(postgresql) set db admin password at startup

- Make the default to run the postgres database as the uid 999 which the default image maps to the 'postgres' user - If the database is already initialized, before starting postgres set the 'postgres' database user password to match the declared intended password Change-Id: I7b0ea7a86246b098f38ef4c03dd157731f61e066
2019-02-05 16:55:49 -06:00 · 2019-02-05 16:55:49 -06:00 · 4a505e213c
commit 4a505e213c
parent 2eb745d53a
3 changed files with 28 additions and 2 deletions
--- a/postgresql/templates/bin/_start.sh.tpl
+++ b/postgresql/templates/bin/_start.sh.tpl
@ -16,6 +16,25 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

-set -ex
+# Disable echo mode while setting the password
+# unless we are in debug mode
+{{- if .Values.conf.debug }}
+set -x
+{{- end }}
+set -e

-exec /docker-entrypoint.sh postgres -N {{ .Values.conf.postgresql.max_connections }} -B {{ .Values.conf.postgresql.shared_buffers }}
+POSTGRES_DB=${POSTGRES_DB:-"postgres"}
+
+# Check if the Postgres data directory exists before attempting to
+# set the password
+if [[ -d "$PGDATA" && -s "$PGDATA/PG_VERSION" ]]
+then
+  postgres --single -D "$PGDATA" "$POSTGRES_DB" <<EOF
+ALTER ROLE $POSTGRES_USER WITH PASSWORD '$POSTGRES_PASSWORD'
+EOF
+
+fi
+
+set -x
+
+exec /docker-entrypoint.sh postgres -N {{ .Values.conf.postgresql.max_connections | quote }} -B {{ .Values.conf.postgresql.shared_buffers | quote }}
--- a/postgresql/templates/statefulset.yaml
+++ b/postgresql/templates/statefulset.yaml
@ -40,6 +40,8 @@ spec:
 {{ tuple $envAll "postgresql" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
+      securityContext:
+{{ toYaml $envAll.Values.pod.security.server | indent 8 }}
      affinity:
 {{ tuple $envAll "postgresql" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@ -19,6 +19,10 @@
 release_group: null

 pod:
+  security:
+    server:
+      runAsUser: 999
+      allowPrivilegeEscalation: false
  affinity:
    anti:
      type:
@ -141,6 +145,7 @@ monitoring:
      scrape: true

 conf:
+  debug: false
  postgresql:
    max_connections: 100
    shared_buffers: 128MB