update postgres-operator to 1.8.0 (#103)

* update postgres-operator to 1.8.0

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* fix version

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* update kind version

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
Christian Kotzbauer 2022-04-27 09:39:07 +02:00 committed by GitHub
parent 4f4ea6d4cd
commit d678e1dee2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 419 additions and 203 deletions


@ -35,8 +35,10 @@ jobs:
run: ct lint --target-branch main run: ct lint --target-branch main
- name: Create kind cluster - name: Create kind cluster
uses: helm/kind-action@v1.2.0
if: steps.list-changed.outputs.changed == 'true' if: steps.list-changed.outputs.changed == 'true'
uses: helm/kind-action@v1.2.0
with:
version: v0.12.0
- name: Run chart-testing (install) - name: Run chart-testing (install)
run: ct install --target-branch main run: ct install --target-branch main
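Review bot: `uses: helm/kind-action@v1.2.0` (now moved below the `if:`) pins a third-party action to a mutable tag, so a retagged release would change what this job executes without any change in this repository. Pinning to the action's full commit SHA and keeping the tag as a trailing comment, `uses: helm/kind-action@<full-commit-sha-of-v1.2.0> # v1.2.0`, fixes what actually runs while still letting update tooling track releases. Any other `uses:` steps in this job lie outside the hunk and would deserve the same treatment.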


@ -1,8 +1,8 @@
apiVersion: v2 apiVersion: v2
name: postgres-operator name: postgres-operator
description: Postgres Operator creates and manages PostgreSQL clusters running in Kubernetes description: Postgres Operator creates and manages PostgreSQL clusters running in Kubernetes
version: 1.7.3 version: 1.8.0
appVersion: 1.7.1 appVersion: 1.8.0
home: https://github.com/zalando/postgres-operator home: https://github.com/zalando/postgres-operator
sources: sources:
- https://github.com/zalando/postgres-operator - https://github.com/zalando/postgres-operator


@ -34,132 +34,145 @@ The command removes all the Kubernetes components associated with the chart and
The following table lists the configurable parameters of the Postgres-operator chart and their default values. The following table lists the configurable parameters of the Postgres-operator chart and their default values.
| Parameter | Description | Default | | Key | Type | Default | Description |
| ------------------------ | ----------------------- | -------------- | |-----|------|---------|-------------|
| `image.registry` | | `"registry.opensource.zalan.do"` | | image.registry | string | `"registry.opensource.zalan.do"` | |
| `image.repository` | | `"acid/postgres-operator"` | | image.repository | string | `"acid/postgres-operator"` | |
| `image.tag` | | `"v1.7.1"` | | image.tag | string | `"v1.8.0"` | |
| `image.pullPolicy` | | `"IfNotPresent"` | | image.pullPolicy | string | `"IfNotPresent"` | |
| `podAnnotations` | | `{}` | | podAnnotations | object | `{}` | |
| `podLabels` | | `{}` | | podLabels | object | `{}` | |
| `enableJsonLogging` | | `false` | | enableJsonLogging | bool | `false` | |
| `configGeneral.enable_crd_validation` | | `true` | | configGeneral.enable_crd_registration | bool | `true` | |
| `configGeneral.enable_lazy_spilo_upgrade` | | `false` | | configGeneral.crd_categories[0] | string | `"all"` | |
| `configGeneral.enable_pgversion_env_var` | | `true` | | configGeneral.enable_lazy_spilo_upgrade | bool | `false` | |
| `configGeneral.enable_shm_volume` | | `true` | | configGeneral.enable_pgversion_env_var | bool | `true` | |
| `configGeneral.enable_spilo_wal_path_compat` | | `false` | | configGeneral.enable_shm_volume | bool | `true` | |
| `configGeneral.etcd_host` | | `""` | | configGeneral.enable_spilo_wal_path_compat | bool | `false` | |
| `configGeneral.docker_image` | | `"registry.opensource.zalan.do/acid/spilo-14:2.1-p4"` | | configGeneral.etcd_host | string | `""` | |
| `configGeneral.min_instances` | | `-1` | | configGeneral.docker_image | string | `"registry.opensource.zalan.do/acid/spilo-14:2.1-p5"` | |
| `configGeneral.max_instances` | | `-1` | | configGeneral.min_instances | int | `-1` | |
| `configGeneral.repair_period` | | `"5m"` | | configGeneral.max_instances | int | `-1` | |
| `configGeneral.resync_period` | | `"30m"` | | configGeneral.repair_period | string | `"5m"` | |
| `configGeneral.workers` | | `8` | | configGeneral.resync_period | string | `"30m"` | |
| `configUsers.replication_username` | | `"standby"` | | configGeneral.workers | int | `8` | |
| `configUsers.super_username` | | `"postgres"` | | configUsers.enable_password_rotation | bool | `false` | |
| `configMajorVersionUpgrade.major_version_upgrade_mode` | | `"off"` | | configUsers.password_rotation_interval | int | `90` | |
| `configMajorVersionUpgrade.minimal_major_version` | | `"9.6"` | | configUsers.password_rotation_user_retention | int | `180` | |
| `configMajorVersionUpgrade.target_major_version` | | `"14"` | | configUsers.replication_username | string | `"standby"` | |
| `configKubernetes.cluster_domain` | | `"cluster.local"` | | configUsers.super_username | string | `"postgres"` | |
| `configKubernetes.cluster_labels.application` | | `"spilo"` | | configMajorVersionUpgrade.major_version_upgrade_mode | string | `"off"` | |
| `configKubernetes.cluster_name_label` | | `"cluster-name"` | | configMajorVersionUpgrade.minimal_major_version | string | `"9.6"` | |
| `configKubernetes.enable_cross_namespace_secret` | | `false` | | configMajorVersionUpgrade.target_major_version | string | `"14"` | |
| `configKubernetes.enable_init_containers` | | `true` | | configKubernetes.cluster_domain | string | `"cluster.local"` | |
| `configKubernetes.enable_pod_antiaffinity` | | `false` | | configKubernetes.cluster_labels.application | string | `"spilo"` | |
| `configKubernetes.enable_pod_disruption_budget` | | `true` | | configKubernetes.cluster_name_label | string | `"cluster-name"` | |
| `configKubernetes.enable_sidecars` | | `true` | | configKubernetes.enable_cross_namespace_secret | bool | `false` | |
| `configKubernetes.pdb_name_format` | | `"postgres-{cluster}-pdb"` | | configKubernetes.enable_init_containers | bool | `true` | |
| `configKubernetes.pod_antiaffinity_topology_key` | | `"kubernetes.io/hostname"` | | configKubernetes.enable_pod_antiaffinity | bool | `false` | |
| `configKubernetes.pod_management_policy` | | `"ordered_ready"` | | configKubernetes.enable_pod_disruption_budget | bool | `true` | |
| `configKubernetes.pod_role_label` | | `"spilo-role"` | | configKubernetes.enable_sidecars | bool | `true` | |
| `configKubernetes.pod_terminate_grace_period` | | `"5m"` | | configKubernetes.pdb_name_format | string | `"postgres-{cluster}-pdb"` | |
| `configKubernetes.secret_name_template` | | `"{username}.{cluster}.credentials.{tprkind}.{tprgroup}"` | | configKubernetes.pod_antiaffinity_topology_key | string | `"kubernetes.io/hostname"` | |
| `configKubernetes.spilo_privileged` | | `false` | | configKubernetes.pod_management_policy | string | `"ordered_ready"` | |
| `configKubernetes.spilo_allow_privilege_escalation` | | `true` | | configKubernetes.pod_role_label | string | `"spilo-role"` | |
| `configKubernetes.storage_resize_mode` | | `"pvc"` | | configKubernetes.pod_terminate_grace_period | string | `"5m"` | |
| `configKubernetes.watched_namespace` | listen to all namespaces | `"*"` | | configKubernetes.secret_name_template | string | `"{username}.{cluster}.credentials.{tprkind}.{tprgroup}"` | |
| `configPostgresPodResources.default_cpu_limit` | | `"1"` | | configKubernetes.spilo_privileged | bool | `false` | |
| `configPostgresPodResources.default_cpu_request` | | `"100m"` | | configKubernetes.spilo_allow_privilege_escalation | bool | `true` | |
| `configPostgresPodResources.default_memory_limit` | | `"500Mi"` | | configKubernetes.storage_resize_mode | string | `"pvc"` | |
| `configPostgresPodResources.default_memory_request` | | `"100Mi"` | | configKubernetes.watched_namespace | string | `"*"` | |
| `configPostgresPodResources.min_cpu_limit` | | `"250m"` | | configPostgresPodResources.default_cpu_limit | string | `"1"` | |
| `configPostgresPodResources.min_memory_limit` | | `"250Mi"` | | configPostgresPodResources.default_cpu_request | string | `"100m"` | |
| `configTimeouts.pod_deletion_wait_timeout` | | `"10m"` | | configPostgresPodResources.default_memory_limit | string | `"500Mi"` | |
| `configTimeouts.pod_label_wait_timeout` | | `"10m"` | | configPostgresPodResources.default_memory_request | string | `"100Mi"` | |
| `configTimeouts.ready_wait_interval` | | `"3s"` | | configPostgresPodResources.min_cpu_limit | string | `"250m"` | |
| `configTimeouts.ready_wait_timeout` | | `"30s"` | | configPostgresPodResources.min_memory_limit | string | `"250Mi"` | |
| `configTimeouts.resource_check_interval` | | `"3s"` | | configTimeouts.patroni_api_check_interval | string | `"1s"` | |
| `configTimeouts.resource_check_timeout` | | `"10m"` | | configTimeouts.patroni_api_check_timeout | string | `"5s"` | |
| `configLoadBalancer.db_hosted_zone` | | `"db.example.com"` | | configTimeouts.pod_deletion_wait_timeout | string | `"10m"` | |
| `configLoadBalancer.enable_master_load_balancer` | | `false` | | configTimeouts.pod_label_wait_timeout | string | `"10m"` | |
| `configLoadBalancer.enable_replica_load_balancer` | | `false` | | configTimeouts.ready_wait_interval | string | `"3s"` | |
| `configLoadBalancer.external_traffic_policy` | | `"Cluster"` | | configTimeouts.ready_wait_timeout | string | `"30s"` | |
| `configLoadBalancer.master_dns_name_format` | | `"{cluster}.{team}.{hostedzone}"` | | configTimeouts.resource_check_interval | string | `"3s"` | |
| `configLoadBalancer.replica_dns_name_format` | | `"{cluster}-repl.{team}.{hostedzone}"` | | configTimeouts.resource_check_timeout | string | `"10m"` | |
| `configDebug.debug_logging` | | `true` | | configLoadBalancer.db_hosted_zone | string | `"db.example.com"` | |
| `configDebug.enable_database_access` | | `true` | | configLoadBalancer.enable_master_load_balancer | bool | `false` | |
| `configLoggingRestApi.api_port` | | `8080` | | configLoadBalancer.enable_master_pooler_load_balancer | bool | `false` | |
| `configLoggingRestApi.cluster_history_entries` | | `1000` | | configLoadBalancer.enable_replica_load_balancer | bool | `false` | |
| `configLoggingRestApi.ring_log_lines` | | `100` | | configLoadBalancer.enable_replica_pooler_load_balancer | bool | `false` | |
| `configAwsOrGcp.aws_region` | | `"eu-central-1"` | | configLoadBalancer.external_traffic_policy | string | `"Cluster"` | |
| `configAwsOrGcp.enable_ebs_gp3_migration` | | `false` | | configLoadBalancer.master_dns_name_format | string | `"{cluster}.{team}.{hostedzone}"` | |
| `configLogicalBackup.logical_backup_docker_image` | | `"registry.opensource.zalan.do/acid/logical-backup:v1.7.1"` | | configLoadBalancer.replica_dns_name_format | string | `"{cluster}-repl.{team}.{hostedzone}"` | |
| `configLogicalBackup.logical_backup_job_prefix` | | `"logical-backup-"` | | configDebug.debug_logging | bool | `true` | |
| `configLogicalBackup.logical_backup_provider` | | `"s3"` | | configDebug.enable_database_access | bool | `true` | |
| `configLogicalBackup.logical_backup_s3_access_key_id` | | `""` | | configLoggingRestApi.api_port | int | `8080` | |
| `configLogicalBackup.logical_backup_s3_bucket` | | `"my-bucket-url"` | | configLoggingRestApi.cluster_history_entries | int | `1000` | |
| `configLogicalBackup.logical_backup_s3_region` | | `""` | | configLoggingRestApi.ring_log_lines | int | `100` | |
| `configLogicalBackup.logical_backup_s3_endpoint` | | `""` | | configAwsOrGcp.aws_region | string | `"eu-central-1"` | |
| `configLogicalBackup.logical_backup_s3_secret_access_key` | | `""` | | configAwsOrGcp.enable_ebs_gp3_migration | bool | `false` | |
| `configLogicalBackup.logical_backup_s3_sse` | | `"AES256"` | | configLogicalBackup.logical_backup_docker_image | string | `"registry.opensource.zalan.do/acid/logical-backup:v1.8.0"` | |
| `configLogicalBackup.logical_backup_schedule` | | `"30 00 * * *"` | | configLogicalBackup.logical_backup_job_prefix | string | `"logical-backup-"` | |
| `configTeamsApi.enable_admin_role_for_users` | | `true` | | configLogicalBackup.logical_backup_provider | string | `"s3"` | |
| `configTeamsApi.enable_postgres_team_crd` | | `false` | | configLogicalBackup.logical_backup_s3_access_key_id | string | `""` | |
| `configTeamsApi.enable_postgres_team_crd_superusers` | | `false` | | configLogicalBackup.logical_backup_s3_bucket | string | `"my-bucket-url"` | |
| `configTeamsApi.enable_team_member_deprecation` | | `false` | | configLogicalBackup.logical_backup_s3_region | string | `""` | |
| `configTeamsApi.enable_team_superuser` | | `false` | | configLogicalBackup.logical_backup_s3_endpoint | string | `""` | |
| `configTeamsApi.enable_teams_api` | | `false` | | configLogicalBackup.logical_backup_s3_secret_access_key | string | `""` | |
| `configTeamsApi.pam_role_name` | | `"zalandos"` | | configLogicalBackup.logical_backup_s3_sse | string | `"AES256"` | |
| `configTeamsApi.postgres_superuser_teams` | | `["postgres_superusers"]` | | configLogicalBackup.logical_backup_s3_retention_time | string | `""` | |
| `configTeamsApi.protected_role_names` | | `["admin"]` | | configLogicalBackup.logical_backup_schedule | string | `"30 00 * * *"` | |
| `configTeamsApi.role_deletion_suffix` | | `"_deleted"` | | configTeamsApi.enable_admin_role_for_users | bool | `true` | |
| `configTeamsApi.team_admin_role` | | `"admin"` | | configTeamsApi.enable_postgres_team_crd | bool | `false` | |
| `configTeamsApi.team_api_role_configuration.log_statement` | | `"all"` | | configTeamsApi.enable_postgres_team_crd_superusers | bool | `false` | |
| `configConnectionPooler.connection_pooler_schema` | | `"pooler"` | | configTeamsApi.enable_team_member_deprecation | bool | `false` | |
| `configConnectionPooler.connection_pooler_user` | | `"pooler"` | | configTeamsApi.enable_team_superuser | bool | `false` | |
| `configConnectionPooler.connection_pooler_image` | | `"registry.opensource.zalan.do/acid/pgbouncer:master-19"` | | configTeamsApi.enable_teams_api | bool | `false` | |
| `configConnectionPooler.connection_pooler_max_db_connections` | | `60` | | configTeamsApi.pam_role_name | string | `"zalandos"` | |
| `configConnectionPooler.connection_pooler_mode` | | `"transaction"` | | configTeamsApi.postgres_superuser_teams[0] | string | `"postgres_superusers"` | |
| `configConnectionPooler.connection_pooler_number_of_instances` | | `2` | | configTeamsApi.protected_role_names[0] | string | `"admin"` | |
| `configConnectionPooler.connection_pooler_default_cpu_request` | | `"500m"` | | configTeamsApi.protected_role_names[1] | string | `"cron_admin"` | |
| `configConnectionPooler.connection_pooler_default_memory_request` | | `"100Mi"` | | configTeamsApi.role_deletion_suffix | string | `"_deleted"` | |
| `configConnectionPooler.connection_pooler_default_cpu_limit` | | `"1"` | | configTeamsApi.team_admin_role | string | `"admin"` | |
| `configConnectionPooler.connection_pooler_default_memory_limit` | | `"100Mi"` | | configTeamsApi.team_api_role_configuration.log_statement | string | `"all"` | |
| `rbac.create` | | `true` | | configConnectionPooler.connection_pooler_schema | string | `"pooler"` | |
| `crd.create` | | `true` | | configConnectionPooler.connection_pooler_user | string | `"pooler"` | |
| `serviceAccount.create` | | `true` | | configConnectionPooler.connection_pooler_image | string | `"registry.opensource.zalan.do/acid/pgbouncer:master-22"` | |
| `serviceAccount.name` | | `null` | | configConnectionPooler.connection_pooler_max_db_connections | int | `60` | |
| `podServiceAccount.name` | | `"postgres-pod"` | | configConnectionPooler.connection_pooler_mode | string | `"transaction"` | |
| `priorityClassName` | | `""` | | configConnectionPooler.connection_pooler_number_of_instances | int | `2` | |
| `podPriorityClassName` | | `""` | | configConnectionPooler.connection_pooler_default_cpu_request | string | `"500m"` | |
| `resources.limits.cpu` | | `"500m"` | | configConnectionPooler.connection_pooler_default_memory_request | string | `"100Mi"` | |
| `resources.limits.memory` | | `"500Mi"` | | configConnectionPooler.connection_pooler_default_cpu_limit | string | `"1"` | |
| `resources.requests.cpu` | | `"100m"` | | configConnectionPooler.connection_pooler_default_memory_limit | string | `"100Mi"` | |
| `resources.requests.memory` | | `"250Mi"` | | enableStreams | bool | `false` | |
| `securityContext.runAsUser` | | `1000` | | rbac.create | bool | `true` | |
| `securityContext.runAsNonRoot` | | `true` | | rbac.createAggregateClusterRoles | bool | `false` | |
| `securityContext.readOnlyRootFilesystem` | | `true` | | serviceAccount.create | bool | `true` | |
| `securityContext.allowPrivilegeEscalation` | | `false` | | serviceAccount.name | string | `nil` | |
| `affinity` | | `{}` | | podServiceAccount.name | string | `"postgres-pod"` | |
| `nodeSelector` | | `{}` | | priorityClassName | string | `""` | |
| `tolerations` | | `[]` | | podPriorityClassName | string | `""` | |
| `controllerID.create` | | `false` | | resources.limits.cpu | string | `"500m"` | |
| `controllerID.name` | | `null` | | resources.limits.memory | string | `"500Mi"` | |
| `pod_environment_config` | | `{}` | | resources.requests.cpu | string | `"100m"` | |
| resources.requests.memory | string | `"250Mi"` | |
| securityContext.runAsUser | int | `1000` | |
| securityContext.runAsNonRoot | bool | `true` | |
| securityContext.readOnlyRootFilesystem | bool | `true` | |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
| affinity | object | `{}` | |
| nodeSelector | object | `{}` | |
| tolerations | list | `[]` | |
| controllerID.create | bool | `false` | |
| controllerID.name | string | `nil` | |
| pod_environment_config | object | `{}` | |
## Changes compared to the [official chart](https://github.com/zalando/postgres-operator/tree/master/charts/postgres-operator) ## Changes compared to the [official chart](https://github.com/zalando/postgres-operator/tree/master/charts/postgres-operator)
- No `ConfigMap` config-target. - No `ConfigMap` config-target.
- `pod_environment_configmap` is created automatically. Contents can be configured via `pod_environment_config`. - `pod_environment_configmap` is created automatically. Contents can be configured via `pod_environment_config`.
- Enhanced security (dropped ALL capabilities for the operator-pod).


@ -4,8 +4,6 @@ metadata:
name: operatorconfigurations.acid.zalan.do name: operatorconfigurations.acid.zalan.do
labels: labels:
app.kubernetes.io/name: postgres-operator app.kubernetes.io/name: postgres-operator
annotations:
"helm.sh/hook": crd-install
spec: spec:
group: acid.zalan.do group: acid.zalan.do
names: names:
@ -63,11 +61,20 @@ spec:
configuration: configuration:
type: object type: object
properties: properties:
crd_categories:
type: array
nullable: true
items:
type: string
docker_image: docker_image:
type: string type: string
default: "registry.opensource.zalan.do/acid/spilo-14:2.1-p4" default: "registry.opensource.zalan.do/acid/spilo-14:2.1-p5"
enable_crd_registration:
type: boolean
default: true
enable_crd_validation: enable_crd_validation:
type: boolean type: boolean
description: deprecated
default: true default: true
enable_lazy_spilo_upgrade: enable_lazy_spilo_upgrade:
type: boolean type: boolean
@ -89,11 +96,13 @@ spec:
default: false default: false
max_instances: max_instances:
type: integer type: integer
minimum: -1 # -1 = disabled description: "-1 = disabled"
minimum: -1
default: -1 default: -1
min_instances: min_instances:
type: integer type: integer
minimum: -1 # -1 = disabled description: "-1 = disabled"
minimum: -1
default: -1 default: -1
resync_period: resync_period:
type: string type: string
@ -121,6 +130,20 @@ spec:
users: users:
type: object type: object
properties: properties:
additional_owner_roles:
type: array
nullable: true
items:
type: string
enable_password_rotation:
type: boolean
default: false
password_rotation_interval:
type: integer
default: 90
password_rotation_user_retention:
type: integer
default: 180
replication_username: replication_username:
type: string type: string
default: standby default: standby
@ -133,6 +156,10 @@ spec:
major_version_upgrade_mode: major_version_upgrade_mode:
type: string type: string
default: "off" default: "off"
major_version_upgrade_team_allow_list:
type: array
items:
type: string
minimal_major_version: minimal_major_version:
type: string type: string
default: "9.6" default: "9.6"
@ -170,12 +197,12 @@ spec:
type: array type: array
items: items:
type: string type: string
enable_init_containers:
type: boolean
default: true
enable_cross_namespace_secret: enable_cross_namespace_secret:
type: boolean type: boolean
default: false default: false
enable_init_containers:
type: boolean
default: true
enable_pod_antiaffinity: enable_pod_antiaffinity:
type: boolean type: boolean
default: false default: false
@ -185,6 +212,10 @@ spec:
enable_sidecars: enable_sidecars:
type: boolean type: boolean
default: true default: true
ignored_annotations:
type: array
items:
type: string
infrastructure_roles_secret_name: infrastructure_roles_secret_name:
type: string type: string
infrastructure_roles_secrets: infrastructure_roles_secrets:
@ -228,6 +259,11 @@ spec:
type: object type: object
additionalProperties: additionalProperties:
type: string type: string
node_readiness_label_merge:
type: string
enum:
- "AND"
- "OR"
oauth_token_secret_name: oauth_token_secret_name:
type: string type: string
default: "postgresql-operator" default: "postgresql-operator"
@ -322,6 +358,12 @@ spec:
timeouts: timeouts:
type: object type: object
properties: properties:
patroni_api_check_interval:
type: string
default: "1s"
patroni_api_check_timeout:
type: string
default: "5s"
pod_label_wait_timeout: pod_label_wait_timeout:
type: string type: string
default: "10m" default: "10m"
@ -353,9 +395,15 @@ spec:
enable_master_load_balancer: enable_master_load_balancer:
type: boolean type: boolean
default: true default: true
enable_master_pooler_load_balancer:
type: boolean
default: false
enable_replica_load_balancer: enable_replica_load_balancer:
type: boolean type: boolean
default: false default: false
enable_replica_pooler_load_balancer:
type: boolean
default: false
external_traffic_policy: external_traffic_policy:
type: string type: string
enum: enum:
@ -391,18 +439,18 @@ spec:
type: string type: string
log_s3_bucket: log_s3_bucket:
type: string type: string
wal_az_storage_account:
type: string
wal_gs_bucket: wal_gs_bucket:
type: string type: string
wal_s3_bucket: wal_s3_bucket:
type: string type: string
wal_az_storage_account:
type: string
logical_backup: logical_backup:
type: object type: object
properties: properties:
logical_backup_docker_image: logical_backup_docker_image:
type: string type: string
default: "registry.opensource.zalan.do/acid/logical-backup:v1.7.1" default: "registry.opensource.zalan.do/acid/logical-backup:v1.8.0"
logical_backup_google_application_credentials: logical_backup_google_application_credentials:
type: string type: string
logical_backup_job_prefix: logical_backup_job_prefix:
@ -423,6 +471,8 @@ spec:
type: string type: string
logical_backup_s3_sse: logical_backup_s3_sse:
type: string type: string
logical_backup_s3_retention_time:
type: string
logical_backup_schedule: logical_backup_schedule:
type: string type: string
pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$' pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$'
@ -473,6 +523,7 @@ spec:
type: string type: string
default: default:
- admin - admin
- cron_admin
role_deletion_suffix: role_deletion_suffix:
type: string type: string
default: "_deleted" default: "_deleted"
@ -537,7 +588,7 @@ spec:
default: "pooler" default: "pooler"
connection_pooler_image: connection_pooler_image:
type: string type: string
default: "registry.opensource.zalan.do/acid/pgbouncer:master-19" default: "registry.opensource.zalan.do/acid/pgbouncer:master-22"
connection_pooler_max_db_connections: connection_pooler_max_db_connections:
type: integer type: integer
default: 60 default: 60
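Review bot: Dropping the `helm.sh/hook: crd-install` annotation in the first hunk (and likewise in the postgresqls and postgresteams CRDs) together with the deleted template that globbed `crds/*.yaml` hands these files to Helm 3's native `crds/` handling, which installs them on first install but does not update them on `helm upgrade`. Existing 1.7.x installations will therefore keep the old schema (no `streams`, `enable_password_rotation`, `crd_categories`, …) unless something else applies it; the new `enable_crd_registration` default `true`, paired with the `create`/`patch`/`update` CRD verbs this commit adds to the operator ClusterRole, looks like that path — confirm. The README's "Changes compared to the official chart" list would be the place for a one-line upgrade note, e.g. `- CRDs ship in crds/ and are not upgraded by Helm; the operator re-registers them at start-up when enable_crd_registration is true.`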


@ -4,8 +4,6 @@ metadata:
name: postgresqls.acid.zalan.do name: postgresqls.acid.zalan.do
labels: labels:
app.kubernetes.io/name: postgres-operator app.kubernetes.io/name: postgres-operator
annotations:
"helm.sh/hook": crd-install
spec: spec:
group: acid.zalan.do group: acid.zalan.do
names: names:
@ -149,18 +147,12 @@ spec:
- "transaction" - "transaction"
numberOfInstances: numberOfInstances:
type: integer type: integer
minimum: 2 minimum: 1
resources: resources:
type: object type: object
required:
- requests
- limits
properties: properties:
limits: limits:
type: object type: object
required:
- cpu
- memory
properties: properties:
cpu: cpu:
type: string type: string
@ -170,9 +162,6 @@ spec:
pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$' pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$'
requests: requests:
type: object type: object
required:
- cpu
- memory
properties: properties:
cpu: cpu:
type: string type: string
@ -199,16 +188,27 @@ spec:
type: boolean type: boolean
enableMasterLoadBalancer: enableMasterLoadBalancer:
type: boolean type: boolean
enableMasterPoolerLoadBalancer:
type: boolean
enableReplicaLoadBalancer: enableReplicaLoadBalancer:
type: boolean type: boolean
enableReplicaPoolerLoadBalancer:
type: boolean
enableShmVolume: enableShmVolume:
type: boolean type: boolean
init_containers: # deprecated env:
type: array type: array
nullable: true nullable: true
items: items:
type: object type: object
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
init_containers:
type: array
description: deprecated
nullable: true
items:
type: object
x-kubernetes-preserve-unknown-fields: true
initContainers: initContainers:
type: array type: array
nullable: true nullable: true
@ -231,8 +231,8 @@ spec:
items: items:
type: object type: object
required: required:
- weight
- preference - preference
- weight
properties: properties:
preference: preference:
type: object type: object
@ -344,14 +344,17 @@ spec:
type: boolean type: boolean
synchronous_mode_strict: synchronous_mode_strict:
type: boolean type: boolean
synchronous_node_count:
type: integer
ttl: ttl:
type: integer type: integer
podAnnotations: podAnnotations:
type: object type: object
additionalProperties: additionalProperties:
type: string type: string
pod_priority_class_name: # deprecated pod_priority_class_name:
type: string type: string
description: deprecated
podPriorityClassName: podPriorityClassName:
type: string type: string
postgresql: postgresql:
@ -395,19 +398,14 @@ spec:
type: boolean type: boolean
secretNamespace: secretNamespace:
type: string type: string
replicaLoadBalancer: # deprecated replicaLoadBalancer:
type: boolean type: boolean
description: deprecated
resources: resources:
type: object type: object
required:
- requests
- limits
properties: properties:
limits: limits:
type: object type: object
required:
- cpu
- memory
properties: properties:
cpu: cpu:
type: string type: string
@ -436,9 +434,6 @@ spec:
# than the corresponding limit. # than the corresponding limit.
requests: requests:
type: object type: object
required:
- cpu
- memory
properties: properties:
cpu: cpu:
type: string type: string
@ -466,11 +461,55 @@ spec:
type: integer type: integer
standby: standby:
type: object type: object
required:
- s3_wal_path
properties: properties:
s3_wal_path: s3_wal_path:
type: string type: string
gs_wal_path:
type: string
standby_host:
type: string
standby_port:
type: string
oneOf:
- required:
- s3_wal_path
- required:
- gs_wal_path
- required:
- standby_host
streams:
type: array
nullable: true
items:
type: object
required:
- applicationId
- database
- tables
properties:
applicationId:
type: string
batchSize:
type: integer
database:
type: string
filter:
type: object
additionalProperties:
type: string
tables:
type: object
additionalProperties:
type: object
required:
- eventType
properties:
eventType:
type: string
idColumn:
type: string
payloadColumn:
type: string
teamId: teamId:
type: string type: string
tls: tls:
@ -492,10 +531,6 @@ spec:
type: array type: array
items: items:
type: object type: object
required:
- key
- operator
- effect
properties: properties:
key: key:
type: string type: string
@ -514,14 +549,14 @@ spec:
- PreferNoSchedule - PreferNoSchedule
tolerationSeconds: tolerationSeconds:
type: integer type: integer
useLoadBalancer: # deprecated useLoadBalancer:
type: boolean type: boolean
description: deprecated
users: users:
type: object type: object
additionalProperties: additionalProperties:
type: array type: array
nullable: true nullable: true
description: "Role flags specified here must not contradict each other"
items: items:
type: string type: string
enum: enum:
@ -553,6 +588,16 @@ spec:
- SUPERUSER - SUPERUSER
- nosuperuser - nosuperuser
- NOSUPERUSER - NOSUPERUSER
usersWithPasswordRotation:
type: array
nullable: true
items:
type: string
usersWithInPlacePasswordRotation:
type: array
nullable: true
items:
type: string
volume: volume:
type: object type: object
required: required:


@ -4,8 +4,6 @@ metadata:
name: postgresteams.acid.zalan.do name: postgresteams.acid.zalan.do
labels: labels:
app.kubernetes.io/name: postgres-operator app.kubernetes.io/name: postgres-operator
annotations:
"helm.sh/hook": crd-install
spec: spec:
group: acid.zalan.do group: acid.zalan.do
names: names:


@ -9,7 +9,7 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
rules: rules:
# Patroni needs to watch and manage endpoints # Patroni needs to watch and manage config maps or endpoints
{{- if toString .Values.configGeneral.kubernetes_use_configmaps | eq "true" }} {{- if toString .Values.configGeneral.kubernetes_use_configmaps | eq "true" }}
- apiGroups: - apiGroups:
- "" - ""
@ -24,12 +24,6 @@ rules:
- patch - patch
- update - update
- watch - watch
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
{{- else }} {{- else }}
- apiGroups: - apiGroups:
- "" - ""


@ -34,16 +34,34 @@ rules:
- get - get
- list - list
- watch - watch
# all verbs allowed for event streams
{{- if .Values.enableStreams }}
- apiGroups:
- zalando.org
resources:
- fabriceventstreams
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
{{- end }}
# to create or get/update CRDs when starting up # to create or get/update CRDs when starting up
- apiGroups: - apiGroups:
- apiextensions.k8s.io - apiextensions.k8s.io
resources: resources:
- customresourcedefinitions - customresourcedefinitions
verbs: verbs:
- create
- get - get
{{- if toString .Values.configGeneral.enable_crd_registration | eq "true" }}
- create
- patch - patch
- update - update
{{- end }}
# to send events to the CRs # to send events to the CRs
- apiGroups: - apiGroups:
- "" - ""
@ -71,12 +89,6 @@ rules:
- patch - patch
- update - update
- watch - watch
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
{{- else }} {{- else }}
# to read configuration from ConfigMaps # to read configuration from ConfigMaps
- apiGroups: - apiGroups:
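Review bot: `{{- if .Values.enableStreams }}` in the first hunk tests Go-template truthiness, so a value that arrives as the string `"false"` (a quoted YAML value or `--set-string`) still grants the full verb set, including `deletecollection`, on `fabriceventstreams`, whereas `enable_crd_registration` a few lines below is tested with `toString … | eq "true"`. Using the same idiom gives consistency and a safe failure mode: `{{- if toString .Values.enableStreams | eq "true" }}`. Gating `create`/`patch`/`update` on CRDs behind `enable_crd_registration` while leaving `get` unconditional is a good least-privilege split and worth keeping.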


@ -1,6 +0,0 @@
{{ if .Values.crd.create }}
{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }}
{{ $.Files.Get $path }}
---
{{- end }}
{{- end }}


@ -0,0 +1,71 @@
{{ if .Values.rbac.createAggregateClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app.kubernetes.io/name: {{ template "postgres-operator.name" . }}
helm.sh/chart: {{ template "postgres-operator.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
name: {{ template "postgres-operator.fullname" . }}:users:admin
rules:
- apiGroups:
- acid.zalan.do
resources:
- postgresqls
- postgresqls/status
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
app.kubernetes.io/name: {{ template "postgres-operator.name" . }}
helm.sh/chart: {{ template "postgres-operator.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
name: {{ template "postgres-operator.fullname" . }}:users:edit
rules:
- apiGroups:
- acid.zalan.do
resources:
- postgresqls
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
app.kubernetes.io/name: {{ template "postgres-operator.name" . }}
helm.sh/chart: {{ template "postgres-operator.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
name: {{ template "postgres-operator.fullname" . }}:users:view
rules:
- apiGroups:
- acid.zalan.do
resources:
- postgresqls
- postgresqls/status
verbs:
- get
- list
- watch
{{ end }}
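Review bot: The `:users:edit` ClusterRole in the middle document grants only `create`/`update`/`patch`/`delete` on `postgresqls` and no `get`/`list`/`watch`; this works only because the built-in `view` role (which carries the `aggregate-to-edit` label) is itself aggregated into `edit` and `admin`, so the read verbs arrive via the third document. A comment above those rules, e.g. `# read verbs come from the :users:view role, which is aggregated into edit/admin`, would keep a future maintainer from duplicating them or removing the view role. Note also that the file is guarded only by `.Values.rbac.createAggregateClusterRoles`, not by `.Values.rbac.create`, so these roles render even when the rest of the chart's RBAC is disabled — presumably intended, but worth stating in the values comment.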


@ -1,7 +1,7 @@
image: image:
registry: registry.opensource.zalan.do registry: registry.opensource.zalan.do
repository: acid/postgres-operator repository: acid/postgres-operator
tag: v1.7.1 tag: v1.8.0
pullPolicy: "IfNotPresent" pullPolicy: "IfNotPresent"
# Optionally specify an array of imagePullSecrets. # Optionally specify an array of imagePullSecrets.
@ -18,8 +18,11 @@ enableJsonLogging: false
# general configuration parameters # general configuration parameters
configGeneral: configGeneral:
# choose if deployment creates/updates CRDs with OpenAPIV3Validation # the deployment should create/update the CRDs
enable_crd_validation: true enable_crd_registration: true
# specify categories under which crds should be listed
crd_categories:
- "all"
# update only the statefulsets without immediately doing the rolling update # update only the statefulsets without immediately doing the rolling update
enable_lazy_spilo_upgrade: false enable_lazy_spilo_upgrade: false
# set the PGVERSION env var instead of providing the version via postgresql.bin_dir in SPILO_CONFIGURATION # set the PGVERSION env var instead of providing the version via postgresql.bin_dir in SPILO_CONFIGURATION
@ -33,7 +36,7 @@ configGeneral:
# Select if setup uses endpoints (default), or configmaps to manage leader (DCS=k8s) # Select if setup uses endpoints (default), or configmaps to manage leader (DCS=k8s)
# kubernetes_use_configmaps: false # kubernetes_use_configmaps: false
# Spilo docker image # Spilo docker image
docker_image: registry.opensource.zalan.do/acid/spilo-14:2.1-p4 docker_image: registry.opensource.zalan.do/acid/spilo-14:2.1-p5
# min number of instances in Postgres cluster. -1 = no limit # min number of instances in Postgres cluster. -1 = no limit
min_instances: -1 min_instances: -1
# max number of instances in Postgres cluster. -1 = no limit # max number of instances in Postgres cluster. -1 = no limit
@ -54,6 +57,16 @@ configGeneral:
# parameters describing Postgres users # parameters describing Postgres users
configUsers: configUsers:
# roles to be granted to database owners
# additional_owner_roles:
# - cron_admin
# enable password rotation for app users that are not database owners
enable_password_rotation: false
# rotation interval for updating credentials in K8s secrets of app users
password_rotation_interval: 90
# retention interval to keep rotation users
password_rotation_user_retention: 180
# postgres username used for replication between instances # postgres username used for replication between instances
replication_username: standby replication_username: standby
# postgres superuser name to be created by initdb # postgres superuser name to be created by initdb
@ -62,6 +75,10 @@ configUsers:
configMajorVersionUpgrade: configMajorVersionUpgrade:
# "off": no upgrade, "manual": manifest triggers action, "full": minimal version violation triggers too # "off": no upgrade, "manual": manifest triggers action, "full": minimal version violation triggers too
major_version_upgrade_mode: "off" major_version_upgrade_mode: "off"
# upgrades will only be carried out for clusters of listed teams when mode is "off"
# major_version_upgrade_team_allow_list:
# - acid
# minimal Postgres major version that will not automatically be upgraded # minimal Postgres major version that will not automatically be upgraded
minimal_major_version: "9.6" minimal_major_version: "9.6"
# target Postgres major version when upgrading clusters automatically # target Postgres major version when upgrading clusters automatically
@ -105,6 +122,11 @@ configKubernetes:
enable_pod_disruption_budget: true enable_pod_disruption_budget: true
# enables sidecar containers to run alongside Spilo in the same pod # enables sidecar containers to run alongside Spilo in the same pod
enable_sidecars: true enable_sidecars: true
# annotations to be ignored when comparing statefulsets, services etc.
# ignored_annotations:
# - k8s.v1.cni.cncf.io/network-status
# namespaced name of the secret containing infrastructure roles names and passwords # namespaced name of the secret containing infrastructure roles names and passwords
# infrastructure_roles_secret_name: postgresql-infrastructure-roles # infrastructure_roles_secret_name: postgresql-infrastructure-roles
@ -124,6 +146,9 @@ configKubernetes:
# node_readiness_label: # node_readiness_label:
# status: ready # status: ready
# defines how nodeAffinity from manifest should be merged with node_readiness_label
# node_readiness_label_merge: "OR"
# namespaced name of the secret containing the OAuth2 token to pass to the teams API # namespaced name of the secret containing the OAuth2 token to pass to the teams API
# oauth_token_secret_name: postgresql-operator # oauth_token_secret_name: postgresql-operator
@ -190,6 +215,10 @@ configPostgresPodResources:
# timeouts related to some operator actions # timeouts related to some operator actions
configTimeouts: configTimeouts:
# interval between consecutive attempts of operator calling the Patroni API
patroni_api_check_interval: 1s
# timeout when waiting for successful response from Patroni API
patroni_api_check_timeout: 5s
# timeout when waiting for the Postgres pods to be deleted # timeout when waiting for the Postgres pods to be deleted
pod_deletion_wait_timeout: 10m pod_deletion_wait_timeout: 10m
# timeout when waiting for pod role and cluster labels # timeout when waiting for pod role and cluster labels
@ -214,8 +243,12 @@ configLoadBalancer:
# toggles service type load balancer pointing to the master pod of the cluster # toggles service type load balancer pointing to the master pod of the cluster
enable_master_load_balancer: false enable_master_load_balancer: false
# toggles service type load balancer pointing to the master pooler pod of the cluster
enable_master_pooler_load_balancer: false
# toggles service type load balancer pointing to the replica pod of the cluster # toggles service type load balancer pointing to the replica pod of the cluster
enable_replica_load_balancer: false enable_replica_load_balancer: false
# toggles service type load balancer pointing to the replica pooler pod of the cluster
enable_replica_pooler_load_balancer: false
# define external traffic policy for the load balancer # define external traffic policy for the load balancer
external_traffic_policy: "Cluster" external_traffic_policy: "Cluster"
# defines the DNS name string template for the master load balancer cluster # defines the DNS name string template for the master load balancer cluster
@ -276,7 +309,7 @@ configAwsOrGcp:
# configure K8s cron job managed by the operator # configure K8s cron job managed by the operator
configLogicalBackup: configLogicalBackup:
# image for pods of the logical backup job (example runs pg_dumpall) # image for pods of the logical backup job (example runs pg_dumpall)
logical_backup_docker_image: "registry.opensource.zalan.do/acid/logical-backup:v1.7.1" logical_backup_docker_image: "registry.opensource.zalan.do/acid/logical-backup:v1.8.0"
# path of google cloud service account json file # path of google cloud service account json file
# logical_backup_google_application_credentials: "" # logical_backup_google_application_credentials: ""
@ -296,6 +329,8 @@ configLogicalBackup:
logical_backup_s3_secret_access_key: "" logical_backup_s3_secret_access_key: ""
# S3 server side encryption # S3 server side encryption
logical_backup_s3_sse: "AES256" logical_backup_s3_sse: "AES256"
# S3 retention time for stored backups for example "2 week" or "7 days"
logical_backup_s3_retention_time: ""
# backup schedule in the cron format # backup schedule in the cron format
logical_backup_schedule: "30 00 * * *" logical_backup_schedule: "30 00 * * *"
@ -324,6 +359,7 @@ configTeamsApi:
# List of roles that cannot be overwritten by an application, team or infrastructure role # List of roles that cannot be overwritten by an application, team or infrastructure role
protected_role_names: protected_role_names:
- admin - admin
- cron_admin
# Suffix to add if members are removed from TeamsAPI or PostgresTeam CRD # Suffix to add if members are removed from TeamsAPI or PostgresTeam CRD
role_deletion_suffix: "_deleted" role_deletion_suffix: "_deleted"
# role name to grant to team members created from the Teams API # role name to grant to team members created from the Teams API
@ -341,7 +377,7 @@ configConnectionPooler:
# db user for pooler to use # db user for pooler to use
connection_pooler_user: "pooler" connection_pooler_user: "pooler"
# docker image # docker image
connection_pooler_image: "registry.opensource.zalan.do/acid/pgbouncer:master-19" connection_pooler_image: "registry.opensource.zalan.do/acid/pgbouncer:master-22"
# max db connections the pooler should hold # max db connections the pooler should hold
connection_pooler_max_db_connections: 60 connection_pooler_max_db_connections: 60
# default pooling mode # default pooling mode
@ -354,14 +390,14 @@ configConnectionPooler:
connection_pooler_default_cpu_limit: "1" connection_pooler_default_cpu_limit: "1"
connection_pooler_default_memory_limit: 100Mi connection_pooler_default_memory_limit: 100Mi
# Zalando's internal CDC stream feature
enableStreams: false
rbac: rbac:
# Specifies whether RBAC resources should be created # Specifies whether RBAC resources should be created
create: true create: true
# Specifies whether ClusterRoles that are aggregated into the K8s default roles should be created. (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings)
crd: createAggregateClusterRoles: false
# Specifies whether custom resource definitions should be created
# When using helm3, this is ignored; instead use "--skip-crds" to skip.
create: true
serviceAccount: serviceAccount:
# Specifies whether a ServiceAccount should be created # Specifies whether a ServiceAccount should be created
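Review bot: The new `password_rotation_interval: 90` and `password_rotation_user_retention: 180` keys in the `configUsers` hunk carry no unit in their comments, unlike the neighbouring `patroni_api_check_interval: 1s`; presumably these are days (that is how the operator documents them, as far as I recall), so I would write `# rotation interval (days) for updating credentials in K8s secrets of app users` and `# retention interval (days) to keep rotation users`. Separately, `enable_crd_validation` is replaced by `enable_crd_registration` and the `crd:` block is dropped in the last hunk; Helm does not reject unknown values, so users still carrying the old keys get no error, and a short comment or changelog line pointing at the rename would help.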