diff --git a/charts/mariadb/Chart.yaml b/charts/mariadb/Chart.yaml
index be65d6f1e3f41be64304dd9ef1f5be44b8c02dca..8758404d97911ff0bb74cb4db348f9aee46f5de6 100644
--- a/charts/mariadb/Chart.yaml
+++ b/charts/mariadb/Chart.yaml
@@ -7,6 +7,6 @@ type: application
 maintainers:
 - name: groundhog2k
-version: 0.4.1
+version: 0.2.18
-appVersion: "10.7.1"
+appVersion: "10.5.13"
diff --git a/charts/mariadb/README.md b/charts/mariadb/README.md
index 8386bc055f4b3d91ec275f2ba5ffee8c0602b770..ac52cad26f80014435e4e9f498d0ed2225f3c847 100644
--- a/charts/mariadb/README.md
+++ b/charts/mariadb/README.md
@@ -1,6 +1,6 @@ # MariaDB -   +   ## Changelog
@@ -96,6 +96,7 @@ helm uninstall my-release
 |-----|------|---------|-------------|
 | storage.accessModes[0] | string | `"ReadWriteOnce"` | Storage access mode |
 | storage.persistentVolumeClaimName | string | `nil` | PVC name when existing storage volume should be used |
+| storage.volumeName | string | `"db-volume"` | Internal volume name and prefix of a created PVC |
 | storage.requestedSize | string | `nil` | Size for new PVC, when no existing PVC is used |
 | storage.className | string | `nil` | Storage class name | 
@@ -106,7 +107,15 @@ helm uninstall my-release
 | userDatabase | object | `{}` | Optional MariaDB user database |
 | userDatabase.name | string | `""` | Name of the user database |
 | userDatabase.user | string | `""` | User name with full access to user database|
-| userDatabase.password | string | `""` | Password of created user (Random value if not specified) |
-| settings.rootPassword | string | `nil` | MariaDB root password (Random value if not specified) |
+| userDatabase.password | string | `""` | Password of created user |
+| settings.rootPassword | string | `nil` | MariaDB root password |
+| settings.allowEmptyRootPassword | bool | `false` | Set true to allow an empty root password |
+| settings.skipTZInfo | bool | `false` | Set true to skip loading timezone data during init |
 | settings.arguments | list | `[]` | Additional arguments for mysqld (entrypoint process) |
-| customConfig | string | `nil` | Additional MariaDB custom configuration mounted as custom.cnf |
+| customConfig | string | `nil` | Additional MariaDB custom configuration mounted as `/etc/mysql/custom.cnf` |
+| extraEnvSecrets | list | `[]` | A list of existing secrets that will be mounted into the container as environment variables |
+| extraSecretConfigs | string | `nil` | An existing secret with files that will be mounted into the container as custom MariaDB configuration files (`*.cnf`) in `/etc/mysql/conf.d` |
+| extraScripts | string | `nil` | An existing configMap with files that will be mounted into the container as script files (`*.sql`, `*.sh`) in `/docker-entrypoint-initdb.d` |
+| extraSecrets | list | `[]` | A list of additional existing secrets that will be mounted into the container |
+| extraSecrets[].name | string | `nil` | Name of the existing K8s secret |
+| extraSecrets[].mountPath | string | `nil` | Mount path where the secret should be mounted into the container (f.e. /mysecretfolder) | 
diff --git a/charts/mariadb/RELEASENOTES.md b/charts/mariadb/RELEASENOTES.md
index 9b8d1b8cf9289141ac70771ff7d31fccb5ce6dd8..2370d0203b4bde3ed6d6d717b2828f85ad5e5981 100644
--- a/charts/mariadb/RELEASENOTES.md
+++ b/charts/mariadb/RELEASENOTES.md
@@ -3,6 +3,7 @@
 | Chart version | App version | Change description |
 | :------------ | :---------- | :----------------- |
 | 0.2.17 | 10.5.13 | Implemented startupProbe support |
+| 0.2.18 | 10.5.13 | Implemented support for extra secrets and advanced configuration capabilites |
 | 0.3.1 | 10.6.5 | Implemented startupProbe support |
 | 0.4.1 | 10.7.1 | Implemented startupProbe support |
 | | | |
diff --git a/charts/mariadb/templates/_helpers.tpl b/charts/mariadb/templates/_helpers.tpl
index b5cd7d6ceb1e22019f59411da756d06b7df53357..57d99ab4964d3213636640277511a2e8eb34b06d 100644
--- a/charts/mariadb/templates/_helpers.tpl
+++ b/charts/mariadb/templates/_helpers.tpl
@@ -61,3 +61,12 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Generate secret with configuration
+*/}}
+{{- define "mariadb.createSecureConfig" -}}
+ {{- if or (.Values.settings.rootPassword) (.Values.userDatabase) }}
+true
+ {{- end }}
+{{- end }}
diff --git a/charts/mariadb/templates/customconfig.yaml b/charts/mariadb/templates/customconfig.yaml
index a8248ae43a3ad8561e15610955ed5c18ac3ce52d..d97b93031e4cd27909bbbe89ff3c0efdee670898 100644
--- a/charts/mariadb/templates/customconfig.yaml
+++ b/charts/mariadb/templates/customconfig.yaml
@@ -6,6 +6,6 @@ metadata:
 labels:
 {{- include "mariadb.labels" . | nindent 4 }}
 data:
- custom.cnf: |-
+ custom.cnf: |
 {{- .Values.customConfig | nindent 4 }}
 {{- end }}
diff --git a/charts/mariadb/templates/scripts.yaml b/charts/mariadb/templates/scripts.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..369c753fb0ea0b31d73132eb0b9009f4ad563f34
--- /dev/null
+++ b/charts/mariadb/templates/scripts.yaml 
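Review bot: The comment `Generate secret with configuration` on the new `mariadb.createSecureConfig` helper does not say what it yields, yet `secureconfig.yaml` and `statefulset.yaml` in this commit both branch on its output; a comment such as `Returns "true" when settings.rootPassword or userDatabase is set, i.e. when the chart's own Secret must be rendered and referenced via envFrom; returns an empty string otherwise` states that contract. Worth noting in the same comment that the output carries a leading newline before `true` (the `{{- if` trims only to its left), so callers must test for non-empty rather than compare against `"true"`, which is what both callers do. The mongodb twin in `charts/mongodb/templates/_helpers.tpl` has the same undocumented contract.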
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "mariadb.fullname" . }}-scripts
+ labels:
+ {{- include "mariadb.labels" . | nindent 4 }}
+data:
+ init.sh: |
+ #!/bin/sh
+ echo "Start initialization"
+ if [ -d /extrascripts ]; then
+ echo "Copy extra scripts"
+ cp /extrascripts/* /scripts
+ fi
+ if [ -d /extraconfigs ]; then
+ echo "Copy extra configs"
+ cp /extraconfigs/* /configs
+ fi
+ if [ -d /customconfig ]; then
+ echo "Copy custom config"
+ cp /customconfig/* /configs
+ fi
+ echo "Initialization done."
diff --git a/charts/mariadb/templates/secureconfig.yaml b/charts/mariadb/templates/secureconfig.yaml
index 7c94303798ec70e0bb0f24344fad277d565af94c..30340c7ecf710a028eed504a47c5f3a22865cca3 100644
--- a/charts/mariadb/templates/secureconfig.yaml
+++ b/charts/mariadb/templates/secureconfig.yaml
@@ -1,14 +1,4 @@
-{{- $existingRootPassword := "" }}
-{{- $existingUserDbName := "" }}
-{{- $existingUserDbUser := "" }}
-{{- $existingUserDbPassword := "" }}
-{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "mariadb.fullname" .) ) }}
-{{- if $secret }}
-{{- $existingRootPassword = index $secret.data "MYSQL_ROOT_PASSWORD" }}
-{{- $existingUserDbName = index $secret.data "MYSQL_DATABASE" }}
-{{- $existingUserDbUser = index $secret.data "MYSQL_USER" }}
-{{- $existingUserDbPassword = index $secret.data "MYSQL_PASSWORD" }}
-{{- end -}}
+{{- if include "mariadb.createSecureConfig" . }}
 apiVersion: v1
 kind: Secret
 metadata: 
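Review bot: `init.sh` runs without `set -e`, so a failed `cp` (a mis-named ConfigMap or Secret, or an unreadable file) is ignored and the script still prints `Initialization done.`, letting the database start with incomplete configuration instead of failing the init container. Adding `set -e` directly after the `#!/bin/sh` line makes the pod surface the error; the `if [ -d … ]` guards keep working, since a false test inside an `if` does not trip `set -e`. A short header comment stating the copy order (extra configs first, then `customConfig`, so a `custom.cnf` from `customConfig` overwrites a same-named file from `extraSecretConfigs`) would also spare the next maintainer from re-deriving it. The same `set -e` omission is in `init.sh` of `charts/mongodb/templates/scripts.yaml`.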
@@ -17,12 +7,16 @@ metadata:
 {{- include "mariadb.labels" . | nindent 4 }}
 type: Opaque
 data:
- {{- $rootPassword := coalesce (.Values.settings.rootPassword | default "" | b64enc) $existingRootPassword (randAlphaNum 10 | b64enc) }}
- MYSQL_ROOT_PASSWORD: {{ $rootPassword }}
+ {{- with .Values.settings }}
+ {{- if .rootPassword }}
+ MARIADB_ROOT_PASSWORD: {{ .rootPassword | b64enc }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.userDatabase }}
- {{- $userDbName := coalesce (.name | default "" | b64enc) $existingUserDbName }}
- {{- $userDbUser := coalesce (.user | default "" | b64enc) $existingUserDbUser }}
- MYSQL_DATABASE: {{ required "Values: userDatabase.name is mandatory if userDatabase is specified." $userDbName }}
- MYSQL_USER: {{ required "Values: userDatabase.user is mandatory if userDatabase is specified." $userDbUser }}
- MYSQL_PASSWORD: {{ coalesce (.password | default "" | b64enc) $existingUserDbPassword (randAlphaNum 10 | b64enc) }}
+ MARIADB_DATABASE: {{ required "Values: userDatabase.name is mandatory if userDatabase is specified." .name | b64enc }}
+ {{- if .user }}
+ MARIADB_USER: {{ .user | b64enc }}
+ MARIADB_PASSWORD: {{ required "Values: userDatabase.password is mandatory if userDatabase.user is specified." .password | b64enc }}
+ {{- end }}
 {{- end }}
+{{- end }}
diff --git a/charts/mariadb/templates/statefulset.yaml b/charts/mariadb/templates/statefulset.yaml
index ee056c9f925ef0241c62a6f186c03eae33ec9b4f..159ce9c87df61197b01f42758ef301ac53699082 100644
--- a/charts/mariadb/templates/statefulset.yaml
+++ b/charts/mariadb/templates/statefulset.yaml 
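Review bot: The Secret no longer preserves or generates credentials, so a release that was installed without `settings.rootPassword` and relied on the removed `lookup`/`randAlphaNum` path loses its Secret on upgrade while the data directory keeps the old root password, after which the probes can no longer authenticate — inferred from the removed lines, please confirm. The release notes should spell out the upgrade step (pass the previously generated password via `settings.rootPassword` or an `extraEnvSecrets` entry). Separately, `.rootPassword | b64enc` and `.password | b64enc` can fail at render time when the value is numeric-looking, because YAML turns `rootPassword: 123456` into a number; `{{ .rootPassword | toString | b64enc }}` (and likewise for `.password`) avoids that. Both points apply equally to `charts/mongodb/templates/secureconfig.yaml` in this commit.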
@@ -20,6 +20,8 @@ spec:
 metadata:
 annotations:
 checksum/customconfig: {{ include (print $.Template.BasePath "/customconfig.yaml") . | sha256sum }}
+ checksum/secureconfig: {{ include (print $.Template.BasePath "/secureconfig.yaml") . | sha256sum }}
+ checksum/scripts: {{ include (print $.Template.BasePath "/scripts.yaml") . | sha256sum }}
 {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -35,6 +37,34 @@ spec:
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ initContainers:
+ - name: {{ .Chart.Name }}-init
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ volumeMounts:
+ {{- if .Values.extraScripts }}
+ - mountPath: /extrascripts
+ name: extrascripts-volume
+ {{- end }}
+ {{- if .Values.extraSecretConfigs }}
+ - mountPath: /extraconfigs
+ name: extraconfigs-volume
+ {{- end }}
+ {{- if .Values.customConfig }}
+ - mountPath: /customconfig
+ name: customconfig-volume
+ {{- end }}
+ - mountPath: /initscripts
+ name: initscripts
+ - mountPath: /scripts
+ name: scripts
+ - mountPath: /configs
+ name: configs
+ command: [ "/initscripts/init.sh" ]
 containers:
 - name: {{ .Chart.Name }}
 {{- with .Values.securityContext }}
@@ -57,7 +87,7 @@ spec:
 command:
 - bash
 - -c
- - mysqladmin status -uroot -p$MYSQL_ROOT_PASSWORD
+ - mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD
 {{- with .Values.startupProbe }}
 initialDelaySeconds: {{ .initialDelaySeconds }}
 timeoutSeconds: {{ .timeoutSeconds }}
@@ -77,7 +107,7 @@ spec:
 command:
 - bash
 - -c
- - mysqladmin status -uroot -p$MYSQL_ROOT_PASSWORD
+ - mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD
 {{- with .Values.livenessProbe }}
 initialDelaySeconds: {{ .initialDelaySeconds }}
 timeoutSeconds: {{ .timeoutSeconds }} 
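Review bot: `checksum/secureconfig` stores `sha256sum` of the fully rendered Secret — base64 root and user passwords included — in a pod annotation, which anyone with `get pods` can read even without `get secrets`; because the rest of that rendered manifest is predictable from the chart, the annotation amounts to an unsalted digest of the credential, which is a weaker exposure than the Secret itself but still one worth avoiding for short passwords. If the purpose is only to roll pods when the credentials change, hashing a non-secret marker the operator bumps alongside the password (or a value derived through a keyed helper) achieves that without publishing a credential digest; at minimum the line deserves a comment stating the trade-off. The same annotation is added to `charts/mongodb/templates/statefulset.yaml`.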
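Review bot: The new init container declares no `resources`, so in a namespace with a `LimitRange` or `ResourceQuota` that demands requests/limits the whole pod is rejected although the main container is sized; if the chart exposes a `.Values.resources` block for the main container (not visible in this hunk), reusing it here — `resources: {{- toYaml .Values.resources | nindent 12 }}` — keeps the two containers consistent. `command: [ "/initscripts/init.sh" ]` silently depends on the `defaultMode: 0555` set on the `initscripts` volume further down and on the `#!/bin/sh` shebang in `scripts.yaml`; a one-line comment above `command:` naming that dependency would prevent a future "permission denied" after a volume edit. The mongodb statefulset in this commit has the identical init container.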
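Review bot: `-p$MARIADB_ROOT_PASSWORD` is unquoted inside the `bash -c` string, so a root password containing whitespace or glob characters is word-split before `mysqladmin` sees it and the startup probe fails on a healthy database; `-p"$MARIADB_ROOT_PASSWORD"` keeps it as one argument. When `settings.allowEmptyRootPassword` is set and no Secret is rendered, the variable is unset and a bare `-p` may make `mysqladmin` wait for a password prompt rather than use an empty one (inferred; please verify against the image), which `${MARIADB_ROOT_PASSWORD:+-p"$MARIADB_ROOT_PASSWORD"}` would handle. The same command is repeated in the liveness hunk below and in the readiness hunk of this file.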
@@ -97,7 +127,7 @@ spec:
 command:
 - bash
 - -c
- - mysqladmin status -uroot -p$MYSQL_ROOT_PASSWORD
+ - mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD
 {{- with .Values.readinessProbe }}
 initialDelaySeconds: {{ .initialDelaySeconds }}
 timeoutSeconds: {{ .timeoutSeconds }}
@@ -113,14 +143,18 @@ spec:
 {{- end }}
 volumeMounts:
 - mountPath: /var/lib/mysql
- name: db-volume
+ name: {{ .Values.storage.volumeName }}
 - mountPath: /tmp
 name: tmp-volume
 - mountPath: /var/run/mysqld
- name: tmp-volume
- {{- if .Values.customConfig }}
+ name: tmp-volume
 - mountPath: /etc/mysql/conf.d
- name: customConfig-volume
+ name: configs
+ - mountPath: /docker-entrypoint-initdb.d
+ name: scripts
+ {{- range $secret := .Values.extraSecrets }}
+ - name: {{ $secret.name }}
+ mountPath: {{ $secret.mountPath }}
 {{- end }}
 {{- if .Values.settings.arguments }}
 args:
@@ -128,13 +162,27 @@ spec:
 - {{ . }}
 {{- end }}
 {{- end }}
- {{- with .Values.env }}
 env:
+ {{- if .Values.settings.skipTZInfo }}
+ - name: MARIADB_INITDB_SKIP_TZINFO
+ value: "yes"
+ {{- end }}
+ {{- if .Values.settings.allowEmptyRootPassword }}
+ - name: MARIADB_ALLOW_EMPTY_ROOT_PASSWORD
+ value: "yes"
+ {{- end }}
+ {{- with .Values.env }}
 {{- toYaml . | nindent 12 }}
- {{- end }}
+ {{- end }}
 envFrom:
+ {{- if include "mariadb.createSecureConfig" . }}
 - secretRef:
 name: {{ include "mariadb.fullname" . }}
+ {{- end }}
+ {{- range .Values.extraEnvSecrets }}
+ - secretRef:
+ name: {{ . }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }} 
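Review bot: `mountPath: {{ $secret.mountPath }}` renders a valueless `mountPath:` when an `extraSecrets` entry omits the field, and the API server then rejects the StatefulSet with an error that does not name the offending entry; `mountPath: {{ required "extraSecrets[].mountPath is mandatory" $secret.mountPath }}` and `name: {{ required "extraSecrets[].name is mandatory" $secret.name }}` fail at render time with a clear message instead. Adding `readOnly: true` to these mounts documents that the files are never written by the database, even though Kubernetes already mounts Secret volumes read-only. The same `range` appears in the volumeMounts hunk of `charts/mongodb/templates/statefulset.yaml`.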
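Review bot: `env:` is now emitted unconditionally, so with both flags false and `.Values.env` empty the manifest contains a bare `env:` key (YAML null); the API accepts it, but strict schema validation may not, and wrapping the block in `{{- if or .Values.settings.skipTZInfo .Values.settings.allowEmptyRootPassword .Values.env }}` keeps the rendered output clean. `MARIADB_ALLOW_EMPTY_ROOT_PASSWORD` combined with the Secret being skipped means the root account has no password at all and the `-uroot` probes rely on that; a comment next to the flag stating that it is intended for throw-away development instances would help operators reading the template. The `envFrom` change is mirrored in `charts/mongodb/templates/statefulset.yaml`.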
@@ -150,16 +198,41 @@ spec:
 volumes:
 - name: tmp-volume
 emptyDir: {}
+ - name: configs
+ emptyDir: {}
+ - name: scripts
+ emptyDir: {}
+ - name: initscripts
+ configMap:
+ name: {{ include "mariadb.fullname" . }}-scripts
+ defaultMode: 0555
+ {{- if .Values.extraSecretConfigs }}
+ - name: extraconfigs-volume
+ secret:
+ secretName: {{ .Values.extraSecretConfigs }}
+ {{- end }}
 {{- if .Values.customConfig }}
- - name: customConfig-volume
+ - name: customconfig-volume
 configMap:
 name: {{ include "mariadb.fullname" . }}
 {{- end }}
+ {{- if .Values.extraScripts }}
+ - name: extrascripts-volume
+ configMap:
+ name: {{ .Values.extraScripts }}
+ defaultMode: 0555
+ {{- end }}
+ {{- range $secret := .Values.extraSecrets }}
+ - name: {{ $secret.name }}
+ secret:
+ secretName: {{ $secret.name }}
+ defaultMode: 0440
+ {{- end }}
 {{- $fullname := include "mariadb.fullname" . }}
 {{- with .Values.storage }}
 {{- $createPvc := and (empty .persistentVolumeClaimName) .requestedSize }}
 {{- if not $createPvc }}
- - name: db-volume
+ - name: {{ .volumeName }}
 {{- if .persistentVolumeClaimName }}
 persistentVolumeClaim:
 claimName: {{ .persistentVolumeClaimName }}
@@ -169,7 +242,7 @@ spec:
 {{- else }}
 volumeClaimTemplates:
 - metadata:
- name: db-volume
+ name: {{ .volumeName }}
 spec:
 {{- with .accessModes }}
 accessModes:
diff --git a/charts/mariadb/values.yaml b/charts/mariadb/values.yaml
index 0fee20d6838bd2cd1a03361efb240caa3e49d7bc..c14ac50e1d1191d1593d52707a646ec6f2d31547 100644
--- a/charts/mariadb/values.yaml
+++ b/charts/mariadb/values.yaml 
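Review bot: `configs` and `scripts` are plain `emptyDir: {}` volumes, yet `init.sh` copies files from the `extraconfigs-volume` Secret into `configs`, so secret material placed in a `.cnf` (TLS keys, `password=` lines) lands on the node's disk instead of the tmpfs that Secret volumes use; declaring them as `emptyDir:` with `medium: Memory` keeps the copies in RAM. `defaultMode: 0440` on the `extraSecrets` volumes is a good choice, but `extraconfigs-volume` sets no `defaultMode` and therefore gets the default 0644, so `defaultMode: 0440` there too would be consistent with the other secret mounts. The mongodb volumes hunk in this commit has the same two gaps, and there the secret-derived content is additionally concatenated into `/configs/custom.conf`.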
@@ -122,9 +122,15 @@ settings:
 # - --character-set-server=utf8mb4
 # - --collation-server=utf8mb4_unicode_ci
- ## The root user password (default: a 10 char. alpahnumerical random password will be generated)
+ ## The root user password
 rootPassword:
+ ## Set true to allow an empty root password
+ allowEmptyRootPassword: false
+
+ ## Set true to skip loading timezone data during init
+ skipTZInfo: false
+
 ## Optional user database which is created during first startup with user and password
 userDatabase: {}
 ## Name of the user database 
@@ -133,18 +139,43 @@ userDatabase: {}
 ## Database user with full access rights
 # user:
- ## Password of the database user (default: a 10 char. alpahnumerical random password will be generated)
+ ## Password of the database user
 # password:
 ## Optional custom configuration block that will be mounted as file in /etc/mysql/conf.d/custom.cnf
-customConfig: |-
+## For more flexible options see extraSecretConfigs: section
+customConfig: |
+
+## A list of existing secrets that will be mounted into the container as environment variables
+## As an alternative these secrets can set the database root password or optional user database when userDatabase: and rootPassword: were not specified
+## For example: Setting MARIADB_DATABASE, MARIADB_USER, MARIADB_PASSWORD will allow creating a user database and grant access for the given user
+extraEnvSecrets: []
+
+## An existing secret with files that will be mounted into the container as custom MariaDB configuration files (*.cnf) in /etc/mysql/conf.d
+## For more details see https://hub.docker.com/_/mariadb
+extraSecretConfigs:
+
+## An existing configMap with files that will be mounted into the container as script files (*.sql, *.sh) in /docker-entrypoint-initdb.d
+## For more details see https://hub.docker.com/_/mariadb
+extraScripts:
+
+## A list of additional existing secrets that will be mounted into the container
+## The mounted files of the secrets can be used for advanced configuration - f.e. TLS
+extraSecrets: []
+ ## Name of the existing K8s secret
+# - name:
+ ## Mount path where the secret should be mounted into the container (f.e. 
/mysecretfolder)
+# mountPath:
 ## Storage parameters
 storage:
 ## Set persistentVolumenClaimName to reference an existing PVC
 persistentVolumeClaimName:
- ## Alternative set requestedSize to define a size for a dynmaically created PVC
+ ## Internal volume name and prefix of a created PVC
+ volumeName: "db-volume"
+
+ ## Alternative set requestedSize to define a size for a dynamically created PVC
 requestedSize:
 ## the storage class name
diff --git a/charts/mongodb/Chart.yaml b/charts/mongodb/Chart.yaml
index 0734b406e527bdad4554991323bf23680a8896b7..d5267066225c02f233ba62c1080ba1844782d170 100644
--- a/charts/mongodb/Chart.yaml
+++ b/charts/mongodb/Chart.yaml
@@ -7,6 +7,6 @@ type: application
 maintainers:
 - name: groundhog2k
-version: 0.4.2
+version: 0.2.16
-appVersion: "5.0.6"
+appVersion: "4.2.18"
diff --git a/charts/mongodb/README.md b/charts/mongodb/README.md
index 2cd6428a38b099085f07ed93d63e9cf9f7897e0b..27632b46f31245ab88ec735da09e210bf2f7f2ce 100644
--- a/charts/mongodb/README.md
+++ b/charts/mongodb/README.md
@@ -1,6 +1,6 @@ # MongoDB -   +   ## Changelog
@@ -97,6 +97,7 @@ helm uninstall my-release
 |-----|------|---------|-------------|
 | storage.accessModes[0] | string | `"ReadWriteOnce"` | Storage access mode |
 | storage.persistentVolumeClaimName | string | `nil` | PVC name when existing storage volume should be used |
+| storage.volumeName | string | `"mongodb-volume"` | Internal volume name and prefix of a created PVC |
 | storage.requestedSize | string | `nil` | Size for new PVC, when no existing PVC is used |
 | storage.className | string | `nil` | Storage class name | 
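Review bot: The `customConfig` comment keeps `/etc/mysql/conf.d/custom.cnf` while the README row added in this commit says `/etc/mysql/custom.cnf`; the statefulset mounts the `configs` volume at `/etc/mysql/conf.d` and `init.sh` copies `custom.cnf` into it, so the values comment is the accurate one and the README should be aligned to it. The `extraEnvSecrets` comment could also state the precedence that the templates imply: when `settings.rootPassword` or `userDatabase` is set the chart's own Secret is referenced first and an `extraEnvSecrets` entry that defines the same variable wins because it is listed later in `envFrom` — worth confirming against the Kubernetes envFrom ordering before writing it down. This hunk's enclosing `userDatabase:` section starts before the hunk.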
@@ -104,10 +105,16 @@ helm uninstall my-release
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| customConfig | string | `nil` | Custom MongoDB configuration block that will be mounted as file in /etc/mongo/custom.conf |
 | settings.rootUsername | string | `admin` | The root username |
 | settings.rootPassword | string | `{}` | The root users password (Random value if not specified) |
 | userDatabase | object | `{}` | Optional MongoDB user database |
 | userDatabase.name | string | `nil` | Name of the user database |
 | userDatabase.user | string | `nil` | User name with full access to user database|
 | userDatabase.password | string | `nil` | Password of created user (Random value if not specified) |
+| customConfig | string | `nil` | Custom MongoDB configuration block that will be mounted as file in `/etc/mongo/custom.conf` |
+| extraEnvSecrets | list | `[]` | A list of existing secrets that will be mounted into the container as environment variables |
+| extraSecretConfigs | string | `nil` | An existing secret with files that will be added to the mongodb configuration in addition to `/etc/mongo/custom.conf` |
+| extraScripts | string | `nil` | An existing configMap with files that will be mounted into the container as script files (`*.js`, `*.sh`) in `/docker-entrypoint-initdb.d` |
+| extraSecrets | list | `[]` | A list of additional existing secrets that will be mounted into the container |
+| extraSecrets[].name | string | `nil` | Name of the existing K8s secret |
+| extraSecrets[].mountPath | string | `nil` | Mount path where the secret should be mounted into the container (f.e. /mysecretfolder) |
diff --git a/charts/mongodb/RELEASENOTES.md b/charts/mongodb/RELEASENOTES.md
index 5f482b02095345591fab1fbe992ce848041aa718..1b9a813e6c86c9992b7effcd56ba533ed228733d 100644
--- a/charts/mongodb/RELEASENOTES.md
+++ b/charts/mongodb/RELEASENOTES.md 
@@ -4,6 +4,7 @@
 | :------------ | :---------- | :----------------- |
 | 0.2.14 | 4.2.14 | Implemented startupProbe support |
 | 0.2.15 | 4.2.18 | Upgraded to MongoDB 4.2.18 |
+| 0.2.16 | 4.2.18 | Implemented support for extra secrets and advanced configuration capabilites |
 | 0.3.8 | 4.4.11 | Implemented startupProbe support |
 | 0.3.9 | 4.4.12 | Upgraded to MongoDB 4.4.12 |
 | 0.4.1 | 5.0.5 | Implemented startupProbe support |
diff --git a/charts/mongodb/templates/_helpers.tpl b/charts/mongodb/templates/_helpers.tpl
index 6b1b8c179763f0e33d880061629ea85c973f9e1f..036938151a1df305d1aa793d48cd38530a9ee3bb 100644
--- a/charts/mongodb/templates/_helpers.tpl
+++ b/charts/mongodb/templates/_helpers.tpl
@@ -60,3 +60,12 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Generate secret with configuration
+*/}}
+{{- define "mongodb.createSecureConfig" -}}
+ {{- if or (or (.Values.settings.rootPassword) (.Values.settings.rootUsername)) (.Values.userDatabase) }}
+true
+ {{- end }}
+{{- end }}
diff --git a/charts/mongodb/templates/customconfig.yaml b/charts/mongodb/templates/customconfig.yaml
index 4dce5ceb6c853d0fe077b28483a6466c2c665ed6..4c87cb2bf035077d65013ffdc1920b556545e291 100644
--- a/charts/mongodb/templates/customconfig.yaml
+++ b/charts/mongodb/templates/customconfig.yaml
@@ -6,6 +6,6 @@ metadata:
 labels:
 {{- include "mongodb.labels" . | nindent 4 }}
 data:
- custom.conf: |-
+ custom.conf: |
 {{- .Values.customConfig | nindent 4 }}
 {{- end }}
diff --git a/charts/mongodb/templates/inituserdb.yaml b/charts/mongodb/templates/inituserdb.yaml
deleted file mode 100644
index 8f8d13c0127870baec697ede59ab9d2735e85db1..0000000000000000000000000000000000000000
--- a/charts/mongodb/templates/inituserdb.yaml
+++ /dev/null 
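Review bot: `or (or (.Values.settings.rootPassword) (.Values.settings.rootUsername)) (.Values.userDatabase)` nests a two-argument `or` although the Go template `or` is variadic; `{{- if or .Values.settings.rootPassword .Values.settings.rootUsername .Values.userDatabase }}` evaluates identically and drops the redundant parentheses. Since `rootUsername` now defaults to empty in this commit's `values.yaml`, this helper is what decides whether a default install gets a Secret at all, so the comment above the define should say that all three inputs are optional and that an empty result means no `MONGO_INITDB_ROOT_*` variables are injected.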
@@ -1,14 +0,0 @@
-{{- if and .Values.userDatabase }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "mongodb.fullname" . }}-inituserdb
- labels:
- {{- include "mongodb.labels" . | nindent 4 }}
-data:
- init-user-db.sh: |-
- mongo -u $MONGO_INITDB_ROOT_USERNAME -p $MONGO_INITDB_ROOT_PASSWORD <<EOF
- var userdb = db.getSiblingDB('$MONGO_INITDB_DATABASE');
- userdb.createUser({user: '$USERDB_USER', pwd: '$USERDB_PASSWORD', roles: [ "readWrite", "dbAdmin" ]});
- EOF
-{{- end }}
diff --git a/charts/mongodb/templates/scripts.yaml b/charts/mongodb/templates/scripts.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..db04c5af645cdaa69036b69f1ef43b98f2788c1e
--- /dev/null
+++ b/charts/mongodb/templates/scripts.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "mongodb.fullname" . }}-scripts
+ labels:
+ {{- include "mongodb.labels" . | nindent 4 }}
+data:
+ 01-init-userdb.sh: |-
+ #!/bin/sh
+ create_user()
+ {
+ mongo -u $MONGO_INITDB_ROOT_USERNAME -p $MONGO_INITDB_ROOT_PASSWORD <<EOF
+ var userdb = db.getSiblingDB('$MONGO_INITDB_DATABASE');
+ userdb.createUser({user: '$USERDB_USER', pwd: '$USERDB_PASSWORD', roles: [ "readWrite", "dbAdmin" ]});
+ EOF
+ }
+ set -e
+ if [ ! -z "$MONGO_INITDB_ROOT_USERNAME" ] && [ ! -z "$MONGO_INITDB_ROOT_PASSWORD" ] && [ ! -z "$MONGO_INITDB_DATABASE" ] && [ ! -z "$USERDB_USER" ] && [ ! -z "$USERDB_PASSWORD" ]; then
+ create_user
+ fi
+ init.sh: |
+ #!/bin/sh
+ echo "Start initialization"
+ echo "Copy init-userdb script"
+ cp /initscripts/01-init-userdb.sh /scripts
+ if [ -d /extrascripts ]; then
+ echo "Copy extra scripts"
+ cp /extrascripts/* /scripts
+ fi
+ if [ -d /customconfig ]; then
+ echo "Create custom mongodb config"
+ cat /customconfig/* >>/configs/custom.conf
+ fi
+ if [ -d /extraconfigs ]; then
+ echo "Add extra configs to custom mongodb config"
+ cat /extraconfigs/* >>/configs/custom.conf
+ fi
+ echo "Initialization done." 
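Review bot: In `01-init-userdb.sh` the root credentials are expanded unquoted on the `mongo -u … -p …` command line and `$USERDB_USER`/`$USERDB_PASSWORD` are spliced unescaped into the JavaScript string literals of the heredoc, so a password containing a space, a `'` or a `$` either breaks user creation or changes the JavaScript that runs as root; quoting the shell arguments fixes the first case, and the second deserves at least a comment documenting the character restriction until the values are passed in a way that is not interpolated into code. When `USERDB_*` are set but the root credentials are not (the new default leaves `rootUsername` empty), the `if` silently skips `create_user` and the script exits 0, so the requested user is never created and nothing is logged; an `elif` that reports the incomplete configuration and exits non-zero surfaces that at first start. The `set -e` after the function definition only guards the `if`, which is fine, but moving it to the top makes the intent obvious. The JavaScript body is unchanged from the deleted `inituserdb.yaml`.
```shell
create_user()
{
  mongo -u "$MONGO_INITDB_ROOT_USERNAME" -p "$MONGO_INITDB_ROOT_PASSWORD" <<EOF
  var userdb = db.getSiblingDB('$MONGO_INITDB_DATABASE');
  userdb.createUser({user: '$USERDB_USER', pwd: '$USERDB_PASSWORD', roles: [ "readWrite", "dbAdmin" ]});
EOF
}
set -e
if [ -n "$MONGO_INITDB_ROOT_USERNAME" ] && [ -n "$MONGO_INITDB_ROOT_PASSWORD" ] && [ -n "$MONGO_INITDB_DATABASE" ] && [ -n "$USERDB_USER" ] && [ -n "$USERDB_PASSWORD" ]; then
  create_user
elif [ -n "$USERDB_USER" ] || [ -n "$MONGO_INITDB_DATABASE" ]; then
  echo "User database requested but root credentials, database name, user or password are missing; not creating user" >&2
  exit 1
fi
```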
diff --git a/charts/mongodb/templates/secureconfig.yaml b/charts/mongodb/templates/secureconfig.yaml
index 65d820cd01b4c16ce78924aa49443ff145fec547..dccba7eef839e033f16dc527066d7239d4815def 100644
--- a/charts/mongodb/templates/secureconfig.yaml
+++ b/charts/mongodb/templates/secureconfig.yaml
@@ -1,16 +1,4 @@
-{{- $existingRootPassword := "" }}
-{{- $existingRootUser := "" }}
-{{- $existingUserDbName := "" }}
-{{- $existingUserDbUser := "" }}
-{{- $existingUserDbPassword := "" }}
-{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "mongodb.fullname" .) ) }}
-{{- if $secret }}
-{{- $existingRootPassword = index $secret.data "MONGO_INITDB_ROOT_PASSWORD" }}
-{{- $existingRootUser = index $secret.data "MONGO_INITDB_ROOT_USERNAME" }}
-{{- $existingUserDbName = index $secret.data "MONGO_INITDB_DATABASE" }}
-{{- $existingUserDbUser = index $secret.data "USERDB_USER" }}
-{{- $existingUserDbPassword = index $secret.data "USERDB_PASSWORD" }}
-{{- end -}}
+{{- if include "mongodb.createSecureConfig" . }}
 apiVersion: v1
 kind: Secret
 metadata: 
@@ -20,14 +8,18 @@ metadata:
 {{- include "mongodb.labels" . | nindent 4 }}
 type: Opaque
 data:
 {{- with .Values.userDatabase }}
- {{- $userDbName := coalesce (.name | default "" | b64enc) $existingUserDbName }}
- {{- $userDbUser := coalesce (.user | default "" | b64enc) $existingUserDbUser }}
- MONGO_INITDB_DATABASE: {{ required "Values: userDatabase.name is mandatory if userDatabase is specified." $userDbName }}
- USERDB_USER: {{ required "Values: userDatabase.user is mandatory if userDatabase is specified." $userDbUser }}
- USERDB_PASSWORD: {{ coalesce (.password | default "" | b64enc) $existingUserDbPassword (randAlphaNum 10 | b64enc) }}
+ MONGO_INITDB_DATABASE: {{ required "Values: userDatabase.name is mandatory if userDatabase is specified." .name | b64enc }}
+ {{- if .user }}
+ USERDB_USER: {{ .user | b64enc }}
+ USERDB_PASSWORD: {{ required "Values: userDatabase.password is mandatory if userDatabase.user is specified." .password | b64enc }}
+ {{- end }}
 {{- end }}
 {{- with .Values.settings }}
- {{- $rootUser := coalesce (.rootUsername | default "" | b64enc) $existingRootUser }}
- MONGO_INITDB_ROOT_USERNAME: {{ required "Values: settings.rootUsername is mandatory." $rootUser }}
- MONGO_INITDB_ROOT_PASSWORD: {{ coalesce (.rootPassword | default "" | b64enc) $existingRootPassword (randAlphaNum 10 | b64enc) }}
+ {{- if .rootUsername }}
+ MONGO_INITDB_ROOT_USERNAME: {{ .rootUsername | b64enc }}
+ {{- end }}
+ {{- if .rootPassword }}
+ MONGO_INITDB_ROOT_PASSWORD: {{ .rootPassword | b64enc }}
+ {{- end }}
+{{- end }}
 {{- end }}
diff --git a/charts/mongodb/templates/statefulset.yaml b/charts/mongodb/templates/statefulset.yaml
index 7f520613b4be322ea3cb58a5347c7ad865c81c3c..dcb4cb37fad272ce4b7894ba57a4cc4cca1eac28 100644
--- a/charts/mongodb/templates/statefulset.yaml
+++ b/charts/mongodb/templates/statefulset.yaml 
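Review bot: The new column-0 `{{- end }}` closes `{{- with .Values.settings }}`, while the pre-existing `{{- end }}` beneath it — the one that used to close that same `with` — now closes the top-level `{{- if include "mongodb.createSecureConfig" . }}`, the reverse of what the layout suggests; putting the added line last at column 0 and letting the inner `{{- end }}` follow the `if .rootPassword` block (the order the mariadb counterpart in this commit uses) keeps the nesting readable with identical output, since the `-` trims remove the whitespace anyway. `rootUsername` and `rootPassword` are now emitted independently, so a Secret with only one of the two is possible; a comment stating that the mongo image needs both to enable access control (to be confirmed against the image docs, not visible here) would explain why the helper treats either as sufficient.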
@@ -20,6 +20,8 @@ spec:
 metadata:
 annotations:
 checksum/customconfig: {{ include (print $.Template.BasePath "/customconfig.yaml") . | sha256sum }}
+ checksum/secureconfig: {{ include (print $.Template.BasePath "/secureconfig.yaml") . | sha256sum }}
+ checksum/scripts: {{ include (print $.Template.BasePath "/scripts.yaml") . | sha256sum }}
 {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -35,6 +37,34 @@ spec:
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ initContainers:
+ - name: {{ .Chart.Name }}-init
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ volumeMounts:
+ {{- if .Values.extraScripts }}
+ - mountPath: /extrascripts
+ name: extrascripts-volume
+ {{- end }}
+ {{- if .Values.extraSecretConfigs }}
+ - mountPath: /extraconfigs
+ name: extraconfigs-volume
+ {{- end }}
+ {{- if .Values.customConfig }}
+ - mountPath: /customconfig
+ name: customconfig-volume
+ {{- end }}
+ - mountPath: /initscripts
+ name: initscripts
+ - mountPath: /scripts
+ name: scripts
+ - mountPath: /configs
+ name: configs
+ command: [ "/initscripts/init.sh" ]
 containers:
 - name: {{ .Chart.Name }}
 {{- with .Values.securityContext }}
@@ -112,8 +142,14 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 envFrom:
+ {{- if include "mongodb.createSecureConfig" . }}
 - secretRef:
 name: {{ include "mongodb.fullname" . }}
+ {{- end }}
+ {{- range .Values.extraEnvSecrets }}
+ - secretRef:
+ name: {{ . }}
+ {{- end }}
 {{- with .Values.env }}
 env:
 {{- toYaml . | nindent 12 }} 
@@ -129,17 +165,15 @@ spec:
 volumeMounts:
 - name: tmp
 mountPath: /tmp
- - name: mongodb-volume
+ - name: {{ .Values.storage.volumeName }}
 mountPath: /data/db
- {{- if .Values.customConfig }}
- - mountPath: /etc/mongo/custom.conf
- subPath: custom.conf
- name: customconfig
- {{- end }}
- {{- if .Values.userDatabase }}
- - mountPath: /docker-entrypoint-initdb.d/init-user-db.sh
- subPath: init-user-db.sh
- name: inituserdb
+ - mountPath: /docker-entrypoint-initdb.d
+ name: scripts
+ - mountPath: /etc/mongo
+ name: configs
+ {{- range $secret := .Values.extraSecrets }}
+ - name: {{ $secret.name }}
+ mountPath: {{ $secret.mountPath }}
 {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector: 
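Review bot: The whole `configs` emptyDir is now mounted over `/etc/mongo` (previously only `custom.conf` via `subPath`), so anything the image ships under `/etc/mongo` is hidden, and when neither `customConfig` nor `extraSecretConfigs` is set `init.sh` in this commit never creates `custom.conf` (it only appends), leaving `/etc/mongo` empty; an `args` entry such as `--config /etc/mongo/custom.conf` would then fail on a default install — inferred, as the container args are outside this hunk. Creating the file unconditionally in `init.sh` (`touch /configs/custom.conf` before the copy steps) or keeping the `subPath` mount makes the documented path reliable. The `extraSecrets` mount lines have the same missing `required` checks raised on the mariadb statefulset.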
@@ -156,40 +190,61 @@ spec:
 volumes:
 - name: tmp
 emptyDir: {}
+ - name: scripts
+ emptyDir: {}
+ - name: configs
+ emptyDir: {}
+ - name: initscripts
+ configMap:
+ name: {{ include "mongodb.fullname" . }}-scripts
+ defaultMode: 0555
+ {{- if .Values.extraScripts }}
+ - name: extrascripts-volume
+ configMap:
+ name: {{ .Values.extraScripts }}
+ defaultMode: 0555
+ {{- end }}
+ {{- if .Values.extraSecretConfigs }}
+ - name: extraconfigs-volume
+ secret:
+ secretName: {{ .Values.extraSecretConfigs }}
+ {{- end }}
 {{- if .Values.customConfig }}
- - name: customconfig
+ - name: customconfig-volume
 configMap:
 name: {{ include "mongodb.fullname" . }}-customconfig
 {{- end }}
- {{- if .Values.userDatabase }}
- - name: inituserdb
- configMap:
- name: {{ include "mongodb.fullname" . }}-inituserdb
- defaultMode: 0550
+ {{- range $secret := .Values.extraSecrets }}
+ - name: {{ $secret.name }}
+ secret:
+ secretName: {{ $secret.name }}
+ defaultMode: 0440
 {{- end }}
- {{- if .Values.storage.persistentVolumeClaimName }}
- - name: mongodb-volume
+{{- with .Values.storage }}
+ {{- $createPvc := and (empty .persistentVolumeClaimName) .requestedSize }}
+ {{- if not $createPvc }}
+ - name: {{ .volumeName }}
+ {{- if .persistentVolumeClaimName }}
 persistentVolumeClaim:
- claimName: {{ .Values.storage.persistentVolumeClaimName }}
- {{- else }}
- {{- if not .Values.storage.requestedSize }}
- - name: mongodb-volume
+ claimName: {{ .persistentVolumeClaimName }}
+ {{- else }}
 emptyDir: {}
+ {{- end }}
 {{- else }}
 volumeClaimTemplates:
 - metadata:
- name: mongodb-volume
+ name: {{ .volumeName }}
 spec:
- {{- with .Values.storage.accessModes }}
+ {{- with .accessModes }}
 accessModes:
 {{- toYaml . 
| nindent 10 }}
 {{- end }}
- {{- if .Values.storage.className }}
- storageClassName: {{ .Values.storage.className }}
+ {{- if .className }}
+ storageClassName: {{ .className }}
 {{- end }}
 resources:
 requests:
- storage: {{ .Values.storage.requestedSize }}
- {{- end }}
+ storage: {{ .requestedSize }}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/mongodb/values.yaml b/charts/mongodb/values.yaml
index e3127f03e1e82306e66d3866e64b72e76635b40c..c4c0da9611e1b7ccb4f2688c7aef6caa3d23d212 100644
--- a/charts/mongodb/values.yaml
+++ b/charts/mongodb/values.yaml
@@ -119,9 +119,9 @@ args: []
 env: []
 settings:
- ## The root username (default: admin)
- rootUsername: "admin"
- ## The root user password (default: a 10 char. alpahnumerical random password will be generated)
+ ## The root username
+ rootUsername:
+ ## The root user password
 rootPassword:
 ## Optional user database which is created during first startup with user and password 
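Review bot: The file now ends without a trailing newline on the added closing `{{- end }}` (`\ No newline at end of file`); adding the final newline keeps the next change to that line from showing up as a two-line diff. The new `{{- with .Values.storage }}` sits at column 0 while both branches it wraps are indented, which hides that a single `with` now spans the `volumes:` entry and the sibling `volumeClaimTemplates:` key; a comment above it, `{{/* storage: existing PVC, volatile emptyDir, or a generated volumeClaimTemplate, chosen from persistentVolumeClaimName/requestedSize */}}`, makes that structure visible. The `emptyDir`/`defaultMode` points raised on the mariadb volumes hunk apply here unchanged.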
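Review bot: Changing the `rootUsername` default from `"admin"` to empty means a default install renders no Secret at all (`mongodb.createSecureConfig` needs a username, a password or a user database), so unless `extraEnvSecrets` supplies the `MONGO_INITDB_ROOT_*` variables the mongo image starts without access control — inferred from the image's documented behaviour, which is not visible here; either keeping `"admin"` as the default or stating the consequence in the comment, `## The root username (when rootUsername and rootPassword are both empty no root user is created and authentication stays disabled)`, avoids an unintentionally open database. The README table in this commit still lists `settings.rootUsername` with default `admin` and describes `settings.rootPassword` and `userDatabase.password` as "Random value if not specified" although the generation was removed from `secureconfig.yaml`; those rows should be updated as the mariadb README rows were.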
@@ -132,20 +132,44 @@ userDatabase: {} ## Database user with full access rights # user: - ## Password of the database user (default: a 10 char. alpahnumerical random password will be generated) + ## Password of the database user # password: -## Custom configuration (use instead of command args) +## Custom configuration that will be created as file in /etc/mongo/custom.conf (use instead of command args) +## For more flexible options see extraSecretConfigs: section customConfig: | +## A list of existing secrets that will be mounted into the container as environment variables +## As an alternative these secrets can set the database root user and password or other options when settings.rootUsername and settings.rootPassword was not specified +## For example: Setting MONGO_INITDB_DATABASE, USERDB_USER, USERDB_PASSWORD will allow creating a user database and grant access for the given user +extraEnvSecrets: [] + +## An existing secret with files that will be added to the mongodb configuration in addition to /etc/mongo/custom.conf +extraSecretConfigs: + +## An existing configMap with files that will be mounted into the container as script files (*.sql, *.sh) in /docker-entrypoint-initdb.d +## For more details see https://hub.docker.com/_/mongo +extraScripts: + +## A list of additional existing secrets that will be mounted into the container +## The mounted files of the secrets can be used for advanced configuration - f.e. TLS +extraSecrets: [] + ## Name of the existing K8s secret +# - name: + ## Mount path where the secret should be mounted into the container (f.e. 
/mysecretfolder) +# mountPath: + # Storage parameters # When a persistentVolumenClaimName is configured the requestedSize and accessModes will be ignored and the existing PVC based on the name will be used # otherwise a dynamic persistent volume will be created with PVC name of this chart and the configured requestedSize and accessModes -# If both parameters are missing a volatile emtpyDir volume will be used as RabbitMQ storage +# If both parameters are missing a volatile emtpyDir volume will be used as storage storage: ## Set persistentVolumenClaimName to reference an existing PVC persistentVolumeClaimName: + ## Internal volume name and prefix of a created PVC + volumeName: "mongodb-volume" + ## Alternative set requestedSize to define a size for a dynamically created PVC requestedSize: diff --git a/charts/postgres/Chart.yaml b/charts/postgres/Chart.yaml index a478c4e8a1bfccb643bc560edf998643746c7027..c2cc4ab3454fff52cdf393ef8aba8400d7a3eca1 100644 --- a/charts/postgres/Chart.yaml +++ b/charts/postgres/Chart.yaml @@ -7,6 +7,6 @@ type: application maintainers: - name: groundhog2k -version: 0.3.5 +version: 0.2.17 -appVersion: "14.1" +appVersion: "13.5" diff --git a/charts/postgres/README.md b/charts/postgres/README.md index f2e316cea2ce5f856890f15501af999872211dda..6aa311ac2ec8eda6a23e82038b7453e44e8a57b1 100644 --- a/charts/postgres/README.md +++ b/charts/postgres/README.md @@ -1,6 +1,6 @@ # PostgreSQL -   +   ## Changelog 
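Review bot: The comment on `extraScripts` describes the mounted files as `*.sql, *.sh` script files, which reads as copied from the postgres/mariadb charts; as far as I know the mongo image's `/docker-entrypoint-initdb.d` executes `*.sh` and `*.js` files and ignores `.sql`. I'd change it to `## An existing configMap with files that will be mounted into the container as script files (*.js, *.sh) in /docker-entrypoint-initdb.d`. The `extraEnvSecrets` comment on the same hunk also has a grammar slip, `was not specified` → `were not specified`.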
@@ -101,18 +101,25 @@ helm uninstall my-release |-----|------|---------|-------------| | storage.accessModes[0] | string | `"ReadWriteOnce"` | Storage access mode | | storage.persistentVolumeClaimName | string | `nil` | PVC name when existing storage volume should be used | +| storage.volumeName | string | `"postgres-data"` | Internal volume name and prefix of a created PVC | | storage.requestedSize | string | `nil` | Size for new PVC, when no existing PVC is used | | storage.className | string | `nil` | Storage class name | - ## PostgreSQL parameters | Key | Type | Default | Description | |-----|------|---------|-------------| -| customConfig | string | `nil` | Optional custom configuration block that will be mounted as file in /etc/postgresql/postgresql.conf | -| settings.authMethod | string | `"md5"` | Postgres database authentication method | +| settings.authMethod | string | `nil` | Postgres database authentication method | | settings.initDbArgs | string | `nil` | Optional init database arguments | -| settings.superuserPassword | string | `nil` | Password of superuser (Random value if not specified) | +| settings.superuser | string | `nil` | Superuser name | +| settings.superuserPassword | string | `nil` | Password of superuser | | userDatabase | object | `{}` | Optional PostgreSQL user database | | userDatabase.name | string | `nil` | Name of the user database | | userDatabase.user | string | `nil` | User name with full access to user database| -| userDatabase.password | string | `nil` | Password of created user (Random value if not specified) | +| userDatabase.password | string | `nil` | Password of created user | +| customConfig | string | `nil` | Optional custom configuration block that will be mounted as file in `/etc/postgresql/postgresql.conf` | +| extraEnvSecrets | list | `[]` | A list of existing secrets that will be mounted into the container as environment variables | +| extraSecretConfigs | string | `nil` | An existing secret with files that will 
be added to the postgres configuration in addition to `/etc/postgresql/postgresql.conf` | +| extraScripts | string | `nil` | An existing configMap with files that will be mounted into the container as script files (`*.sql`, `*.sh`) in `/docker-entrypoint-initdb.d` | +| extraSecrets | list | `[]` | A list of additional existing secrets that will be mounted into the container | +| extraSecrets[].name | string | `nil` | Name of the existing K8s secret | +| extraSecrets[].mountPath | string | `nil` | Mount path where the secret should be mounted into the container (f.e. /mysecretfolder) | diff --git a/charts/postgres/RELEASENOTES.md b/charts/postgres/RELEASENOTES.md index 85afd8f2f821fc2e53e9caa17d9752ee58113ed2..e02dfa63f8246e775c34a9b595bd97e1ccd4f5b1 100644 --- a/charts/postgres/RELEASENOTES.md +++ b/charts/postgres/RELEASENOTES.md @@ -3,6 +3,7 @@ | Chart version | App version | Change description | | :------------ | :---------- | :----------------- | | 0.2.16 | 13.5 | Fixes bug with wrong mounted customConfig #811 | +| 0.2.17 | 13.5 | Implemented support for extra secrets and advanced configuration capabilites | | 0.3.4 | 14.1 | Fixes bug with wrong mounted customConfig #811 | | 0.3.5 | 14.1 | Updated readme and release notes | | | | | diff --git a/charts/postgres/templates/_helpers.tpl b/charts/postgres/templates/_helpers.tpl index d0bfd03696835dc25c6a2276a9786b2132afd9d9..95ede84ef26964fddd340a2247376d8d473e52bf 100644 --- a/charts/postgres/templates/_helpers.tpl +++ b/charts/postgres/templates/_helpers.tpl @@ -60,3 +60,12 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* +Generate secret with configuration +*/}} +{{- define "postgres.createSecureConfig" -}} + {{- if or (or (.Values.settings.superuserPassword) (.Values.settings.superuser)) (.Values.userDatabase) }} +true + {{- end }} +{{- end }} 
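Review bot: `postgres.createSecureConfig` nests two `or` calls, `{{- if or (or (.Values.settings.superuserPassword) (.Values.settings.superuser)) (.Values.userDatabase) }}`, but Go-template `or` is variadic, so `{{- if or .Values.settings.superuserPassword .Values.settings.superuser .Values.userDatabase }}` is equivalent and easier to extend. The helper's "false" case is empty output rather than the string `false`, which callers must know to use it in `if`; a comment stating that would help, e.g. `Renders "true" when the chart must create its own Secret (superuser, superuserPassword or userDatabase set); renders nothing otherwise, so callers test it with if/include.`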
diff --git a/charts/postgres/templates/customconfig.yaml b/charts/postgres/templates/customconfig.yaml index 105328f2f01f02c507dd243530d796f2338137d8..0a7a209b5cb75b822832287deb155011268c1434 100644 --- a/charts/postgres/templates/customconfig.yaml +++ b/charts/postgres/templates/customconfig.yaml @@ -6,6 +6,6 @@ metadata: labels: {{- include "postgres.labels" . | nindent 4 }} data: - postgresql.conf: |- + postgresql.conf: | {{- .Values.customConfig | nindent 4 }} {{- end }} diff --git a/charts/postgres/templates/inituserdb.yaml b/charts/postgres/templates/inituserdb.yaml deleted file mode 100644 index eabd0c64da87467d10a272da77517f80becbab50..0000000000000000000000000000000000000000 --- a/charts/postgres/templates/inituserdb.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.userDatabase }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "postgres.fullname" . }}-inituserdb - labels: - {{- include "postgres.labels" . | nindent 4 }} -data: -{{- with .Values.userDatabase }} - init-user-db.sh: |- - #!/bin/bash - set -e - psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" -v USERDBNAME="$USERDB_NAME" -v USERDBUSER="$USERDB_USER" -v USERDBPASSWORD="'$USERDB_PASSWORD'" <<-EOSQL - CREATE USER :USERDBUSER WITH PASSWORD :USERDBPASSWORD; - CREATE DATABASE :USERDBNAME; - GRANT ALL PRIVILEGES ON DATABASE :USERDBNAME TO :USERDBUSER; - EOSQL -{{- end }} -{{- end }} diff --git a/charts/postgres/templates/scripts.yaml b/charts/postgres/templates/scripts.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f266349f7b23ebc7896409bcdeef0c5a01cd6e02 --- /dev/null +++ b/charts/postgres/templates/scripts.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "postgres.fullname" . }}-scripts + labels: + {{- include "postgres.labels" . | nindent 4 }} +data: + 01-init-userdb.sh: | + #!/bin/sh + create_user() + { + psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" -v USERDBNAME="$POSTGRES_DB" -v USERDBUSER="$USERDB_USER" -v USERDBPASSWORD="'$USERDB_PASSWORD'" <<-EOSQL + CREATE USER :USERDBUSER WITH PASSWORD :USERDBPASSWORD; + GRANT ALL PRIVILEGES ON DATABASE :USERDBNAME TO :USERDBUSER; + EOSQL + } + set -e + if [ ! -z "$POSTGRES_DB" ] && [ ! -z "$USERDB_USER" ] && [ ! -z "$USERDB_PASSWORD" ]; then + create_user + fi + init.sh: | + #!/bin/sh + echo "Start initialization" + echo "Copy init-userdb script" + cp /initscripts/01-init-userdb.sh /scripts + if [ -d /extrascripts ]; then + echo "Copy extra scripts" + cp /extrascripts/* /scripts + fi + if [ -d /customconfig ]; then + echo "Create postgres config" + cat /customconfig/* >>/configs/postgresql.conf + fi + if [ -d /extraconfigs ]; then + echo "Add extra configs to postgres config" + cat /extraconfigs/* >>/configs/postgresql.conf + fi + echo "Initialization done." diff --git a/charts/postgres/templates/secureconfig.yaml b/charts/postgres/templates/secureconfig.yaml index 895b90e0b11d938e27b0d0e1b1fb069f7ee8e078..8c3f5bf33daba46aa7856817d84d061652e6fe46 100644 --- a/charts/postgres/templates/secureconfig.yaml +++ b/charts/postgres/templates/secureconfig.yaml 
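Review bot: In `01-init-userdb.sh` the password is quoted by hand, `-v USERDBPASSWORD="'$USERDB_PASSWORD'"`, and the user and database names are substituted as bare identifiers (`:USERDBUSER`, `:USERDBNAME`), so a password containing a single quote breaks the statement and makes the rest of an operator-supplied Secret value part of the SQL text, while a name with a hyphen or uppercase letters is not a valid bare identifier. psql has quoting forms for exactly this: pass `-v USERDBPASSWORD="$USERDB_PASSWORD"` and write `CREATE USER :"USERDBUSER" WITH PASSWORD :'USERDBPASSWORD';` and `GRANT ALL PRIVILEGES ON DATABASE :"USERDBNAME" TO :"USERDBUSER";`. Separately, `init.sh` has no `set -e`, so a failing `cp` or `cat` (for instance an empty `extraScripts` configMap, where `/extrascripts/*` does not expand) still lets the init container exit 0 and the database start with an incomplete config; I'd add `set -e` after the shebang and guard the globs.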
@@ -1,14 +1,4 @@ -{{- $existingSuperuserPassword := "" }} -{{- $existingUserDbName := "" }} -{{- $existingUserDbUser := "" }} -{{- $existingUserDbPassword := "" }} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "postgres.fullname" .) ) }} -{{- if $secret }} -{{- $existingSuperuserPassword = index $secret.data "POSTGRES_PASSWORD" }} -{{- $existingUserDbName = index $secret.data "USERDB_NAME" }} -{{- $existingUserDbUser = index $secret.data "USERDB_USER" }} -{{- $existingUserDbPassword = index $secret.data "USERDB_PASSWORD" }} -{{- end -}} +{{- if include "postgres.createSecureConfig" . }} apiVersion: v1 kind: Secret metadata: @@ -18,13 +8,18 @@ metadata: type: Opaque data: {{- with .Values.settings }} - POSTGRES_PASSWORD: {{ coalesce (.superuserPassword | default "" | b64enc) $existingSuperuserPassword (randAlphaNum 10 | b64enc) }} - POSTGRES_USER: {{ "postgres" | b64enc }} + {{- if .superuser }} + POSTGRES_USER: {{ .superuser | b64enc }} + {{- end }} + {{- if .superuserPassword }} + POSTGRES_PASSWORD: {{ .superuserPassword | b64enc }} + {{- end }} {{- end }} {{- with .Values.userDatabase }} - {{- $userDbName := coalesce (.name | default "" | b64enc) $existingUserDbName }} - {{- $userDbUser := coalesce (.user | default "" | b64enc) $existingUserDbUser }} - USERDB_NAME: {{ required "Values: userDatabase.name is mandatory if userDatabase is specified." $userDbName }} - USERDB_USER: {{ required "Values: userDatabase.user is mandatory if userDatabase is specified." $userDbUser }} - USERDB_PASSWORD: {{ coalesce (.password | default "" | b64enc) $existingUserDbPassword (randAlphaNum 10 | b64enc) }} + POSTGRES_DB: {{ required "Values: userDatabase.name is mandatory if userDatabase is specified." .name | b64enc }} + {{- if .user }} + USERDB_USER: {{ .user | b64enc }} + USERDB_PASSWORD: {{ required "Values: userDatabase.password is mandatory if userDatabase.user is specified." .password | b64enc }} + {{- end }} +{{- end }} {{- end }} 
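Review bot: The second hunk removes both the `lookup` of the existing Secret and the `randAlphaNum 10` fallback, so an installed release that relied on a generated `POSTGRES_PASSWORD` will, on upgrade with unchanged values, either have `postgres.createSecureConfig` evaluate empty and the Secret deleted from the release, or have the Secret re-rendered without the `POSTGRES_PASSWORD` key; in both cases the only copy of that password is gone while the data directory still expects it. Nothing in the hunk fails the render in that situation; I'd add a guard such as `{{- if and (not .Values.settings.superuserPassword) (not .Values.extraEnvSecrets) }}{{ fail "settings.superuserPassword or an extraEnvSecrets entry providing POSTGRES_PASSWORD is required" }}{{- end }}`, and at minimum a RELEASENOTES entry telling operators to copy the generated password into values before upgrading. Whether an already-initialised cluster still starts without `POSTGRES_PASSWORD` depends on the image entrypoint, which is not visible here.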
diff --git a/charts/postgres/templates/statefulset.yaml b/charts/postgres/templates/statefulset.yaml index 4b54ea18ade9e03f0f2ac9d7a97e9571de01f492..16ce700a960d47675fc9678a9d1033717f697b3e 100644 --- a/charts/postgres/templates/statefulset.yaml +++ b/charts/postgres/templates/statefulset.yaml @@ -20,6 +20,8 @@ spec: metadata: annotations: checksum/customconfig: {{ include (print $.Template.BasePath "/customconfig.yaml") . | sha256sum }} + checksum/secureconfig: {{ include (print $.Template.BasePath "/secureconfig.yaml") . | sha256sum }} + checksum/scripts: {{ include (print $.Template.BasePath "/scripts.yaml") . | sha256sum }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -35,6 +37,34 @@ spec: securityContext: {{- toYaml . | nindent 8 }} {{- end }} + initContainers: + - name: {{ .Chart.Name }}-init + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + {{- if .Values.extraScripts }} + - mountPath: /extrascripts + name: extrascripts-volume + {{- end }} + {{- if .Values.extraSecretConfigs }} + - mountPath: /extraconfigs + name: extraconfigs-volume + {{- end }} + {{- if .Values.customConfig }} + - mountPath: /customconfig + name: customconfig-volume + {{- end }} + - mountPath: /initscripts + name: initscripts + - mountPath: /scripts + name: scripts + - mountPath: /configs + name: configs + command: [ "/initscripts/init.sh" ] containers: - name: {{ .Chart.Name }} {{- with .Values.securityContext }} 
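Review bot: `checksum/secureconfig` stores `sha256sum` of the fully rendered Secret, password included, in a pod annotation, which anyone with `get pods` can read while the Secret itself usually is not readable to them. Because the chart template and labels are public, that digest is in principle an offline-crackable fingerprint of a weak `superuserPassword`; the annotation does give you the restart on password change, so the trade-off should at least be stated next to it, e.g. `# NOTE: hashing the Secret leaks a fingerprint of its contents to anyone who can read the pod spec; rely on a strong password`, or the hash restricted to the non-credential parts of the rendered manifest.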
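Review bot: The new init container sets `securityContext` and the image but no `resources`, so in a namespace with a `LimitRange` or `ResourceQuota` that demands requests/limits the pod is rejected even if the main container (outside this hunk) gets them from values. If the chart exposes a `resources` value as the main container presumably uses, inserting `{{- with .Values.resources }}` / `resources:` / `{{- toYaml . | nindent 12 }}` / `{{- end }}` after `imagePullPolicy` keeps the two containers consistent; the script it runs only copies and concatenates files, so a small fixed request would also be fine.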
@@ -62,8 +92,14 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} envFrom: + {{- if include "postgres.createSecureConfig" . }} - secretRef: name: {{ include "postgres.fullname" . }} + {{- end }} + {{- range .Values.extraEnvSecrets }} + - secretRef: + name: {{ . }} + {{- end }} {{- if .Values.customStartupProbe }} startupProbe: {{- toYaml .Values.customStartupProbe | nindent 12 }} @@ -140,15 +176,14 @@ spec: - mountPath: /tmp name: tmp - mountPath: /var/lib/postgresql/data - name: postgres-data - {{- if .Values.customConfig }} + name: {{ .Values.storage.volumeName }} + - mountPath: /docker-entrypoint-initdb.d + name: scripts - mountPath: /etc/postgresql - name: customconfig - {{- end }} - {{- if .Values.userDatabase }} - - mountPath: /docker-entrypoint-initdb.d/init-user-db.sh - subPath: init-user-db.sh - name: inituserdb + name: configs + {{- range $secret := .Values.extraSecrets }} + - name: {{ $secret.name }} + mountPath: {{ $secret.mountPath }} {{- end }} {{- with .Values.nodeSelector }} nodeSelector: 
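Review bot: The chart's own Secret is listed first under `envFrom` and `extraEnvSecrets` after it, and Kubernetes resolves duplicate keys across `envFrom` sources in favour of the last one, so a `POSTGRES_PASSWORD` in an extra secret silently overrides `settings.superuserPassword`. That is a sensible precedence but it is neither documented nor obvious from the template; a comment above the range, `{{/* extraEnvSecrets come last on purpose: later envFrom entries win on duplicate keys, so they override the chart Secret */}}`, and a matching sentence in values.yaml would spare the next reader an experiment.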
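Review bot: The `extraSecrets` mount renders `mountPath: {{ $secret.mountPath }}` unchecked, so an entry without `mountPath` produces an empty field that is only caught by the API server, and an entry whose `mountPath` is `/etc/postgresql`, `/docker-entrypoint-initdb.d` or `/var/lib/postgresql/data` silently shadows the chart's own mount declared a few lines above. I'd fail at render time, `mountPath: {{ required "extraSecrets[].mountPath is mandatory" $secret.mountPath }}`, and note in the values comment that those three paths are reserved by the chart.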
@@ -167,21 +202,40 @@ spec: emptyDir: {} - name: tmp emptyDir: {} + - name: scripts + emptyDir: {} + - name: configs + emptyDir: {} + - name: initscripts + configMap: + name: {{ include "postgres.fullname" . }}-scripts + defaultMode: 0555 + {{- if .Values.extraScripts }} + - name: extrascripts-volume + configMap: + name: {{ .Values.extraScripts }} + defaultMode: 0555 + {{- end }} + {{- if .Values.extraSecretConfigs }} + - name: extraconfigs-volume + secret: + secretName: {{ .Values.extraSecretConfigs }} + {{- end }} {{- if .Values.customConfig }} - - name: customconfig + - name: customconfig-volume configMap: name: {{ include "postgres.fullname" . }}-customconfig {{- end }} - {{- if .Values.userDatabase }} - - name: inituserdb - configMap: - name: {{ include "postgres.fullname" . }}-inituserdb - defaultMode: 0555 + {{- range $secret := .Values.extraSecrets }} + - name: {{ $secret.name }} + secret: + secretName: {{ $secret.name }} + defaultMode: 0440 {{- end }} {{- with .Values.storage }} {{- $createPvc := and (empty .persistentVolumeClaimName) .requestedSize }} {{- if not $createPvc }} - - name: postgres-data + - name: {{ .volumeName }} {{- if .persistentVolumeClaimName }} persistentVolumeClaim: claimName: {{ .persistentVolumeClaimName }} @@ -191,7 +245,7 @@ spec: {{- else }} volumeClaimTemplates: - metadata: - name: postgres-data + name: {{ .volumeName }} spec: {{- with .accessModes }} accessModes: diff --git a/charts/postgres/values.yaml b/charts/postgres/values.yaml index f1f499b4b54d33c90e99ab50d44fb53314fefdbb..daa0108895599de998129cb85599c5b0e5b23421 100644 --- a/charts/postgres/values.yaml +++ b/charts/postgres/values.yaml 
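Review bot: `extraconfigs-volume` mounts the `extraSecretConfigs` Secret without a `defaultMode`, so its files get the Kubernetes default of 0644 inside the container, while the `extraSecrets` volumes a few lines below are deliberately restricted to `defaultMode: 0440`. Configuration fragments that end up in `postgresql.conf` can carry sensitive material (TLS key paths, `ssl_passphrase_command`), so the two should agree: add `defaultMode: 0440` under `secretName: {{ .Values.extraSecretConfigs }}`. The same caveat as for `extraSecrets` applies, a non-root `securityContext` needs `fsGroup` to read 0440 files, so whatever already works for those will work here.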
@@ -119,13 +119,18 @@ args: [] ## Database configuration settings: - ## The superuser password (default: a 10 char. alpahnumerical random password will be generated) + ## The default postgres superuser (default when nothing is set: "postgres") + superuser: + + ## The superuser password superuserPassword: - ## Postgres database authentication method (default: md5) - authMethod: "md5" + ## Postgres database authentication method + ## For example: "md5" + authMethod: ## Optional init database arguments + ## For example: "--auth-local=md5" initDbArgs: ## Optional user database which is created during first startup with user and password 
@@ -136,17 +141,41 @@ userDatabase: {} ## Database user with full access rights # user: - ## Password of the database user (default: a 10 char. alpahnumerical random password will be generated) + ## Password of the database user # password: ## Optional custom configuration block that will be mounted as file in /etc/postgresql/postgresql.conf -customConfig: |- +## For more flexible options see extraSecretConfigs: section +customConfig: | + +## A list of existing secrets that will be mounted into the container as environment variables +## As an alternative these secrets can set the database superuser password or other options when settings.superuserPassword was not specified +## For example: Setting POSTGRES_DB, USERDB_USER, USERDB_PASSWORD will allow creating a user database and grant access for the given user +extraEnvSecrets: [] + +## An existing secret with files that will be added to the postgres configuration in addition to /etc/postgresql/postgresql.conf +extraSecretConfigs: + +## An existing configMap with files that will be mounted into the container as script files (*.sql, *.sh) in /docker-entrypoint-initdb.d +## For more details see https://hub.docker.com/_/postgres +extraScripts: + +## A list of additional existing secrets that will be mounted into the container +## The mounted files of the secrets can be used for advanced configuration - f.e. TLS +extraSecrets: [] + ## Name of the existing K8s secret +# - name: + ## Mount path where the secret should be mounted into the container (f.e. /mysecretfolder) +# mountPath: ## Storage parameters storage: ## Set persistentVolumenClaimName to reference an existing PVC persistentVolumeClaimName: + ## Internal volume name and prefix of a created PVC + volumeName: "postgres-data" + ## Alternative set requestedSize to define a size for a dynmaically created PVC requestedSize: