diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml index 9f1a3e1..9416193 100644 --- a/.github/workflows/ci-helm-lint-test.yml +++ b/.github/workflows/ci-helm-lint-test.yml @@ -22,6 +22,10 @@ jobs: - name: Install Helm uses: azure/setup-helm@v3.5 + - name: Add dependency chart repos + run: | + helm repo add cnpg https://cloudnative-pg.github.io/charts + - name: Set up chart-testing uses: helm/chart-testing-action@v2.6.1 @@ -49,7 +53,7 @@ jobs: kubectl get pods -A pwd ls -hal - + - name: Install Certmanager run: | helm repo add jetstack https://charts.jetstack.io @@ -60,7 +64,7 @@ jobs: --set installCRDs=true \ --set prometheus.enabled=false \ --wait - + - name: Install CNPG Operator run: | helm repo add cnpg-operator https://cloudnative-pg.github.io/charts @@ -95,7 +99,7 @@ jobs: replicationTLSSecret: "" user: enabled: true - username: + username: - "app" monitoring: enablePodMonitor: false @@ -114,7 +118,7 @@ jobs: testApp: enabled: false EOF - + - name: Install CNPG cluster working-directory: ./charts/cloudnative-pg-cluster run: | @@ -139,7 +143,7 @@ jobs: echo "$STATUS" (( ++ITER )) done - + - name: Run chart-testing (install) id: install if: steps.list-changed.outputs.changed == 'true' diff --git a/README.md b/README.md index a6a694a..10e0fad 100644 --- a/README.md +++ b/README.md @@ -70,8 +70,6 @@ cnpgCluster: # All other values here are passed directly to the their chart. See: # https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/values.yaml enabled: true - type: postgresql - mode: standalone # -- see: https://cloudnative-pg.io/docs/1.28/certificates#client-certificate certificates: ## examples if using our certificates features of this chart. 
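Review bot: The new `Add dependency chart repos` step registers https://cloudnative-pg.github.io/charts under the alias `cnpg`, while the existing `Install CNPG Operator` step (context in the `@@ -60,7 +64,7 @@` hunk) adds the same URL again as `cnpg-operator`; two aliases for one repository in the same job is confusing, and a single `helm repo add` early in the job would serve both. Presumably the step exists so that chart-testing's dependency build can resolve the `cluster` dependency recorded in Chart.lock, but nothing in the step says so — a one-line comment above it, e.g. `# needed so ct can resolve the chart dependency pinned in Chart.lock`, would save the next reader from guessing. The enclosing `steps:` list starts outside the hunk.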
@@ -80,21 +78,52 @@ cnpgCluster: serverCASecret: "app-postgres-server-ca-key-pair" clientCASecret: "app-postgres-client-ca-key-pair" replicationTLSSecret: "app-postgres-client-cert" - - postgresql: - # -- records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html - # this states that certs are required for access to the cluster, - # but you can change it to still allow passwords if you'd like - pg_hba: - - hostnossl all all 0.0.0.0/0 reject - - hostssl all all 0.0.0.0/0 cert clientcert=verify-full + + cluster: + initdb: + # -- replace this with your database name + database: app + # -- replace this with your database username + owner: app + + postgresql: + # -- records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html + # this states that certs are required for access to the cluster, + # but you can change it to still allow passwords if you'd like + pg_hba: + - hostnossl all all 0.0.0.0/0 reject + - hostssl all all 0.0.0.0/0 cert clientcert=verify-full ``` ### Using the test app The test app may be enabled by certificates as well as setting `testApp.enabled=true` in your helm parameters or in the `values.yaml` like this: ```yaml +# -- name to use for templating certs +name: "app-postgres" + testApp: enabled: true + +cnpgCluster: + # -- enable this to deploy the official CNPG cluster helm chart dep + # All other values here are passed directly to the their chart. See: + # https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/values.yaml + enabled: true + # -- see: https://cloudnative-pg.io/docs/1.28/certificates#client-certificate + certificates: + ## examples if using our certificates features of this chart. 
+ ## NOTE: app-postgres should be replaced with whatever you set Values.name to + serverTLSSecret: "app-postgres-server-cert" + serverCASecret: "app-postgres-server-ca-key-pair" + clientCASecret: "app-postgres-client-ca-key-pair" + replicationTLSSecret: "app-postgres-client-cert" + + cluster: + initdb: + # -- replace this with your database name + database: app + # -- replace this with your database username + owner: app ``` This will create a very basic Deployment of `ghcr.io/cloudnative-pg/webtest` [as described in the official docs](https://cloudnative-pg.io/docs/1.28/ssl_connections#testing-the-connection-via-a-tls-certificate) that attempts to connect to your postgres cluster using full mTLS. diff --git a/charts/cloudnative-pg-cluster/Chart.lock b/charts/cloudnative-pg-cluster/Chart.lock new file mode 100644 index 0000000..f74ad9a --- /dev/null +++ b/charts/cloudnative-pg-cluster/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: cluster + repository: https://cloudnative-pg.github.io/charts + version: 0.5.0 +digest: sha256:267917b68a642fca0e337cd78580f656a5084d3a84aa2df12a9291bee6ccbc56 +generated: "2026-01-18T10:52:01.555554815+01:00" diff --git a/charts/cloudnative-pg-cluster/Chart.yaml b/charts/cloudnative-pg-cluster/Chart.yaml index 62a9919..5e73f81 100644 --- a/charts/cloudnative-pg-cluster/Chart.yaml +++ b/charts/cloudnative-pg-cluster/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: cnpg-cluster description: Create postgres tenant clusters managed by the CNPG Operator type: application -version: 1.0.0 +version: 1.0.1 dependencies: - name: cluster diff --git a/charts/cloudnative-pg-cluster/README.md b/charts/cloudnative-pg-cluster/README.md index 2dc75b0..e65cf07 100644 --- a/charts/cloudnative-pg-cluster/README.md +++ b/charts/cloudnative-pg-cluster/README.md 
@@ -1,6 +1,6 @@ # cnpg-cluster -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Create postgres tenant clusters managed by the CNPG Operator @@ -36,10 +36,12 @@ Create postgres tenant clusters managed by the CNPG Operator | cnpgCluster.additionalEnv[1].name | string | `"AWS_RESPONSE_CHECKSUM_VALIDATION"` | | | cnpgCluster.additionalEnv[1].value | string | `"when_required"` | | | cnpgCluster.certificates | object | `{}` | see: https://cloudnative-pg.io/docs/1.28/certificates#client-certificate | +| cnpgCluster.cluster.initdb.database | string | `"app"` | | +| cnpgCluster.cluster.initdb.owner | string | `"app"` | | | cnpgCluster.cluster.instances | int | `3` | Number of instances | +| cnpgCluster.cluster.postgresql.pg_hba | list | `["hostnossl all all 0.0.0.0/0 reject","hostssl all all 0.0.0.0/0 cert clientcert=verify-full"]` | records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html | | cnpgCluster.enabled | bool | `false` | enable this to deploy the official CNPG cluster helm chart dep All other values here are passed directly to the their chart. See: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/values.yaml | | cnpgCluster.mode | string | `"standalone"` | | -| cnpgCluster.postgresql.pg_hba | list | `["hostnossl all all 0.0.0.0/0 reject","hostssl all all 0.0.0.0/0 cert clientcert=verify-full"]` | records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html | | cnpgCluster.primaryUpdateStrategy | string | `"unsupervised"` | | | cnpgCluster.type | string | `"postgresql"` | | | cnpgCluster.version.postgresql | string | `"16"` | | 
diff --git a/charts/cloudnative-pg-cluster/charts/cluster-0.5.0.tgz b/charts/cloudnative-pg-cluster/charts/cluster-0.5.0.tgz
new file mode 100644
index 0000000..03c7ff8
Binary files /dev/null and b/charts/cloudnative-pg-cluster/charts/cluster-0.5.0.tgz differ
diff --git a/charts/cloudnative-pg-cluster/templates/test-app.yaml b/charts/cloudnative-pg-cluster/templates/test-app.yaml
index 6c02eab..414a22e 100644
--- a/charts/cloudnative-pg-cluster/templates/test-app.yaml
+++ b/charts/cloudnative-pg-cluster/templates/test-app.yaml
@@ -30,8 +30,8 @@ spec:
 sslcert=/etc/secrets/app/tls.crt
 sslrootcert=/etc/secrets/ca/ca.crt
 host={{ .Values.name }}-rw.{{ .Release.Namespace }}.svc
- dbname={{ .Values.bootstrap.initdb.database }}
- user={{ .Values.bootstrap.initdb.owner }}
+ dbname={{ .Values.cnpgCluster.cluster.initdb.database }}
+ user={{ .Values.cnpgCluster.cluster.initdb.owner }}
 sslmode=verify-full
 - name: SQL_QUERY
 value: SELECT 1
@@ -50,6 +50,6 @@ spec:
 defaultMode: 0600
 - name: secret-volume-app
 secret:
- secretName: "{{ .Values.name }}-{{ .Values.bootstrap.initdb.owner }}-cert"
+ secretName: "{{ .Values.name }}-{{ .Values.cnpgCluster.cluster.initdb.owner }}-cert"
 defaultMode: 0600
 {{- end }}
diff --git a/charts/cloudnative-pg-cluster/values.yaml b/charts/cloudnative-pg-cluster/values.yaml
index 7908cf3..5b9e022 100644
--- a/charts/cloudnative-pg-cluster/values.yaml
+++ b/charts/cloudnative-pg-cluster/values.yaml
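Review bot: The new `dbname=` and `user=` lines in the `@@ -30,8 +30,8 @@` hunk, and the `secretName` in the `@@ -50,6 +50,6 @@` hunk, dereference `.Values.cnpgCluster.cluster.initdb.*` with no guard, so an override that sets `owner` to null or empty renders `user=` blank and a secret name of `<name>--cert` instead of failing at template time; `user={{ required "cnpgCluster.cluster.initdb.owner must be set" .Values.cnpgCluster.cluster.initdb.owner }}` (and the same wrapper on `database` and inside `secretName`) would surface that before anything is installed. Helm merges overrides onto the defaults in values.yaml, so this presumably only bites on an explicit null, but the test app is the mTLS smoke test and a silent empty user defeats its purpose. These paths now have to track the `cluster` subchart's `initdb` schema, which is worth a template comment such as `{{- /* initdb values are passed through to the CNPG cluster subchart; keep these paths in sync with its values.yaml */}}`. The `{{- if ... }}` that the visible `{{- end }}` closes starts outside the hunk.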
@@ -65,11 +65,15 @@ cnpgCluster: # -- Number of instances instances: 3 - postgresql: - # -- records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html - pg_hba: - - hostnossl all all 0.0.0.0/0 reject - - hostssl all all 0.0.0.0/0 cert clientcert=verify-full + initdb: + database: app + owner: app + + postgresql: + # -- records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html + pg_hba: + - hostnossl all all 0.0.0.0/0 reject + - hostssl all all 0.0.0.0/0 cert clientcert=verify-full primaryUpdateStrategy: unsupervised