postgres-tls-helm-export.yaml
---
# Source: postgresql/templates/primary/networkpolicy.yaml
# Network policy attached to the primary PostgreSQL pod. Both policy types are
# declared, so on a CNI that enforces NetworkPolicy any traffic not matched by
# a rule below is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: postgresql
  namespace: feast
  labels:
    app.kubernetes.io/component: primary
    app.kubernetes.io/instance: postgresql
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: 17.3.0
    helm.sh/chart: postgresql-16.4.9
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: primary
      app.kubernetes.io/instance: postgresql
      app.kubernetes.io/name: postgresql
  policyTypes:
    - Ingress
    - Egress
  # A single empty egress rule permits all outbound traffic from the pod.
  # NOTE(review): a database rarely needs to initiate connections; limiting
  # egress to DNS (and replication peers, if any) bounds what a compromised
  # postgres process can reach.
  egress:
    - {}
  # The ingress rule names a port but has no `from:` clause; per the
  # NetworkPolicy API a rule without `from` matches every source, so any pod in
  # the cluster may connect to 5432 (protocol defaults to TCP).
  # NOTE(review): add `from:` entries (podSelector / namespaceSelector) for the
  # Feast clients so that only TLS and password/cert auth do not have to carry
  # the whole access-control burden.
  ingress:
    - ports:
        - port: 5432
---
# Source: postgresql/templates/primary/pdb.yaml
# Disruption budget for the primary pod: at most one pod may be unavailable
# during voluntary disruptions (node drains, cluster upgrades). The StatefulSet
# below runs replicas: 1, so this budget still allows its only pod to be
# evicted and offers no real protection as rendered.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: postgresql
  namespace: feast
  labels:
    app.kubernetes.io/component: primary
    app.kubernetes.io/instance: postgresql
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: 17.3.0
    helm.sh/chart: postgresql-16.4.9
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: primary
      app.kubernetes.io/instance: postgresql
      app.kubernetes.io/name: postgresql
  maxUnavailable: 1
---
# Source: postgresql/templates/serviceaccount.yaml
# Dedicated identity for the PostgreSQL pods. Token auto-mounting is disabled
# here (and again on the pod spec), so no Kubernetes API credential is projected
# into the container -- the database has no reason to talk to the API server.
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
  name: postgresql
  namespace: feast
  labels:
    app.kubernetes.io/instance: postgresql
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: 17.3.0
    helm.sh/chart: postgresql-16.4.9
---
# Source: postgresql/templates/secrets.yaml
# Database credentials; the StatefulSet reads both keys via secretKeyRef.
# NOTE(review): this rendered manifest carries live credentials and sits in a
# public gist. base64 is an encoding, not encryption: the `password` value
# decodes to the literal string "password", which is the login for
# POSTGRES_USER "admin" in the StatefulSet. Treat both values as compromised
# and rotate them, and keep Secrets out of rendered/committed output in future
# (values injected from a secret store, ExternalSecrets, SealedSecrets).
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: postgresql
  namespace: feast
  labels:
    app.kubernetes.io/instance: postgresql
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: 17.3.0
    helm.sh/chart: postgresql-16.4.9
data:
  # Password of the built-in "postgres" superuser (POSTGRES_POSTGRES_PASSWORD);
  # presumably chart-generated rather than user supplied.
  postgres-password: "cjY0Y1lsbDNhcg=="
  # Password of the application user (POSTGRES_PASSWORD); trivially guessable.
  password: "cGFzc3dvcmQ="
  # We don't auto-generate LDAP password when it's not provided as we do for other passwords
---
# Source: postgresql/templates/primary/svc-headless.yaml
# Headless service (clusterIP: None) that gives the StatefulSet pods stable DNS
# names; it is the `serviceName` referenced by the StatefulSet.
apiVersion: v1
kind: Service
metadata:
  name: postgresql-hl
  namespace: feast
  annotations: {}
  labels:
    app.kubernetes.io/component: primary
    app.kubernetes.io/instance: postgresql
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: 17.3.0
    helm.sh/chart: postgresql-16.4.9
spec:
  clusterIP: None
  type: ClusterIP
  # We want all pods in the StatefulSet to have their addresses published for
  # the sake of the other Postgresql pods even before they're ready, since they
  # have to be able to talk to each other in order to become ready.
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/component: primary
    app.kubernetes.io/instance: postgresql
    app.kubernetes.io/name: postgresql
  ports:
    - name: tcp-postgresql
      port: 5432
      targetPort: tcp-postgresql
---
# Source: postgresql/templates/primary/svc.yaml
# Cluster-internal endpoint that clients use to reach the primary on 5432.
# Only ClusterIP is exposed; the NetworkPolicy above governs who may connect.
apiVersion: v1
kind: Service
metadata:
  name: postgresql
  namespace: feast
  labels:
    app.kubernetes.io/component: primary
    app.kubernetes.io/instance: postgresql
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: 17.3.0
    helm.sh/chart: postgresql-16.4.9
spec:
  type: ClusterIP
  sessionAffinity: None
  selector:
    app.kubernetes.io/component: primary
    app.kubernetes.io/instance: postgresql
    app.kubernetes.io/name: postgresql
  ports:
    - name: tcp-postgresql
      port: 5432
      targetPort: tcp-postgresql
      nodePort: null
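---
# Source: postgresql/templates/primary/statefulset.yaml
# Single-replica PostgreSQL primary with TLS enabled. An init container stages
# the certificate material from a Secret into an emptyDir that the database
# container then mounts read-only.
#
# Fix in this revision: the readiness probe used `exec pg_isready ...` as its
# first line, which replaced the shell and made the `.initialized` marker check
# on the following line unreachable. `exec` is dropped so both checks run.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgresql
  namespace: "feast"
  labels:
    app.kubernetes.io/instance: postgresql
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/version: 17.3.0
    helm.sh/chart: postgresql-16.4.9
    app.kubernetes.io/component: primary
spec:
  replicas: 1
  serviceName: postgresql-hl
  updateStrategy:
    rollingUpdate: {}
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/instance: postgresql
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/component: primary
  template:
    metadata:
      name: postgresql
      labels:
        app.kubernetes.io/instance: postgresql
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: postgresql
        app.kubernetes.io/version: 17.3.0
        helm.sh/chart: postgresql-16.4.9
        app.kubernetes.io/component: primary
    spec:
      serviceAccountName: postgresql
      # No API token in the pod; the database never calls the Kubernetes API.
      automountServiceAccountToken: false
      affinity:
        podAffinity:
        # Soft anti-affinity only; with replicas: 1 it has no practical effect.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/instance: postgresql
                    app.kubernetes.io/name: postgresql
                    app.kubernetes.io/component: primary
                topologyKey: kubernetes.io/hostname
              weight: 1
        nodeAffinity:
      # Pod-level hardening. No runAsUser/fsGroup is set, so the UID/GID come
      # from the image or the platform (e.g. an OpenShift SCC); the container
      # level runAsNonRoot: true makes the kubelet refuse to start a container
      # whose resolved UID is 0.
      securityContext:
        fsGroupChangePolicy: Always
        seccompProfile:
          type: RuntimeDefault
        supplementalGroups: []
        sysctls: []
      hostNetwork: false
      hostIPC: false
      initContainers:
        # Copies tls.crt / tls.key / ca.crt from the projected Secret into a
        # writable emptyDir and tightens the key to 0600, because a Secret
        # volume cannot be chmod'ed in place and the database container mounts
        # the result read-only.
        - name: copy-certs
          # NOTE(review): mutable tag, not a digest; pin by @sha256 for a
          # reproducible, supply-chain-verifiable image.
          image: docker.io/bitnami/os-shell:12-debian-12-r37
          imagePullPolicy: "IfNotPresent"
          resources:
            limits:
              cpu: 150m
              ephemeral-storage: 2Gi
              memory: 192Mi
            requests:
              cpu: 100m
              ephemeral-storage: 50Mi
              memory: 128Mi
          # We don't require a privileged container in this case
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          command:
            - /bin/sh
            - -ec
            - |
              cp /tmp/certs/* /opt/bitnami/postgresql/certs/
              chmod 600 /opt/bitnami/postgresql/certs/tls.key
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: raw-certificates
              mountPath: /tmp/certs
            - name: postgresql-certificates
              mountPath: /opt/bitnami/postgresql/certs
      containers:
        - name: postgresql
          # NOTE(review): mutable tag, not a digest; pin by @sha256.
          image: docker.io/bitnami/postgresql:17.3.0-debian-12-r1
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          env:
            - name: BITNAMI_DEBUG
              value: "false"
            - name: POSTGRESQL_PORT_NUMBER
              value: "5432"
            - name: POSTGRESQL_VOLUME_DIR
              value: "/bitnami/postgresql"
            - name: PGDATA
              value: "/bitnami/postgresql/data"
            # Authentication
            # Both passwords come from the `postgresql` Secret rather than
            # being inlined here. NOTE(review): the `password` key in that
            # Secret is a trivially guessable value -- rotate it.
            - name: POSTGRES_USER
              value: "admin"
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgresql
                  key: password
            - name: POSTGRES_POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgresql
                  key: postgres-password
            - name: POSTGRES_DATABASE
              value: "feast"
            # LDAP
            - name: POSTGRESQL_ENABLE_LDAP
              value: "no"
            # TLS
            # Server cert/key plus a CA file. Supplying a CA file enables
            # verification of client certificates; the probes below present the
            # server's own cert/key as their client identity, which presumably
            # only works because that cert chains to ca.crt -- confirm.
            - name: POSTGRESQL_ENABLE_TLS
              value: "yes"
            - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
              value: "yes"
            - name: POSTGRESQL_TLS_CERT_FILE
              value: /opt/bitnami/postgresql/certs/tls.crt
            - name: POSTGRESQL_TLS_KEY_FILE
              value: /opt/bitnami/postgresql/certs/tls.key
            - name: POSTGRESQL_TLS_CA_FILE
              value: /opt/bitnami/postgresql/certs/ca.crt
            # Audit
            # NOTE(review): connection/disconnection logging is off and pgaudit
            # is preloaded but given nothing to log (no POSTGRESQL_PGAUDIT_LOG
            # classes, catalog logging off). For an incident investigation this
            # leaves no record of who connected; enable at least
            # log_connections/log_disconnections and a pgaudit class set.
            - name: POSTGRESQL_LOG_HOSTNAME
              value: "false"
            - name: POSTGRESQL_LOG_CONNECTIONS
              value: "false"
            - name: POSTGRESQL_LOG_DISCONNECTIONS
              value: "false"
            - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
              value: "off"
            # Others
            - name: POSTGRESQL_CLIENT_MIN_MESSAGES
              value: "error"
            - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
              value: "pgaudit"
          ports:
            - name: tcp-postgresql
              containerPort: 5432
          # Liveness: a single pg_isready over loopback, authenticating with the
          # server's certificate as client cert.
          livenessProbe:
            failureThreshold: 6
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
            exec:
              command:
                - /bin/sh
                - -c
                - exec pg_isready -U "admin" -d "dbname=feast sslcert=/opt/bitnami/postgresql/certs/tls.crt sslkey=/opt/bitnami/postgresql/certs/tls.key" -h 127.0.0.1 -p 5432
          # Readiness: pg_isready AND the presence of an `.initialized` marker
          # (presumably written by the entrypoint once init scripts finish).
          # The shell runs with -e, so a failing pg_isready exits non-zero
          # before the marker check; `exec` must NOT precede pg_isready or the
          # marker check never executes.
          readinessProbe:
            failureThreshold: 6
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
            exec:
              command:
                - /bin/sh
                - -c
                - -e
                - |
                  pg_isready -U "admin" -d "dbname=feast sslcert=/opt/bitnami/postgresql/certs/tls.crt sslkey=/opt/bitnami/postgresql/certs/tls.key" -h 127.0.0.1 -p 5432
                  [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
          resources:
            limits:
              cpu: 150m
              ephemeral-storage: 2Gi
              memory: 192Mi
            requests:
              cpu: 100m
              ephemeral-storage: 50Mi
              memory: 128Mi
          # The root filesystem is read-only, so every path the server writes
          # (tmp, generated conf, runtime tmp) is an emptyDir subPath; the
          # staged certificates are mounted read-only.
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: empty-dir
              mountPath: /opt/bitnami/postgresql/conf
              subPath: app-conf-dir
            - name: empty-dir
              mountPath: /opt/bitnami/postgresql/tmp
              subPath: app-tmp-dir
            - name: postgresql-certificates
              mountPath: /opt/bitnami/postgresql/certs
              readOnly: true
            - name: data
              mountPath: /bitnami/postgresql
      volumes:
        - name: empty-dir
          emptyDir: {}
        # Secret holding tls.crt / tls.key / ca.crt, mounted only by the init
        # container; it is not part of this rendered output.
        - name: raw-certificates
          secret:
            secretName: postgresql-server-certs
        - name: postgresql-certificates
          emptyDir: {}
  volumeClaimTemplates:
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: data
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: "8Gi"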