blob: fc7478081eb0a1fab1897a32a4db0a3e6f061c93 [file] [log] [blame] [view]
Giorgi Lekveishvili4ec4c022024-08-17 15:09:24 +04001<!--- app-name: PostgreSQL -->
2
3# PostgreSQL packaged by Bitnami
4
5PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures.
6
7[Overview of PostgreSQL](http://www.postgresql.org)
8
9Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
10
11## TL;DR
12
13```console
14helm install my-release oci://registry-1.docker.io/bitnamicharts/postgresql
15```
16
17## Introduction
18
19This chart bootstraps a [PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
20
21For HA, please see [this repo](https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha)
22
23Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
24
25## Prerequisites
26
27- Kubernetes 1.19+
28- Helm 3.2.0+
29- PV provisioner support in the underlying infrastructure
30
31## Installing the Chart
32
33To install the chart with the release name `my-release`:
34
35```console
36helm install my-release oci://registry-1.docker.io/bitnamicharts/postgresql
37```
38
39The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
40
41> **Tip**: List all releases using `helm list`
42
43## Uninstalling the Chart
44
45To uninstall/delete the `my-release` deployment:
46
47```console
48helm delete my-release
49```
50
51The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release.
52
53To delete the PVC's associated with `my-release`:
54
55```console
56kubectl delete pvc -l release=my-release
57```
58
59> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it.
60
61## Parameters
62
63### Global parameters
64
65| Name | Description | Value |
66| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
67| `global.imageRegistry` | Global Docker image registry | `""` |
68| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
69| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
70| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` |
71| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` |
72| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` |
73| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` |
74| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` |
75| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
76| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
77| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
78| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
79
80### Common parameters
81
82| Name | Description | Value |
83| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- |
84| `kubeVersion` | Override Kubernetes version | `""` |
85| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
86| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
87| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
88| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` |
89| `commonLabels` | Add labels to all the deployed resources | `{}` |
90| `commonAnnotations` | Add annotations to all the deployed resources | `{}` |
91| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
92| `diagnosticMode.command` | Command to override all containers in the statefulset | `["sleep"]` |
93| `diagnosticMode.args` | Args to override all containers in the statefulset | `["infinity"]` |
94
95### PostgreSQL common parameters
96
97| Name | Description | Value |
98| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
99| `image.registry` | PostgreSQL image registry | `docker.io` |
100| `image.repository` | PostgreSQL image repository | `bitnami/postgresql` |
101| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.3.0-debian-11-r7` |
102| `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
103| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` |
104| `image.pullSecrets` | Specify image pull secrets | `[]` |
105| `image.debug` | Specify if debug values should be set | `false` |
106| `auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` |
107| `auth.postgresPassword` | Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided | `""` |
108| `auth.username` | Name for a custom user to create | `""` |
109| `auth.password` | Password for the custom user to create. Ignored if `auth.existingSecret` is provided | `""` |
110| `auth.database` | Name for a custom database to create | `""` |
111| `auth.replicationUsername` | Name of the replication user | `repl_user` |
112| `auth.replicationPassword` | Password for the replication user. Ignored if `auth.existingSecret` is provided | `""` |
113| `auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""` |
114| `auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `postgres-password` |
115| `auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `password` |
116| `auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `replication-password` |
117| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` |
118| `architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
119| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` |
120| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. | `0` |
121| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` |
122| `containerPorts.postgresql` | PostgreSQL container port | `5432` |
123| `audit.logHostname` | Log client hostnames | `false` |
124| `audit.logConnections` | Add client log-in operations to the log file | `false` |
125| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` |
126| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `""` |
127| `audit.pgAuditLogCatalog` | Log catalog using pgAudit | `off` |
128| `audit.clientMinMessages` | Message log level to share with the user | `error` |
129| `audit.logLinePrefix` | Template for log line prefix (default if not set) | `""` |
130| `audit.logTimezone` | Timezone for the log timestamps | `""` |
131| `ldap.enabled` | Enable LDAP support | `false` |
132| `ldap.server` | IP address or name of the LDAP server. | `""` |
133| `ldap.port` | Port number on the LDAP server to connect to | `""` |
134| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `""` |
135| `ldap.suffix` | String to append to the user name when forming the DN to bind | `""` |
136| `ldap.basedn` | Root DN to begin the search for the user in | `""` |
137| `ldap.binddn` | DN of user to bind to LDAP | `""` |
138| `ldap.bindpw` | Password for the user to bind to LDAP | `""` |
139| `ldap.searchAttribute` | Attribute to match against the user name in the search | `""` |
140| `ldap.searchFilter` | The search filter to use when doing search+bind authentication | `""` |
141| `ldap.scheme` | Set to `ldaps` to use LDAPS | `""` |
142| `ldap.tls.enabled` | Se to true to enable TLS encryption | `false` |
143| `ldap.uri` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. | `""` |
144| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql/data` |
145| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` |
146| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) | `true` |
147| `shmVolume.sizeLimit` | Set this to enable a size limit on the shm tmpfs | `""` |
148| `tls.enabled` | Enable TLS traffic support | `false` |
149| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` |
150| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` |
151| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `""` |
152| `tls.certFilename` | Certificate filename | `""` |
153| `tls.certKeyFilename` | Certificate key filename | `""` |
154| `tls.certCAFilename` | CA Certificate filename | `""` |
155| `tls.crlFilename` | File containing a Certificate Revocation List | `""` |
156
157### PostgreSQL Primary parameters
158
159| Name | Description | Value |
160| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
161| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` |
162| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` |
163| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` |
164| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` |
165| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` |
166| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` |
167| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` |
168| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` |
169| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` |
170| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` |
171| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` |
172| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` |
173| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` |
174| `primary.standby.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` |
175| `primary.standby.primaryHost` | The Host of replication primary in the other cluster | `""` |
176| `primary.standby.primaryPort` | The Port of replication primary in the other cluster | `""` |
177| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` |
178| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` |
179| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` |
180| `primary.command` | Override default container command (useful when using custom images) | `[]` |
181| `primary.args` | Override default container args (useful when using custom images) | `[]` |
182| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` |
183| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
184| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
185| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
186| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
187| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
188| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` |
189| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
190| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
191| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
192| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
193| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
194| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers | `false` |
195| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
196| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
197| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
198| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
199| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
200| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
201| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
202| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
203| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` |
204| `primary.resources.limits` | The resources limits for the PostgreSQL Primary containers | `{}` |
205| `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` |
206| `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` |
207| `primary.podSecurityContext.enabled` | Enable security context | `true` |
208| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
209| `primary.containerSecurityContext.enabled` | Enable container security context | `true` |
210| `primary.containerSecurityContext.runAsUser` | User ID for the container | `1001` |
211| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` |
212| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` |
213| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` |
214| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` |
215| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` |
216| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` |
217| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` |
218| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
219| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
220| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
221| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` |
222| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` |
223| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` |
224| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` |
225| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` |
226| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
227| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` |
228| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
229| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` |
230| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` |
231| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` |
232| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` |
233| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` |
234| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` |
235| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` |
236| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` |
237| `primary.service.type` | Kubernetes Service type | `ClusterIP` |
238| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` |
239| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
240| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` |
241| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` |
242| `primary.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` |
243| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
244| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
245| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` |
246| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
247| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
248| `primary.service.headless.annotations` | Additional custom annotations for headless PostgreSQL primary service | `{}` |
249| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` |
250| `primary.persistence.existingClaim` | Name of an existing PVC to use | `""` |
251| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` |
252| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` |
253| `primary.persistence.storageClass` | PVC Storage Class for PostgreSQL Primary data volume | `""` |
254| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
255| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
256| `primary.persistence.annotations` | Annotations for the PVC | `{}` |
257| `primary.persistence.labels` | Labels for the PVC | `{}` |
258| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
259| `primary.persistence.dataSource` | Custom PVC data source | `{}` |
260
261### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`)
262
263| Name | Description | Value |
264| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- |
265| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` |
266| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` |
267| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` |
268| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` |
269| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` |
270| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` |
271| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` |
272| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` |
273| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` |
274| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
275| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
276| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
277| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
278| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
279| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` |
280| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
281| `readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
282| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
283| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
284| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
285| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` |
286| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
287| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
288| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
289| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
290| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
291| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
292| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
293| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
294| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` |
295| `readReplicas.resources.limits` | The resources limits for the PostgreSQL read only containers | `{}` |
296| `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` |
297| `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` |
298| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` |
299| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
300| `readReplicas.containerSecurityContext.enabled` | Enable container security context | `true` |
301| `readReplicas.containerSecurityContext.runAsUser` | User ID for the container | `1001` |
302| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` |
303| `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` |
304| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` |
305| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` |
306| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` |
307| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` |
308| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` |
309| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
310| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
311| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` |
312| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` |
313| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` |
314| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` |
315| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` |
316| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` |
317| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
318| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` |
319| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
320| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` |
321| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` |
322| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` |
323| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` |
324| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` |
325| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` |
326| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` |
327| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` |
328| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` |
329| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` |
330| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` |
331| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` |
332| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` |
333| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` |
334| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
335| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` |
336| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` |
337| `readReplicas.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
338| `readReplicas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
339| `readReplicas.service.headless.annotations` | Additional custom annotations for headless PostgreSQL read only service | `{}` |
340| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` |
341| `readReplicas.persistence.existingClaim` | Name of an existing PVC to use | `""` |
342| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` |
343| `readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` |
344| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` |
345| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
346| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
347| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` |
348| `readReplicas.persistence.labels` | Labels for the PVC | `{}` |
349| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
350| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` |
351
352### NetworkPolicy parameters
353
354| Name | Description | Value |
355| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
356| `networkPolicy.enabled` | Enable network policies | `false` |
357| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` |
358| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` |
359| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` |
360| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` |
361| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` |
362| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` |
363| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `[]` |
364| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` |
365| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}` |
366| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` |
367| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `[]` |
368| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` |
369| `networkPolicy.egressRules.customRules` | Custom network policy rule | `[]` |
370
371### Volume Permissions parameters
372
373| Name | Description | Value |
374| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
375| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` |
376| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
377| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` |
378| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r120` |
379| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
380| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
381| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
382| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
383| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
384| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` |
385
386### Other Parameters
387
388| Name | Description | Value |
389| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
390| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
391| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `false` |
392| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
393| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` |
394| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
395| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` |
396| `rbac.rules` | Custom RBAC rules to set | `[]` |
397| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
398
399### Metrics Parameters
400
401| Name | Description | Value |
402| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------------- |
403| `metrics.enabled` | Start a prometheus exporter | `false` |
404| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` |
405| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` |
406| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.12.0-debian-11-r91` |
407| `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
408| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` |
409| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` |
410| `metrics.customMetrics` | Define additional custom metrics | `{}` |
411| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` |
412| `metrics.containerSecurityContext.enabled` | Enable PostgreSQL Prometheus exporter containers' Security Context | `true` |
413| `metrics.containerSecurityContext.runAsUser` | Set PostgreSQL Prometheus exporter containers' Security Context runAsUser | `1001` |
414| `metrics.containerSecurityContext.runAsNonRoot` | Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot | `true` |
415| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` |
416| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
417| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
418| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
419| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
420| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
421| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` |
422| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
423| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
424| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
425| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
426| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
427| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` |
428| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
429| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
430| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
431| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
432| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
433| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
434| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
435| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
436| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` |
437| `metrics.resources.limits` | The resources limits for the PostgreSQL Prometheus exporter container | `{}` |
438| `metrics.resources.requests` | The requested resources for the PostgreSQL Prometheus exporter container | `{}` |
439| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` |
440| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` |
441| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
442| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` |
443| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` |
444| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` |
445| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
446| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
447| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` |
448| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
449| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` |
450| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` |
451| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
452| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
453| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` |
454| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` |
455| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` |
456| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` |
457
458Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
459
460```console
461helm install my-release \
462 --set auth.postgresPassword=secretpassword
463 oci://registry-1.docker.io/bitnamicharts/postgresql
464```
465
466The above command sets the PostgreSQL `postgres` account password to `secretpassword`.
467
468> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
469> **Warning** Setting a password will be ignored on new installation in case when previous Posgresql release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details
470
471Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
472
473```console
474helm install my-release -f values.yaml oci://registry-1.docker.io/bitnamicharts/postgresql
475```
476
477> **Tip**: You can use the default [values.yaml](values.yaml)
478
479## Configuration and installation details
480
481### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
482
483It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
484
485Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
486
487### Customizing primary and read replica services in a replicated configuration
488
489At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object.
490
491### Use a different PostgreSQL version
492
493To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/).
494
495### postgresql.conf / pg_hba.conf files as configMap
496
497This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`.
498
499You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter.
500
501In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options.
502
503### Initialize a fresh instance
504
505The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string.
506
507In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter.
508
509The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
510
511### Securing traffic using TLS
512
513TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart:
514
515- `tls.enabled`: Enable TLS support. Defaults to `false`
516- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults.
517- `tls.certFilename`: Certificate filename. No defaults.
518- `tls.certKeyFilename`: Certificate key filename. No defaults.
519
520For example:
521
522- First, create the secret with the cetificates files:
523
524 ```console
525 kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt
526 ```
527
528- Then, use the following parameters:
529
530 ```console
531 volumePermissions.enabled=true
532 tls.enabled=true
533 tls.certificatesSecret="certificates-tls-secret"
534 tls.certFilename="cert.crt"
535 tls.certKeyFilename="cert.key"
536 ```
537
538 > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected.
539
540### Sidecars
541
542If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
543
544```yaml
545# For the PostgreSQL primary
546primary:
547 sidecars:
548 - name: your-image-name
549 image: your-image
550 imagePullPolicy: Always
551 ports:
552 - name: portname
553 containerPort: 1234
554# For the PostgreSQL replicas
555readReplicas:
556 sidecars:
557 - name: your-image-name
558 image: your-image
559 imagePullPolicy: Always
560 ports:
561 - name: portname
562 containerPort: 1234
563```
564
565### Metrics
566
567The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml).
568
569The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details.
570
571### Use of global variables
572
573In more complex scenarios, we may have the following tree of dependencies
574
575```text
576 +--------------+
577 | |
578 +------------+ Chart 1 +-----------+
579 | | | |
580 | --------+------+ |
581 | | |
582 | | |
583 | | |
584 | | |
585 v v v
586+-------+------+ +--------+------+ +--------+------+
587| | | | | |
588| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 |
589| | | | | |
590+--------------+ +---------------+ +---------------+
591```
592
593The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters:
594
595```text
596postgresql.auth.username=testuser
597subchart1.postgresql.auth.username=testuser
598subchart2.postgresql.auth.username=testuser
599postgresql.auth.password=testpass
600subchart1.postgresql.auth.password=testpass
601subchart2.postgresql.auth.password=testpass
602postgresql.auth.database=testdb
603subchart1.postgresql.auth.database=testdb
604subchart2.postgresql.auth.database=testdb
605```
606
607If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows:
608
609```text
610global.postgresql.auth.username=testuser
611global.postgresql.auth.password=testpass
612global.postgresql.auth.database=testdb
613```
614
615This way, the credentials will be available in all of the subcharts.
616
617## Persistence
618
619The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container.
620
621Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
622See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
623
624If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished.
625
626## NetworkPolicy
627
628To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`.
629
630For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
631
632```console
633kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
634```
635
636With NetworkPolicy enabled, traffic will be limited to just port 5432.
637
638For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL.
639This label will be displayed in the output of a successful install.
640
641## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image
642
643- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image.
644- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift.
645- For OpenShift up to 4.10, let set the volume permissions, security context, runAsUser and fsGroup automatically by OpenShift and disable the predefined settings of the helm chart: primary.securityContext.enabled=false,primary.containerSecurityContext.enabled=false,volumePermissions.enabled=false,shmVolume.enabled=false
646- For OpenShift 4.11 and higher, let set OpenShift the runAsUser and fsGroup automatically. Configure the pod and container security context to restrictive defaults and disable the volume permissions setup: primary.
647 podSecurityContext.fsGroup=null,primary.podSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.runAsUser=null,primary.containerSecurityContext.allowPrivilegeEscalation=false,primary.containerSecurityContext.runAsNonRoot=true,primary.containerSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.capabilities.drop=['ALL'],volumePermissions.enabled=false,shmVolume.enabled=false
648
649### Setting Pod's affinity
650
651This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
652
653As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
654
655## Troubleshooting
656
657Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
658
659## Upgrading
660
661### To 12.0.0
662
663This major version changes the default PostgreSQL image from 14.x to 15.x. Follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html) to upgrade to 15.x.
664
665### To any previous version
666
667Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/).
668
669## License
670
671Copyright &copy; 2023 Bitnami
672
673Licensed under the Apache License, Version 2.0 (the "License");
674you may not use this file except in compliance with the License.
675You may obtain a copy of the License at
676
677<http://www.apache.org/licenses/LICENSE-2.0>
678
679Unless required by applicable law or agreed to in writing, software
680distributed under the License is distributed on an "AS IS" BASIS,
681WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
682See the License for the specific language governing permissions and
683limitations under the License.