Merge remote-tracking branch 'origin/main' into add-cluster-pg-hba

Signed-off-by: Itay Grudev <[email protected]>

.github/workflows/lint.yml

@@ -5,6 +5,9 @@ on:
     branches:
       - '**'
       - '!gh-pages'
+  pull_request:
+    branches-ignore:
+      - 'gh-pages'
 
 jobs:
   linter:

.github/workflows/tests-cluster-chainsaw.yaml

@@ -26,7 +26,7 @@ jobs:
           helm install prometheus-crds prometheus-community/prometheus-operator-crds
 
       - name: Install Chainsaw
-        uses: kyverno/[email protected].7
+        uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
 
       - name: Setup MinIO
         run: |

README.md

@@ -1,5 +1,13 @@
 # CloudNativePG Helm Charts
 
+[![Stack Overflow](https://img.shields.io/badge/stackoverflow-cloudnative--pg-blue?logo=stackoverflow&logoColor=%23F48024&link=https%3A%2F%2Fstackoverflow.com%2Fquestions%2Ftagged%2Fcloudnative-pg)][stackoverflow]
+[![GitHub License](https://img.shields.io/github/license/cloudnative-pg/charts)][license]
+
+
+[![GitHub Release](https://img.shields.io/github/v/release/cloudnative-pg/charts?filter=cloudnative-pg-*)](https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg)
+[![GitHub Release](https://img.shields.io/github/v/release/cloudnative-pg/charts?filter=cluster-*)](https://github.com/cloudnative-pg/charts/tree/main/charts/cluster)
+
+
 ## Operator chart
 
 Helm chart to install the
@@ -40,3 +48,6 @@ Please read the [code of conduct](CODE-OF-CONDUCT.md) and the
 ## Copyright
 
 Helm charts for CloudNativePG are distributed under [Apache License 2.0](LICENSE).
+
+[stackoverflow]: https://stackoverflow.com/questions/tagged/cloudnative-pg
+[license]: https://github.com/cloudnative-pg/charts?tab=Apache-2.0-1-ov-file

charts/cloudnative-pg/Chart.yaml

@@ -18,12 +18,12 @@ name: cloudnative-pg
 description: CloudNativePG Operator Helm Chart
 icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg
 type: application
-version: "0.21.6"
+version: "0.22.0"
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning, they should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.23.3"
+appVersion: "1.24.0"
 sources:
   - https://github.com/cloudnative-pg/charts
 keywords:

charts/cloudnative-pg/templates/rbac.yaml

@@ -171,14 +171,6 @@ rules:
   verbs:
   - get
   - patch
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
-  - list
-  - update
 - apiGroups:
   - apps
   resources:

charts/cluster/Chart.yaml

@@ -18,7 +18,7 @@ name: cluster
 description: Deploys and manages a CloudNativePG cluster and its associated resources.
 icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg
 type: application
-version: 0.0.9
+version: 0.0.11
 sources:
   - https://github.com/cloudnative-pg/charts
 keywords:

charts/cluster/README.md

@@ -1,6 +1,6 @@
 # cluster
 
-![Version: 0.0.9](https://img.shields.io/badge/Version-0.0.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.0.11](https://img.shields.io/badge/Version-0.0.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 > **Warning**
 > ### This chart is under active development.
@@ -168,14 +168,15 @@ refer to  the [CloudNativePG Documentation](https://cloudnative-pg.io/documentat
 | cluster.postgresUID | int | `26` | The UID of the postgres user inside the image, defaults to 26 |
 | cluster.postgresql.parameters | object | `{}` | PostgreSQL configuration options (postgresql.conf) |
 | cluster.postgresql.pg_hba | list | `[]` | PostgreSQL Host Based Authentication rules (lines to be appended to the pg_hba.conf file) |
-| cluster.primaryUpdateMethod | string | `"switchover"` | Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been successfully updated. It can be switchover (default) or in-place (restart). |
+| cluster.primaryUpdateMethod | string | `"switchover"` | Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been successfully updated. It can be switchover (default) or restart. |
 | cluster.primaryUpdateStrategy | string | `"unsupervised"` | Strategy to follow to upgrade the primary server during a rolling update procedure, after all replicas have been successfully updated: it can be automated (unsupervised - default) or manual (supervised) |
 | cluster.priorityClassName | string | `""` |  |
 | cluster.resources | object | `{}` | Resources requirements of every generated Pod. Please refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information. We strongly advise you use the same setting for limits and requests so that your cluster pods are given a Guaranteed QoS. See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/ |
 | cluster.roles | list | `[]` | This feature enables declarative management of existing roles, as well as the creation of new roles if they are not already present in the database. See: https://cloudnative-pg.io/documentation/current/declarative_role_management/ |
 | cluster.storage.size | string | `"8Gi"` |  |
 | cluster.storage.storageClass | string | `""` |  |
 | cluster.superuserSecret | string | `""` |  |
+| cluster.walStorage.enabled | bool | `false` |  |
 | cluster.walStorage.size | string | `"1Gi"` |  |
 | cluster.walStorage.storageClass | string | `""` |  |
 | fullnameOverride | string | `""` | Override the full name of the chart |
@@ -208,6 +209,24 @@ refer to  the [CloudNativePG Documentation](https://cloudnative-pg.io/documentat
 | recovery.google.gkeEnvironment | bool | `false` |  |
 | recovery.google.path | string | `"/"` |  |
 | recovery.method | string | `"backup"` | Available recovery methods: * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace. * `object_store` - Recovers a CNPG cluster from a barman object store (PITR supported). * `pg_basebackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to        migrate databases to CloudNativePG, even from outside Kubernetes. # TODO |
+| recovery.pgBaseBackup.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
+| recovery.pgBaseBackup.owner | string | `""` | Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch |
+| recovery.pgBaseBackup.secret | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
+| recovery.pgBaseBackup.source.database | string | `"app"` |  |
+| recovery.pgBaseBackup.source.host | string | `""` |  |
+| recovery.pgBaseBackup.source.passwordSecret.create | bool | `false` | Whether to create a secret for the password |
+| recovery.pgBaseBackup.source.passwordSecret.key | string | `"password"` | The key in the secret containing the password |
+| recovery.pgBaseBackup.source.passwordSecret.name | string | `""` | Name of the secret containing the password |
+| recovery.pgBaseBackup.source.passwordSecret.value | string | `""` | The password value to use when creating the secret |
+| recovery.pgBaseBackup.source.port | int | `5432` |  |
+| recovery.pgBaseBackup.source.sslCertSecret.key | string | `""` |  |
+| recovery.pgBaseBackup.source.sslCertSecret.name | string | `""` |  |
+| recovery.pgBaseBackup.source.sslKeySecret.key | string | `""` |  |
+| recovery.pgBaseBackup.source.sslKeySecret.name | string | `""` |  |
+| recovery.pgBaseBackup.source.sslMode | string | `"verify-full"` |  |
+| recovery.pgBaseBackup.source.sslRootCertSecret.key | string | `""` |  |
+| recovery.pgBaseBackup.source.sslRootCertSecret.name | string | `""` |  |
+| recovery.pgBaseBackup.source.username | string | `""` |  |
 | recovery.pitrTarget.time | string | `""` | Time in RFC3339 format |
 | recovery.provider | string | `"s3"` | One of `s3`, `azure` or `google` |
 | recovery.s3.accessKey | string | `""` |  |

charts/cluster/docs/Recovery.md

@@ -10,18 +10,18 @@ You can find more information about the recovery process in the [CNPG documentat
 There are 3 types of recovery possible with CNPG:
 * Recovery from a backup object in the same Kubernetes namespace.
 * Recovery from a Barman Object Store, that could be located anywhere.
-* Streaming replication from an operating cluster using `pg_basebackup` (not supported by the chart yet).
+* Streaming replication from an operating cluster using `pg_basebackup`.
 
 When performing a recovery you are strongly advised to use the same configuration and PostgreSQL version as the original cluster.
 
 To begin, create a `values.yaml` that contains the following:
 
 1. Set `mode: recovery` to indicate that you want to perform bootstrap the new cluster from an existing one.
 2. Set the `recovery.method` to the type of recovery you want to perform.
-3. Set either the `recovery.backupName` or the Barman Object Store configuration - i.e. `recovery.provider` and appropriate S3, Azure or GCS configuration.
-4. Optionally set the `recovery.pitrTarget.time` in RFC3339 format to perform a point-in-time recovery.
-4. Retain the identical PostgreSQL version and configuration as the original cluster.
-5. Make sure you don't use the same backup section name as the original cluster. We advise you change the `path` within the storage location if you want to reuse the same storage location/bucket.
+3. Set either the `recovery.backupName` or the Barman Object Store configuration - i.e. `recovery.provider` and appropriate S3, Azure or GCS configuration. In case of `pg_basebackup` complete the `recovery.pgBaseBackup` section. 
+4. Optionally set the `recovery.pitrTarget.time` in RFC3339 format to perform a point-in-time recovery (not applicable for `pgBaseBackup`).
+5. Retain the identical PostgreSQL version and configuration as the original cluster.
+6. Make sure you don't use the same backup section name as the original cluster. We advise you change the `path` within the storage location if you want to reuse the same storage location/bucket.
     One pattern is adding a version number at the end of the path, e.g. `/v1` or `/v2` after each recovery procedure.
 
 Example recovery configurations can be found in the [examples](../examples) directory.

charts/cluster/examples/recovery-pg_basebackup.yaml

@@ -0,0 +1,14 @@
+mode: "recovery"
+
+recovery:
+  method: "pg_basebackup"
+  pgBaseBackup:
+    sourceHost: "source-db.foo.com"
+    sourceUsername: "streaming_replica"
+    existingPasswordSecret: "source-db-replica-password"
+
+cluster:
+  instances: 1
+
+backups:
+  enabled: false

charts/cluster/templates/NOTES.txt

@@ -41,22 +41,39 @@ Configuration
 {{- range (rest .Values.backups.scheduledBackups) -}}
   {{ $scheduledBackups = printf "%s, %s" $scheduledBackups .name }}
 {{- end -}}
+{{- if eq (len .Values.backups.scheduledBackups) 0 }}
+  {{- $scheduledBackups = "None" -}}
+{{- end -}}
+
+{{- $mode := .Values.mode -}}
+{{- $source := "" -}}
+{{- if eq .Values.mode "recovery" }}
+{{- $mode = printf "%s (%s)" .Values.mode .Values.recovery.method -}}
+  {{- if eq .Values.recovery.method "pg_basebackup" }}
+    {{- $source = printf "postgresql://%s@%s:%.0f/%s" .Values.recovery.pgBaseBackup.source.username .Values.recovery.pgBaseBackup.source.host .Values.recovery.pgBaseBackup.source.port .Values.recovery.pgBaseBackup.source.database -}}
+  {{- end -}}
+{{- end -}}
 
-╭───────────────────┬────────────────────────────────────────────────────────╮
-│ Configuration     │ Value                                                  │
-┝━━━━━━━━━━━━━━━━━━━┿━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┥
-│ Cluster mode      │ {{ (printf "%-54s" .Values.mode) }} │
-│ Type              │ {{ (printf "%-54s" .Values.type) }} │
-│ Image             │ {{ include "cluster.color-info" (printf "%-54s" (include "cluster.imageName" .)) }} │
-│ Instances         │ {{ include (printf "%s%s" "cluster.color-" $redundancyColor) (printf "%-54s" (toString .Values.cluster.instances)) }} │
-│ Backups           │ {{ include (printf "%s%s" "cluster.color-" (ternary "ok" "error" .Values.backups.enabled)) (printf "%-54s" (ternary "Enabled" "Disabled" .Values.backups.enabled)) }} │
-│ Backup Provider   │ {{ (printf "%-54s" (title .Values.backups.provider)) }} │
-│ Scheduled Backups │ {{ (printf "%-54s" $scheduledBackups) }} │
-│ Storage           │ {{ (printf "%-54s" .Values.cluster.storage.size) }} │
-│ Storage Class     │ {{ (printf "%-54s" (default "Default" .Values.cluster.storage.storageClass)) }} │
-│ PGBouncer         │ {{ (printf "%-54s" (ternary "Enabled" "Disabled" .Values.pooler.enabled)) }} │
-│ Monitoring        │ {{ include (printf "%s%s" "cluster.color-" (ternary "ok" "error" .Values.cluster.monitoring.enabled)) (printf "%-54s" (ternary "Enabled" "Disabled" .Values.cluster.monitoring.enabled)) }} │
-╰───────────────────┴────────────────────────────────────────────────────────╯
+╭───────────────────┬──────────────────────────────────────────────────────────╮
+│ Configuration     │ Value                                                    │
+┝━━━━━━━━━━━━━━━━━━━┿━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┥
+│ Cluster mode      │ {{ printf "%-56s" $mode }} │
+│ Type              │ {{ printf "%-56s" .Values.type }} │
+│ Image             │ {{ include "cluster.color-info" (printf "%-56s" (include "cluster.imageName" .)) }} │
+{{- if eq .Values.mode "recovery" }}
+│ Source            │ {{ printf "%-56s" $source }} │
+{{- end }}
+│ Instances         │ {{ include (printf "%s%s" "cluster.color-" $redundancyColor) (printf "%-56s" (toString .Values.cluster.instances)) }} │
+│ Backups           │ {{ include (printf "%s%s" "cluster.color-" (ternary "ok" "error" .Values.backups.enabled)) (printf "%-56s" (ternary "Enabled" "Disabled" .Values.backups.enabled)) }} │
+{{- if .Values.backups.enabled }}
+│ Backup Provider   │ {{ printf "%-56s" (title .Values.backups.provider) }} │
+│ Scheduled Backups │ {{ printf "%-56s" $scheduledBackups }} │
+{{- end }}
+│ Storage           │ {{ printf "%-56s" .Values.cluster.storage.size }} │
+│ Storage Class     │ {{ printf "%-56s" (default "Default" .Values.cluster.storage.storageClass) }} │
+│ PGBouncer         │ {{ printf "%-56s" (ternary "Enabled" "Disabled" .Values.pooler.enabled) }} │
+│ Monitoring        │ {{ include (printf "%s%s" "cluster.color-" (ternary "ok" "error" .Values.cluster.monitoring.enabled)) (printf "%-56s" (ternary "Enabled" "Disabled" .Values.cluster.monitoring.enabled)) }} │
+╰───────────────────┴──────────────────────────────────────────────────────────╯
 
 {{ if not .Values.backups.enabled }}
   {{- include "cluster.color-error" "Warning! Backups not enabled. Recovery will not be possible! Do not use this configuration in production.\n" }}

charts/cluster/templates/_bootstrap.tpl

@@ -23,6 +23,50 @@ bootstrap:
       {{- end -}}
 {{- else if eq .Values.mode "recovery" -}}
 bootstrap:
+{{- if eq .Values.recovery.method "pg_basebackup" }}
+  pg_basebackup:
+    source: pgBaseBackupSource
+    {{ with .Values.recovery.pgBaseBackup.database }}
+    database: {{ . }}
+    {{- end }}
+    {{ with .Values.recovery.pgBaseBackup.owner }}
+    owner: {{ . }}
+    {{- end }}
+    {{ with .Values.recovery.pgBaseBackup.secret }}
+    secret:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+
+externalClusters:
+- name: pgBaseBackupSource
+  connectionParameters:
+    host: {{ .Values.recovery.pgBaseBackup.source.host | quote }}
+    port: {{ .Values.recovery.pgBaseBackup.source.port | quote }}
+    user: {{ .Values.recovery.pgBaseBackup.source.username | quote }}
+    dbname: {{ .Values.recovery.pgBaseBackup.source.database | quote }}
+    sslmode: {{ .Values.recovery.pgBaseBackup.source.sslMode | quote }}
+  {{- if .Values.recovery.pgBaseBackup.source.passwordSecret.name }}
+  password:
+    name: {{ default (printf "%s-pg-basebackup-password" (include "cluster.fullname" .)) .Values.recovery.pgBaseBackup.source.passwordSecret.name }}
+    key: {{ .Values.recovery.pgBaseBackup.source.passwordSecret.key }}
+  {{- end }}
+  {{- if .Values.recovery.pgBaseBackup.source.sslKeySecret.name }}
+  sslKey:
+    name: {{ .Values.recovery.pgBaseBackup.source.sslKeySecret.name }}
+    key: {{ .Values.recovery.pgBaseBackup.source.sslKeySecret.key }}
+  {{- end }}
+  {{- if .Values.recovery.pgBaseBackup.source.sslCertSecret.name }}
+  sslCert:
+    name: {{ .Values.recovery.pgBaseBackup.source.sslCertSecret.name }}
+    key: {{ .Values.recovery.pgBaseBackup.source.sslCertSecret.key }}
+  {{- end }}
+  {{- if .Values.recovery.pgBaseBackup.source.sslRootCertSecret.name }}
+  sslRootCert:
+    name: {{ .Values.recovery.pgBaseBackup.source.sslRootCertSecret.name }}
+    key: {{ .Values.recovery.pgBaseBackup.source.sslRootCertSecret.key }}
+  {{- end }}
+
+{{- else }}
   recovery:
     {{- with .Values.recovery.pitrTarget.time }}
     recoveryTarget:
@@ -38,9 +82,10 @@ bootstrap:
 externalClusters:
   - name: objectStoreRecoveryCluster
     barmanObjectStore:
-      serverName: {{ default (include "cluster.fullname" .) .Values.recovery.clusterName }}
+      serverName: {{ .Values.recovery.clusterName }}
       {{- $d := dict "chartFullname" (include "cluster.fullname" .) "scope" .Values.recovery "secretPrefix" "recovery" -}}
       {{- include "cluster.barmanObjectStoreConfig" $d | nindent 4 }}
+{{- end }}
 {{-  else }}
   {{ fail "Invalid cluster mode!" }}
 {{- end }}

charts/cluster/templates/cluster.yaml

@@ -24,7 +24,7 @@ spec:
   storage:
     size: {{ .Values.cluster.storage.size }}
     storageClass: {{ .Values.cluster.storage.storageClass }}
-{{- if .Values.cluster.walStorage }}
+{{- if .Values.cluster.walStorage.enabled }}
   walStorage:
     size: {{ .Values.cluster.walStorage.size }}
     storageClass: {{ .Values.cluster.walStorage.storageClass }}

charts/cluster/templates/recovery-pg_basebackup-password.yaml

@@ -0,0 +1,8 @@
+{{- if and (eq .Values.mode "recovery") (eq .Values.recovery.method "pg_basebackup") .Values.recovery.pgBaseBackup.source.passwordSecret.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ default (printf "%s-pg-basebackup-password" (include "cluster.fullname" .)) .Values.recovery.pgBaseBackup.source.passwordSecret.name }}
+data:
+  {{ .Values.recovery.pgBaseBackup.source.passwordSecret.key }}: {{ required ".Values.recovery.pgBaseBackup.source.passwordSecret.value required when creating a password secret." .Values.recovery.pgBaseBackup.source.passwordSecret.value | b64enc | quote }}
+{{- end }}

charts/cluster/test/monitoring/chainsaw-test.yaml

@@ -1,6 +1,5 @@
 ##
-# This is a test that verifies that non-default configuration options are correctly propagated to the CNPG cluster.
-# P.S. This test is not designed to have a good running configuration, it is designed to test the configuration propagation!
+# This is a test that checks if PodMonitors, ConfigMaps and PrometheusRules are correctly provisioned when requested.
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
@@ -11,7 +10,7 @@ spec:
     assert: 20s
     cleanup: 30s
   steps:
-    - name: Install the non-default configuration cluster
+    - name: Install the monitoring cluster
       try:
         - script:
             content: |

charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster.yaml

@@ -9,6 +9,7 @@ cluster:
     size: 256Mi
     storageClass: standard
   walStorage:
+    enabled: true
     size: 256Mi
     storageClass: standard
   postgresUID: 1001