" -h 127.0.0.1 -p 5432
                   [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
           resources:
-            limits: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
             requests:
-              cpu: 250m
-              memory: 256Mi
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/conf
+              subPath: app-conf-dir
+            - name: empty-dir
+              mountPath: /opt/bitnami/postgresql/tmp
+              subPath: app-tmp-dir
             - name: dshm
               mountPath: /dev/shm
             - name: data
               mountPath: /bitnami/postgresql
         - name: metrics
-          image: docker.io/bitnami/postgres-exporter:0.11.1-debian-11-r15
+          image: docker.io/bitnami/postgres-exporter:0.16.0-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: DATA_SOURCE_URI
               value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -260,9 +344,9 @@
               valueFrom:
                 secretKeyRef:
                   name: postgresql
-                  key: password
+                  key: postgres-password
             - name: DATA_SOURCE_USER
-              value: "${SECRET_POSTGRES_USERNAME}"
+              value: "postgres"
           ports:
             - name: http-metrics
               containerPort: 9187
@@ -285,15 +369,28 @@
               path: /
               port: http-metrics
           volumeMounts:
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
       volumes:
+        - name: empty-dir
+          emptyDir: {}
         - name: dshm
           emptyDir:
             medium: Memory
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -309,15 +406,15 @@
   name: postgresql
   namespace: "default"
   labels:
-    app.kubernetes.io/name: postgresql
     app.kubernetes.io/instance: postgresql
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: postgresql
     app.kubernetes.io/component: metrics
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: postgresql
       app.kubernetes.io/instance: postgresql
+      app.kubernetes.io/name: postgresql
       app.kubernetes.io/component: metrics
   endpoints:
     - port: http-metrics

@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 048a413 to c0a971a Compare December 11, 2024 06:22
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.2.5 feat(charts)!: Update Helm release postgresql to 16.3.0 Dec 11, 2024
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from c0a971a to c30da8b Compare December 13, 2024 14:49
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.3.0 feat(charts)!: Update Helm release postgresql to 16.3.1 Dec 13, 2024
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from c30da8b to 14f2da1 Compare December 16, 2024 21:30
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.3.1 feat(charts)!: Update Helm release postgresql to 16.3.2 Dec 16, 2024
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 14f2da1 to 3f5b20b Compare December 21, 2024 08:23
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.3.2 feat(charts)!: Update Helm release postgresql to 16.3.3 Dec 21, 2024
@renovate renovate bot force-pushed the renovate/postgresql-16.x branch from 3f5b20b to 4e9593d Compare December 23, 2024 10:02
@renovate renovate bot changed the title feat(charts)!: Update Helm release postgresql to 16.3.3 feat(charts)!: Update Helm release postgresql to 16.3.4 Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants