From 5073b2bb47587141497115e312cd41c7211e0a02 Mon Sep 17 00:00:00 2001
From: 2ubyz
Date: Fri, 27 Mar 2026 16:31:00 +0700
Subject: [PATCH 1/5] Add CNPG Template
---
 charts/cnpg/Chart.yaml | 8 +++
 charts/cnpg/templates/cluster.yaml | 69 +++++++++++++++++++
 charts/cnpg/templates/scheduled-backup.yaml | 13 ++++
 .../cnpg/templates/secret-admin-postgres.yaml | 10 +++
 charts/cnpg/templates/secret-postgres.yaml | 10 +++
 charts/cnpg/templates/secret-s3.yaml | 11 +++
 charts/cnpg/values.yaml | 53 ++++++++++++++
 charts/onechart/Chart.yaml | 4 ++
 values.yaml | 28 ++++++++
 9 files changed, 206 insertions(+)
 create mode 100644 charts/cnpg/Chart.yaml
 create mode 100644 charts/cnpg/templates/cluster.yaml
 create mode 100644 charts/cnpg/templates/scheduled-backup.yaml
 create mode 100644 charts/cnpg/templates/secret-admin-postgres.yaml
 create mode 100644 charts/cnpg/templates/secret-postgres.yaml
 create mode 100644 charts/cnpg/templates/secret-s3.yaml
 create mode 100644 charts/cnpg/values.yaml
diff --git a/charts/cnpg/Chart.yaml b/charts/cnpg/Chart.yaml
new file mode 100644
index 0000000..1d5c959
--- /dev/null
+++ b/charts/cnpg/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+description: CNPG (China Postgres)
+name: cnpg
+version: 0.1.0
+appVersion: 0.1.0
+maintainers:
+ - name: Developer
+ email: dev@opsta.in.th
diff --git a/charts/cnpg/templates/cluster.yaml b/charts/cnpg/templates/cluster.yaml
new file mode 100644
index 0000000..4bb827f
--- /dev/null
+++ b/charts/cnpg/templates/cluster.yaml
@@ -0,0 +1,69 @@
+{{- if .Values.enabled }}
+#{{- $cnpg := .Values.cnpg -}}
+{{- $backup := .Values.backup -}}
+{{- $bos := $backup.barmanObjectStore -}}
+{{- $s3 := $bos.s3Credentials -}}
+{{- $defaultS3Secret := printf "%s-cnpg-s3-creds" .Release.Name | trunc 63 | trimSuffix "-" -}}
+
+
+{{- $s3SecretName := $defaultS3Secret -}}
+
+{{- if and $backup.enabled (not $s3SecretName) -}}
+{{- fail "backup.enabled=true but S3 secret name resolved empty (unexpected)" -}}
+{{ end }}
+
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: {{ printf "%s-cnpg" .Release.Name | trunc 63 | trimSuffix "-" | quote }}
+spec:
+ imageName: {{ .Values.cluster.imageName | quote }}
+ instances: {{ .Values.cluster.instances }}
+
+ {{- if .Values.superuser.enabled }}
+ enableSuperuserAccess: true
+ superuserSecret:
+ name: {{ printf "%s-cnpg-superuser-secret" .Release.Name | trunc 63 | trimSuffix "-" | quote }}
+ {{ end }}
+
+ {{- with .Values.cluster.resources }}
+ resources:
+ {{- toYaml . | nindent 4 }}
+ {{ end }}
+
+ storage:
+ size: {{ .Values.cluster.storage.size | quote }}
+ storageClass: {{ .Values.cluster.storage.storageClass | quote }}
+
+ walStorage:
+ size: {{ .Values.cluster.walStorage.size | quote }}
+ storageClass: {{ .Values.cluster.walStorage.storageClass | quote }}
+
+ {{- if $backup.enabled }}
+ backup:
+ retentionPolicy: {{ $backup.retentionPolicy | quote }}
+ barmanObjectStore:
+ serverName: {{ printf "%s-cnpg-backup" .Release.Name | trunc 63 | trimSuffix "-" | quote }}
+ destinationPath: {{ $bos.destinationPath | quote }}
+ endpointURL: {{ $bos.endpointURL | quote }}
+ s3Credentials:
+ accessKeyId:
+ name: {{ $s3SecretName | quote }}
+ key: {{ default "S3_ACCESS_KEY" $s3.accessKeyKey | quote }}
+ secretAccessKey:
+ name: {{ $s3SecretName | quote }}
+ key: {{ default "S3_SECRET_KEY" $s3.secretKeyKey | quote }}
+ data:
+ compression: {{ $bos.compression.data | quote }}
+ wal:
+ compression: {{ $bos.compression.wal | quote }}
+ {{ end }}
+
+ {{- if
.Values.bootstrap.enabled }}
+ bootstrap:
+ initdb:
+ {{- toYaml .Values.bootstrap.initdb | nindent 6 }}
+ secret:
+ name: {{ printf "%s-cnpg-app-creds" .Release.Name | trunc 63 | trimSuffix "-" | quote }}
+ {{ end }}
+{{ end }}
diff --git a/charts/cnpg/templates/scheduled-backup.yaml b/charts/cnpg/templates/scheduled-backup.yaml
new file mode 100644
index 0000000..a54d020
--- /dev/null
+++ b/charts/cnpg/templates/scheduled-backup.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.enabled .Values.scheduledBackup.enabled }}
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+ name: {{ printf "%s-scheduled-backup" .Release.Name | trunc 63 | trimSuffix "-" | quote }}
+spec:
+ schedule: {{ .Values.scheduledBackup.schedule | quote }}
+ backupOwnerReference: {{ .Values.scheduledBackup.backupOwnerReference | quote }}
+ cluster:
+ name: {{ printf "%s-cnpg" .Release.Name | trunc 63 | trimSuffix "-" | quote }}
+ immediate: {{ .Values.scheduledBackup.immediate }}
+{{- end }}
+
diff --git a/charts/cnpg/templates/secret-admin-postgres.yaml b/charts/cnpg/templates/secret-admin-postgres.yaml
new file mode 100644
index 0000000..b92a334
--- /dev/null
+++ b/charts/cnpg/templates/secret-admin-postgres.yaml
@@ -0,0 +1,10 @@
+{{- if and .Values.enabled .Values.superuser.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-cnpg-superuser-secret" .Release.Name | trunc 63 | trimSuffix "-" | quote }}
+type: {{ default "kubernetes.io/basic-auth" }}
+stringData:
+ username: postgres
+ password: {{ randAlphaNum 8 | quote }}
+{{- end }}
diff --git a/charts/cnpg/templates/secret-postgres.yaml b/charts/cnpg/templates/secret-postgres.yaml
new file mode 100644
index 0000000..ccab927
--- /dev/null
+++ b/charts/cnpg/templates/secret-postgres.yaml
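Review bot: In cluster.yaml the S3 and application Secret names are fixed to `<release>-cnpg-s3-creds` and `<release>-cnpg-app-creds`, so the Cluster cannot be pointed at a Secret managed outside the chart, and credentials end up being supplied through values, which Helm also keeps in the release record. `$s3SecretName` is assigned straight from `$defaultS3Secret`, which is never empty, so the `fail` guard below it cannot trigger. I would let the name be overridden, e.g. `{{- $s3SecretName := default $defaultS3Secret $s3.existingSecret -}}` (`existingSecret` being a new value the chart would have to add), and do the same for `bootstrap.initdb.secret.name`. The leading `#{{- $cnpg := .Values.cnpg -}}` is still evaluated by the template engine even though it sits behind a YAML comment marker; delete the line rather than commenting it out.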
@@ -0,0 +1,10 @@
+{{- if and .Values.enabled .Values.postgresAuth.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-cnpg-app-creds" .Release.Name | trunc 63 | trimSuffix "-" | quote }}
+type: {{ .Values.postgresAuth.type | default "kubernetes.io/basic-auth" }}
+stringData:
+ username: {{ .Values.postgresAuth.username | quote }}
+ password: {{ .Values.postgresAuth.password | quote }}
+{{- end }}
diff --git a/charts/cnpg/templates/secret-s3.yaml b/charts/cnpg/templates/secret-s3.yaml
new file mode 100644
index 0000000..6ec71ab
--- /dev/null
+++ b/charts/cnpg/templates/secret-s3.yaml
@@ -0,0 +1,11 @@
+{{- $s3 := .Values.backup.barmanObjectStore.s3Credentials -}}
+{{- if and .Values.enabled .Values.backup.enabled ($s3.create) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-cnpg-s3-creds" .Release.Name | trunc 63 | trimSuffix "-" | quote }}
+type: Opaque
+stringData:
+ {{ default "S3_ACCESS_KEY" $s3.accessKeyKey }}: {{ required "accessKeyValue required when create=true" $s3.accessKeyValue | quote }}
+ {{ default "S3_SECRET_KEY" $s3.secretKeyKey }}: {{ required "secretKeyValue required when create=true" $s3.secretKeyValue | quote }}
+{{- end }}
diff --git a/charts/cnpg/values.yaml b/charts/cnpg/values.yaml
new file mode 100644
index 0000000..b000cd1
--- /dev/null
+++ b/charts/cnpg/values.yaml
@@ -0,0 +1,53 @@ +enabled: true + +superuser: + enabled: true + +cluster: + imageName: ghcr.io/cloudnative-pg/postgresql:16.8-13-bullseye + instances: 3 + storage: + size: 5Gi + storageClass: standard + walStorage: + size: 2Gi + storageClass: standard + resources: + requests: + cpu: "500m" + memory: "1Gi" + limits: + cpu: "2" + memory: "4Gi" + +postgresAuth: + create: true + username: cnpg + password: P@ssw0rd123 + +backup: + enabled: true + retentionPolicy: "7d" + barmanObjectStore: + destinationPath: s3://postgres-backups/ + endpointURL: https://opsta.in.th/buckets/ + s3Credentials: + create: true + accessKeyValue: accesskey + secretKeyValue: secretkey + compression: + data: gzip + wal: gzip + +scheduledBackup: + enabled: true + schedule: "0 0 * * *" + backupOwnerReference: self + immediate: true + +bootstrap: + enabled: true + initdb: + database: cnpg + owner: cnpg + diff --git a/charts/onechart/Chart.yaml b/charts/onechart/Chart.yaml index 4731cea..a441002 100644 --- a/charts/onechart/Chart.yaml +++ b/charts/onechart/Chart.yaml @@ -21,3 +21,7 @@ dependencies: - name: common version: 0.9.0 repository: file://../common + + - name: cnpg + version: 0.1.0 + repository: file://../cnpg diff --git a/values.yaml b/values.yaml index 1451640..43980da 100644 --- a/values.yaml +++ b/values.yaml @@ -30,3 +30,31 @@ probe: podSpec: hostNetwork: true + +cnpg: + enabled: false + + cluster: + instances: 3 + storage: + size: 5Gi + storageClass: external-nfs + walStorage: + size: 2Gi + storageClass: external-nfs + + postgresAuth: + username: + password: + + backup: + retentionPolicy: "7d" + barmanObjectStore: + endpointURL: https://seaweedfs-admin.mea-poc.opsta.in.th/buckets/ + s3Credentials: + accessKeyValue: + secretKeyValue: + bootstrap: + initdb: + database: cnpg + owner: cnpg \ No newline at end of file From c45cfcfa3cdb87507a1438a07f00de900568143c Mon Sep 17 00:00:00 2001 
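Review bot: In charts/cnpg/values.yaml, `superuser.enabled: true` as the chart default switches on `enableSuperuserAccess` in cluster.yaml and creates a `postgres` password Secret on every install; that is a privileged network login most workloads never need, so I would default it to `false` and let operators opt in. Separately, `schedule: "0 0 * * *"` has five fields, while the CloudNativePG ScheduledBackup schedule carries a leading seconds field as far as I know, so this value probably does not mean "daily at midnight"; `schedule: "0 0 0 * * *"` would, and a comment above the key naming the six-field format would keep the next editor from reverting it.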
From: 2ubyz Date: Fri, 27 Mar 2026 17:20:48 +0700 Subject: [PATCH 2/5] Add CNPG Dependency --- charts/onechart/Chart.lock | 7 +++++-- charts/onechart/charts/cnpg-0.1.0.tgz | Bin 0 -> 1715 bytes charts/onechart/charts/common-0.9.0.tgz | Bin 3215 -> 3214 bytes 3 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 charts/onechart/charts/cnpg-0.1.0.tgz diff --git a/charts/onechart/Chart.lock b/charts/onechart/Chart.lock index 35869c1..ba294ab 100644 --- a/charts/onechart/Chart.lock +++ b/charts/onechart/Chart.lock @@ -2,5 +2,8 @@ dependencies: - name: common repository: file://../common version: 0.9.0 -digest: sha256:c691781bff5490003ec6b84de1a1f71ab89d193325e5f5fe1c83b8c1398e2273 -generated: "2026-02-09T14:47:43.892718793+07:00" +- name: cnpg + repository: file://../cnpg + version: 0.1.0 +digest: sha256:31c485857050d6ca5163882dcea296372d4b86d751ba56579102dde793cbeddd +generated: "2026-03-27T17:18:51.484489+07:00" 
diff --git a/charts/onechart/charts/cnpg-0.1.0.tgz b/charts/onechart/charts/cnpg-0.1.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..fe432a48c8efa4c2fa7c4609a246006869e426e2 GIT binary patch literal 1715 zcmV;k22A-MiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI;`Z{xTT&$B+oz`X*S0+J=mb`Am#xYQRciY>B1+%9lW2U;52 zY$Qq{Df_ZczI#Fa7cIxx#OrKPPaa~5Gvsi{`SC~6XUU>JSrRU-2NH#6-$QKMw#UO^ z_TRQ`{l7gJjL)2rGj@if;n*3S+0MXm?K7~yi#M92LK1#vzqv1caQ`Dh68Z(XpfU4c zAP6^+@f*c592goMA8+S z$)cYW=x`r;&e;0dbX;?mhM~X*RQ60r!h94SxCVfbF((UDEdvPp6+IYzqo-;j;_bCcllmPrB^`JMh?Wk9Li7<-!g9kn5Bh9~s zG@`o2U`u_d)QvI>m#JJT3!fvASVR;+MY@5400|Ld9rM70n_q=k+dOavu3^lGf0riP zbD{x7@1qc(@ZpOB9j_?g z;X_d`(B~-Y`n+7$`*DFk0sDubB^M(OU1hB7^K@fTI~ zlUg6({Zc7pW%KFD$ZGQ>Y1S8CYK>T^>O#}nf~8thxVd61tQMBk8UfBp8p^3V%`ic! zC!8`lhu&X>sXQ}@XqwLF^iSxSy{vts^dWCL zvr*pYU1qvP%m@prag}lVz+%~M=DhNMPG|_dw!tq7B4CzEn7RejWi&b4r@|EmfKehJ z;6uvr&jfvm!FjJ}Q314?D5J^Y>wPzyDz!7O9OI6%z=KJi+(v|wWT;tj^36t%x~Drh znBq8mh5UNgI?G#s_3G;6d70O-u(XP8%NFY^tr{PO{af+y86ARny{*FKH=5`)O_-?)H$Y8+1V*R#|SNNB1?rGtG1vw3}?)qaB=ox2`6h@v_o_ z;&4)K3-7%iPjXz*@ju&_O%gA z!h*{%S(58Cf}fimH$d~f=kP7ko&Sf*{9N|szsh-?{|!#>|3{G*-SeLzI5Djqy3t`&karchXJXRoa7`YImyB0zX1RM|No*D J0L}m|004U27t{?U>7ztidX|984a2ameFZohlfJL-3Pk2>9hqkjJp zbiM&EHOizS;!)?T`|=0(K!~LD0}4qw8^G)!h*3s@rpi2@z^|B0A<}<)14dlHZ`lw9 zLxnP6WQqf@yC+arDGnf^LqWtL z#^7L;{P&K#p8WTEhle})-v(V@w;{$6We6?17s7G_s5EIo`}Q`_rRWI44TBNZk>DVVFfp79+GKm`vLS#X?)A1tHu3qbx?I;7C`u zJnCwKurb2kXS{j_doz;2;OE-FbqA&h+};|VOu-xYE91&=qZ@xh7BBdzr}VxTeol?@ zuLxx*wk7`u{lmKa_qsdz-v%|y|9k@!^4}o2OGQ>%QxCE2wjw8(Bo-^$(2o4n>OU z)Qudh-?bfl<-wcyRPZ5&$jC53lP{3Ol%bSoI!8~Lo{WEAP}y@JC2CTc2it&7E;w0h zs$?`lJ>Fm6zt7pdplaf^D^V%R#_i# zv1xGky+Fw`5orM(GcM4s{yfc*l||)$r&F5mUV(pQD3zluc+gZ<&WrjAgD)-1o4L!l z?awXYf5U(IpGn21FKL3O8@dUs)c<>Z@BBaR9q!Kmtx(hX->?BHH-YM*Fyl!!MMu`P z4321mxiaugZV5l7f-*IN)(^7%gKWWGRR=L=(vzm!!(Q|CA@5xSp~L(DZVK5p=|)#! 
z%148WKm&Z|O20#O`A0T;Dfsjqjy81xSRw!2e*J&`-#^;j|F=R7^6zW_-vGb`{N(?0 z@5WEcM~RU@^}=c_Po6kRKS?k?H@VVH)(LNn)aGe;Nu|~!3Y?Jjym>>0$vNYLMdk{v zwMKbc?{H*K|1Y*ncrso^MW4TU_jZ^~eOI(-0B&rsB(ZtkENk1@%B!3Is@?Ui^us#->r>8-X-oLu z>2-Yluh;MG@P8}Rfd9@0Sfcior3zE9)#_}bukl$I(c6^#m0`2Gw}wJ@XMJv=Jy*Iy z+ic4n_K%Q756YPP1yq;+2_`8Dsn>o(eXM_!|AQl6{yY8NPX4z+*Vp?`VMeC|kf=Zl zwU*SMr+QkV2@c@tzP{e*V!^3EeSDS27N`kP5D^ALgiK-#L^@7l$ju){WS;?Hrhv?b zF`p93^uq-vN$~Lk{{7E?!S6&-1_>&KLOz3-j;WH*AY(BK8F7K|vn4Qzi#h%C;!`^ z29e1(K;`hSSbGcaiK77cX@jZ%q>QT5++6ODIG?LZ8GjmTmo3-nWq#)_E=9)1b5#`by;okMb31Fj8olA_ zOrS)jTCTa;zh(JX|Gm1^yR`8+PB82FDI8&%+EzKMd&6v|@rV`We0SLGEfjxUVcCT> zHNMs>;h65{3SQkF3E=W;j1?0i&jcFSmJ=c{ZntteMHSs0wyd@fD>TN4 zh?;A3J$HF~UVZVJ-_d>E_t3<}Guzc-A9`NE;!S0jdL`D7f4|Bq7+BDQ<0M}sME9`) zT&qxHGj0n_=P2Vbo@0WM;%4u-&;E(mbg)&;Qe2c1m!gkJl=7~J;2M(j%w6!|C?>{?)PX7|KDNF{&RHL+u47%LQVI-S+u6V--*)E+I8t| zN(h}os6kI_%Z^7q#A&Loo>RAQ?uY`id4wd2QwnW z^m?Xgho8IJrAx$5XVD2`T$NZ1K+1%=vhP(`qLM%$Q;c*AB#KbV*ZKq>1f`x;CcD?f zcSzztw2J;#AEH%mrQ(8&^(4tTuWm|tZLXKA9Cwv~Ek6#cXmj2a{ky_m_ZRA0+M3Pr z_bpQoiR$=oy_$b7H|PaiiT_<6|NF=No&9es)PVoB4Y1@e@XN|?g4si=m1nB&gZr~C zNzw`F7T(6v2fqdIt^u^2fVn#{bQz73Oez%Z3mW49T1sTtDsUNDB(740@$(|?tT1Ga zjE7PmneshoHX-YA?qTN>;Dw#WkhQ+oOa zg}pyog#Vk209l3q-QzxW+k)OVftI$rPK`k_%1{u_@cu^!J&oB*rhe-00ief;ltcJ`mGP$T|VHo&5n!0Vpz zg{GGCO3`M}U)=21fPc(=Pw#h6b@}%_U|$aaE9C#+u-B{I|BsG#^1lsgkpD&(=#rN} zJi~D19T3kt;JgRo#1Gfs>Ui0dX#+NFvbnn&rm8U^Yn!VV1$)$7_?7$Vk^qpxP?`2R|C*$?tk)^QAQ7rMf{RKg{m3Pt?VRep4g-d##o<9%Z+QH#O zqAgu>TbExxv408m_X-!*X>8e!(}@8UScCzV=v!^MTBp*i`zro&J~#Eky~jWi1~AXe zpY#69kCo&(USw^)P(`-7N}bckzFJnPUoFrSgX?^^BW(%<7H!U-l*`<aCLXY8$D20MaP#or8*1DJ=gJDLK zn6fdXB>GIoD8t|}yq{1BGE423;A}YmIN?JZvrXCf83;^>qBAt-x|2>=96SbwW8*~A z`UH;XC4a^?Jo$f~grF~Wz?rG3S<)vnB$QzogwM}EohvRdcnqgz%fg4#bBL*sK{%#r z-~6@g2jTE0gvF?=9`@=U_3=PzUsrh@;8kqSZ@BiXmb1t0%22xl_lG4AiMbw@ke(f3UM2><~9 M|DUTS8314a08lJOA^-pY delta 3123 zcmV-349xS68IKu|P62I^PZ@uw*(3+&9nKq`CpjQ#Nfaf2q;;M4zymb3_&NNTABQs| zMSM2n?C@+#gbJ_7EP1ef>U27t{>h2?ztidX|9844M-RHa?n(c+cQP1sA9T7$Cxhb$ 
z(D@3y)F_jRhzFf7?#mzCcS0nk?@&m}*%0POL5wmIG*#yL6n@2I29bZ>8!+Yqe#=HE z7%G$jBQqR=-93T2N^uAY9SI_?f_dIvC;Y##6WsR*_q2)@@~?1~CPbk;{19- zw+096kdp2xV<$znSwX)SH_j$MmK+iEMD?cPw9Ox{DK`MNR`p0$o@AdcczYA)X|HTF<~T+McHA0;b^hwq@Hs z&ywVvCp5aUxKe*5h?VKZPd&u8+lriGl31*0Lp$=b^A?&hBjrNLeAeg~ z7*|D2lb1Ja7iOwdYGAKex^phnu-c!KV`~GXf-4^JWC(B1&KJF5A~A=!91K@l{60dNO~0L1oW@l&EQC9&7_Tx!`1@ zsgltY^>}}M`!;9ylB%iKu0*9Mo5*q)`Ih%LcWsc(<4x!si_y8`u4JqqcD0@D55L;} z)~3PT_W~u)M5G0D!ni=Y`inG2R+g3joz7^!djCJWVLBR0w@+-M@U z#f*Qm2$lV?emV-{O~XnYtXqm&x1}j*3>4$av*QcBv(~j`J z)9d*9U$5Wam0soy1utM!COBJSItJT>=U*oebqSq<;E5l}WZv%zy&idR^d#-ea zw%L|D>YpHszAIzyXHZ@KrO>qd15B2p%7Yoh=>f@_Cwm?mZf`~8}A!HI`AkuLXLvH>sBKrggGX-Qe ziusICrXMabNrLy6@b7>A3w|exGDuJ<6!HngbV8MU0vU@@$cPJsA3yvEVetMBQ=ES! z35+rY?=K+?44VyL=AN+@$Uxu(KfS>;ArYP?3AEn7|KopK5JIcnf*TMv2U;Imi0PKU|0$0zQjE4346;W4d)-d${@3lF?B#zK z)F3kX2B;kV6>D$dJ#iEOKW$j`AXtC1NY!t!$`HDl2T8NK+KE(C*~Oejcp61KW6E~q zro5`(1^fyQlax_)mYd7{5$AJNDdSH=?Xu-Mz0B|2#ihu^c&>^VHtTdY3jn#|dUVKZPSqQ`;(Mb#Iu>G#;^{obL|1y@h|GD=fRP zrpA|gB^=ZJLcy!sBLQ4~jj>`%nntNU9LQoZh1}FMWq*r!-r*2#U@Z8| z@KbbBwxXMup_t(7If_d`6?%VN)Z9+_MOxpO?J%9zmTkv1`?wbFv8I*Na%JmHh8-wb&d?P&l9*`+u*ym;YT*gZwwTKv%p3 z;u(f3?|^vL0p~psCw{p8R>$+EOdGIalg-`LFjb8S+1OmYEZC#w!mr#fzTXpf&~TU!!(^?r$7*T6X?# z>F77K=KMeI)Z>2#-Tn99c0xG|^zt{ogs zB-+w7w{`jD6Ptfff3I+9oyL~!IGq?!fkhZ#iN4jAt92^Py07A|=5t#w+f zUspQxtKG>#;tghn772}_aYyBG<@Vc{@mk2+XDWs};pTtNO5bV`-MHT+D%+R!x>hN= z?*nL0_eu->FPvgBv)@VDejn@XzrADM{&O_w?7#oB6M6{eL@5+Zg5t3FvexAk8H_TT z#FR}SCDBJRK^X=Q;q8=4kXdTK1ZTtfCkY?fm~F}?Pe5Qo6rH0v*PV32;@}}LoERsX z)+caGKVg4t!;}B#Q3(2C2b`Ijnk9WQLqZvbLHP9I!-e7kgNJZtwk*6myMUMq8H5w6 z4$WW7eh`lS7Ki3Oc9ToU_BSp%IBbW~q7iRR)hkd6@=}!x8xyJPy@N|K@^D zg2(>|9>O~!D9I2Tlci5J$=jcp8x;= N|Ns3v{;2?9008zTLcRb1 From 8952d096b9cd58791ca78a540d10df131e8c3786 Mon Sep 17 00:00:00 2001 From: 2ubyz Date: Fri, 3 Apr 2026 14:38:31 +0700 Subject: [PATCH 3/5] remove hardcode credential --- charts/cnpg/values.yaml | 8 ++++---- values.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/charts/cnpg/values.yaml b/charts/cnpg/values.yaml index b000cd1..f78901b 100644 --- a/charts/cnpg/values.yaml +++ b/charts/cnpg/values.yaml @@ -22,8 +22,8 @@ cluster: postgresAuth: create: true - username: cnpg - password: P@ssw0rd123 + username: + password: backup: enabled: true @@ -33,8 +33,8 @@ backup: endpointURL: https://opsta.in.th/buckets/ s3Credentials: create: true - accessKeyValue: accesskey - secretKeyValue: secretkey + accessKeyValue: + secretKeyValue: compression: data: gzip wal: gzip diff --git a/values.yaml b/values.yaml index 43980da..13b8a1c 100644 --- a/values.yaml +++ b/values.yaml @@ -57,4 +57,4 @@ cnpg: bootstrap: initdb: database: cnpg - owner: cnpg \ No newline at end of file + owner: cnpg From d12b7c35583f2af5e66f181d1d7cae978825bde9 Mon Sep 17 00:00:00 2001 From: 2ubyz Date: Fri, 3 Apr 2026 15:02:44 +0700 Subject: [PATCH 4/5] edit cnpg/chart.yaml & add random password for user postgres --- charts/cnpg/Chart.yaml | 2 +- charts/cnpg/templates/secret-postgres.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/cnpg/Chart.yaml b/charts/cnpg/Chart.yaml index 1d5c959..ea43ae7 100644 --- a/charts/cnpg/Chart.yaml +++ b/charts/cnpg/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -description: CNPG (China Postgres) +description: Cloud Native Postgres name: cnpg version: 0.1.0 appVersion: 0.1.0 diff --git a/charts/cnpg/templates/secret-postgres.yaml b/charts/cnpg/templates/secret-postgres.yaml index ccab927..ec8a18e 100644 --- a/charts/cnpg/templates/secret-postgres.yaml +++ b/charts/cnpg/templates/secret-postgres.yaml @@ -6,5 +6,5 @@ metadata: type: {{ .Values.postgresAuth.type | default "kubernetes.io/basic-auth" }} stringData: username: {{ .Values.postgresAuth.username | quote }} - password: {{ .Values.postgresAuth.password | quote }} + password: {{ default (randAlphaNum 8) .Values.postgresAuth.password | quote }} {{- end }} From d57719c53f6fdba2fad15fd5280dbfdf2d65a45d Mon Sep 17 00:00:00 2001 
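Review bot: In the first charts/cnpg/values.yaml hunk of patch 3/5, blanking `postgresAuth.username` while `postgresAuth.create` stays `true` means secret-postgres.yaml renders `username: {{ .Values.postgresAuth.username | quote }}` from an unset value, so a default install gets a basic-auth Secret without a usable username even though `bootstrap.initdb.owner` is still `cnpg`. Either keep a non-secret default for the username or make the template fail early, e.g. `username: {{ required "postgresAuth.username is required" .Values.postgresAuth.username | quote }}`. The second hunk has a related effect: with `s3Credentials.create: true` and empty key values, the `required` calls in secret-s3.yaml abort rendering for anyone who has not overridden them. The sample values removed here also remain readable in patch 1/5 of this series, so squash before merging and rotate them if they were ever used on a real instance.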
From: 2ubyz
Date: Fri, 3 Apr 2026 15:52:04 +0700
Subject: [PATCH 5/5] add lookup for secret postgres
---
 charts/cnpg/templates/secret-admin-postgres.yaml | 12 ++++++++++--
 charts/cnpg/templates/secret-postgres.yaml | 12 ++++++++++--
 charts/cnpg/values.yaml | 2 +-
 3 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/charts/cnpg/templates/secret-admin-postgres.yaml b/charts/cnpg/templates/secret-admin-postgres.yaml
index b92a334..768c62d 100644
--- a/charts/cnpg/templates/secret-admin-postgres.yaml
+++ b/charts/cnpg/templates/secret-admin-postgres.yaml
@@ -1,10 +1,18 @@
 {{- if and .Values.enabled .Values.superuser.enabled }}
+{{- $secretName := printf "%s-cnpg-superuser-secret" .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ printf "%s-cnpg-superuser-secret" .Release.Name | trunc 63 | trimSuffix "-" | quote }}
+ name: {{ $secretName | quote }}
 type: {{ default "kubernetes.io/basic-auth" }}
 stringData:
 username: postgres
- password: {{ randAlphaNum 8 | quote }}
+ password: {{- if .Values.superuser.password }}
+ {{ .Values.superuser.password | quote }}
+ {{- else if $existing }}
+ {{ index $existing.data "password" | b64dec | quote }}
+ {{- else }}
+ {{ randAlphaNum 32 | quote }}
+ {{- end }}
 {{- end }}
diff --git a/charts/cnpg/templates/secret-postgres.yaml b/charts/cnpg/templates/secret-postgres.yaml
index ec8a18e..f08ba04 100644
--- a/charts/cnpg/templates/secret-postgres.yaml
+++ b/charts/cnpg/templates/secret-postgres.yaml
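Review bot: In secret-admin-postgres.yaml the `lookup` fallback only helps when Helm can reach the cluster: under `helm template`, a client-side `--dry-run`, or a GitOps tool that renders charts that way, `lookup` returns an empty result, so the `else` branch produces a fresh `randAlphaNum 32` value on every render and the Secret drifts away from the password the database was initialised with. The `else if $existing` branch also assumes the found Secret carries a `password` key; a guard such as `{{- else if and $existing (hasKey $existing.data "password") }}` avoids a render error on a Secret that was created by hand with different keys. `superuser.password` is read here but is not declared in charts/cnpg/values.yaml, so add it there (empty) with a comment describing the precedence: explicit value, then existing Secret, then generated. The secret-postgres.yaml hunk of this patch has the same structure and the same caveats.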
@@ -1,10 +1,18 @@
 {{- if and .Values.enabled .Values.postgresAuth.create }}
+{{- $secretName := printf "%s-cnpg-app-creds" .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ printf "%s-cnpg-app-creds" .Release.Name | trunc 63 | trimSuffix "-" | quote }}
+ name: {{ $secretName | quote }}
 type: {{ .Values.postgresAuth.type | default "kubernetes.io/basic-auth" }}
 stringData:
 username: {{ .Values.postgresAuth.username | quote }}
- password: {{ default (randAlphaNum 8) .Values.postgresAuth.password | quote }}
+ password: {{- if .Values.postgresAuth.password }}
+ {{ .Values.postgresAuth.password | quote }}
+ {{- else if $existing }}
+ {{ index $existing.data "password" | b64dec | quote }}
+ {{- else }}
+ {{ randAlphaNum 32 | quote }}
+ {{- end }}
 {{- end }}
diff --git a/charts/cnpg/values.yaml b/charts/cnpg/values.yaml
index f78901b..7a3879a 100644
--- a/charts/cnpg/values.yaml
+++ b/charts/cnpg/values.yaml
@@ -32,7 +32,7 @@ backup:
 destinationPath: s3://postgres-backups/
 endpointURL: https://opsta.in.th/buckets/
 s3Credentials:
- create: true
+ create: false
 accessKeyValue:
 secretKeyValue:
 compression:
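Review bot: In the charts/cnpg/values.yaml hunk, switching `s3Credentials.create` to `false` while `backup.enabled` and `scheduledBackup.enabled` both remain `true` leaves the Cluster pointing at `<release>-cnpg-s3-creds` with nothing in the chart creating it, so backups and WAL archiving will presumably fail until someone creates that Secret by hand under exactly that name with the `S3_ACCESS_KEY` and `S3_SECRET_KEY` keys. Keeping credentials out of values is the right direction; I would document the expected Secret name and keys in a comment above `create:` and default `backup.enabled` and `scheduledBackup.enabled` to `false`, so a stock install does not ship with backups that quietly never run. The enclosing `backup:` mapping starts above this hunk.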