diff --git a/charts/postgres/Chart.yaml b/charts/postgres/Chart.yaml
index bbe7e8d483f73a22e0daec4efedad7b64e018be4..8683d453e2ea6d8dbe5ecc744d9e89e2159312b0 100644
--- a/charts/postgres/Chart.yaml
+++ b/charts/postgres/Chart.yaml
@@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k
-version: "0.5.3"
+version: "1.0.0"
-appVersion: "16.2"
+appVersion: "12.18"
diff --git a/charts/postgres/README.md b/charts/postgres/README.md
index 427fc6dcfb9c2ac3c2b8ae515c861da7b09faf1b..8768f7edec21e118e7f3512566ed3ffda17b7ca4 100644
--- a/charts/postgres/README.md
+++ b/charts/postgres/README.md
@@ -125,6 +125,9 @@ The policyTypes will be automatically set | storage.keepPvc | bool | `false` | Keep a created Persistent volume claim when uninstalling the helm chart (only for option `useDeployment: true`) | | storage.annotations | object | `{}` | Additional storage annotations | | storage.labels | object | `{}` | Additional storage labels | +| extraStorage[].name | string | `nil` | Internal name of the volume | +| extraStorage[].pvcName | string | `nil` | Name of the existing PVC | +| extraStorage[].mountPath | string | `nil` | Mount path where the PVC should be mounted into the container | ## PostgreSQL parameters 
@@ -133,12 +136,17 @@ The policyTypes will be automatically set | useDeployment | bool | `false` | Use Kubernetes Deployment instead of StatefulSet | | settings.authMethod | string | `nil` | Postgres database authentication method | | settings.initDbArgs | string | `nil` | Optional init database arguments | -| settings.superuser | string | `nil` | Superuser name | -| settings.superuserPassword | string | `nil` | Password of superuser | -| userDatabase | object | `{}` | Optional PostgreSQL user database | -| userDatabase.name | string | `nil` | Name of the user database | -| userDatabase.user | string | `nil` | User name with full access to user database| -| userDatabase.password | string | `nil` | Password of created user | +| settings.superuser.secretKey | string | `nil` | Key of existingSecret for the Superuser name | +| settings.superuser.value | string | `nil` | Superuser name (if no existingSecret was specified) - defaults to "postgres" | +| settings.superuserPassword.secretKey | string | `nil` | Key of existingSecret for the Superuser password | +| settings.superuserPassword.value | string | `nil` | Password of Superuser (if no existingSecret was specified) | +| userDatabase.existingSecret | string | `nil` | Optional existing secret with database name, user and password | +| userDatabase.name.secretKey | string | `""` | Key of the existingSecret with database name | +| userDatabase.name.value | string | `""` | Name of the user database (if no existingSecret was specified) | +| userDatabase.user.secretKey | string | `""` | Key of the existingSecret with database user | +| userDatabase.user.value | string | `""` | User name with full access to user database (if no existingSecret was specified) | +| userDatabase.password.secretKey | string | `""` | Key of the existingSecret with password of created user | +| userDatabase.password.value | string | `""` | Password of created user (if no existingSecret was specified) | | customConfig | string | `nil` | Optional 
custom configuration block that will be mounted as file in `/etc/postgresql/postgresql.conf` | | extraEnvSecrets | list | `[]` | A list of existing secrets that will be mounted into the container as environment variables | | extraSecretConfigs | string | `nil` | An existing secret with files that will be added to the postgres configuration in addition to `/etc/postgresql/postgresql.conf` |
@@ -146,4 +154,8 @@ The policyTypes will be automatically set | extraScripts | string | `nil` | An existing configMap with files that will be mounted into the container as script files (`*.sql`, `*.sh`) in `/docker-entrypoint-initdb.d` | | extraSecrets | list | `[]` | A list of additional existing secrets that will be mounted into the container | | extraSecrets[].name | string | `nil` | Name of the existing K8s secret | +| extraSecrets[].defaultMode | int | `0440` | Mount default access mode | | extraSecrets[].mountPath | string | `nil` | Mount path where the secret should be mounted into the container (f.e. /mysecretfolder) | +| extraConfigs[].name | string | `nil` | Name of the existing K8s configMap | +| extraConfigs[].defaultMode | int | `0440` | Mount default access mode | +| extraConfigs[].mountPath | string | `nil` | Mount path where the configMap should be mounted into the container (f.e. /myconfigfolder) |
diff --git a/charts/postgres/RELEASENOTES.md b/charts/postgres/RELEASENOTES.md
index 7ba79205a1433eb1169a33e98d1b2cb4b96a6349..b104bd7d4a82aac91d4f3827860a46d3bf60a538 100644
--- a/charts/postgres/RELEASENOTES.md
+++ b/charts/postgres/RELEASENOTES.md
@@ -44,4 +44,5 @@ | 0.5.1 | 16.1 | Upgraded to Postgres 16.1 | | 0.5.2 | 16.1 | Added support for network policies and additional labels and annotations | | 0.5.3 | 16.2 | Upgraded to Postgres 16.2 | +| 1.0.0 | 12.8 | Final version with configuration secret, extra config and extra volume support | | | | | 
diff --git a/charts/postgres/templates/_helpers.tpl b/charts/postgres/templates/_helpers.tpl
index 95ede84ef26964fddd340a2247376d8d473e52bf..d0bfd03696835dc25c6a2276a9786b2132afd9d9 100644
--- a/charts/postgres/templates/_helpers.tpl
+++ b/charts/postgres/templates/_helpers.tpl
@@ -60,12 +60,3 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} - -{{/* -Generate secret with configuration -*/}} -{{- define "postgres.createSecureConfig" -}} - {{- if or (or (.Values.settings.superuserPassword) (.Values.settings.superuser)) (.Values.userDatabase) }} -true - {{- end }} -{{- end }}
diff --git a/charts/postgres/templates/secureconfig.yaml b/charts/postgres/templates/secureconfig.yaml
index 8c3f5bf33daba46aa7856817d84d061652e6fe46..590a3cc53ab6419c09eeddd8ab6144f2f619c6de 100644
--- a/charts/postgres/templates/secureconfig.yaml
+++ b/charts/postgres/templates/secureconfig.yaml
@@ -1,4 +1,6 @@ -{{- if include "postgres.createSecureConfig" . }} +{{- $rootSet := and (not .Values.settings.existingSecret) ((.Values.settings.superuserPassword).value) }} +{{- $userDatabaseSet := and (.Values.userDatabase) (not .Values.userDatabase.existingSecret) }} +{{- if or ($rootSet) ($userDatabaseSet) }} apiVersion: v1 kind: Secret metadata: 
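Review bot: `$rootSet` only tests `superuserPassword.value`, so setting `settings.superuser.value` on its own (no password value, no `existingSecret`, no `userDatabase`) renders no Secret, while the StatefulSet hunk in this diff still emits a `POSTGRES_USER` `secretKeyRef` against `postgres.fullname` whenever `superuser.value` is set; the pod then fails at start with a missing-secret error instead of a render-time message. The deleted `postgres.createSecureConfig` helper included the superuser name in its condition, so this is a regression from 0.5.x behaviour. Suggest `{{- $rootSet := and (not .Values.settings.existingSecret) (or ((.Values.settings.superuser).value) ((.Values.settings.superuserPassword).value)) }}`.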
@@ -8,18 +10,22 @@ metadata: type: Opaque data: {{- with .Values.settings }} - {{- if .superuser }} - POSTGRES_USER: {{ .superuser | b64enc }} + {{- if (.superuser).value }} + POSTGRES_USER: {{ .superuser.value | b64enc }} {{- end }} - {{- if .superuserPassword }} - POSTGRES_PASSWORD: {{ .superuserPassword | b64enc }} + {{- if (.superuserPassword).value }} + POSTGRES_PASSWORD: {{ .superuserPassword.value | b64enc }} {{- end }} {{- end }} {{- with .Values.userDatabase }} - POSTGRES_DB: {{ required "Values: userDatabase.name is mandatory if userDatabase is specified." .name | b64enc }} - {{- if .user }} - USERDB_USER: {{ .user | b64enc }} - USERDB_PASSWORD: {{ required "Values: userDatabase.password is mandatory if userDatabase.user is specified." .password | b64enc }} + {{- if not .existingSecret }} + {{- $_ := required "Values: userDatabase.name is mandatory if userDatabase is specified without existing secret" .name }} + POSTGRES_DB: {{ required "Values: userDatabase.name.value is mandatory if userDatabase is specified without existingSecret." .name.value | b64enc }} + {{- if (.user).value}} + USERDB_USER: {{ .user.value | b64enc }} + {{- $_ := required "Values: userDatabase.password is mandatory if userDatabase is specified without existing secret" .password }} + USERDB_PASSWORD: {{ required "Values: userDatabase.password.value is mandatory if userDatabase.user is specified without existingSecret." .password.value | b64enc }} + {{- end }} {{- end }} {{- end }} {{- end }}
diff --git a/charts/postgres/templates/statefulset.yaml b/charts/postgres/templates/statefulset.yaml
index 89bb6469d9096104793be0ebb4c4039b19190a30..d82c569c3f98a77e7469f40a3bf4b3d9c2a3fe52 100644
--- a/charts/postgres/templates/statefulset.yaml
+++ b/charts/postgres/templates/statefulset.yaml
@@ -107,6 +107,37 @@ spec: containerPort: 5432 protocol: TCP env: + {{- if or (and (.Values.settings.existingSecret) ((.Values.settings.superuser).secretKey)) ((.Values.settings.superuser).value) }} + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: {{ default (include "postgres.fullname" .) .Values.settings.existingSecret }} + key: {{ default "POSTGRES_USER" (.Values.settings.superuser).secretKey }} + {{- end }} + {{- if or (.Values.settings.existingSecret) ((.Values.settings.superuserPassword).value) }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ default (include "postgres.fullname" .) .Values.settings.existingSecret }} + key: {{ default "POSTGRES_PASSWORD" (.Values.settings.superuserPassword).secretKey }} + {{- end }} + {{- with .Values.userDatabase }} + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + name: {{ default (include "postgres.fullname" $) .existingSecret }} + key: {{ default "POSTGRES_DB" .name.secretKey }} + - name: USERDB_USER + valueFrom: + secretKeyRef: + name: {{ default (include "postgres.fullname" $) .existingSecret }} + key: {{ default "USERDB_USER" .user.secretKey }} + - name: USERDB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ default (include "postgres.fullname" $) .existingSecret }} + key: {{ default "USERDB_PASSWORD" .password.secretKey }} + {{- end }} - name: PGDATA value: "/var/lib/postgresql/data/pg" {{- if .Values.settings.authMethod }}
@@ -120,11 +151,6 @@ spec: {{- with .Values.env }} {{- toYaml . | nindent 12 }} {{- end }} - envFrom: - {{- if include "postgres.createSecureConfig" . }} - - secretRef: - name: {{ $fullname }} - {{- end }} {{- range .Values.extraEnvSecrets }} - secretRef: name: {{ . }} 
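Review bot: The `with .Values.userDatabase` block dereferences `.name.secretKey`, `.user.secretKey` and `.password.secretKey` without the nil-safe `(.x).field` form the `settings` entries above it use, and it emits `USERDB_USER`/`USERDB_PASSWORD` unconditionally, whereas secureconfig.yaml in this diff only writes those keys under `if (.user).value`. A `userDatabase` that carries only a name (still accepted by secureconfig.yaml) therefore fails at render with a nil-pointer error on `.user.secretKey`, and if `user` is given as a non-map it yields a pod whose `secretKeyRef` points at keys the generated Secret does not contain. Guard the two user entries the way the Secret template does and use the parenthesized lookups, as below. Since `postgres.createSecureConfig` was removed from _helpers.tpl, any other template that still includes it — the chart's `useDeployment` option suggests a deployment.yaml exists, which is not in this diff — presumably needs the same env block mirrored.
```yaml
          {{- with .Values.userDatabase }}
          # … unchanged: POSTGRES_DB entry (its key: line should read (.name).secretKey) …
          {{- if or .existingSecret (.user).value }}
          - name: USERDB_USER
          # … unchanged: valueFrom / secretKeyRef / name lines …
                key: {{ default "USERDB_USER" (.user).secretKey }}
          - name: USERDB_PASSWORD
          # … unchanged: valueFrom / secretKeyRef / name lines …
                key: {{ default "USERDB_PASSWORD" (.password).secretKey }}
          {{- end }}
          {{- end }}
```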
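Review bot: Removing the `envFrom:` key along with the chart-secret `secretRef` leaves the `extraEnvSecrets` range that immediately follows emitting `- secretRef:` items directly under `env:`, which the API server rejects (an `EnvVar` has no `secretRef` field and requires `name`) whenever `extraEnvSecrets` is non-empty — unless an `envFrom:` key is re-introduced after this hunk, which the visible context does not show. Keep the key but make it conditional: `{{- if .Values.extraEnvSecrets }}` followed by `envFrom:` before the range, with a matching `{{- end }}` after the range's own `{{- end }}`, which lies outside the hunk.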
@@ -214,6 +240,14 @@ spec: - name: {{ $secret.name }} mountPath: {{ $secret.mountPath }} {{- end }} + {{- range $config := .Values.extraConfigs }} + - name: {{ $config.name }} + mountPath: {{ $config.mountPath }} + {{- end }} + {{- range $storage := .Values.extraStorage }} + - name: {{ $storage.name }} + mountPath: {{ $storage.mountPath }} + {{- end }} {{- with .Values.extraContainers }} {{- toYaml . | nindent 8 }} {{- end }}
@@ -272,7 +306,18 @@ spec: - name: {{ $secret.name }} secret: secretName: {{ $secret.name }} - defaultMode: 0440 + defaultMode: {{ $secret.defaultMode | default 0440 }} + {{- end }} + {{- range $config := .Values.extraConfigs }} + - name: {{ $config.name }} + configMap: + name: {{ $config.name }} + defaultMode: {{ $config.defaultMode | default 0440 }} + {{- end }} + {{- range $storage := .Values.extraStorage }} + - name: {{ $storage.name }} + persistentVolumeClaim: + claimName: {{ $storage.pvcName }} {{- end }} {{- with .Values.storage }} {{- $createPvc := and (empty .persistentVolumeClaimName) .requestedSize }}
diff --git a/charts/postgres/values.yaml b/charts/postgres/values.yaml
index 68052c1072556fbf60d22744952d7336f37f2f08..45d474ea4e795eefee4c04f710bbf3b441d52b2b 100644
--- a/charts/postgres/values.yaml
+++ b/charts/postgres/values.yaml
@@ -151,11 +151,18 @@ useDeployment: false ## Database configuration settings: + ## Optional existing secret for the Postgrest superuser + existingSecret: + ## The default postgres superuser (default when nothing is set: "postgres") superuser: + # secretKey: + # value: ## The superuser password superuserPassword: + # secretKey: + # value: ## Postgres database authentication method ## For example: "md5" 
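Review bot: `claimName: {{ $storage.pvcName }}` and the `name:` lines of the new `extraConfigs`/`extraStorage` ranges have no `required` guard, so an entry that omits `pvcName` or `name` renders an empty field and the install fails only at API validation, far from the offending value. Suggest `claimName: {{ required "extraStorage[].pvcName is required" $storage.pvcName }}` and the equivalent for `$config.name` and `$storage.name`. The `volumeMounts` hunk above has the same gap for `mountPath`, where a missing value renders `mountPath:` with nothing after it.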
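Review bot: The new `settings.existingSecret` comment does not state the contract the StatefulSet applies to that secret: `POSTGRES_PASSWORD` is always read from it (key `POSTGRES_PASSWORD` unless `superuserPassword.secretKey` overrides it), while `POSTGRES_USER` is read from it only when `superuser.secretKey` is set, and an operator supplying a pre-created secret needs to know that. Suggest `## Optional existing secret holding the superuser credentials; the password is read from key POSTGRES_PASSWORD (or superuserPassword.secretKey), the user name only if superuser.secretKey is set`, and fix the typo `Postgrest` in the same line.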
@@ -167,14 +174,23 @@ settings: ## Optional user database which is created during first startup with user and password userDatabase: {} + ## Optional existing secret with database name, user and password + # existingSecret: ## Name of the user database # name: - + ## Use secretKey when existingSecret was specified otherwise value + # secretKey: + # value: ## Database user with full access rights + ## Use secretKey when existingSecret was specified otherwise value # user: - + # secretKey: + # value: ## Password of the database user + ## Use secretKey when existingSecret was specified otherwise value # password: + # secretKey: + # value: ## Optional custom configuration block that will be mounted as file in /etc/postgresql/postgresql.conf ## For more flexible options see extraSecretConfigs: section
@@ -204,9 +220,20 @@ extraScripts: extraSecrets: [] ## Name of the existing K8s secret # - name: + ## Mount default mode (0440 if parameter is omitted) +# defaultMode: 0440 ## Mount path where the secret should be mounted into the container (f.e. /mysecretfolder) # mountPath: +## A list of additional existing configMaps that will be mounted into the container +extraConfigs: [] + ## Name of the existing K8s configMap +# - name: + ## Mount default mode (0440 if parameter is omitted) +# defaultMode: 0440 + ## Mount path where the configMap should be mounted into the container (f.e. /mysecretfolder) +# mountPath: + ## Storage parameters storage: ## Set persistentVolumenClaimName to reference an existing PVC
@@ -234,6 +261,15 @@ storage: ## Additional storage labels labels: {} +## Mount existing extra PVC +extraStorage: {} + ## Internal volume name +# - name: + ## Container mount path +# mountPath: + ## Name of existing PVC +# pvcName: + ## Network policies networkPolicy: {} ## Ingress and Egress policies
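Review bot: The `extraConfigs` `mountPath` comment still carries the example `(f.e. /mysecretfolder)` copied from the `extraSecrets` entry above it, while the README row added in this diff uses `/myconfigfolder` for the same parameter. Suggest `## Mount path where the configMap should be mounted into the container (f.e. /myconfigfolder)`.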
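Review bot: `extraStorage: {}` declares a map, but statefulset.yaml ranges over it as a list of `{name, mountPath, pvcName}` entries, the README documents it as `extraStorage[]`, and `extraConfigs` in the hunk above is declared as `[]`. Ranging over an empty map happens to render nothing, so the default works by accident, but anyone merging values or validating them against a schema will hit the type mismatch. Change it to `extraStorage: []`.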