236 lines
13 KiB
YAML
236 lines
13 KiB
YAML
{{- /*
|
|
Copyright Broadcom, Inc. All Rights Reserved.
|
|
SPDX-License-Identifier: APACHE-2.0
|
|
*/}}
|
|
|
|
{{- if .Values.passwordUpdateJob.enabled }}
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: {{ printf "%s-password-update" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
|
namespace: {{ include "common.names.namespace" . | quote }}
|
|
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
|
app.kubernetes.io/part-of: postgresql
|
|
app.kubernetes.io/component: update-job
|
|
{{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }}
|
|
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.passwordUpdateJob.annotations .Values.commonAnnotations $defaultAnnotations ) "context" . ) }}
|
|
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
|
|
spec:
|
|
backoffLimit: {{ .Values.passwordUpdateJob.backoffLimit }}
|
|
template:
|
|
metadata:
|
|
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.passwordUpdateJob.podLabels .Values.commonLabels ) "context" . ) }}
|
|
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
|
|
app.kubernetes.io/part-of: postgresql
|
|
app.kubernetes.io/component: update-job
|
|
{{- if .Values.passwordUpdateJob.podAnnotations }}
|
|
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.podAnnotations "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
|
|
restartPolicy: OnFailure
|
|
{{- if .Values.passwordUpdateJob.podSecurityContext.enabled }}
|
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.passwordUpdateJob.podSecurityContext "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
automountServiceAccountToken: {{ .Values.passwordUpdateJob.automountServiceAccountToken }}
|
|
{{- if .Values.passwordUpdateJob.hostAliases }}
|
|
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.hostAliases "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
initContainers:
|
|
{{- if .Values.passwordUpdateJob.initContainers }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.initContainers "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
containers:
|
|
- name: update-credentials
|
|
image: {{ template "postgresql.v1.image" . }}
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
{{- if .Values.passwordUpdateJob.command }}
|
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.command "context" $) | nindent 12 }}
|
|
{{- else }}
|
|
command:
|
|
- /bin/bash
|
|
- -ec
|
|
{{- end }}
|
|
{{- if .Values.passwordUpdateJob.args }}
|
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.args "context" $) | nindent 12 }}
|
|
{{- else }}
|
|
args:
|
|
- |
|
|
{{- $customUser := include "postgresql.v1.username" . }}
|
|
{{- $customDatabase := include "postgresql.v1.database" . | default "postgres" }}
|
|
{{- if .Values.auth.usePasswordFiles }}
|
|
# We need to load all the secret env vars to the system
|
|
for file in $(find /bitnami/postgresql/secrets -type f); do
|
|
env_var_name="$(basename $file)"
|
|
echo "Exporting $env_var_name"
|
|
export $env_var_name="$(< $file)"
|
|
done
|
|
{{- end }}
|
|
|
|
. /opt/bitnami/scripts/postgresql-env.sh
|
|
. /opt/bitnami/scripts/libpostgresql.sh
|
|
. /opt/bitnami/scripts/liblog.sh
|
|
|
|
primary_host={{ include "postgresql.v1.primary.fullname" . }}-0.{{ include "postgresql.v1.primary.svc.headless" . }}
|
|
info "Starting password update job"
|
|
{{- if .Values.auth.enablePostgresUser }}
|
|
if [[ -f /job-status/postgres-password-changed ]]; then
|
|
info "Postgres password already updated. Skipping"
|
|
else
|
|
info "Updating postgres password"
|
|
echo "ALTER USER postgres WITH PASSWORD '$POSTGRESQL_NEW_POSTGRES_PASSWORD';" | postgresql_remote_execute $primary_host {{ .Values.containerPorts.postgresql }} "" postgres $POSTGRESQL_PREVIOUS_POSTGRES_PASSWORD
|
|
touch /job-status/postgres-password-changed
|
|
info "Postgres password successfully updated"
|
|
fi
|
|
{{- end }}
|
|
{{- if and (not (empty $customUser)) (ne $customUser "postgres") }}
|
|
if [[ -f /job-status/password-changed ]]; then
|
|
info "User password already updated. Skipping"
|
|
else
|
|
info "Updating user password"
|
|
echo "ALTER USER {{ $customUser }} WITH PASSWORD '$POSTGRESQL_NEW_PASSWORD';" | postgresql_remote_execute $primary_host {{ .Values.containerPorts.postgresql }} "{{ $customDatabase }}" $POSTGRESQL_USER $POSTGRESQL_PREVIOUS_PASSWORD
|
|
touch /job-status/password-changed
|
|
info "User password successfully updated"
|
|
fi
|
|
{{- end }}
|
|
{{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }}
|
|
if [[ -f /job-status/replication-password-changed ]]; then
|
|
info "Replication password already updated. Skipping"
|
|
else
|
|
info "Updating replication password"
|
|
echo "ALTER USER $POSTGRESQL_REPLICATION_USER WITH PASSWORD '$POSTGRESQL_NEW_REPLICATION_PASSWORD';" | postgresql_remote_execute $primary_host {{ .Values.containerPorts.postgresql }} "{{ $customDatabase }}" $POSTGRESQL_REPLICATION_USER $POSTGRESQL_PREVIOUS_REPLICATION_PASSWORD
|
|
touch /job-status/replication-password-changed
|
|
info "Replication password successfully updated"
|
|
fi
|
|
{{- end }}
|
|
{{- if .Values.passwordUpdateJob.extraCommands }}
|
|
info "Running extra commmands"
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraCommands "context" $) | nindent 14 }}
|
|
{{- end }}
|
|
info "Password update job finished successfully"
|
|
{{- end }}
|
|
env:
|
|
- name: BITNAMI_DEBUG
|
|
value: {{ ternary "true" "false" .Values.image.debug | quote }}
|
|
{{- if not .Values.auth.usePasswordFiles }}
|
|
- name: POSTGRESQL_PREVIOUS_POSTGRES_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ template "postgresql.v1.update-job.previousSecretName" . }}
|
|
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
|
- name: POSTGRESQL_NEW_POSTGRES_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ template "postgresql.v1.update-job.newSecretName" . }}
|
|
key: {{ include "postgresql.v1.adminPasswordKey" . }}
|
|
{{- end }}
|
|
{{- if not (empty .Values.auth.username) }}
|
|
- name: POSTGRESQL_USER
|
|
value: {{ .Values.auth.username | quote }}
|
|
{{- if not .Values.auth.usePasswordFiles }}
|
|
- name: POSTGRESQL_PREVIOUS_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ template "postgresql.v1.update-job.previousSecretName" . }}
|
|
key: {{ include "postgresql.v1.userPasswordKey" . }}
|
|
- name: POSTGRESQL_NEW_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ template "postgresql.v1.update-job.newSecretName" . }}
|
|
key: {{ include "postgresql.v1.userPasswordKey" . }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if eq .Values.architecture "replication" }}
|
|
- name: POSTGRESQL_REPLICATION_USER
|
|
value: {{ .Values.auth.replicationUsername | quote }}
|
|
{{- if not .Values.auth.usePasswordFiles }}
|
|
- name: POSTGRESQL_PREVIOUS_REPLICATION_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ template "postgresql.v1.update-job.previousSecretName" . }}
|
|
key: {{ include "postgresql.v1.replicationPasswordKey" . }}
|
|
- name: POSTGRESQL_NEW_REPLICATION_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ template "postgresql.v1.update-job.newSecretName" . }}
|
|
key: {{ include "postgresql.v1.replicationPasswordKey" . }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.passwordUpdateJob.extraEnvVars }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraEnvVars "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if or .Values.passwordUpdateJob.extraEnvVarsCM .Values.passwordUpdateJob.extraEnvVarsSecret }}
|
|
envFrom:
|
|
{{- if .Values.passwordUpdateJob.extraEnvVarsCM }}
|
|
- configMapRef:
|
|
name: {{ .Values.passwordUpdateJob.extraEnvVarsCM }}
|
|
{{- end }}
|
|
{{- if .Values.passwordUpdateJob.extraEnvVarsSecret }}
|
|
- secretRef:
|
|
name: {{ .Values.passwordUpdateJob.extraEnvVarsSecret }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.passwordUpdateJob.containerSecurityContext.enabled }}
|
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.passwordUpdateJob.containerSecurityContext "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.passwordUpdateJob.customLivenessProbe }}
|
|
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customLivenessProbe "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.passwordUpdateJob.customReadinessProbe }}
|
|
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customReadinessProbe "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.passwordUpdateJob.customStartupProbe }}
|
|
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customStartupProbe "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
volumeMounts:
|
|
- name: empty-dir
|
|
mountPath: /job-status
|
|
subPath: job-dir
|
|
{{- if .Values.auth.usePasswordFiles }}
|
|
- name: postgresql-previous-credentials
|
|
mountPath: /bitnami/postgresql/secrets/previous
|
|
- name: postgresql-new-credentials
|
|
mountPath: /bitnami/postgresql/secrets/new
|
|
{{- end }}
|
|
{{- if .Values.passwordUpdateJob.extraVolumeMounts }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraVolumeMounts "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.passwordUpdateJob.resources }}
|
|
resources: {{- toYaml .Values.passwordUpdateJob.resources | nindent 12 }}
|
|
{{- else if ne .Values.passwordUpdateJob.resourcesPreset "none" }}
|
|
resources: {{- include "common.resources.preset" (dict "type" .Values.passwordUpdateJob.resourcesPreset) | nindent 12 }}
|
|
{{- end }}
|
|
volumes:
|
|
- name: empty-dir
|
|
emptyDir: {}
|
|
{{- if .Values.auth.usePasswordFiles }}
|
|
- name: postgresql-previous-credentials
|
|
secret:
|
|
secretName: {{ template "postgresql.update-job.previousSecretName" . }}
|
|
items:
|
|
- key: postgresql-root-password
|
|
path: POSTGRESQL_PREVIOUS_POSTGRES_PASSWORD
|
|
- key: postgresql-password
|
|
path: POSTGRESQL_PREVIOUS_PASSWORD
|
|
{{- if eq .Values.architecture "replication" }}
|
|
- key: postgresql-replication-password
|
|
path: POSTGRESQL_PREVIOUS_REPLICATION_PASSWORD
|
|
{{- end }}
|
|
- name: postgresql-new-credentials
|
|
secret:
|
|
secretName: {{ template "postgresql.update-job.newSecretName" . }}
|
|
items:
|
|
- key: postgresql-root-password
|
|
path: POSTGRESQL_NEW_POSTGRES_PASSWORD
|
|
- key: postgresql-password
|
|
path: POSTGRESQL_NEW_PASSWORD
|
|
{{- if eq .Values.architecture "replication" }}
|
|
- key: postgresql-replication-password
|
|
path: POSTGRESQL_NEW_REPLICATION_PASSWORD
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.passwordUpdateJob.extraVolumes }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraVolumes "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
{{- end }}
|