feat: Add pg_hba.conf configuration and corresponding ConfigMap for PostgreSQL

2026-04-06 00:32:12 +02:00 · 2025-09-07 12:32:47 +01:00
parent 604776551b
commit 7ddc4be319
3 changed files with 35 additions and 7 deletions
--- a/HelmChart/Public/oneuptime/templates/postgresql-hba-configmap.yaml
+++ b/HelmChart/Public/oneuptime/templates/postgresql-hba-configmap.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.postgresql.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-postgresql-hba
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-postgresql
+    app.kubernetes.io/part-of: oneuptime
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: postgresql
+    appname: oneuptime
+data:
+  pg_hba.conf: |
+{{ .Values.postgresql.hbaConfiguration | indent 4 }}
+{{- end }}
--- a/HelmChart/Public/oneuptime/templates/postgresql-statefulset.yaml
+++ b/HelmChart/Public/oneuptime/templates/postgresql-statefulset.yaml
@@ -31,6 +31,7 @@ spec:
        appname: oneuptime
      annotations:
        checksum/postgresql-config: {{ include (print $.Template.BasePath "/postgresql-configmap.yaml") . | sha256sum }}
+        checksum/postgresql-hba: {{ include (print $.Template.BasePath "/postgresql-hba-configmap.yaml") . | sha256sum }}
    spec:
      {{- with .Values.postgresql.nodeSelector }}
      nodeSelector:
@@ -57,6 +58,8 @@ spec:
        args:
          - "-c"
          - "config_file=/etc/postgresql/postgresql.conf"
+          - "-c"
+          - "hba_file=/etc/postgresql/pg_hba.conf"
        {{- if .Values.postgresql.primary.containerSecurityContext }}
        securityContext:
          {{- with .Values.postgresql.primary.containerSecurityContext }}
@@ -121,10 +124,16 @@ spec:
        - name: postgresql-config
          mountPath: /etc/postgresql/postgresql.conf
          subPath: postgresql.conf
+        - name: postgresql-hba
+          mountPath: /etc/postgresql/pg_hba.conf
+          subPath: pg_hba.conf
      volumes:
      - name: postgresql-config
        configMap:
          name: {{ .Release.Name }}-postgresql-config
+      - name: postgresql-hba
+        configMap:
+          name: {{ .Release.Name }}-postgresql-hba
  volumeClaimTemplates:
  - metadata:
      name: data
--- a/HelmChart/Public/oneuptime/values.yaml
+++ b/HelmChart/Public/oneuptime/values.yaml
@@ -84,15 +84,18 @@ postgresql:
  affinity: {}
  resources: {}
  configuration: |-
+    # Network and connection settings
+    listen_addresses = '*'
+    port = 5432
+    # Core tuning (adjust as needed)
    max_connections = 100
    shared_buffers = 128MB
-  #   effective_cache_size = 4GB
-  #   maintenance_work_mem = 64MB
-  #   checkpoint_completion_target = 0.9
-  #   wal_buffers = 16MB
-  #   default_statistics_target = 100
-  #   random_page_cost = 1.1
-  #   effective_io_concurrency = 200
+  # pg_hba.conf rules. These enable password auth (md5) from any host/IP.
+  # Tighten these for production to your pod/service/network CIDRs.
+  hbaConfiguration: |-
+    # Allow all IPv4 and IPv6 clients with md5 password auth
+    host    all             all             0.0.0.0/0               md5
+    host    all             all             ::/0                    md5

 clickhouse:
  enabled: true