Merge pull request #1995 from OneUptime/bitnami-mgr-postgres

Bitnami mgr postgres
2026-04-06 00:32:12 +02:00 · 2025-09-07 13:21:41 +01:00
parent cf2a7b9dfa 75333ef36c
commit 34cc8a43ab
15 changed files with 474 additions and 37 deletions
--- a/HelmChart/Docs/Clickhouse.md
+++ b/HelmChart/Docs/Clickhouse.md
@@ -36,4 +36,18 @@ GROUP BY
    database,
    table
 ORDER BY size DESC;
+```
+
+
+#### Check the size fo used and free space in Clickhouse
+
+```sql
+SELECT
+    d.name AS disk_name,
+    formatReadableSize(d.free_space) AS free_space,
+    formatReadableSize(d.total_space) AS total_space,
+    formatReadableSize(d.total_space - d.free_space) AS used_space,
+    round((d.total_space - d.free_space) / d.total_space * 100, 2) AS used_percent
+FROM system.disks d
+ORDER BY used_percent DESC;
 ```
--- a/HelmChart/Docs/Postgres.md
+++ b/HelmChart/Docs/Postgres.md
@@ -71,3 +71,14 @@ ALTER SYSTEM SET max_connections = 200;

 Then you need to restart the postgres pod. 

+
+### Check used and free space in Postgres
+
+```sql
+SELECT
+    datname AS database_name,
+    pg_size_pretty(pg_database_size(datname)) AS used_space
+FROM pg_database
+ORDER BY pg_database_size(datname) DESC;
+```
+
--- a/HelmChart/Public/oneuptime/Chart.lock
+++ b/HelmChart/Public/oneuptime/Chart.lock
@@ -1,9 +1,6 @@
 dependencies:
- name: postgresql
-  repository: https://charts.bitnami.com/bitnami
-  version: 14.0.0
 - name: keda
  repository: https://kedacore.github.io/charts
  version: 2.17.2
-digest: sha256:34f00b81a7b81860cc76ee73a2a8f9a2c1fb67e33e0536f9f3593b501ffb0b41
-generated: "2025-09-03T20:17:46.11322+01:00"
+digest: sha256:0487fc2994d58e6a2958a38de76740b0a2a0d6f2a644e89f03097e7f2645f976
+generated: "2025-09-04T17:55:10.534534+01:00"
--- a/HelmChart/Public/oneuptime/Chart.yaml
+++ b/HelmChart/Public/oneuptime/Chart.yaml
@@ -34,10 +34,6 @@ annotations:


 dependencies:
- name: postgresql
-  version: "14.0.0"
-  repository: "https://charts.bitnami.com/bitnami"
-  condition: postgresql.enabled
 - name: keda
  version: "2.17.2"
  repository: "https://kedacore.github.io/charts"
--- a/HelmChart/Public/oneuptime/README.md
+++ b/HelmChart/Public/oneuptime/README.md
@@ -140,18 +140,59 @@ If you need to use SSL/TLS certificates, follow these steps:

 ## Using External Databases

-### Postgres
+### PostgreSQL

-If you would like to use an external postgres database, please add these env vars to your values.yaml file. 
+OneUptime includes a built-in PostgreSQL deployment using the official PostgreSQL Docker image. PostgreSQL is used for storing application data, user data, and configuration.
+
+#### Built-in PostgreSQL Configuration
+
+The default configuration provides a standalone PostgreSQL instance with authentication enabled:

 ```yaml
-
 postgresql:
-  # Set Internal Postgres enabled to false, so we dont install the postgres database in your cluster
+  enabled: true
+  image:
+    repository: postgres
+    tag: "latest"
+    pullPolicy: IfNotPresent
+  auth:
+    username: oneuptime
+    database: oneuptimedb
+    # Will be auto-generated if not provided
+    password: 
+  architecture: standalone
+  primary:
+    service:
+      type: ClusterIP
+      ports:
+        postgresql: "5432"
+    terminationGracePeriodSeconds: 0
+    persistence:
+      enabled: true
+      size: 25Gi
+      storageClass: ""
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  resources: {}
+  # Optional PostgreSQL configuration
+  # configuration: |-
+  #   max_connections = 100
+  #   shared_buffers = 128MB
+  #   effective_cache_size = 4GB
+```
+
+#### External PostgreSQL Configuration
+
+If you would like to use an external PostgreSQL database, please add these env vars to your values.yaml file:
+
+```yaml
+postgresql:
+  # Set Internal PostgreSQL enabled to false, so we dont install PostgreSQL in your cluster
  enabled: false 

-# External Postgres Configuration
-# You need to set postgresql.enabled to false if you're using an external postgres database.
+# External PostgreSQL Configuration
+# You need to set postgresql.enabled to false if you're using an external postgresql database.
 externalPostgres: 
  host: 
  port: 
@@ -377,10 +418,8 @@ postgresql:
  image:
    tag: <specific-version>
 redis:
-  master:
-    image:
-      tag: <specific-version>
-
+  image:
+    tag: <specific-version>
 clickhouse:
  image:
    tag: <specific-version>
@@ -402,7 +441,6 @@ We use these charts as dependencies for some components. You dont need to instal

 | Chart | Description | Repository | 
 | ----- | ----------- | ---------- | 
-| `postgresql` | PostgreSQL database | https://charts.bitnami.com/bitnami |
 | `keda` | Kubernetes Event-driven Autoscaling | https://kedacore.github.io/charts |


--- a/HelmChart/Public/oneuptime/charts/postgresql-14.0.0.tgz
+++ b/HelmChart/Public/oneuptime/charts/postgresql-14.0.0.tgz
--- a/HelmChart/Public/oneuptime/templates/clickhouse-statefulset.yaml
+++ b/HelmChart/Public/oneuptime/templates/clickhouse-statefulset.yaml
@@ -44,12 +44,32 @@ spec:
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
+      {{- if .Values.clickhouse.podSecurityContext }}
+      {{- with .Values.clickhouse.podSecurityContext }}
      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- else if .Values.podSecurityContext }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- end }}
      containers:
      - name: clickhouse
        image: "{{ .Values.clickhouse.image.repository }}:{{ .Values.clickhouse.image.tag }}"
        imagePullPolicy: {{ .Values.clickhouse.image.pullPolicy }}
+        {{- if .Values.clickhouse.containerSecurityContext }}
+        securityContext:
+          {{- with .Values.clickhouse.containerSecurityContext }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+        {{- else if .Values.containerSecurityContext }}
+        securityContext:
+          {{- with .Values.containerSecurityContext }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+        {{- end }}
        ports:
        - name: http
          containerPort: 8123
--- a/HelmChart/Public/oneuptime/templates/postgresql-primary-configmap.yaml
+++ b/HelmChart/Public/oneuptime/templates/postgresql-primary-configmap.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.postgresql.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-postgresql-primary-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-postgresql
+    app.kubernetes.io/part-of: oneuptime
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: postgresql
+    appname: oneuptime
+data:
+  postgresql.conf: |
+{{ .Values.postgresql.primary.configuration | indent 4 }}
+{{- end }}
--- a/HelmChart/Public/oneuptime/templates/postgresql-primary-hba-configmap.yaml
+++ b/HelmChart/Public/oneuptime/templates/postgresql-primary-hba-configmap.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.postgresql.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-postgresql-primary-hba
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-postgresql
+    app.kubernetes.io/part-of: oneuptime
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: postgresql
+    appname: oneuptime
+data:
+  pg_hba.conf: |
+{{ .Values.postgresql.primary.hbaConfiguration | indent 4 }}
+{{- end }}
--- a/HelmChart/Public/oneuptime/templates/postgresql-service.yaml
+++ b/HelmChart/Public/oneuptime/templates/postgresql-service.yaml
@@ -0,0 +1,48 @@
+{{- if .Values.postgresql.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-postgresql
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-postgresql
+    app.kubernetes.io/part-of: oneuptime
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: postgresql
+    appname: oneuptime
+spec:
+  type: {{ .Values.postgresql.primary.service.type | default "ClusterIP" }}
+  ports:
+  - port: {{ .Values.postgresql.primary.service.ports.postgresql | int }}
+    targetPort: postgresql
+    protocol: TCP
+    name: postgresql
+  selector:
+    app: {{ .Release.Name }}-postgresql
+    app.kubernetes.io/component: postgresql
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-postgresql-headless
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-postgresql
+    app.kubernetes.io/part-of: oneuptime
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: postgresql
+    appname: oneuptime
+spec:
+  type: ClusterIP
+  clusterIP: None
+  ports:
+  - port: {{ .Values.postgresql.primary.service.ports.postgresql | int }}
+    targetPort: postgresql
+    protocol: TCP
+    name: postgresql
+  selector:
+    app: {{ .Release.Name }}-postgresql
+    app.kubernetes.io/component: postgresql
+{{- end }}
--- a/HelmChart/Public/oneuptime/templates/postgresql-statefulset.yaml
+++ b/HelmChart/Public/oneuptime/templates/postgresql-statefulset.yaml
@@ -0,0 +1,168 @@
+{{- if .Values.postgresql.enabled }}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ .Release.Name }}-postgresql
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-postgresql
+    app.kubernetes.io/part-of: oneuptime
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: postgresql
+    appname: oneuptime
+    helm.sh/release-name: {{ .Release.Name }}
+    helm.sh/release-namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/resource-policy: keep
+spec:
+  serviceName: {{ .Release.Name }}-postgresql-headless
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-postgresql
+      app.kubernetes.io/component: postgresql
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-postgresql
+        app.kubernetes.io/part-of: oneuptime
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: postgresql
+        appname: oneuptime
+      annotations:
+        checksum/postgresql-config: {{ include (print $.Template.BasePath "/postgresql-primary-configmap.yaml") . | sha256sum }}
+        checksum/postgresql-hba: {{ include (print $.Template.BasePath "/postgresql-primary-hba-configmap.yaml") . | sha256sum }}
+    spec:
+      {{- with .Values.postgresql.primary.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.postgresql.primary.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.postgresql.primary.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.postgresql.primary.podSecurityContext }}
+      {{- with .Values.postgresql.primary.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- else if .Values.podSecurityContext }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- end }}
+      containers:
+      - name: postgresql
+        image: "{{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }}"
+        imagePullPolicy: {{ .Values.postgresql.image.pullPolicy }}
+        args:
+          - "-c"
+          - "config_file=/etc/postgresql/postgresql.conf"
+          - "-c"
+          - "hba_file=/etc/postgresql/pg_hba.conf"
+        {{- if .Values.postgresql.primary.containerSecurityContext }}
+        securityContext:
+          {{- with .Values.postgresql.primary.containerSecurityContext }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+        {{- else if .Values.containerSecurityContext }}
+        securityContext:
+          {{- with .Values.containerSecurityContext }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+        {{- end }}
+        ports:
+        - name: postgresql
+          containerPort: 5432
+          protocol: TCP
+        env:
+        - name: POSTGRES_USER
+          value: "postgres"
+        - name: POSTGRES_DB
+          value: {{ .Values.postgresql.auth.database | quote }}
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Release.Name }}-postgresql
+              key: postgres-password
+        - name: PGDATA
+          value: "/var/lib/postgresql/data/data"
+        - name: POSTGRES_INITDB_ARGS
+          value: "--auth-host=md5"
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - exec pg_isready -U "postgres" -d "dbname={{ .Values.postgresql.auth.database }}" -h 127.0.0.1 -p 5432
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 6
+          successThreshold: 1
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - exec pg_isready -U "postgres" -d "dbname={{ .Values.postgresql.auth.database }}" -h 127.0.0.1 -p 5432
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 6
+          successThreshold: 1
+        {{- if .Values.postgresql.primary.terminationGracePeriodSeconds }}
+        terminationGracePeriodSeconds: {{ .Values.postgresql.primary.terminationGracePeriodSeconds }}
+        {{- end }}
+        {{- with .Values.postgresql.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        volumeMounts:
+        - name: data
+          mountPath: /var/lib/postgresql/data
+        - name: postgresql-config
+          mountPath: /etc/postgresql/postgresql.conf
+          subPath: postgresql.conf
+        - name: postgresql-hba
+          mountPath: /etc/postgresql/pg_hba.conf
+          subPath: pg_hba.conf
+      volumes:
+      - name: postgresql-config
+        configMap:
+          name: {{ .Release.Name }}-postgresql-primary-config
+      - name: postgresql-hba
+        configMap:
+          name: {{ .Release.Name }}-postgresql-primary-hba
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+      labels:
+        app: {{ .Release.Name }}-postgresql
+        app.kubernetes.io/part-of: oneuptime
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: postgresql
+        appname: oneuptime
+    spec:
+      accessModes:
+        - ReadWriteOnce
+      {{- if .Values.postgresql.primary.persistence.storageClass }}
+      {{- if (eq "-" .Values.postgresql.primary.persistence.storageClass) }}
+      storageClassName: ""
+      {{- else }}
+      storageClassName: {{ .Values.postgresql.primary.persistence.storageClass }}
+      {{- end }}
+      {{- else }}
+      {{- if .Values.global.storageClass }}
+      storageClassName: {{ .Values.global.storageClass }}
+      {{- end }}
+      {{- end }}
+      resources:
+        requests:
+          storage: {{ .Values.postgresql.primary.persistence.size }}
+{{- end }}
--- a/HelmChart/Public/oneuptime/templates/redis-statefulset.yaml
+++ b/HelmChart/Public/oneuptime/templates/redis-statefulset.yaml
@@ -38,10 +38,32 @@ spec:
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
+      {{- if .Values.redis.master.podSecurityContext }}
+      {{- with .Values.redis.master.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- else if .Values.podSecurityContext }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- end }}
      containers:
      - name: redis
        image: "{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}"
        imagePullPolicy: {{ .Values.redis.image.pullPolicy }}
+        {{- if .Values.redis.master.containerSecurityContext }}
+        securityContext:
+          {{- with .Values.redis.master.containerSecurityContext }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+        {{- else if .Values.containerSecurityContext }}
+        securityContext:
+          {{- with .Values.containerSecurityContext }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+        {{- end }}
        command:
          - sh
          - -c
--- a/HelmChart/Public/oneuptime/templates/secrets.yaml
+++ b/HelmChart/Public/oneuptime/templates/secrets.yaml
@@ -164,6 +164,47 @@ stringData:
 {{- end }}
 ---

+{{- if .Values.postgresql.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-postgresql
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-postgresql
+    app.kubernetes.io/part-of: oneuptime
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: postgresql
+    appname: oneuptime
+  annotations:
+    "helm.sh/resource-policy": "keep"
+type: Opaque
+stringData:
+  {{- if .Release.IsUpgrade }}
+  {{- if .Values.postgresql.auth.postgresPassword }}
+  postgres-password: {{ .Values.postgresql.auth.postgresPassword | quote }}
+  {{- else if .Values.postgresql.auth.password }}
+  postgres-password: {{ .Values.postgresql.auth.password | quote }}
+  {{- else }}
+  {{- if (index (lookup "v1" "Secret" $.Release.Namespace (printf "%s-postgresql" $.Release.Name)).data "postgres-password") }}
+  postgres-password: {{ index (lookup "v1" "Secret" $.Release.Namespace (printf "%s-postgresql" $.Release.Name)).data "postgres-password" | b64dec }}
+  {{- else }}
+  postgres-password: {{ randAlphaNum 32 | quote }}
+  {{- end }}
+  {{- end }}
+  {{- else }}
+  {{- if .Values.postgresql.auth.postgresPassword }}
+  postgres-password: {{ .Values.postgresql.auth.postgresPassword | quote }}
+  {{- else if .Values.postgresql.auth.password }}
+  postgres-password: {{ .Values.postgresql.auth.password | quote }}
+  {{- else }}
+  postgres-password: {{ randAlphaNum 32 | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+
+---
+
 {{- if .Values.clickhouse.enabled }}
 apiVersion: v1
 kind: Secret
--- a/HelmChart/Public/oneuptime/values.yaml
+++ b/HelmChart/Public/oneuptime/values.yaml
@@ -1,9 +1,7 @@
 global:
  storageClass:
  clusterDomain: &global-cluster-domain cluster.local
-  # Tempory fix to allow insecure images from bitnami while we migrate to new images and charts.
-  security:
-    allowInsecureImages: true
+

 # Please change this to the domain name / IP where OneUptime server is hosted on.
 host: localhost
@@ -61,25 +59,55 @@ nginx:


 postgresql:
-  image:
-    repository: bitnamilegacy/postgresql
  enabled: true # Set this to false if you're using an external postgresql database.
-  clusterDomain: *global-cluster-domain
+  image:
+    repository: postgres
+    tag: latest
+    pullPolicy: IfNotPresent
  auth:
-    username: oneuptime
    database: oneuptimedb
-  architecture: standalone
+    # Username is fixed to "postgres"
+    # Will be auto-generated if not provided
+    postgresPassword: 
  primary:
    service:
+      type: ClusterIP
      ports:
-         postgresql: "5432"
-    terminationGracePeriodSeconds: 0 # We do this because we do not want to wait for the pod to terminate in case of node failure. https://medium.com/tailwinds-navigator/kubernetes-tip-how-statefulsets-behave-differently-than-deployments-when-node-fails-d29e36bca7d5
-    persistence:
-      size: 25Gi
-  readReplicas:
+        postgresql: "5432"
    terminationGracePeriodSeconds: 0 # We do this because we do not want to wait for the pod to terminate in case of node failure. https://medium.com/tailwinds-navigator/kubernetes-tip-how-statefulsets-behave-differently-than-deployments-when-node-fails-d29e36bca7d5
    persistence:
+      enabled: true
      size: 25Gi
+      storageClass: ""
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+  # Optional: override global security contexts just for the PostgreSQL pod/container
+  # podSecurityContext:
+  #   runAsUser: 999
+  #   runAsGroup: 999
+  #   fsGroup: 999
+  # containerSecurityContext:
+  #   allowPrivilegeEscalation: false
+  #   readOnlyRootFilesystem: true
+  #   capabilities:
+  #     drop: ["ALL"]
+    resources: {}
+    configuration: |-
+      # Network and connection settings
+      listen_addresses = '*'
+      port = 5432
+      # Core tuning (adjust as needed)
+      max_connections = 100
+      shared_buffers = 128MB
+    # pg_hba.conf rules. These enable password auth (md5) from any host/IP.
+    # Tighten these for production to your pod/service/network CIDRs.
+    hbaConfiguration: |-
+      # Allow all IPv4 and IPv6 clients with md5 password auth
+      host    all             all             0.0.0.0/0               md5
+      host    all             all             ::/0                    md5
+
+  

 clickhouse:
  enabled: true
@@ -92,7 +120,7 @@ clickhouse:
    tag: latest
    pullPolicy: IfNotPresent
  service:
-    type: LoadBalancer
+    type: ClusterIP
    ports:
      http: "8123"
      tcp: "9000"
@@ -106,6 +134,16 @@ clickhouse:
  nodeSelector: {}
  tolerations: []
  affinity: {}
+  # Optional: override global security contexts just for the ClickHouse pod/container
+  # podSecurityContext:
+  #   runAsUser: 101
+  #   runAsGroup: 101
+  #   fsGroup: 101
+  # containerSecurityContext:
+  #   allowPrivilegeEscalation: false
+  #   readOnlyRootFilesystem: true
+  #   capabilities:
+  #     drop: ["ALL"]
  resources: {}
  # Custom ClickHouse configuration
  configuration: |-
@@ -157,7 +195,7 @@ redis:
    pullPolicy: IfNotPresent
  master:
    service:
-      type: LoadBalancer
+      type: ClusterIP
      ports:
        redis: "6379"
    persistence:
@@ -167,6 +205,16 @@ redis:
    nodeSelector: {}
    tolerations: []
    affinity: {}
+  # Optional: override global security contexts just for the Redis pod/container
+  # podSecurityContext:
+  #   runAsUser: 999
+  #   runAsGroup: 999
+  #   fsGroup: 999
+  # containerSecurityContext:
+  #   allowPrivilegeEscalation: false
+  #   readOnlyRootFilesystem: true
+  #   capabilities:
+  #     drop: ["ALL"]
    resources: {}
  commonConfiguration: |-
   appendonly no
--- a/HelmChart/Tests/ci-values.yaml
+++ b/HelmChart/Tests/ci-values.yaml
@@ -5,4 +5,6 @@ host: localhost
 httpProtocol: http

 image:
-  tag: test
+  tag: test
+  registry: ghcr.io
+  repository: oneuptime