postgresql

Helm chart
Default values
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Please, note that this will override the parameters, including dependencies, configured to use the global value
##
global:
  ## @param global.imageRegistry Global Docker image registry
  ##
  imageRegistry: ""
  ## @param global.imagePullSecrets Global Docker registry secret names as an array
  ## e.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  ## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
  ## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
  ##
  defaultStorageClass: ""
  storageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  postgresql:
    ## @param global.postgresql.fullnameOverride Full chart name (overrides `fullnameOverride`)
    ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`)
    ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
    ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`)
    ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
    ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`).
    ## @param global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
    ## @param global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
    ## @param global.postgresql.auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
    ## @param global.postgresql.auth.secretKeys.metricsPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.metricsPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
    ##
    fullnameOverride: ""
    auth:
      postgresPassword: ""
      username: ""
      password: ""
      database: ""
      existingSecret: ""
      secretKeys:
        adminPasswordKey: ""
        userPasswordKey: ""
        replicationPasswordKey: ""
        metricsPasswordKey: ""
    ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
    ##
    service:
      ports:
        postgresql: ""
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname template
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param clusterDomain Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template)
##
extraDeploy: []
## @param commonLabels Add labels to all the deployed resources
##
commonLabels: {}
## @param commonAnnotations Add annotations to all the deployed resources
##
commonAnnotations: {}
## @param secretAnnotations Add annotations to the secrets
##
secretAnnotations: {}
## Enable diagnostic mode in the statefulset
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the statefulset
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the statefulset
  ##
  args:
    - infinity
## @section PostgreSQL common parameters
##

## Iamguarded PostgreSQL image version
## @param image.registry [default: REGISTRY_NAME] PostgreSQL image registry
## @param image.repository [default: REPOSITORY_NAME/postgresql] PostgreSQL image repository
## @skip image.tag PostgreSQL image tag (immutable tags are recommended)
## @param image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy PostgreSQL image pull policy
## @param image.pullSecrets Specify image pull secrets
## @param image.debug Specify if debug values should be set
##
image:
  registry: cgr.dev
  repository: chainguard-private/postgres-iamguarded
  tag: 18.3-r2
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Set to true if you would like to see extra information on logs
  ##
  debug: false
## Authentication parameters
##
auth:
  ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user
  ##
  enablePostgresUser: true
  ## @param auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided
  ##
  postgresPassword: ""
  ## @param auth.username Name for a custom user to create
  ##
  username: ""
  ## @param auth.password Password for the custom user to create. Ignored if `auth.existingSecret` is provided
  ##
  password: ""
  ## @param auth.database Name for a custom database to create
  ##
  database: ""
  ## @param auth.replicationUsername Name of the replication user
  ##
  replicationUsername: repl_user
  ## @param auth.replicationPassword Password for the replication user. Ignored if `auth.existingSecret` is provided
  ##
  replicationPassword: ""
  ## @param auth.metricsUsername Name of the metrics user used by postgresql exporter
  ##
  metricsUsername: ""
  ## @param auth.metricsPassword Password for the metrics user used by postgresql exporter. Ignored if `auth.existingSecret` is provided
  ##
  metricsPassword: ""
  ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contain the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case.
  ##
  existingSecret: ""
  ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
  ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
  ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
  ## @param auth.secretKeys.metricsPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
  ##
  secretKeys:
    adminPasswordKey: postgres-password
    userPasswordKey: password
    replicationPasswordKey: replication-password
    metricsPasswordKey: metrics-password
  ## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable
  ##
  usePasswordFiles: true
## @param architecture PostgreSQL architecture (`standalone` or `replication`)
##
architecture: standalone
## Replication configuration
## Ignored if `architecture` is `standalone`
##
replication:
  ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off`
  ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`.
  ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT
  ##
  synchronousCommit: "off"
  numSynchronousReplicas: 0
  ## @param replication.applicationName Cluster application name. Useful for advanced replication settings
  ##
  applicationName: my_application
## @param containerPorts.postgresql PostgreSQL container port
##
containerPorts:
  postgresql: 5432
## Audit settings
## @param audit.logHostname Log client hostnames
## @param audit.logConnections Add client log-in operations to the log file
## @param audit.logDisconnections Add client log-out operations to the log file
## @param audit.pgAuditLog Add operations to log using the pgAudit extension
## @param audit.pgAuditLogCatalog Log catalog using pgAudit
## @param audit.clientMinMessages Message log level to share with the user
## @param audit.logLinePrefix Template for log line prefix (default if not set)
## @param audit.logTimezone Timezone for the log timestamps
##
audit:
  logHostname: false
  logConnections: false
  logDisconnections: false
  pgAuditLog: ""
  pgAuditLogCatalog: "off"
  clientMinMessages: error
  logLinePrefix: ""
  logTimezone: ""
## LDAP configuration
## @param ldap.enabled Enable LDAP support
## @param ldap.server IP address or name of the LDAP server.
## @param ldap.port Port number on the LDAP server to connect to
## @param ldap.prefix String to prepend to the user name when forming the DN to bind
## @param ldap.suffix String to append to the user name when forming the DN to bind
## DEPRECATED ldap.baseDN It will be removed in the future, please use 'ldap.basedn' instead
## DEPRECATED ldap.bindDN It will be removed in the future, please use 'ldap.binddn' instead
## DEPRECATED ldap.bind_password It will be removed in the future, please use 'ldap.bindpw' instead
## @param ldap.basedn Root DN to begin the search for the user in
## @param ldap.binddn DN of user to bind to LDAP
## @param ldap.bindpw Password for the user to bind to LDAP
## DEPRECATED ldap.search_attr It will be removed in the future, please use 'ldap.searchAttribute' instead
## DEPRECATED ldap.search_filter It will be removed in the future, please use 'ldap.searchFilter' instead
## @param ldap.searchAttribute Attribute to match against the user name in the search
## @param ldap.searchFilter The search filter to use when doing search+bind authentication
## @param ldap.scheme Set to `ldaps` to use LDAPS
## DEPRECATED ldap.tls as string is deprecated, please use 'ldap.tls.enabled' instead
## @param ldap.tls.enabled Set to true to enable TLS encryption
##
ldap:
  enabled: false
  server: ""
  port: ""
  prefix: ""
  suffix: ""
  basedn: ""
  binddn: ""
  bindpw: ""
  searchAttribute: ""
  searchFilter: ""
  scheme: ""
  tls:
    enabled: false
  ## @param ldap.uri LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored.
  ## Ref: https://www.postgresql.org/docs/current/auth-ldap.html
  ##
  uri: ""
## @param postgresqlDataDir PostgreSQL data dir folder
##
postgresqlDataDir: /iamguarded/postgresql/data
## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list)
##
postgresqlSharedPreloadLibraries: "pgaudit"
## Start PostgreSQL pod(s) without limitations on shm memory.
## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M`
## ref: https://github.com/docker-library/postgres/issues/416
## ref: https://github.com/containerd/containerd/issues/3654
##
shmVolume:
  ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s)
  ##
  enabled: true
  ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs
  ## Note: the size of the tmpfs counts against container's memory limit
  ## e.g:
  ## sizeLimit: 1Gi
  ##
  sizeLimit: ""
## TLS configuration
##
tls:
  ## @param tls.enabled Enable TLS traffic support
  ##
  enabled: false
  ## @param tls.autoGenerated Generate automatically self-signed TLS certificates
  ##
  autoGenerated: false
  ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's
  ##
  preferServerCiphers: true
  ## @param tls.certificatesSecret Name of an existing secret that contains the certificates
  ##
  certificatesSecret: ""
  ## @param tls.certFilename Certificate filename
  ##
  certFilename: ""
  ## @param tls.certKeyFilename Certificate key filename
  ##
  certKeyFilename: ""
  ## @param tls.certCAFilename CA Certificate filename
  ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting a certificate from them
  ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html
  ##
  certCAFilename: ""
  ## @param tls.crlFilename File containing a Certificate Revocation List
  ##
  crlFilename: ""
## @section PostgreSQL Primary parameters
##
primary:
  ## @param primary.name Name of the primary database (eg primary, master, leader, ...)
  ##
  name: primary
  ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap
  ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html
  ##
  configuration: ""
  ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration
  ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
  ## e.g:
  ## pgHbaConfiguration: |-
  ##   local all all trust
  ##   host all all localhost trust
  ##   host mydatabase mysuser 192.168.0.0/24 md5
  ##
  pgHbaConfiguration: ""
  ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration
  ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored
  ##
  existingConfigmap: ""
  ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration)
  ##
  extendedConfiguration: ""
  ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration
  ## NOTE: `primary.extendedConfiguration` will be ignored
  ##
  existingExtendedConfigmap: ""
  ## Initdb configuration
  ##
  initdb:
    ## @param primary.initdb.args PostgreSQL initdb extra arguments
    ##
    args: ""
    ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log
    ##
    postgresqlWalDir: ""
    ## @param primary.initdb.scripts Dictionary of initdb scripts
    ## Specify dictionary of scripts to be run at first boot
    ## e.g:
    ## scripts:
    ##   my_init_script.sh: |
    ##     #!/bin/sh
    ##     echo "Do something."
    ##
    scripts: {}
    ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot
    ## NOTE: This will override `primary.initdb.scripts`
    ##
    scriptsConfigMap: ""
    ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information)
    ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap`
    ##
    scriptsSecret: ""
    ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts
    ##
    user: ""
    ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts
    ##
    password: ""
  ## Pre-init configuration
  preInitDb:
    ## @param primary.preInitDb.scripts Dictionary of pre-init scripts
    ## Specify dictionary of shell scripts to be run before db boot
    ## e.g:
    ## scripts:
    ##   my_pre_init_script.sh: |
    ##     #!/bin/sh
    ##     echo "Do something."
    scripts: {}
    ## @param primary.preInitDb.scriptsConfigMap ConfigMap with pre-init scripts to be run
    ## NOTE: This will override `primary.preInitDb.scripts`
    scriptsConfigMap: ""
    ## @param primary.preInitDb.scriptsSecret Secret with pre-init scripts to be run
    ## NOTE: This can work along `primary.preInitDb.scripts` or `primary.preInitDb.scriptsConfigMap`
    scriptsSecret: ""
  ## Configure current cluster's primary server to be the standby server in other cluster.
  ## This will allow cross cluster replication and provide cross cluster high availability.
  ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled.
  ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not
  ## @param primary.standby.primaryHost The Host of replication primary in the other cluster
  ## @param primary.standby.primaryPort The Port of replication primary in the other cluster
  ##
  standby:
    enabled: false
    primaryHost: ""
    primaryPort: ""
  ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes
  ##
  extraEnvVarsCM: ""
  ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes
  ##
  extraEnvVarsSecret: ""
  ## @param primary.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param primary.args Override default container args (useful when using custom images)
  ##
  args: []
  ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers
  ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers
  ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers
  ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param primary.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param primary.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## PostgreSQL Primary resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Pod Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  ## @param primary.podSecurityContext.enabled Enable security context
  ## @param primary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param primary.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param primary.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param primary.podSecurityContext.fsGroup Group ID for the pod
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  ## @param primary.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param primary.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param primary.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param primary.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param primary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param primary.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param primary.hostAliases PostgreSQL primary pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param primary.hostNetwork Specify if host network should be enabled for PostgreSQL pod (postgresql primary)
  ##
  hostNetwork: false
  ## @param primary.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary)
  ##
  hostIPC: false
  ## @param primary.labels Map of labels to add to the statefulset (postgresql primary)
  ##
  labels: {}
  ## @param primary.annotations Annotations for PostgreSQL primary pods
  ##
  annotations: {}
  ## @param primary.podLabels Map of labels to add to the pods (postgresql primary)
  ##
  podLabels: {}
  ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary)
  ##
  podAnnotations: {}
  ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## PostgreSQL Primary node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match. Ignored if `primary.affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param primary.affinity Affinity for PostgreSQL primary pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary)
  ##
  priorityClassName: ""
  ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type
  ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    type: RollingUpdate
    rollingUpdate: {}
  ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s)
  ##
  extraVolumeMounts: []
  ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s)
  ##
  extraVolumes: []
  ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s)
  ## For example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s)
  ## Example
  ##
  ## initContainers:
  ##   - name: do-something
  ##     image: busybox
  ##     command: ['do', 'something']
  ##
  initContainers: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param primary.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param primary.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param primary.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `primary.pdb.minAvailable` and `primary.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s)
  ##
  extraPodSpec: {}
667
## Network Policies
668
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
669
##
670
networkPolicy:
671
## @param primary.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
672
##
673
enabled: true
674
## @param primary.networkPolicy.allowExternal Don't require server label for connections
675
## The Policy model to apply. When set to false, only pods with the correct
676
## server label will have network access to the ports server is listening
677
## on. When true, server will accept connections from any source
678
## (with the correct destination port).
679
##
680
allowExternal: true
681
## @param primary.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
682
##
683
allowExternalEgress: true
684
## @param primary.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
685
## e.g:
686
## extraIngress:
687
## - ports:
688
## - port: 1234
689
## from:
690
## - podSelector:
691
## - matchLabels:
692
## - role: frontend
693
## - podSelector:
694
## - matchExpressions:
695
## - key: role
696
## operator: In
697
## values:
698
## - frontend
699
extraIngress: []
700
## @param primary.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
701
## e.g:
702
## extraEgress:
703
## - ports:
704
## - port: 1234
705
## to:
706
## - podSelector:
707
## - matchLabels:
708
## - role: frontend
709
## - podSelector:
710
## - matchExpressions:
711
## - key: role
712
## operator: In
713
## values:
714
## - frontend
715
##
716
extraEgress: []
717
## @param primary.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
718
## @param primary.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
719
##
720
ingressNSMatchLabels: {}
721
ingressNSPodMatchLabels: {}
722
## PostgreSQL Primary service configuration
723
##
724
service:
725
## @param primary.service.enabled Enable/disable the PostgreSQL primary service
726
##
727
enabled: true
728
## @param primary.service.type Kubernetes Service type
729
##
730
type: ClusterIP
731
## @param primary.service.ports.postgresql PostgreSQL service port
732
##
733
ports:
734
postgresql: 5432
735
## Node ports to expose
736
## NOTE: choose port between <30000-32767>
737
## @param primary.service.nodePorts.postgresql Node port for PostgreSQL
738
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
739
##
740
nodePorts:
741
postgresql: ""
742
## @param primary.service.clusterIP Static clusterIP or None for headless services
743
## e.g:
744
## clusterIP: None
745
##
746
clusterIP: ""
747
## @param primary.service.labels Map of labels to add to the primary service
748
##
749
labels: {}
750
## @param primary.service.annotations Annotations for PostgreSQL primary service
751
##
752
annotations: {}
753
## @param primary.service.loadBalancerClass Load balancer class if service type is `LoadBalancer`
754
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
755
##
756
loadBalancerClass: ""
757
## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer`
758
## Set the LoadBalancer service type to internal only
759
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
760
##
761
loadBalancerIP: ""
762
## @param primary.service.externalTrafficPolicy Enable client source IP preservation
763
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
764
##
765
externalTrafficPolicy: Cluster
766
## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
767
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
768
##
769
## loadBalancerSourceRanges:
770
## - 10.10.10.0/24
771
##
772
loadBalancerSourceRanges: []
773
## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service
774
##
775
extraPorts: []
776
## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
777
## If "ClientIP", consecutive client requests will be directed to the same Pod
778
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
779
##
780
sessionAffinity: None
781
## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity
782
## sessionAffinityConfig:
783
## clientIP:
784
## timeoutSeconds: 300
785
##
786
sessionAffinityConfig: {}
787
## Headless service properties
788
##
789
headless:
790
## @param primary.service.headless.annotations Additional custom annotations for headless PostgreSQL primary service
791
##
792
annotations: {}
793
## PostgreSQL Primary persistence configuration
794
##
795
persistence:
796
## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC
797
##
798
enabled: true
799
## @param primary.persistence.volumeName Name to assign the volume
800
##
801
volumeName: "data"
802
## @param primary.persistence.existingClaim Name of an existing PVC to use
803
##
804
existingClaim: ""
805
## @param primary.persistence.mountPath The path the volume will be mounted at
806
## Note: useful when using custom PostgreSQL images
807
##
808
mountPath: /iamguarded/postgresql
809
## @param primary.persistence.subPath The subdirectory of the volume to mount to
810
## Useful in dev environments and one PV for multiple services
811
##
812
subPath: ""
813
## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume
814
## If defined, storageClassName: <storageClass>
815
## If set to "-", storageClassName: "", which disables dynamic provisioning
816
## If undefined (the default) or set to null, no storageClassName spec is
817
## set, choosing the default provisioner. (gp2 on AWS, standard on
818
## GKE, AWS & OpenStack)
819
##
820
storageClass: ""
821
## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume
822
##
823
accessModes:
824
- ReadWriteOnce
825
## @param primary.persistence.size PVC Storage Request for PostgreSQL volume
826
##
827
size: 8Gi
828
## @param primary.persistence.annotations Annotations for the PVC
829
##
830
annotations: {}
831
## @param primary.persistence.labels Labels for the PVC
832
##
833
labels: {}
834
## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
835
## selector:
836
## matchLabels:
837
## app: my-app
838
##
839
selector: {}
840
## @param primary.persistence.dataSource Custom PVC data source
841
##
842
dataSource: {}
843
## PostgreSQL Primary Persistent Volume Claim Retention Policy
844
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
845
##
846
persistentVolumeClaimRetentionPolicy:
847
## @param primary.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for Primary Statefulset
848
##
849
enabled: false
850
## @param primary.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
851
##
852
whenScaled: Retain
853
## @param primary.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
854
##
855
whenDeleted: Retain
856
## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
857
##
858
readReplicas:
859
## @param readReplicas.name Name of the read replicas database (eg secondary, slave, ...)
860
##
861
name: read
862
## @param readReplicas.replicaCount Number of PostgreSQL read only replicas
863
##
864
replicaCount: 1
865
## @param readReplicas.extendedConfiguration Extended PostgreSQL read only replicas configuration (appended to main or default configuration)
866
##
867
extendedConfiguration: ""
868
## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes
869
## e.g:
870
## extraEnvVars:
871
## - name: FOO
872
## value: "bar"
873
##
874
extraEnvVars: []
875
## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes
876
##
877
extraEnvVarsCM: ""
878
## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes
879
##
880
extraEnvVarsSecret: ""
881
## @param readReplicas.command Override default container command (useful when using custom images)
882
##
883
command: []
884
## @param readReplicas.args Override default container args (useful when using custom images)
885
##
886
args: []
887
## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes
888
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
889
## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers
890
## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
891
## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe
892
## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
893
## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe
894
## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe
895
##
896
livenessProbe:
897
enabled: true
898
initialDelaySeconds: 30
899
periodSeconds: 10
900
timeoutSeconds: 5
901
failureThreshold: 6
902
successThreshold: 1
903
## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers
904
## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
905
## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe
906
## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
907
## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe
908
## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe
909
##
910
readinessProbe:
911
enabled: true
912
initialDelaySeconds: 5
913
periodSeconds: 10
914
timeoutSeconds: 5
915
failureThreshold: 6
916
successThreshold: 1
917
## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers
918
## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
919
## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe
920
## @param readReplicas.startupProbe.timeoutSeconds Timeout seconds for startupProbe
921
## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe
922
## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe
923
##
924
startupProbe:
925
enabled: false
926
initialDelaySeconds: 30
927
periodSeconds: 10
928
timeoutSeconds: 1
929
failureThreshold: 15
930
successThreshold: 1
931
## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one
932
##
933
customLivenessProbe: {}
934
## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one
935
##
936
customReadinessProbe: {}
937
## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one
938
##
939
customStartupProbe: {}
940
## @param readReplicas.lifecycleHooks Lifecycle hooks for the PostgreSQL read only container to automate configuration before or after startup
941
##
942
lifecycleHooks: {}
943
## PostgreSQL read only resource requests and limits
944
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
945
## @param readReplicas.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production).
946
##
947
resourcesPreset: "nano"
948
## @param readReplicas.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
949
## Example:
950
## resources:
951
## requests:
952
## cpu: 2
953
## memory: 512Mi
954
## limits:
955
## cpu: 3
956
## memory: 1024Mi
957
##
958
resources: {}
959
## Pod Security Context
960
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
961
## @param readReplicas.podSecurityContext.enabled Enable security context
962
## @param readReplicas.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
963
## @param readReplicas.podSecurityContext.sysctls Set kernel settings using the sysctl interface
964
## @param readReplicas.podSecurityContext.supplementalGroups Set filesystem extra groups
965
## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod
966
##
967
podSecurityContext:
968
enabled: true
969
fsGroupChangePolicy: Always
970
sysctls: []
971
supplementalGroups: []
972
fsGroup: 1001
973
## Container Security Context
974
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
975
## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context
976
## @param readReplicas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
977
## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
978
## @param readReplicas.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
979
## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
980
## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged
981
## @param readReplicas.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
982
## @param readReplicas.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
983
## @param readReplicas.containerSecurityContext.capabilities.drop List of capabilities to be dropped
984
## @param readReplicas.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
985
##
986
containerSecurityContext:
987
enabled: true
988
seLinuxOptions: {}
989
runAsUser: 1001
990
runAsGroup: 1001
991
runAsNonRoot: true
992
privileged: false
993
readOnlyRootFilesystem: true
994
allowPrivilegeEscalation: false
995
capabilities:
996
drop: ["ALL"]
997
seccompProfile:
998
type: "RuntimeDefault"
999
## @param readReplicas.automountServiceAccountToken Mount Service Account token in pod
1000
##
1001
automountServiceAccountToken: false
1002
## @param readReplicas.hostAliases PostgreSQL read only pods host aliases
1003
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
1004
##
1005
hostAliases: []
1006
## @param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only)
1007
##
1008
hostNetwork: false
1009
## @param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (PostgreSQL read only)
1010
##
1011
hostIPC: false
1012
## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only)
1013
##
1014
labels: {}
1015
## @param readReplicas.annotations Annotations for PostgreSQL read only pods
1016
##
1017
annotations: {}
1018
## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only)
1019
##
1020
podLabels: {}
1021
## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only)
1022
##
1023
podAnnotations: {}
1024
## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `readReplicas.affinity` is set. Allowed values: `soft` or `hard`
1025
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
1026
##
1027
podAffinityPreset: ""
1028
## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `readReplicas.affinity` is set. Allowed values: `soft` or `hard`
1029
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
1030
##
1031
podAntiAffinityPreset: soft
1032
## PostgreSQL read only node affinity preset
1033
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
1034
##
1035
nodeAffinityPreset:
1036
## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `readReplicas.affinity` is set. Allowed values: `soft` or `hard`
1037
##
1038
type: ""
1039
## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match. Ignored if `readReplicas.affinity` is set.
1040
## E.g.
1041
## key: "kubernetes.io/e2e-az-name"
1042
##
1043
key: ""
1044
## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `readReplicas.affinity` is set.
1045
## E.g.
1046
## values:
1047
## - e2e-az1
1048
## - e2e-az2
1049
##
1050
values: []
1051
## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment
1052
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
1053
## Note: readReplicas.podAffinityPreset, readReplicas.podAntiAffinityPreset, and readReplicas.nodeAffinityPreset will be ignored when it's set
1054
##
1055
affinity: {}
1056
## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment
1057
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
1058
##
1059
nodeSelector: {}
1060
## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment
1061
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
1062
##
1063
tolerations: []
1064
## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
1065
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
1066
##
1067
topologySpreadConstraints: []
1068
## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only)
1069
##
1070
priorityClassName: ""
1071
## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork".
1072
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
1073
##
1074
schedulerName: ""
1075
## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully
1076
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
1077
##
1078
terminationGracePeriodSeconds: ""
1079
## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type
1080
## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters
1081
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
1082
##
1083
updateStrategy:
1084
type: RollingUpdate
1085
rollingUpdate: {}
1086
## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s)
1087
##
1088
extraVolumeMounts: []
1089
## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s)
1090
##
1091
extraVolumes: []
1092
## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s)
1093
## For example:
1094
## sidecars:
1095
## - name: your-image-name
1096
## image: your-image
1097
## imagePullPolicy: Always
1098
## ports:
1099
## - name: portname
1100
## containerPort: 1234
1101
##
1102
sidecars: []
1103
## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s)
1104
## Example
1105
##
1106
## initContainers:
1107
## - name: do-something
1108
## image: busybox
1109
## command: ['do', 'something']
1110
##
1111
initContainers: []
1112
## Pod Disruption Budget configuration
1113
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
1114
## @param readReplicas.pdb.create Enable/disable a Pod Disruption Budget creation
1115
## @param readReplicas.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
1116
## @param readReplicas.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `readReplicas.pdb.minAvailable` and `readReplicas.pdb.maxUnavailable` are empty.
1117
##
1118
pdb:
1119
create: true
1120
minAvailable: ""
1121
maxUnavailable: ""
1122
## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s)
1123
##
1124
extraPodSpec: {}
1125
## Network Policies
1126
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
1127
##
1128
networkPolicy:
1129
## @param readReplicas.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
1130
##
1131
enabled: true
1132
## @param readReplicas.networkPolicy.allowExternal Don't require server label for connections
1133
## The Policy model to apply. When set to false, only pods with the correct
1134
## server label will have network access to the ports server is listening
1135
## on. When true, server will accept connections from any source
1136
## (with the correct destination port).
1137
##
1138
allowExternal: true
1139
## @param readReplicas.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
1140
##
1141
allowExternalEgress: true
1142
## @param readReplicas.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
1143
## e.g:
1144
## extraIngress:
1145
## - ports:
1146
## - port: 1234
1147
## from:
1148
## - podSelector:
1149
## - matchLabels:
1150
## - role: frontend
1151
## - podSelector:
1152
## - matchExpressions:
1153
## - key: role
1154
## operator: In
1155
## values:
1156
## - frontend
1157
extraIngress: []
1158
## @param readReplicas.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
1159
## e.g:
1160
## extraEgress:
1161
## - ports:
1162
## - port: 1234
1163
## to:
1164
## - podSelector:
1165
## - matchLabels:
1166
## - role: frontend
1167
## - podSelector:
1168
## - matchExpressions:
1169
## - key: role
1170
## operator: In
1171
## values:
1172
## - frontend
1173
##
1174
extraEgress: []
1175
## @param readReplicas.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
1176
## @param readReplicas.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
1177
##
1178
ingressNSMatchLabels: {}
1179
ingressNSPodMatchLabels: {}
1180
## PostgreSQL read only service configuration
1181
##
1182
service:
1183
## @param readReplicas.service.type Kubernetes Service type
1184
##
1185
type: ClusterIP
1186
## @param readReplicas.service.ports.postgresql PostgreSQL service port
1187
##
1188
ports:
1189
postgresql: 5432
1190
## Node ports to expose
1191
## NOTE: choose port between <30000-32767>
1192
## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL
1193
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
1194
##
1195
nodePorts:
1196
postgresql: ""
1197
## @param readReplicas.service.clusterIP Static clusterIP or None for headless services
1198
## e.g:
1199
## clusterIP: None
1200
##
1201
clusterIP: ""
1202
## @param readReplicas.service.labels Map of labels to add to the read service
1203
##
1204
labels: {}
1205
## @param readReplicas.service.annotations Annotations for PostgreSQL read only service
1206
##
1207
annotations: {}
1208
## @param readReplicas.service.loadBalancerClass Load balancer class if service type is `LoadBalancer`
1209
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
1210
##
1211
loadBalancerClass: ""
1212
## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer`
1213
## Set the LoadBalancer service type to internal only
1214
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
1215
##
1216
loadBalancerIP: ""
1217
## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation
1218
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
1219
##
1220
externalTrafficPolicy: Cluster
1221
## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
1222
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
1223
##
1224
## loadBalancerSourceRanges:
1225
## - 10.10.10.0/24
1226
##
1227
loadBalancerSourceRanges: []
1228
## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service
1229
##
1230
extraPorts: []
1231
## @param readReplicas.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
1232
## If "ClientIP", consecutive client requests will be directed to the same Pod
1233
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
1234
##
1235
sessionAffinity: None
1236
## @param readReplicas.service.sessionAffinityConfig Additional settings for the sessionAffinity
1237
## sessionAffinityConfig:
1238
## clientIP:
1239
## timeoutSeconds: 300
1240
##
1241
sessionAffinityConfig: {}
1242
## Headless service properties
1243
##
1244
headless:
1245
## @param readReplicas.service.headless.annotations Additional custom annotations for headless PostgreSQL read only service
1246
##
1247
annotations: {}
1248
## PostgreSQL read only persistence configuration
1249
##
1250
persistence:
1251
## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC
1252
##
1253
enabled: true
1254
## @param readReplicas.persistence.existingClaim Name of an existing PVC to use
1255
##
1256
existingClaim: ""
1257
## @param readReplicas.persistence.mountPath The path the volume will be mounted at
1258
## Note: useful when using custom PostgreSQL images
1259
##
1260
mountPath: /iamguarded/postgresql
1261
## @param readReplicas.persistence.subPath The subdirectory of the volume to mount to
1262
## Useful in dev environments and one PV for multiple services
1263
##
1264
subPath: ""
1265
## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume
1266
## If defined, storageClassName: <storageClass>
1267
## If set to "-", storageClassName: "", which disables dynamic provisioning
1268
## If undefined (the default) or set to null, no storageClassName spec is
1269
## set, choosing the default provisioner. (gp2 on AWS, standard on
1270
## GKE, AWS & OpenStack)
1271
##
1272
storageClass: ""
1273
## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume
1274
##
1275
accessModes:
1276
- ReadWriteOnce
1277
## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume
1278
##
1279
size: 8Gi
1280
## @param readReplicas.persistence.annotations Annotations for the PVC
1281
##
1282
annotations: {}
1283
## @param readReplicas.persistence.labels Labels for the PVC
1284
##
1285
labels: {}
1286
## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
1287
## selector:
1288
## matchLabels:
1289
## app: my-app
1290
##
1291
selector: {}
1292
## @param readReplicas.persistence.dataSource Custom PVC data source
1293
##
1294
dataSource: {}
1295
## PostgreSQL Read only Persistent Volume Claim Retention Policy
1296
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
1297
##
1298
persistentVolumeClaimRetentionPolicy:
1299
## @param readReplicas.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for read only Statefulset
1300
##
1301
enabled: false
1302
## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
1303
##
1304
whenScaled: Retain
1305
## @param readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
1306
##
1307
whenDeleted: Retain
1308
## @section Backup parameters
1309
## This section implements a trivial logical dump cronjob of the database.
1310
## This only comes with the consistency guarantees of the dump program.
1311
## This is not a snapshot based roll forward/backward recovery backup.
1312
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
1313
backup:
1314
## @param backup.enabled Enable the logical dump of the database "regularly"
1315
enabled: false
1316
cronjob:
1317
## @param backup.cronjob.schedule Set the cronjob parameter schedule
1318
schedule: "@daily"
1319
## @param backup.cronjob.timeZone Set the cronjob parameter timeZone
1320
timeZone: ""
1321
## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy
1322
concurrencyPolicy: Allow
1323
## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit
1324
failedJobsHistoryLimit: 1
1325
## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit
1326
successfulJobsHistoryLimit: 3
1327
## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds
1328
startingDeadlineSeconds: ""
1329
## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished
1330
ttlSecondsAfterFinished: ""
1331
## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy
1332
restartPolicy: OnFailure
1333
## @param backup.cronjob.podSecurityContext.enabled Enable PodSecurityContext for CronJob/Backup
1334
## @param backup.cronjob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
1335
## @param backup.cronjob.podSecurityContext.sysctls Set kernel settings using the sysctl interface
1336
## @param backup.cronjob.podSecurityContext.supplementalGroups Set filesystem extra groups
1337
## @param backup.cronjob.podSecurityContext.fsGroup Group ID for the CronJob
1338
podSecurityContext:
1339
enabled: true
1340
fsGroupChangePolicy: Always
1341
sysctls: []
1342
supplementalGroups: []
1343
fsGroup: 1001
    ## backup container's Security Context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context
    ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
    ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
    ## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
    ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
    ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged
    ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
    ## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
    ## @param backup.cronjob.containerSecurityContext.capabilities.drop List of capabilities to be dropped
    ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## @param backup.cronjob.command Set backup container's command to run
    command:
      - /bin/bash
      - -c
      - PGPASSWORD="${PGPASSWORD:-$(< "$PGPASSWORD_FILE")}" pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file="${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"
    ## @param backup.cronjob.labels Set the cronjob labels
    labels: {}
    ## @param backup.cronjob.annotations Set the cronjob annotations
    annotations: {}
    ## @param backup.cronjob.nodeSelector Node labels for PostgreSQL backup CronJob pod assignment
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
    ##
    nodeSelector: {}
    ## @param backup.cronjob.tolerations Tolerations for PostgreSQL backup CronJob pods assignment
    ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
    ##
    tolerations: []
    ## backup cronjob container resource requests and limits
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param backup.cronjob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production).
    ##
    resourcesPreset: "nano"
    ## @param backup.cronjob.resources Set container requests and limits for different resources like CPU or memory
    ## Example:
    resources: {}
    ## resources:
    ##   requests:
    ##     cpu: 1
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 2
    ##     memory: 1024Mi
    networkPolicy:
      ## @param backup.cronjob.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
      ##
      enabled: true
    storage:
      ## @param backup.cronjob.storage.enabled Enable using a `PersistentVolumeClaim` as backup data volume
      ##
      enabled: true
      ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)
      ## If defined, PVC must be created manually before volume will be bound
      ##
      existingClaim: ""
      ## @param backup.cronjob.storage.resourcePolicy Set it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted
      ##
      resourcePolicy: ""
      ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume
      ## If defined, storageClassName: <storageClass>
      ## If set to "-", storageClassName: "", which disables dynamic provisioning
      ## If undefined (the default) or set to null, no storageClassName spec is
      ## set, choosing the default provisioner.
      ##
      storageClass: ""
      ## @param backup.cronjob.storage.accessModes PV Access Mode
      ##
      accessModes:
        - ReadWriteOnce
      ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume
      ##
      size: 8Gi
      ## @param backup.cronjob.storage.annotations PVC annotations
      ##
      annotations: {}
      ## @param backup.cronjob.storage.mountPath Path to mount the volume at
      ##
      mountPath: /backup/pgdump
      ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at
      ## and one PV for multiple services.
      ##
      subPath: ""
      ## Fine tuning for volumeClaimTemplates
      ##
      volumeClaimTemplates:
        ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes)
        ## A label query over volumes to consider for binding (e.g. when using local volumes)
        ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details
        ##
        selector: {}
    ## @param backup.cronjob.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the backup container
    ##
    extraVolumeMounts: []
    ## @param backup.cronjob.extraVolumes Optionally specify extra list of additional volumes for the backup container
    ##
    extraVolumes: []
## @section Password update job
##
passwordUpdateJob:
  ## @param passwordUpdateJob.enabled Enable password update job
  ##
  enabled: false
  ## @param passwordUpdateJob.backoffLimit set backoff limit of the job
  ##
  backoffLimit: 10
  ## @param passwordUpdateJob.command Override default container command on the password update job container(s) (useful when using custom images)
  ##
  command: []
  ## @param passwordUpdateJob.args Override default container args on the password update job container(s) (useful when using custom images)
  ##
  args: []
  ## @param passwordUpdateJob.extraCommands Extra commands to pass to the generation job
  ##
  extraCommands: ""
  ## @param passwordUpdateJob.previousPasswords.postgresPassword Previous postgres password (set if the password secret was already changed)
  ## @param passwordUpdateJob.previousPasswords.password Previous password (set if the password secret was already changed)
  ## @param passwordUpdateJob.previousPasswords.replicationPassword Previous replication password (set if the password secret was already changed)
  ## @param passwordUpdateJob.previousPasswords.existingSecret Name of a secret containing the previous passwords (set if the password secret was already changed)
  previousPasswords:
    postgresPassword: ""
    password: ""
    replicationPassword: ""
    existingSecret: ""
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param passwordUpdateJob.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param passwordUpdateJob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param passwordUpdateJob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param passwordUpdateJob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param passwordUpdateJob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param passwordUpdateJob.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param passwordUpdateJob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param passwordUpdateJob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param passwordUpdateJob.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param passwordUpdateJob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param passwordUpdateJob.podSecurityContext.enabled Enabled credential init job pods' Security Context
  ## @param passwordUpdateJob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param passwordUpdateJob.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param passwordUpdateJob.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param passwordUpdateJob.podSecurityContext.fsGroup Set credential init job pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## @param passwordUpdateJob.extraEnvVars Array containing extra env vars to configure the credential init job
  ## For example:
  ## extraEnvVars:
  ##  - name: GF_DEFAULT_INSTANCE_NAME
  ##    value: my-instance
  ##
  extraEnvVars: []
  ## @param passwordUpdateJob.extraEnvVarsCM ConfigMap containing extra env vars to configure the credential init job
  ##
  extraEnvVarsCM: ""
  ## @param passwordUpdateJob.extraEnvVarsSecret Secret containing extra env vars to configure the credential init job (in case of sensitive data)
  ##
  extraEnvVarsSecret: ""
  ## @param passwordUpdateJob.extraVolumes Optionally specify extra list of additional volumes for the credential init job
  ##
  extraVolumes: []
  ## @param passwordUpdateJob.extraVolumeMounts Array of extra volume mounts to be added to the password update job container (evaluated as template). Normally used with `extraVolumes`.
  ##
  extraVolumeMounts: []
  ## @param passwordUpdateJob.initContainers Add additional init containers for the password update job pod(s)
  ##
  initContainers: []
  ## Container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param passwordUpdateJob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production).
  ##
  resourcesPreset: "micro"
  ## @param passwordUpdateJob.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param passwordUpdateJob.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param passwordUpdateJob.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param passwordUpdateJob.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## @param passwordUpdateJob.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param passwordUpdateJob.hostAliases Add deployment host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param passwordUpdateJob.annotations [object] Add annotations to the job
  ##
  annotations: {}
  ## @param passwordUpdateJob.podLabels Additional pod labels
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param passwordUpdateJob.podAnnotations Additional pod annotations
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
## @section Volume Permissions parameters
##

## Init containers parameters:
## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
##
volumePermissions:
  ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
  ##
  enabled: false
  ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
  ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository
  ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
  ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
  ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## Init container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Init container's Security Context
  ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
  ## and not the below volumePermissions.containerSecurityContext.runAsUser
  ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
  ## @param volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container
  ## @param volumePermissions.containerSecurityContext.runAsNonRoot runAsNonRoot for the init container
  ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container
  ##
  containerSecurityContext:
    seLinuxOptions: {}
    runAsUser: 0
    runAsGroup: 0
    runAsNonRoot: false
    seccompProfile:
      type: RuntimeDefault
## @section Other Parameters
##

## @param serviceBindings.enabled Create secret for service binding (Experimental)
## Ref: https://servicebinding.io/service-provider/
##
serviceBindings:
  enabled: false
## Service account for PostgreSQL to use.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
  ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod
  ##
  create: true
  ## @param serviceAccount.name The name of the ServiceAccount to use.
  ## If not set and create is true, a name is generated using the common.names.fullname template
  ##
  name: ""
  ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
  ## Can be set to false if pods using this serviceAccount do not need to use K8s API
  ##
  automountServiceAccountToken: false
  ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
  ##
  annotations: {}
## Creates role for ServiceAccount
## @param rbac.create Create Role and RoleBinding (required for PSP to work)
##
rbac:
  create: false
  ## @param rbac.rules Custom RBAC rules to set
  ## e.g:
  ## rules:
  ##   - apiGroups:
  ##       - ""
  ##     resources:
  ##       - pods
  ##     verbs:
  ##       - get
  ##       - list
  ##
  rules: []
## Pod Security Policy
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later
##
psp:
  create: false
## @section Metrics Parameters
##
metrics:
  ## @param metrics.enabled Start a prometheus exporter
  ##
  enabled: false
  ## @param metrics.image.registry [default: REGISTRY_NAME] PostgreSQL Prometheus Exporter image registry
  ## @param metrics.image.repository [default: REPOSITORY_NAME/postgres-exporter] PostgreSQL Prometheus Exporter image repository
  ## @skip metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended)
  ## @param metrics.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy
  ## @param metrics.image.pullSecrets Specify image pull secrets
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/prometheus-postgres-exporter-iamguarded
    tag: 0.19.1
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param metrics.collectors Control enabled collectors
  ## ref: https://github.com/prometheus-community/postgres_exporter#flags
  ## Example:
  ## collectors:
  ##   wal: false
  collectors: {}
  ## @param metrics.customMetrics Define additional custom metrics
  ## ref: https://github.com/prometheus-community/postgres_exporter#adding-new-metrics-via-a-config-file-deprecated
  ## customMetrics:
  ##   pg_database:
  ##     query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
  ##     metrics:
  ##       - name:
  ##           usage: "LABEL"
  ##           description: "Name of the database"
  ##       - size_bytes:
  ##           usage: "GAUGE"
  ##           description: "Size of the database in bytes"
  ##
  customMetrics: {}
  ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter
  ## see: https://github.com/prometheus-community/postgres_exporter#environment-variables
  ## For example:
  ##  extraEnvVars:
  ##  - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS
  ##    value: "true"
  ##
  extraEnvVars: []
  ## PostgreSQL Prometheus exporter containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers
  ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers
  ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers
  ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port
  ##
  containerPorts:
    metrics: 9187
  ## PostgreSQL Prometheus exporter resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Service configuration
  ##
  service:
    ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port
    ##
    ports:
      metrics: 9187
    ## @param metrics.service.clusterIP Static clusterIP or None for headless services
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
    ##
    clusterIP: ""
    ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: None
    ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint
    ##
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}"
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace)
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
    ##
    labels: {}
    ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
    ##
    selector: {}
    ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
  ## Custom PrometheusRule to be defined
  ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
  ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
  ##
  prometheusRule:
    ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator
    ##
    enabled: false
    ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
    ##
    namespace: ""
    ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
    ##
    labels: {}
    ## @param metrics.prometheusRule.rules PrometheusRule definitions
    ## Make sure to constrain the rules to the current postgresql service.
    ## rules:
    ##   - alert: HugeReplicationLag
    ##     expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "postgresql.v1.chart.fullname" .) }}"} / 3600 > 1
    ##     for: 1m
    ##     labels:
    ##       severity: critical
    ##     annotations:
    ##       description: replication for {{ include "postgresql.v1.chart.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
    ##       summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
    ##
    rules: []
