Commit 1a2217f

authored Mar 5, 2024
[bitnami/postgresql] feat: ✨ 🔒 Add automatic adaptation for Openshift restricted-v2 SCC (#24141)
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
1 parent 8d96934 commit 1a2217f

7 files changed: +37 -27 lines changed

‎bitnami/postgresql/Chart.lock

+3-3
@@ -1,6 +1,6 @@
11
dependencies:
22
- name: common
33
repository: oci://registry-1.docker.io/bitnamicharts
4-
version: 2.16.1
5-
digest: sha256:f808a6fdc9c374d158ad7ff2f2c53a6c409e41da778d768b232dd20f86ef8b47
6-
generated: "2024-02-21T14:25:43.74084307Z"
4+
version: 2.18.0
5+
digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
6+
generated: "2024-03-05T15:22:27.636008468+01:00"
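
Review bot: The lock now pins `common` at 2.18.0 and the templates changed in this commit call `common.compatibility.renderSecurityContext`, but the Chart.yaml hunk shown only bumps the chart version and does not show the `common` dependency constraint. Check that the constraint in Chart.yaml cannot resolve to a `common` release that lacks this helper, otherwise a fresh `helm dependency update` could produce a chart whose templates fail to render. The `generated` timestamp also moved from a UTC `Z` value to a `+01:00` local offset; harmless, but a consistent timezone keeps lock diffs smaller.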

‎bitnami/postgresql/Chart.yaml

+1-1
@@ -35,4 +35,4 @@ maintainers:
3535
name: postgresql
3636
sources:
3737
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql
38-
version: 14.2.4
38+
version: 14.3.0

‎bitnami/postgresql/README.md

+15-14
@@ -66,20 +66,21 @@ kubectl delete pvc -l release=my-release
6666

6767
### Global parameters
6868

69-
| Name | Description | Value |
70-
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
71-
| `global.imageRegistry` | Global Docker image registry | `""` |
72-
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
73-
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
74-
| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` |
75-
| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` |
76-
| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` |
77-
| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` |
78-
| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` |
79-
| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
80-
| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
81-
| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
82-
| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
69+
| Name | Description | Value |
70+
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
71+
| `global.imageRegistry` | Global Docker image registry | `""` |
72+
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
73+
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
74+
| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` |
75+
| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` |
76+
| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` |
77+
| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` |
78+
| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` |
79+
| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
80+
| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
81+
| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
82+
| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
83+
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
8384

8485
### Common parameters
8586
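
Review bot: The new `global.compatibility.openshift.adaptSecurityContext` row says `auto` applies "if the detected running cluster is Openshift" but does not say how the cluster is detected, or what a render without cluster access (for example `helm template`) will do. Suggest adding one sentence on the detection mechanism and the offline behaviour, and stating that `force` also strips `runAsUser`, `runAsGroup` and `fsGroup` on non-OpenShift clusters, where no SCC assigns replacement IDs. Style: the product name is spelled OpenShift.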

‎bitnami/postgresql/templates/backup/cronjob.yaml

+1-1
@@ -93,7 +93,7 @@ spec:
9393
mountPath: /tmp
9494
subPath: tmp-dir
9595
{{- if .Values.backup.cronjob.containerSecurityContext.enabled }}
96-
securityContext: {{- omit .Values.backup.cronjob.containerSecurityContext "enabled" | toYaml | nindent 14 }}
96+
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }}
9797
{{- end }}
9898
{{- if .Values.backup.cronjob.resources }}
9999
resources: {{- toYaml .Values.backup.cronjob.resources | nindent 14 }}
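
Review bot: Only the container-level `securityContext` of the backup CronJob (line 96) goes through `common.compatibility.renderSecurityContext`, while both StatefulSets in this commit also convert their pod-level `podSecurityContext`. If the CronJob pod spec sets a pod-level `securityContext` elsewhere in this file, an `fsGroup` in particular, it needs the same conversion, or the backup pod can still be rejected under restricted-v2 while the database pods are admitted.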

‎bitnami/postgresql/templates/primary/statefulset.yaml

+4-4
@@ -80,7 +80,7 @@ spec:
8080
terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }}
8181
{{- end }}
8282
{{- if .Values.primary.podSecurityContext.enabled }}
83-
securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }}
83+
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.podSecurityContext "context" $) | nindent 8 }}
8484
{{- end }}
8585
hostNetwork: {{ .Values.primary.hostNetwork }}
8686
hostIPC: {{ .Values.primary.hostIPC }}
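
Review bot: The old expression on line 83 dropped the chart-only `enabled` key explicitly with `omit ... "enabled"` and serialised with `toYaml`; the replacement delegates both to `common.compatibility.renderSecurityContext`, whose body is not part of this diff. Confirm the helper still removes `enabled` in every mode, including `disabled`, since a leftover `enabled` key is not a valid `securityContext` field. A rendered-output check with `adaptSecurityContext` set to `disabled` and to `force` would cover that and show that only `runAsUser`, `runAsGroup` and `fsGroup` differ between the two.
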
@@ -97,7 +97,7 @@ spec:
9797
{{- end }}
9898
# We don't require a privileged container in this case
9999
{{- if .Values.primary.containerSecurityContext.enabled }}
100-
securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
100+
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
101101
{{- end }}
102102
command:
103103
- /bin/sh
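
Review bot: The context comment on line 98, "We don't require a privileged container in this case", implies a sibling branch where the init container gets a different security context, and that branch is not touched by this hunk. If it sets an explicit `runAsUser`, the pod can fail restricted-v2 admission even with `adaptSecurityContext: force`; either route that branch through the helper as well or document that the option enabling it must stay off on OpenShift.
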
@@ -187,7 +187,7 @@ spec:
187187
image: {{ include "postgresql.v1.image" . }}
188188
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
189189
{{- if .Values.primary.containerSecurityContext.enabled }}
190-
securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }}
190+
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
191191
{{- end }}
192192
{{- if .Values.diagnosticMode.enabled }}
193193
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -513,7 +513,7 @@ spec:
513513
image: {{ include "postgresql.v1.metrics.image" . }}
514514
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
515515
{{- if .Values.metrics.containerSecurityContext.enabled }}
516-
securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
516+
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
517517
{{- end }}
518518
{{- if .Values.diagnosticMode.enabled }}
519519
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}

‎bitnami/postgresql/templates/read/statefulset.yaml

+4-4
@@ -78,7 +78,7 @@ spec:
7878
terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }}
7979
{{- end }}
8080
{{- if .Values.readReplicas.podSecurityContext.enabled }}
81-
securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }}
81+
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.podSecurityContext "context" $) | nindent 8 }}
8282
{{- end }}
8383
hostNetwork: {{ .Values.readReplicas.hostNetwork }}
8484
hostIPC: {{ .Values.readReplicas.hostIPC }}
@@ -95,7 +95,7 @@ spec:
9595
{{- end }}
9696
# We don't require a privileged container in this case
9797
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
98-
securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
98+
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }}
9999
{{- end }}
100100
command:
101101
- /bin/sh
@@ -185,7 +185,7 @@ spec:
185185
image: {{ include "postgresql.v1.image" . }}
186186
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
187187
{{- if .Values.readReplicas.containerSecurityContext.enabled }}
188-
securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }}
188+
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.readReplicas.containerSecurityContext "context" $) | nindent 12 }}
189189
{{- end }}
190190
{{- if .Values.diagnosticMode.enabled }}
191191
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -428,7 +428,7 @@ spec:
428428
image: {{ include "postgresql.v1.metrics.image" . }}
429429
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
430430
{{- if .Values.metrics.containerSecurityContext.enabled }}
431-
securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
431+
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
432432
{{- end }}
433433
{{- if .Values.diagnosticMode.enabled }}
434434
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}

‎bitnami/postgresql/values.yaml

+9
@@ -42,6 +42,15 @@ global:
4242
service:
4343
ports:
4444
postgresql: ""
45+
## Compatibility adaptations for Kubernetes platforms
46+
##
47+
compatibility:
48+
## Compatibility adaptations for Openshift
49+
##
50+
openshift:
51+
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
52+
##
53+
adaptSecurityContext: disabled
4554
## @section Common parameters
4655
##
4756
