chore(deps): update helm release csi-s3 to v0.41.1

argocd/kustomization.yaml

@@ -13,7 +13,7 @@ resources:
 images:
   - name: argocd
     newName: code.icb4dc0.de/infrastructure/images/argocd
-    newTag: v2.11.3
+    newTag: v2.12.6
 
 labels:
 - includeSelectors: true
@@ -26,7 +26,7 @@ helmCharts:
     repo: https://argoproj.github.io/argo-helm
     releaseName: argo-cd
     namespace: argo-system
-    version: "7.3.3"
+    version: "7.6.12"
     valuesFile: config/values.argo-cd.yaml
     apiVersions:
       - monitoring.coreos.com/v1

cert-manager/kustomization.yaml

@@ -12,7 +12,7 @@ resources:
 helmCharts:
   - name: cert-manager
     repo: https://charts.jetstack.io
-    version: "v1.15.1"
+    version: "v1.16.1"
     releaseName: cert-manager
     namespace: kube-system
     valuesFile: config/values.cert-manager.yaml

cnpg/.gitattributes

@@ -0,0 +1 @@
+**/secrets/*.y*ml filter=age diff=age merge=age -text

cnpg/cluster/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - resources/secrets/cnpg-backup-creds.yaml
+  - resources/secrets/ext-pgo-admin.yaml
+  - resources/cluster.yaml
+  - resources/backup.yaml
+  - resources/pool.yaml

cnpg/cluster/resources/backup.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: daily-backup
+  namespace: postgres
+spec:
+  schedule: "0 0 */6 * * *"
+  backupOwnerReference: self
+  cluster:
+    name: app-cluster

cnpg/cluster/resources/cluster.yaml

@@ -0,0 +1,86 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: app-cluster
+  namespace: postgres
+spec:
+  instances: 2
+
+  postgresql:
+    parameters:
+      max_connections: "150"
+
+  managed:
+    roles:
+      - name: ext_pgo_admin
+        ensure: present
+        login: true
+        superuser: true
+        createrole: true
+        createdb: true
+        inherit: true
+        connectionLimit: -1
+        passwordSecret:
+          name: ext-pgo-admin
+
+  storage:
+    size: 10Gi
+    storageClass: hcloud-volumes
+
+  bootstrap:
+    recovery:
+      source: app-cluster
+
+  externalClusters:
+    - name: app-cluster
+      barmanObjectStore:
+        destinationPath: "s3://cnpg/"
+        endpointURL: "http://garage.garage.svc:3900"
+        s3Credentials:
+          accessKeyId:
+            name: cnpg-backup-creds
+            key: ACCESS_KEY_ID
+          secretAccessKey:
+            name: cnpg-backup-creds
+            key: ACCESS_SECRET_KEY
+          region:
+            name: cnpg-backup-creds
+            key: AWS_REGION
+        wal:
+          compression: snappy
+          maxParallel: 8
+
+  backup:
+    barmanObjectStore:
+      destinationPath: "s3://1661580-backup/cnpg/gen2/"
+      endpointURL: "https://fsn1.your-objectstorage.com"
+      s3Credentials:
+        accessKeyId:
+          name: cnpg-backup-creds
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: cnpg-backup-creds
+          key: ACCESS_SECRET_KEY
+        region:
+          name: cnpg-backup-creds
+          key: AWS_REGION
+      wal:
+        compression: snappy
+    retentionPolicy: "7d"
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 600Mi
+    limits:
+      cpu: 500m
+      memory: 900Mi
+
+  affinity:
+    enablePodAntiAffinity: true
+    topologyKey: kubernetes.io/hostname
+    podAntiAffinityType: preferred
+
+  enablePDB: true
+  monitoring:
+    enablePodMonitor: true

cnpg/cluster/resources/pool.yaml

@@ -0,0 +1,19 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Pooler
+metadata:
+  name: app-cluster-pooler-rw
+  namespace: postgres
+spec:
+  cluster:
+    name: app-cluster
+
+  instances: 3
+  type: rw
+  pgbouncer:
+    poolMode: session
+    parameters:
+      max_client_conn: "1000"
+      default_pool_size: "10"
+      ignore_startup_parameters: "search_path"
+  monitoring:
+    enablePodMonitor: true

cnpg/cluster/resources/secrets/cnpg-backup-creds.yaml

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 BsI1yprcAPepOsRWaihi/lrhaD12WLvt5p8cA3AZLgk
+QyW7iOBgMW8RiXxm42izLX1Ku9KC7N7sSP9zIFKMFG8
+-> X25519 XLB4V4p+Z6Gf0gkpNj4MiP8ExA1fTUxKlCL9JN0W8mc
+6+y7aNi6zoqi+B8ISRTYjvoqrRgZSBdUoj8j3ux/KW4
+--- GGkdAmteXdRO/0IREqgLbxEa+yZ/epxxlgdotdPeExw
+&ª÷>¦n¸}8wëÔ¿¡5éÂùà1ÿœ~Ödý±¹úK‹â4éy ±„`¿iܧŸÀB½kVF˜üFÓg£ÒÈ
^R<>ñu}¿³qpòûò*
20w7u¯áµõµŒøðöR$
"k-c„Ϭ˜ñò–íd°!xÅ_=ò¶´pBÙ0û¶øŸ/»Á›KG©9Ô«2h	uЯ]ÓVÅÏã°;×ê…<*Ý×'|Š5«Ò“éc[Çâ AÂ~‘VŒªki}ßÒžï|(‚=é®MáÚ°¨”VSUô6°JÃÇk¢¾{ì"xD|šò‰&6V¸Œ¹iðW+‡„ñ.§
+¯¼…?

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: cluster
+  repository: https://cloudnative-pg.github.io/grafana-dashboards
+  version: 0.0.2
+digest: sha256:fcf16ad357c17be3dd79c138723e78e9e101fecc5d07d9371299c32b9f85dbd9
+generated: "2024-04-25T12:32:36.61779032-04:00"

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+appVersion: 1.24.0
+dependencies:
+- alias: monitoring
+  condition: monitoring.grafanaDashboard.create
+  name: cluster
+  repository: https://cloudnative-pg.github.io/grafana-dashboards
+  version: "0.0"
+description: CloudNativePG Operator Helm Chart
+home: https://cloudnative-pg.io
+icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg
+keywords:
+- operator
+- controller
+- postgresql
+- postgres
+- database
+maintainers:
+- email: p.scorsolini@gmail.com
+  name: phisco
+name: cloudnative-pg
+sources:
+- https://github.com/cloudnative-pg/charts
+type: application
+version: 0.22.0

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 1.16.0
+description: CloudNativePG Grafana Cluster Dashboard.
+name: cluster
+type: application
+version: 0.0.2

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/README.md

@@ -0,0 +1,59 @@
+<!-- THIS FILE IS AUTOMATICALLY GENERATED. Make changes to README.md.gotmpl instead. -->
+
+# cluster
+
+![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+![Grafana CloudNativePG Cluster Overview](../../images/overview.png)
+
+Getting Started
+---------------
+
+_**Note,** this dashboard is already included in the [CloudNativePG Operator Helm Chart][operator]._
+
+There are 4 ways to use the CloudNativePG Grafana Cluster Dashboard:
+
+0. Install the [CloudNativePG Operator Helm Chart][operator]
+
+1. Install manually via [Grafana.com](https://grafana.com/grafana/dashboards/20417-cloudnativepg/).
+
+2. Install manually via the [Grafana JSON](https://github.com/cloudnative-pg/grafana-dashboards/blob/main/charts/cluster/grafana-dashboard.json):
+
+```
+https://raw.githubusercontent.com/cloudnative-pg/grafana-dashboards/main/charts/cluster/grafana-dashboard.json
+```
+
+3. Install directly in your cluster as a Helm Chart:
+
+```bash
+helm repo add cnpg-grafana https://cloudnative-pg.github.io/grafana-dashboards
+helm upgrade
+  --install \
+  --namespace monitoring \
+  cnpg-grafana-cluster cnpg-grafana/cluster
+```
+
+2. As as a dependency to an existing chart:
+
+```yaml
+dependencies:
+  - name: cluster
+    alias: cnpg-grafana-cluster-dashboard
+    version: "0.0"
+    repository: https://cloudnative-pg.github.io/grafana-dashboards
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| fullnameOverride | string | `""` |  |
+| grafanaDashboard.annotations | object | `{}` | Annotations that ConfigMaps can have to get configured in Grafana. |
+| grafanaDashboard.configMapName | string | `"cnpg-grafana-dashboard"` | The name of the ConfigMap containing the dashboard. |
+| grafanaDashboard.labels | object | `{}` | Labels that ConfigMaps should have to get configured in Grafana. |
+| grafanaDashboard.namespace | string | `""` | Allows overriding the namespace where the ConfigMap will be created, defaulting to the same one as the Release. |
+| grafanaDashboard.sidecarLabel | string | `"grafana_dashboard"` | Label that ConfigMaps should have to be loaded as dashboards. DEPRECATED: Use labels instead. |
+| grafanaDashboard.sidecarLabelValue | string | `"1"` | Label value that ConfigMaps should have to be loaded as dashboards. DEPRECATED: Use labels instead. |
+| nameOverride | string | `""` |  |
+
+[operator]: https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/README.md.gotmpl

@@ -0,0 +1,59 @@
+<!-- THIS FILE IS AUTOMATICALLY GENERATED. Make changes to README.md.gotmpl instead. -->
+
+{{ template "chart.header" . }}
+
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+![Grafana CloudNativePG Cluster Overview](../../images/overview.png)
+
+Getting Started
+---------------
+
+_**Note,** this dashboard is already included in the [CloudNativePG Operator Helm Chart][operator]._
+
+There are 4 ways to use the CloudNativePG Grafana Cluster Dashboard:
+
+0. Install the [CloudNativePG Operator Helm Chart][operator]
+
+1. Install manually via [Grafana.com](https://grafana.com/grafana/dashboards/20417-cloudnativepg/).
+
+2. Install manually via the [Grafana JSON](https://github.com/cloudnative-pg/grafana-dashboards/blob/main/charts/cluster/grafana-dashboard.json):
+
+```
+https://raw.githubusercontent.com/cloudnative-pg/grafana-dashboards/main/charts/cluster/grafana-dashboard.json
+```
+
+3. Install directly in your cluster as a Helm Chart:
+
+```bash
+helm repo add cnpg-grafana https://cloudnative-pg.github.io/grafana-dashboards
+helm upgrade
+  --install \
+  --namespace monitoring \
+  cnpg-grafana-cluster cnpg-grafana/cluster
+```
+
+2. As as a dependency to an existing chart:
+
+```yaml
+dependencies:
+  - name: cluster
+    alias: cnpg-grafana-cluster-dashboard
+    version: "0.0"
+    repository: https://cloudnative-pg.github.io/grafana-dashboards
+```
+
+
+{{ template "chart.requirementsSection" . }}
+
+
+{{ template "chart.valuesSection" . }}
+
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}
+
+[operator]: https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/templates/NOTES.txt

@@ -0,0 +1,5 @@
+CloudNativePG Grafana Dashboard installed successfully.
+
+{{- if (or .Values.grafanaDashboard.sidecarLabel .Values.grafanaDashboard.sidecarLabelValue) }}
+DEPRECATION NOTICE: The grafanaDashboard.sidecarLabel is deprecated and will be removed in a future release. Use the grafanaDashboard.labels instead.
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/templates/sidecar-configmap.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.grafanaDashboard.configMapName }}
+  namespace: {{ default .Release.Namespace .Values.grafanaDashboard.namespace }}
+  {{- if (or .Values.grafanaDashboard.labels .Values.grafanaDashboard.sidecarLabel) }}
+  labels:
+    {{- if .Values.grafanaDashboard.sidecarLabel }}
+    {{ .Values.grafanaDashboard.sidecarLabel }}: {{ .Values.grafanaDashboard.sidecarLabelValue | quote }}
+    {{- end }}
+    {{- with .Values.grafanaDashboard.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  {{- with .Values.grafanaDashboard.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+    cnp.json: |-
+{{ .Files.Get "grafana-dashboard.json" | indent 6 }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/values.schema.json

@@ -0,0 +1,35 @@
+{
+    "$schema": "http://json-schema.org/schema#",
+    "type": "object",
+    "properties": {
+        "fullnameOverride": {
+            "type": "string"
+        },
+        "grafanaDashboard": {
+            "type": "object",
+            "properties": {
+                "annotations": {
+                    "type": "object"
+                },
+                "configMapName": {
+                    "type": "string"
+                },
+                "labels": {
+                    "type": "object"
+                },
+                "namespace": {
+                    "type": "string"
+                },
+                "sidecarLabel": {
+                    "type": "string"
+                },
+                "sidecarLabelValue": {
+                    "type": "string"
+                }
+            }
+        },
+        "nameOverride": {
+            "type": "string"
+        }
+    }
+}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/values.yaml

@@ -0,0 +1,20 @@
+# Default values for cluster.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+nameOverride: ""
+fullnameOverride: ""
+
+grafanaDashboard:
+  # -- Allows overriding the namespace where the ConfigMap will be created, defaulting to the same one as the Release.
+  namespace: ""
+  # -- The name of the ConfigMap containing the dashboard.
+  configMapName: "cnpg-grafana-dashboard"
+  # -- Label that ConfigMaps should have to be loaded as dashboards. DEPRECATED: Use labels instead.
+  sidecarLabel: "grafana_dashboard"
+  # -- Label value that ConfigMaps should have to be loaded as dashboards. DEPRECATED: Use labels instead.
+  sidecarLabelValue: "1"
+  # -- Labels that ConfigMaps should have to get configured in Grafana.
+  labels: {}
+  # -- Annotations that ConfigMaps can have to get configured in Grafana.
+  annotations: {}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/monitoring/grafana-dashboard.json

@@ -0,0 +1,3 @@
+The JSON file has been moved to a dedicated repository for CloudNativePG dashboards located at:
+
+https://github.com/cloudnative-pg/grafana-dashboards/blob/main/charts/cluster/grafana-dashboard.json

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/NOTES.txt

@@ -0,0 +1,18 @@
+
+CloudNativePG operator should be installed in namespace "{{ .Release.Namespace }}".
+You can now create a PostgreSQL cluster with 3 nodes in the current namespace as follows:
+
+cat <<EOF | kubectl apply -f -
+# Example of PostgreSQL cluster
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: cluster-example
+spec:
+  instances: 3
+  storage:
+    size: 1Gi
+EOF
+
+kubectl get cluster
+

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cloudnative-pg.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cloudnative-pg.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cloudnative-pg.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cloudnative-pg.labels" -}}
+helm.sh/chart: {{ include "cloudnative-pg.chart" . }}
+{{ include "cloudnative-pg.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cloudnative-pg.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cloudnative-pg.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cloudnative-pg.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cloudnative-pg.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/config.yaml

@@ -0,0 +1,45 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+{{- if .Values.config.create }}
+{{- if not .Values.config.secret }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.config.name }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  {{- toYaml .Values.config.data | nindent 2 }}
+{{- else }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ .Values.config.name }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+stringData:
+  {{- toYaml .Values.config.data | nindent 2 }}
+{{- end }}
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/deployment.yaml

@@ -0,0 +1,147 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "cloudnative-pg.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+      {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "cloudnative-pg.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: {{ .Values.hostNetwork }}
+      {{- end }}
+      {{- if .Values.dnsPolicy }}
+      dnsPolicy: {{ .Values.dnsPolicy }}
+      {{- end }}
+      containers:
+      - args:
+        - controller
+        - --leader-elect
+        {{- if .Values.config.name }}
+        {{- if not .Values.config.secret }}
+        - --config-map-name={{ .Values.config.name }}
+        {{- else }}
+        - --secret-name={{ .Values.config.name }}
+        {{- end }}
+        {{- end }}
+        - --webhook-port={{ .Values.webhook.port }}
+        {{- range .Values.additionalArgs }}
+        - {{ . }}
+        {{- end }}
+        command:
+        - /manager
+        env:
+        - name: OPERATOR_IMAGE_NAME
+          value: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        - name: OPERATOR_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MONITORING_QUERIES_CONFIGMAP
+          value: "{{ .Values.monitoringQueriesConfigMap.name }}"
+        {{- if .Values.additionalEnv }}
+        {{- tpl (.Values.additionalEnv | toYaml) . | nindent 8 }}
+        {{- end }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        livenessProbe:
+          httpGet:
+            path: /readyz
+            port: {{ .Values.webhook.port }}
+            scheme: HTTPS
+          {{- if .Values.webhook.livenessProbe.initialDelaySeconds }}
+          initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
+          {{- end }}
+        name: manager
+        ports:
+        - containerPort: 8080
+          name: metrics
+          protocol: TCP
+        - containerPort: {{ .Values.webhook.port }}
+          name: webhook-server
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: {{ .Values.webhook.port }}
+            scheme: HTTPS
+          {{- if .Values.webhook.readinessProbe.initialDelaySeconds }}
+          initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
+          {{- end }}
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+        securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+        volumeMounts:
+        - mountPath: /controller
+          name: scratch-data
+        - mountPath: /run/secrets/cnpg.io/webhook
+          name: webhook-certificates
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      serviceAccountName: {{ include "cloudnative-pg.serviceAccountName" . }}
+      terminationGracePeriodSeconds: 10
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+      - emptyDir: {}
+        name: scratch-data
+      - name: webhook-certificates
+        secret:
+          defaultMode: 420
+          optional: true
+          secretName: cnpg-webhook-cert
+
+

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/monitoring-configmap.yaml

@@ -0,0 +1,29 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.monitoringQueriesConfigMap.name }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    cnpg.io/reload: ""
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  queries: {{- toYaml .Values.monitoringQueriesConfigMap.queries | nindent 4 }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/mutatingwebhookconfiguration.yaml

@@ -0,0 +1,92 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+{{- if .Values.webhook.mutating.create }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: cnpg-mutating-webhook-configuration
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-postgresql-cnpg-io-v1-backup
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+  name: mbackup.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - backups
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-postgresql-cnpg-io-v1-cluster
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+  name: mcluster.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusters
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-postgresql-cnpg-io-v1-scheduledbackup
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+  name: mscheduledbackup.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - scheduledbackups
+  sideEffects: None
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/podmonitor.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.monitoring.podMonitorEnabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    {{- with .Values.monitoring.podMonitorAdditionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end}}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "cloudnative-pg.selectorLabels" . | nindent 6 }}
+  podMetricsEndpoints:
+    - port: metrics
+      {{- with .Values.monitoring.podMonitorMetricRelabelings }}
+      metricRelabelings:
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.monitoring.podMonitorRelabelings }}
+      relabelings:
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/rbac.yaml

@@ -0,0 +1,439 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+{{- if .Values.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "cloudnative-pg.serviceAccountName" . }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/status
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - podmonitors
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - clusterimagecatalogs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - clusters
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - clusters/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - clusters/status
+  verbs:
+  - get
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - imagecatalogs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - poolers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - poolers/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - poolers/status
+  verbs:
+  - get
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - scheduledbackups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - scheduledbackups/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cloudnative-pg.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cloudnative-pg.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}-view
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateClusterRoles }}
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
+rules:
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups
+  - clusters
+  - poolers
+  - scheduledbackups
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}-edit
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateClusterRoles }}
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
+rules:
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups
+  - clusters
+  - poolers
+  - scheduledbackups
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+---
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/service.yaml

@@ -0,0 +1,34 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.service.name }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+  - port: {{ .Values.service.port }}
+    targetPort: webhook-server
+    name: webhook-server
+  selector:
+    {{- include "cloudnative-pg.selectorLabels" . | nindent 4 }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/validatingwebhookconfiguration.yaml

@@ -0,0 +1,113 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+{{- if .Values.webhook.validating.create }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: cnpg-validating-webhook-configuration
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.rbac.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-postgresql-cnpg-io-v1-backup
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+  name: vbackup.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - backups
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-postgresql-cnpg-io-v1-cluster
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+  name: vcluster.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusters
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-postgresql-cnpg-io-v1-scheduledbackup
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+  name: vscheduledbackup.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - scheduledbackups
+  sideEffects: None
+- admissionReviewVersions:
+    - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-postgresql-cnpg-io-v1-pooler
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+  name: vpooler.cnpg.io
+  rules:
+    - apiGroups:
+        - postgresql.cnpg.io
+      apiVersions:
+        - v1
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+        - poolers
+  sideEffects: None
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/values.schema.json

@@ -0,0 +1,281 @@
+{
+    "$schema": "http://json-schema.org/schema#",
+    "type": "object",
+    "properties": {
+        "additionalArgs": {
+            "type": "array"
+        },
+        "additionalEnv": {
+            "type": "array"
+        },
+        "affinity": {
+            "type": "object"
+        },
+        "commonAnnotations": {
+            "type": "object"
+        },
+        "config": {
+            "type": "object",
+            "properties": {
+                "create": {
+                    "type": "boolean"
+                },
+                "data": {
+                    "type": "object"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "secret": {
+                    "type": "boolean"
+                }
+            }
+        },
+        "containerSecurityContext": {
+            "type": "object",
+            "properties": {
+                "allowPrivilegeEscalation": {
+                    "type": "boolean"
+                },
+                "capabilities": {
+                    "type": "object",
+                    "properties": {
+                        "drop": {
+                            "type": "array",
+                            "items": {
+                                "type": "string"
+                            }
+                        }
+                    }
+                },
+                "readOnlyRootFilesystem": {
+                    "type": "boolean"
+                },
+                "runAsGroup": {
+                    "type": "integer"
+                },
+                "runAsUser": {
+                    "type": "integer"
+                },
+                "seccompProfile": {
+                    "type": "object",
+                    "properties": {
+                        "type": {
+                            "type": "string"
+                        }
+                    }
+                }
+            }
+        },
+        "crds": {
+            "type": "object",
+            "properties": {
+                "create": {
+                    "type": "boolean"
+                }
+            }
+        },
+        "dnsPolicy": {
+            "type": "string"
+        },
+        "fullnameOverride": {
+            "type": "string"
+        },
+        "hostNetwork": {
+            "type": "boolean"
+        },
+        "image": {
+            "type": "object",
+            "properties": {
+                "pullPolicy": {
+                    "type": "string"
+                },
+                "repository": {
+                    "type": "string"
+                },
+                "tag": {
+                    "type": "string"
+                }
+            }
+        },
+        "imagePullSecrets": {
+            "type": "array"
+        },
+        "monitoring": {
+            "type": "object",
+            "properties": {
+                "grafanaDashboard": {
+                    "type": "object",
+                    "properties": {
+                        "annotations": {
+                            "type": "object"
+                        },
+                        "configMapName": {
+                            "type": "string"
+                        },
+                        "create": {
+                            "type": "boolean"
+                        },
+                        "labels": {
+                            "type": "object"
+                        },
+                        "namespace": {
+                            "type": "string"
+                        },
+                        "sidecarLabel": {
+                            "type": "string"
+                        },
+                        "sidecarLabelValue": {
+                            "type": "string"
+                        }
+                    }
+                },
+                "podMonitorAdditionalLabels": {
+                    "type": "object"
+                },
+                "podMonitorEnabled": {
+                    "type": "boolean"
+                },
+                "podMonitorMetricRelabelings": {
+                    "type": "array"
+                },
+                "podMonitorRelabelings": {
+                    "type": "array"
+                }
+            }
+        },
+        "monitoringQueriesConfigMap": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string"
+                },
+                "queries": {
+                    "type": "string"
+                }
+            }
+        },
+        "nameOverride": {
+            "type": "string"
+        },
+        "nodeSelector": {
+            "type": "object"
+        },
+        "podAnnotations": {
+            "type": "object"
+        },
+        "podLabels": {
+            "type": "object"
+        },
+        "podSecurityContext": {
+            "type": "object",
+            "properties": {
+                "runAsNonRoot": {
+                    "type": "boolean"
+                },
+                "seccompProfile": {
+                    "type": "object",
+                    "properties": {
+                        "type": {
+                            "type": "string"
+                        }
+                    }
+                }
+            }
+        },
+        "priorityClassName": {
+            "type": "string"
+        },
+        "rbac": {
+            "type": "object",
+            "properties": {
+                "aggregateClusterRoles": {
+                    "type": "boolean"
+                },
+                "create": {
+                    "type": "boolean"
+                }
+            }
+        },
+        "replicaCount": {
+            "type": "integer"
+        },
+        "resources": {
+            "type": "object"
+        },
+        "service": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string"
+                },
+                "port": {
+                    "type": "integer"
+                },
+                "type": {
+                    "type": "string"
+                }
+            }
+        },
+        "serviceAccount": {
+            "type": "object",
+            "properties": {
+                "create": {
+                    "type": "boolean"
+                },
+                "name": {
+                    "type": "string"
+                }
+            }
+        },
+        "tolerations": {
+            "type": "array"
+        },
+        "webhook": {
+            "type": "object",
+            "properties": {
+                "livenessProbe": {
+                    "type": "object",
+                    "properties": {
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        }
+                    }
+                },
+                "mutating": {
+                    "type": "object",
+                    "properties": {
+                        "create": {
+                            "type": "boolean"
+                        },
+                        "failurePolicy": {
+                            "type": "string"
+                        }
+                    }
+                },
+                "port": {
+                    "type": "integer"
+                },
+                "readinessProbe": {
+                    "type": "object",
+                    "properties": {
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        }
+                    }
+                },
+                "validating": {
+                    "type": "object",
+                    "properties": {
+                        "create": {
+                            "type": "boolean"
+                        },
+                        "failurePolicy": {
+                            "type": "string"
+                        }
+                    }
+                }
+            }
+        }
+    }
+}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/values.yaml

@@ -0,0 +1,628 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Default values for CloudNativePG.
+# This is a YAML-formatted file.
+# Please declare variables to be passed to your templates.
+
+replicaCount: 1
+
+image:
+  repository: ghcr.io/cloudnative-pg/cloudnative-pg
+  pullPolicy: IfNotPresent
+  # -- Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+hostNetwork: false
+dnsPolicy: ""
+
+crds:
+  # -- Specifies whether the CRDs should be created when installing the chart.
+  create: true
+
+# -- The webhook configuration.
+webhook:
+  port: 9443
+  mutating:
+    create: true
+    failurePolicy: Fail
+  validating:
+    create: true
+    failurePolicy: Fail
+  livenessProbe:
+    initialDelaySeconds: 3
+  readinessProbe:
+    initialDelaySeconds: 3
+
+# -- Operator configuration.
+config:
+  # -- Specifies whether the secret should be created.
+  create: true
+  # -- The name of the configmap/secret to use.
+  name: cnpg-controller-manager-config
+  # -- Specifies whether it should be stored in a secret, instead of a configmap.
+  secret: false
+  # -- The content of the configmap/secret, see
+  # https://cloudnative-pg.io/documentation/current/operator_conf/#available-options
+  # for all the available options.
+  data: {}
+  # INHERITED_ANNOTATIONS: categories
+  # INHERITED_LABELS: environment, workload, app
+  # WATCH_NAMESPACE: namespace-a,namespace-b
+
+# -- Additinal arguments to be added to the operator's args list.
+additionalArgs: []
+
+# -- Array containing extra environment variables which can be templated.
+# For example:
+#  - name: RELEASE_NAME
+#    value: "{{ .Release.Name }}"
+#  - name: MY_VAR
+#    value: "mySpecialKey"
+additionalEnv: []
+
+serviceAccount:
+  # -- Specifies whether the service account should be created.
+  create: true
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template.
+  name: ""
+
+rbac:
+  # -- Specifies whether ClusterRole and ClusterRoleBinding should be created.
+  create: true
+  # -- Aggregate ClusterRoles to Kubernetes default user-facing roles.
+  # Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+  aggregateClusterRoles: false
+
+# -- Annotations to be added to all other resources.
+commonAnnotations: {}
+# -- Annotations to be added to the pod.
+podAnnotations: {}
+# -- Labels to be added to the pod.
+podLabels: {}
+
+# -- Container Security Context.
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsUser: 10001
+  runAsGroup: 10001
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - "ALL"
+
+# -- Security Context for the whole pod.
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+  # fsGroup: 2000
+
+# -- Priority indicates the importance of a Pod relative to other Pods.
+priorityClassName: ""
+
+service:
+  type: ClusterIP
+  # -- DO NOT CHANGE THE SERVICE NAME as it is currently used to generate the certificate
+  # and can not be configured
+  name: cnpg-webhook-service
+  port: 443
+
+resources: {}
+  # If you want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  #
+  # limits:
+  #   cpu: 100m
+  #   memory: 200Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 100Mi
+
+# -- Nodeselector for the operator to be installed.
+nodeSelector: {}
+
+# -- Tolerations for the operator to be installed.
+tolerations: []
+
+# -- Affinity for the operator to be installed.
+affinity: {}
+
+monitoring:
+
+  # -- Specifies whether the monitoring should be enabled. Requires Prometheus Operator CRDs.
+  podMonitorEnabled: false
+  # -- Metrics relabel configurations to apply to samples before ingestion.
+  podMonitorMetricRelabelings: []
+  # -- Relabel configurations to apply to samples before scraping.
+  podMonitorRelabelings: []
+  # -- Additional labels for the podMonitor
+  podMonitorAdditionalLabels: {}
+
+  grafanaDashboard:
+    create: false
+    # -- Allows overriding the namespace where the ConfigMap will be created, defaulting to the same one as the Release.
+    namespace: ""
+    # -- The name of the ConfigMap containing the dashboard.
+    configMapName: "cnpg-grafana-dashboard"
+    # -- Label that ConfigMaps should have to be loaded as dashboards.  DEPRECATED: Use labels instead.
+    sidecarLabel: "grafana_dashboard"
+    # -- Label value that ConfigMaps should have to be loaded as dashboards.  DEPRECATED: Use labels instead.
+    sidecarLabelValue: "1"
+    # -- Labels that ConfigMaps should have to get configured in Grafana.
+    labels: {}
+    # -- Annotations that ConfigMaps can have to get configured in Grafana.
+    annotations: {}
+
+# Default monitoring queries
+monitoringQueriesConfigMap:
+  # -- The name of the default monitoring configmap.
+  name: cnpg-default-monitoring
+  # -- A string representation of a YAML defining monitoring queries.
+  queries: |
+    backends:
+      query: |
+       SELECT sa.datname
+           , sa.usename
+           , sa.application_name
+           , states.state
+           , COALESCE(sa.count, 0) AS total
+           , COALESCE(sa.max_tx_secs, 0) AS max_tx_duration_seconds
+           FROM ( VALUES ('active')
+               , ('idle')
+               , ('idle in transaction')
+               , ('idle in transaction (aborted)')
+               , ('fastpath function call')
+               , ('disabled')
+               ) AS states(state)
+           LEFT JOIN (
+               SELECT datname
+                   , state
+                   , usename
+                   , COALESCE(application_name, '') AS application_name
+                   , COUNT(*)
+                   , COALESCE(EXTRACT (EPOCH FROM (max(now() - xact_start))), 0) AS max_tx_secs
+               FROM pg_catalog.pg_stat_activity
+               GROUP BY datname, state, usename, application_name
+           ) sa ON states.state = sa.state
+           WHERE sa.usename IS NOT NULL
+      metrics:
+        - datname:
+            usage: "LABEL"
+            description: "Name of the database"
+        - usename:
+            usage: "LABEL"
+            description: "Name of the user"
+        - application_name:
+            usage: "LABEL"
+            description: "Name of the application"
+        - state:
+            usage: "LABEL"
+            description: "State of the backend"
+        - total:
+            usage: "GAUGE"
+            description: "Number of backends"
+        - max_tx_duration_seconds:
+            usage: "GAUGE"
+            description: "Maximum duration of a transaction in seconds"
+
+    backends_waiting:
+      query: |
+       SELECT count(*) AS total
+       FROM pg_catalog.pg_locks blocked_locks
+       JOIN pg_catalog.pg_locks blocking_locks
+         ON blocking_locks.locktype = blocked_locks.locktype
+         AND blocking_locks.database IS NOT DISTINCT FROM blocked_locks.database
+         AND blocking_locks.relation IS NOT DISTINCT FROM blocked_locks.relation
+         AND blocking_locks.page IS NOT DISTINCT FROM blocked_locks.page
+         AND blocking_locks.tuple IS NOT DISTINCT FROM blocked_locks.tuple
+         AND blocking_locks.virtualxid IS NOT DISTINCT FROM blocked_locks.virtualxid
+         AND blocking_locks.transactionid IS NOT DISTINCT FROM blocked_locks.transactionid
+         AND blocking_locks.classid IS NOT DISTINCT FROM blocked_locks.classid
+         AND blocking_locks.objid IS NOT DISTINCT FROM blocked_locks.objid
+         AND blocking_locks.objsubid IS NOT DISTINCT FROM blocked_locks.objsubid
+         AND blocking_locks.pid != blocked_locks.pid
+       JOIN pg_catalog.pg_stat_activity blocking_activity ON blocking_activity.pid = blocking_locks.pid
+       WHERE NOT blocked_locks.granted
+      metrics:
+        - total:
+            usage: "GAUGE"
+            description: "Total number of backends that are currently waiting on other queries"
+
+    pg_database:
+      query: |
+        SELECT datname
+          , pg_catalog.pg_database_size(datname) AS size_bytes
+          , pg_catalog.age(datfrozenxid) AS xid_age
+          , pg_catalog.mxid_age(datminmxid) AS mxid_age
+        FROM pg_catalog.pg_database
+        WHERE datallowconn
+      metrics:
+        - datname:
+            usage: "LABEL"
+            description: "Name of the database"
+        - size_bytes:
+            usage: "GAUGE"
+            description: "Disk space used by the database"
+        - xid_age:
+            usage: "GAUGE"
+            description: "Number of transactions from the frozen XID to the current one"
+        - mxid_age:
+            usage: "GAUGE"
+            description: "Number of multiple transactions (Multixact) from the frozen XID to the current one"
+
+    pg_postmaster:
+      query: |
+        SELECT EXTRACT(EPOCH FROM pg_postmaster_start_time) AS start_time
+        FROM pg_catalog.pg_postmaster_start_time()
+      metrics:
+        - start_time:
+            usage: "GAUGE"
+            description: "Time at which postgres started (based on epoch)"
+
+    pg_replication:
+      query: "SELECT CASE WHEN (
+                NOT pg_catalog.pg_is_in_recovery()
+                OR pg_catalog.pg_last_wal_receive_lsn() = pg_catalog.pg_last_wal_replay_lsn())
+              THEN 0
+              ELSE GREATEST (0,
+                EXTRACT(EPOCH FROM (now() - pg_catalog.pg_last_xact_replay_timestamp())))
+              END AS lag,
+              pg_catalog.pg_is_in_recovery() AS in_recovery,
+              EXISTS (TABLE pg_stat_wal_receiver) AS is_wal_receiver_up,
+              (SELECT count(*) FROM pg_catalog.pg_stat_replication) AS streaming_replicas"
+      metrics:
+        - lag:
+            usage: "GAUGE"
+            description: "Replication lag behind primary in seconds"
+        - in_recovery:
+            usage: "GAUGE"
+            description: "Whether the instance is in recovery"
+        - is_wal_receiver_up:
+            usage: "GAUGE"
+            description: "Whether the instance wal_receiver is up"
+        - streaming_replicas:
+            usage: "GAUGE"
+            description: "Number of streaming replicas connected to the instance"
+
+    pg_replication_slots:
+      query: |
+        SELECT slot_name,
+          slot_type,
+          database,
+          active,
+          (CASE pg_catalog.pg_is_in_recovery()
+            WHEN TRUE THEN pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_last_wal_receive_lsn(), restart_lsn)
+            ELSE pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), restart_lsn)
+          END) as pg_wal_lsn_diff
+        FROM pg_catalog.pg_replication_slots
+        WHERE NOT temporary
+      metrics:
+        - slot_name:
+            usage: "LABEL"
+            description: "Name of the replication slot"
+        - slot_type:
+            usage: "LABEL"
+            description: "Type of the replication slot"
+        - database:
+            usage: "LABEL"
+            description: "Name of the database"
+        - active:
+            usage: "GAUGE"
+            description: "Flag indicating whether the slot is active"
+        - pg_wal_lsn_diff:
+            usage: "GAUGE"
+            description: "Replication lag in bytes"
+
+    pg_stat_archiver:
+      query: |
+        SELECT archived_count
+          , failed_count
+          , COALESCE(EXTRACT(EPOCH FROM (now() - last_archived_time)), -1) AS seconds_since_last_archival
+          , COALESCE(EXTRACT(EPOCH FROM (now() - last_failed_time)), -1) AS seconds_since_last_failure
+          , COALESCE(EXTRACT(EPOCH FROM last_archived_time), -1) AS last_archived_time
+          , COALESCE(EXTRACT(EPOCH FROM last_failed_time), -1) AS last_failed_time
+          , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_archived_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_archived_wal_start_lsn
+          , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_failed_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_failed_wal_start_lsn
+          , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
+        FROM pg_catalog.pg_stat_archiver
+      metrics:
+        - archived_count:
+            usage: "COUNTER"
+            description: "Number of WAL files that have been successfully archived"
+        - failed_count:
+            usage: "COUNTER"
+            description: "Number of failed attempts for archiving WAL files"
+        - seconds_since_last_archival:
+            usage: "GAUGE"
+            description: "Seconds since the last successful archival operation"
+        - seconds_since_last_failure:
+            usage: "GAUGE"
+            description: "Seconds since the last failed archival operation"
+        - last_archived_time:
+            usage: "GAUGE"
+            description: "Epoch of the last time WAL archiving succeeded"
+        - last_failed_time:
+            usage: "GAUGE"
+            description: "Epoch of the last time WAL archiving failed"
+        - last_archived_wal_start_lsn:
+            usage: "GAUGE"
+            description: "Archived WAL start LSN"
+        - last_failed_wal_start_lsn:
+            usage: "GAUGE"
+            description: "Last failed WAL LSN"
+        - stats_reset_time:
+            usage: "GAUGE"
+            description: "Time at which these statistics were last reset"
+
+    pg_stat_bgwriter:
+      runonserver: "<17.0.0"
+      query: |
+        SELECT checkpoints_timed
+          , checkpoints_req
+          , checkpoint_write_time
+          , checkpoint_sync_time
+          , buffers_checkpoint
+          , buffers_clean
+          , maxwritten_clean
+          , buffers_backend
+          , buffers_backend_fsync
+          , buffers_alloc
+        FROM pg_catalog.pg_stat_bgwriter
+      metrics:
+        - checkpoints_timed:
+            usage: "COUNTER"
+            description: "Number of scheduled checkpoints that have been performed"
+        - checkpoints_req:
+            usage: "COUNTER"
+            description: "Number of requested checkpoints that have been performed"
+        - checkpoint_write_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds"
+        - checkpoint_sync_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds"
+        - buffers_checkpoint:
+            usage: "COUNTER"
+            description: "Number of buffers written during checkpoints"
+        - buffers_clean:
+            usage: "COUNTER"
+            description: "Number of buffers written by the background writer"
+        - maxwritten_clean:
+            usage: "COUNTER"
+            description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers"
+        - buffers_backend:
+            usage: "COUNTER"
+            description: "Number of buffers written directly by a backend"
+        - buffers_backend_fsync:
+            usage: "COUNTER"
+            description: "Number of times a backend had to execute its own fsync call (normally the background writer handles those even when the backend does its own write)"
+        - buffers_alloc:
+            usage: "COUNTER"
+            description: "Number of buffers allocated"
+
+    pg_stat_bgwriter_17:
+      runonserver: ">=17.0.0"
+      name: pg_stat_bgwriter
+      query: |
+        SELECT buffers_clean
+          , maxwritten_clean
+          , buffers_alloc
+          , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
+        FROM pg_catalog.pg_stat_bgwriter
+      metrics:
+        - buffers_clean:
+            usage: "COUNTER"
+            description: "Number of buffers written by the background writer"
+        - maxwritten_clean:
+            usage: "COUNTER"
+            description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers"
+        - buffers_alloc:
+            usage: "COUNTER"
+            description: "Number of buffers allocated"
+        - stats_reset_time:
+            usage: "GAUGE"
+            description: "Time at which these statistics were last reset"
+
+    pg_stat_checkpointer:
+      runonserver: ">=17.0.0"
+      query: |
+        SELECT num_timed AS checkpoints_timed
+          , num_requested AS checkpoints_req
+          , restartpoints_timed
+          , restartpoints_req
+          , restartpoints_done
+          , write_time
+          , sync_time
+          , buffers_written
+          , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
+        FROM pg_catalog.pg_stat_checkpointer
+      metrics:
+        - checkpoints_timed:
+            usage: "COUNTER"
+            description: "Number of scheduled checkpoints that have been performed"
+        - checkpoints_req:
+            usage: "COUNTER"
+            description: "Number of requested checkpoints that have been performed"
+        - restartpoints_timed:
+            usage: "COUNTER"
+            description: "Number of scheduled restartpoints due to timeout or after a failed attempt to perform it"
+        - restartpoints_req:
+            usage: "COUNTER"
+            description: "Number of requested restartpoints that have been performed"
+        - restartpoints_done:
+            usage: "COUNTER"
+            description: "Number of restartpoints that have been performed"
+        - write_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are written to disk, in milliseconds"
+        - sync_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are synchronized to disk, in milliseconds"
+        - buffers_written:
+            usage: "COUNTER"
+            description: "Number of buffers written during checkpoints and restartpoints"
+        - stats_reset_time:
+            usage: "GAUGE"
+            description: "Time at which these statistics were last reset"
+
+    pg_stat_database:
+      query: |
+        SELECT datname
+          , xact_commit
+          , xact_rollback
+          , blks_read
+          , blks_hit
+          , tup_returned
+          , tup_fetched
+          , tup_inserted
+          , tup_updated
+          , tup_deleted
+          , conflicts
+          , temp_files
+          , temp_bytes
+          , deadlocks
+          , blk_read_time
+          , blk_write_time
+        FROM pg_catalog.pg_stat_database
+      metrics:
+        - datname:
+            usage: "LABEL"
+            description: "Name of this database"
+        - xact_commit:
+            usage: "COUNTER"
+            description: "Number of transactions in this database that have been committed"
+        - xact_rollback:
+            usage: "COUNTER"
+            description: "Number of transactions in this database that have been rolled back"
+        - blks_read:
+            usage: "COUNTER"
+            description: "Number of disk blocks read in this database"
+        - blks_hit:
+            usage: "COUNTER"
+            description: "Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache)"
+        - tup_returned:
+            usage: "COUNTER"
+            description: "Number of rows returned by queries in this database"
+        - tup_fetched:
+            usage: "COUNTER"
+            description: "Number of rows fetched by queries in this database"
+        - tup_inserted:
+            usage: "COUNTER"
+            description: "Number of rows inserted by queries in this database"
+        - tup_updated:
+            usage: "COUNTER"
+            description: "Number of rows updated by queries in this database"
+        - tup_deleted:
+            usage: "COUNTER"
+            description: "Number of rows deleted by queries in this database"
+        - conflicts:
+            usage: "COUNTER"
+            description: "Number of queries canceled due to conflicts with recovery in this database"
+        - temp_files:
+            usage: "COUNTER"
+            description: "Number of temporary files created by queries in this database"
+        - temp_bytes:
+            usage: "COUNTER"
+            description: "Total amount of data written to temporary files by queries in this database"
+        - deadlocks:
+            usage: "COUNTER"
+            description: "Number of deadlocks detected in this database"
+        - blk_read_time:
+            usage: "COUNTER"
+            description: "Time spent reading data file blocks by backends in this database, in milliseconds"
+        - blk_write_time:
+            usage: "COUNTER"
+            description: "Time spent writing data file blocks by backends in this database, in milliseconds"
+
+    pg_stat_replication:
+      primary: true
+      query: |
+       SELECT usename
+         , COALESCE(application_name, '') AS application_name
+         , COALESCE(client_addr::text, '') AS client_addr
+         , COALESCE(client_port::text, '') AS client_port
+         , EXTRACT(EPOCH FROM backend_start) AS backend_start
+         , COALESCE(pg_catalog.age(backend_xmin), 0) AS backend_xmin_age
+         , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), sent_lsn) AS sent_diff_bytes
+         , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), write_lsn) AS write_diff_bytes
+         , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), flush_lsn) AS flush_diff_bytes
+         , COALESCE(pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), replay_lsn),0) AS replay_diff_bytes
+         , COALESCE((EXTRACT(EPOCH FROM write_lag)),0)::float AS write_lag_seconds
+         , COALESCE((EXTRACT(EPOCH FROM flush_lag)),0)::float AS flush_lag_seconds
+         , COALESCE((EXTRACT(EPOCH FROM replay_lag)),0)::float AS replay_lag_seconds
+       FROM pg_catalog.pg_stat_replication
+      metrics:
+        - usename:
+            usage: "LABEL"
+            description: "Name of the replication user"
+        - application_name:
+            usage: "LABEL"
+            description: "Name of the application"
+        - client_addr:
+            usage: "LABEL"
+            description: "Client IP address"
+        - client_port:
+            usage: "LABEL"
+            description: "Client TCP port"
+        - backend_start:
+            usage: "COUNTER"
+            description: "Time when this process was started"
+        - backend_xmin_age:
+            usage: "COUNTER"
+            description: "The age of this standby's xmin horizon"
+        - sent_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location sent on this connection"
+        - write_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location written to disk by this standby server"
+        - flush_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location flushed to disk by this standby server"
+        - replay_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location replayed into the database on this standby server"
+        - write_lag_seconds:
+            usage: "GAUGE"
+            description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written it"
+        - flush_lag_seconds:
+            usage: "GAUGE"
+            description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written and flushed it"
+        - replay_lag_seconds:
+            usage: "GAUGE"
+            description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written, flushed and applied it"
+
+    pg_settings:
+      query: |
+        SELECT name,
+        CASE setting WHEN 'on' THEN '1' WHEN 'off' THEN '0' ELSE setting END AS setting
+        FROM pg_catalog.pg_settings
+        WHERE vartype IN ('integer', 'real', 'bool')
+        ORDER BY 1
+      metrics:
+        - name:
+            usage: "LABEL"
+            description: "Name of the setting"
+        - setting:
+            usage: "GAUGE"
+            description: "Setting value"

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.3.3
+description: 'A Helm chart for the External Postgres operator  helm repo add ext-postgres-operator
+  https://movetokube.github.io/postgres-operator/ helm upgrade --install -n operators
+  ext-postgres-operator  ext-postgres-operator/ext-postgres-operator --version 1.2.3 '
+name: ext-postgres-operator
+type: application
+version: 1.2.6

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/crds/db.movetokube.com_postgres_crd.yaml

@@ -0,0 +1,90 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: postgres.db.movetokube.com
+spec:
+  group: db.movetokube.com
+  names:
+    kind: Postgres
+    listKind: PostgresList
+    plural: postgres
+    singular: postgres
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Postgres is the Schema for the postgres API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PostgresSpec defines the desired state of Postgres
+            properties:
+              database:
+                type: string
+              dropOnDelete:
+                type: boolean
+              extensions:
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
+              masterRole:
+                type: string
+              schemas:
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
+            required:
+            - database
+            type: object
+          status:
+            description: PostgresStatus defines the observed state of Postgres
+            properties:
+              extensions:
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
+              roles:
+                description: PostgresRoles stores the different group roles for database
+                properties:
+                  owner:
+                    type: string
+                  reader:
+                    type: string
+                  writer:
+                    type: string
+                required:
+                - owner
+                - reader
+                - writer
+                type: object
+              schemas:
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
+              succeeded:
+                type: boolean
+            required:
+            - roles
+            - succeeded
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/crds/db.movetokube.com_postgresusers_crd.yaml

@@ -0,0 +1,79 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: postgresusers.db.movetokube.com
+spec:
+  group: db.movetokube.com
+  names:
+    kind: PostgresUser
+    listKind: PostgresUserList
+    plural: postgresusers
+    singular: postgresuser
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: PostgresUser is the Schema for the postgresusers API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PostgresUserSpec defines the desired state of PostgresUser
+            properties:
+              annotations:
+                additionalProperties:
+                  type: string
+                type: object
+              database:
+                type: string
+              privileges:
+                type: string
+              role:
+                type: string
+              secretName:
+                type: string
+              secretTemplate:
+                additionalProperties:
+                  type: string
+                type: object
+            required:
+            - database
+            - role
+            - secretName
+            type: object
+          status:
+            description: PostgresUserStatus defines the observed state of PostgresUser
+            properties:
+              databaseName:
+                type: string
+              postgresGroup:
+                type: string
+              postgresLogin:
+                type: string
+              postgresRole:
+                type: string
+              succeeded:
+                type: boolean
+            required:
+            - databaseName
+            - postgresGroup
+            - postgresLogin
+            - postgresRole
+            - succeeded
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "chart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "chart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "chart.labels" -}}
+helm.sh/chart: {{ include "chart.chart" . }}
+{{ include "chart.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "chart.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{- define "chart.selectorLabelsDev" -}}
+app.kubernetes.io/name: {{ include "chart.name" . }}-dev
+app.kubernetes.io/instance: {{ .Release.Name }}-dev
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "chart.serviceAccountName" -}}
+{{- default (include "chart.fullname" .) .Values.serviceAccount.name }}
+{{- end }}

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/operator.yaml

@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "chart.fullname" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "chart.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "chart.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      serviceAccountName: {{ include "chart.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          command:
+          - postgres-operator
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          envFrom:
+            - secretRef:
+                {{- if .Values.existingSecret }}
+                name: {{ .Values.existingSecret }}
+                {{- else }}
+                name: {{ include "chart.fullname" . }}
+                {{- end }}
+          env:
+            - name: WATCH_NAMESPACE
+              value: {{ .Values.watchNamespace | default "" }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: {{ include "chart.fullname" . }}
+            {{- range $key, $value := .Values.env }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+          {{- if .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml .Values.volumeMounts | nindent 12 }}
+          {{- end }}
+      {{- if .Values.volumes }}
+      volumes:
+        {{- toYaml .Values.volumes | nindent 8 }}
+      {{- end }}
+      nodeSelector:
+        {{- toYaml .Values.nodeSelector | nindent 8 }}
+      tolerations:
+        {{- toYaml .Values.tolerations | nindent 8 }}

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/role.yaml

@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "chart.fullname" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resourceNames:
+  - ext-postgres-operator
+  resources:
+  - deployments/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - db.movetokube.com
+  resources:
+  - '*'
+  verbs:
+  - '*'

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/role_binding.yaml

@@ -0,0 +1,14 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "chart.fullname" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "chart.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "chart.serviceAccountName" . }}
+  apiGroup: rbac.authorization.k8s.io

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/secret.yaml

@@ -0,0 +1,20 @@
+{{- if (not .Values.existingSecret) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  name: {{ include "chart.fullname" . }}
+  namespace: {{ .Release.namespace }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+type: Opaque
+data:
+  POSTGRES_HOST: {{ .Values.postgres.host | b64enc | quote }}
+  POSTGRES_USER: {{ .Values.postgres.user | b64enc | quote }}
+  POSTGRES_PASS: {{ .Values.postgres.password | b64enc | quote }}
+  POSTGRES_URI_ARGS: {{ .Values.postgres.uri_args | b64enc | quote }}
+  POSTGRES_CLOUD_PROVIDER: {{ .Values.postgres.cloud_provider | b64enc | quote }}
+  POSTGRES_DEFAULT_DATABASE: {{ .Values.postgres.default_database | b64enc | quote }}
+{{- end }}

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "chart.serviceAccountName" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/values.yaml

@@ -0,0 +1,77 @@
+# Default values for chart.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: ghcr.io/movetokube/postgres-operator
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+# Override chart name, defaults to Chart.name
+nameOverride: ""
+# Full chart name override
+fullnameOverride: ""
+
+serviceAccount:
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+# Additionnal labels to add to the pod.
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+# Which namespace to watch in kubernetes, empty string means all namespaces
+watchNamespace: ""
+
+# Define connection to postgres database server
+postgres:
+  # postgres hostname
+  host: "localhost"
+  # postgres admin user and password
+  user: "admin"
+  password: "password"
+  # additional connection args to pg driver
+  uri_args: ""
+  # postgres cloud provider, could be AWS, Azure, GCP or empty (default)
+  cloud_provider: ""
+  # default database to use
+  default_database: "postgres"
+
+# Volumes to add to the pod.
+volumes: []
+
+# Volumes to mount onto the pod.
+volumeMounts: []
+
+# Existing secret where values to connect to Postgres are defined.
+# If not set a new secret will be created, filled with information under the postgres key above.
+existingSecret: ""
+
+# Additionnal environment variables to add to the pod (map of key / value)
+env: {}
+
+nodeSelector: {}
+
+tolerations: []

cnpg/operators/config/values.cnpg.yaml

@@ -0,0 +1,7 @@
+replicaCount: 2
+
+monitoring:
+  podMonitorEnabled: true
+  grafanaDashboard:
+    create: true
+    namespace: observability-system

cnpg/operators/config/values.ext-pgo.yaml

@@ -0,0 +1,3 @@
+replicaCount: 2
+
+existingSecret: ext-postgres-operator

cnpg/operators/kustomization.yaml

@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - resources/namespace.yaml
+  - resources/secrets/ext-pgo-creds.yaml
+  - resources/secrets/ext-pgo-admin.yaml
+
+helmCharts:
+  - releaseName: cnpg
+    name: cloudnative-pg
+    repo: https://cloudnative-pg.github.io/charts
+    version: 0.22.1
+    valuesFile: config/values.cnpg.yaml
+    namespace: postgres-system
+    includeCRDs: true
+
+  - releaseName: ext-pgo
+    name: ext-postgres-operator
+    repo: https://movetokube.github.io/postgres-operator/
+    version: 1.2.6
+    valuesFile: config/values.ext-pgo.yaml
+    namespace: postgres-system
+    includeCRDs: true

cnpg/operators/resources/namespace.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: postgres-system
+  labels:
+    prometheus: default
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: postgres
+  labels:
+    prometheus: default

coder/config/values.coder.yml

@@ -10,8 +10,8 @@ coder:
     - name: CODER_PG_CONNECTION_URL
       valueFrom:
         secretKeyRef:
-          name: default-cluster-pguser-coder
-          key: uri
+          name: coder-db-credentials-coder
+          key: PQ_URL
     - name: CODER_DISABLE_PASSWORD_AUTH
       value: "true"
     - name: CODER_OIDC_ISSUER_URL

coder/kustomization.yaml

@@ -7,12 +7,14 @@ resources:
   - "resources/namespace.yaml"
   - "resources/http_routes.yaml"
   - "resources/secret.yaml"
+  - "resources/db/db.yaml"
+  - "resources/db/user.yaml"
 
 helmCharts:
   - name: coder
     repo: https://helm.coder.com/v2
     releaseName: coder
     namespace: coder
-    version: "2.12.3"
+    version: "2.16.0"
     valuesFile: config/values.coder.yml
     skipTests: true

coder/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: coder
+spec:
+  database: coder
+  dropOnDelete: false

coder/resources/db/user.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: coder
+spec:
+  role: coder
+  database: coder
+  secretName: coder-db-credentials
+  privileges: OWNER
+  secretTemplate:
+    PQ_URL: "postgresql://{{.Role}}:{{.Password}}@{{.Host}}:5432/{{.Database}}?sslmode=require&search_path=coder"

contour/crds/contour.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: contourconfigurations.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -120,6 +120,12 @@ spec:
                               defaults to 3.
                             format: int32
                             type: integer
+                          perHostMaxConnections:
+                            description: |-
+                              PerHostMaxConnections is the maximum number of connections
+                              that Envoy will allow to each individual host in a cluster.
+                            format: int32
+                            type: integer
                         type: object
                       dnsLookupFamily:
                         description: |-
@@ -600,9 +606,9 @@ spec:
                 description: |-
                   FeatureFlags defines toggle to enable new contour features.
                   Available toggles are:
-                  useEndpointSlices - configures contour to fetch endpoint data
-                  from k8s endpoint slices. defaults to false and reading endpoint
-                  data from the k8s endpoints.
+                  useEndpointSlices - Configures contour to fetch endpoint data
+                  from k8s endpoint slices. defaults to true,
+                  If false then reads endpoint data from the k8s endpoints.
                 items:
                   type: string
                 type: array
@@ -1141,8 +1147,10 @@ spec:
                   type:
                     description: |-
                       Defines the XDSServer to use for `contour serve`.
-                      Values: `contour` (default), `envoy`.
+                      Values: `envoy` (default), `contour (deprecated)`.
                       Other values will produce an error.
+                      Deprecated: this field will be removed in a future release when
+                      the `contour` xDS server implementation is removed.
                     type: string
                 type: object
             type: object
@@ -1360,7 +1368,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: contourdeployments.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -1814,6 +1822,8 @@ spec:
                             to container and the other way around.
                             When not set, MountPropagationNone is used.
                             This field is beta in 1.10.
+                            When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                            (which defaults to None).
                           type: string
                         name:
                           description: This must match the Name of a Volume.
@@ -1823,6 +1833,21 @@ spec:
                             Mounted read-only if true, read-write otherwise (false or unspecified).
                             Defaults to false.
                           type: boolean
+                        recursiveReadOnly:
+                          description: |-
+                            RecursiveReadOnly specifies whether read-only mounts should be handled
+                            recursively.
+                            If ReadOnly is false, this field has no meaning and must be unspecified.
+                            If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                            recursively read-only.  If this field is set to IfPossible, the mount is made
+                            recursively read-only, if it is supported by the container runtime.  If this
+                            field is set to Enabled, the mount is made recursively read-only if it is
+                            supported by the container runtime, otherwise the pod will not be started and
+                            an error will be generated to indicate the reason.
+                            If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                            None (or be unspecified, which defaults to None).
+                            If this field is not specified, it is treated as an equivalent of Disabled.
+                          type: string
                         subPath:
                           description: |-
                             Path within the volume from which the container's volume should be mounted.
@@ -1950,6 +1975,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             path:
                               description: 'path is Optional: Used as the mounted
                                 root, rather than the full Ceph tree, default is /'
@@ -1971,10 +1997,15 @@ spec:
                                 More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -2010,10 +2041,15 @@ spec:
                                 to OpenStack.
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -2078,11 +2114,17 @@ spec:
                                 - path
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             name:
+                              default: ""
                               description: |-
                                 Name of the referent.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
                                 TODO: Add other useful fields. apiVersion, kind, uid?
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                               type: string
                             optional:
                               description: optional specify whether the ConfigMap
@@ -2115,10 +2157,15 @@ spec:
                                 secret object contains more than one secret, all secret references are passed.
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -2162,8 +2209,8 @@ spec:
                                 properties:
                                   fieldRef:
                                     description: 'Required: Selects a field of the
-                                      pod: only annotations, labels, name and namespace
-                                      are supported.'
+                                      pod: only annotations, labels, name, namespace
+                                      and uid are supported.'
                                     properties:
                                       apiVersion:
                                         description: Version of the schema the FieldPath
@@ -2222,6 +2269,7 @@ spec:
                                 - path
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         emptyDir:
                           description: |-
@@ -2313,6 +2361,7 @@ spec:
                                       items:
                                         type: string
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                     dataSource:
                                       description: |-
                                         dataSource field can be used to specify either:
@@ -2457,11 +2506,13 @@ spec:
                                                 items:
                                                   type: string
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                             required:
                                             - key
                                             - operator
                                             type: object
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                         matchLabels:
                                           additionalProperties:
                                             type: string
@@ -2489,7 +2540,7 @@ spec:
                                         If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                                         set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                                         exists.
-                                        More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass
+                                        More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
                                         (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.
                                       type: string
                                     volumeMode:
@@ -2533,6 +2584,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             wwids:
                               description: |-
                                 wwids Optional: FC volume world wide identifiers (wwids)
@@ -2540,6 +2592,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         flexVolume:
                           description: |-
@@ -2576,10 +2629,15 @@ spec:
                                 scripts.
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -2760,6 +2818,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             readOnly:
                               description: |-
                                 readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -2770,10 +2829,15 @@ spec:
                                 target and initiator authentication
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -2944,11 +3008,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                               - key
                                               - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -3027,11 +3093,17 @@ spec:
                                           - path
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           TODO: Add other useful fields. apiVersion, kind, uid?
+                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                          TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                         type: string
                                       optional:
                                         description: optional specify whether the
@@ -3054,7 +3126,7 @@ spec:
                                             fieldRef:
                                               description: 'Required: Selects a field
                                                 of the pod: only annotations, labels,
-                                                name and namespace are supported.'
+                                                name, namespace and uid are supported.'
                                               properties:
                                                 apiVersion:
                                                   description: Version of the schema
@@ -3118,6 +3190,7 @@ spec:
                                           - path
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   secret:
                                     description: secret information about the secret
@@ -3161,11 +3234,17 @@ spec:
                                           - path
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           TODO: Add other useful fields. apiVersion, kind, uid?
+                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                          TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                         type: string
                                       optional:
                                         description: optional field specify whether
@@ -3204,6 +3283,7 @@ spec:
                                     type: object
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         quobyte:
                           description: quobyte represents a Quobyte mount on the host
@@ -3274,6 +3354,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             pool:
                               description: |-
                                 pool is the rados pool name.
@@ -3294,10 +3375,15 @@ spec:
                                 More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -3341,10 +3427,15 @@ spec:
                                 sensitive information. If this is not provided, Login operation will fail.
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -3429,6 +3520,7 @@ spec:
                                 - path
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             optional:
                               description: optional field specify whether the Secret
                                 or its keys must be defined
@@ -3460,10 +3552,15 @@ spec:
                                 credentials.  If not specified, default values will be attempted.
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -3805,6 +3902,12 @@ spec:
                                   Service; defaults to 3.
                                 format: int32
                                 type: integer
+                              perHostMaxConnections:
+                                description: |-
+                                  PerHostMaxConnections is the maximum number of connections
+                                  that Envoy will allow to each individual host in a cluster.
+                                format: int32
+                                type: integer
                             type: object
                           dnsLookupFamily:
                             description: |-
@@ -4285,9 +4388,9 @@ spec:
                     description: |-
                       FeatureFlags defines toggle to enable new contour features.
                       Available toggles are:
-                      useEndpointSlices - configures contour to fetch endpoint data
-                      from k8s endpoint slices. defaults to false and reading endpoint
-                      data from the k8s endpoints.
+                      useEndpointSlices - Configures contour to fetch endpoint data
+                      from k8s endpoint slices. defaults to true,
+                      If false then reads endpoint data from the k8s endpoints.
                     items:
                       type: string
                     type: array
@@ -4828,8 +4931,10 @@ spec:
                       type:
                         description: |-
                           Defines the XDSServer to use for `contour serve`.
-                          Values: `contour` (default), `envoy`.
+                          Values: `envoy` (default), `contour (deprecated)`.
                           Other values will produce an error.
+                          Deprecated: this field will be removed in a future release when
+                          the `contour` xDS server implementation is removed.
                         type: string
                     type: object
                 type: object
@@ -4923,7 +5028,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: extensionservices.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -4968,6 +5073,39 @@ spec:
             description: ExtensionServiceSpec defines the desired state of an ExtensionService
               resource.
             properties:
+              circuitBreakerPolicy:
+                description: |-
+                  CircuitBreakerPolicy specifies the circuit breaker budget across the extension service.
+                  If defined this overrides the global circuit breaker budget.
+                properties:
+                  maxConnections:
+                    description: The maximum number of connections that a single Envoy
+                      instance allows to the Kubernetes Service; defaults to 1024.
+                    format: int32
+                    type: integer
+                  maxPendingRequests:
+                    description: The maximum number of pending requests that a single
+                      Envoy instance allows to the Kubernetes Service; defaults to
+                      1024.
+                    format: int32
+                    type: integer
+                  maxRequests:
+                    description: The maximum parallel requests a single Envoy instance
+                      allows to the Kubernetes Service; defaults to 1024
+                    format: int32
+                    type: integer
+                  maxRetries:
+                    description: The maximum number of parallel retries a single Envoy
+                      instance allows to the Kubernetes Service; defaults to 3.
+                    format: int32
+                    type: integer
+                  perHostMaxConnections:
+                    description: |-
+                      PerHostMaxConnections is the maximum number of connections
+                      that Envoy will allow to each individual host in a cluster.
+                    format: int32
+                    type: integer
+                type: object
               loadBalancerPolicy:
                 description: |-
                   The policy for load balancing GRPC service requests. Note that the
@@ -5371,7 +5509,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: httpproxies.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -8226,6 +8364,7 @@ spec:
                           x-kubernetes-list-type: atomic
                       type: object
                     type: array
+                    x-kubernetes-list-type: atomic
                 type: object
             type: object
         required:
@@ -8241,7 +8380,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: tlscertificatedelegations.projectcontour.io
 spec:
   preserveUnknownFields: false

contour/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: projectcontour
 images:
 - name: contour
   newName: ghcr.io/projectcontour/contour
-  newTag: v1.29.1
+  newTag: v1.30.0
 
 resources:
   - crds/contour.yaml

descheduler/config/policy.yaml

@@ -0,0 +1,26 @@
+apiVersion: "descheduler/v1alpha2"
+kind: "DeschedulerPolicy"
+profiles:
+  - name: ProfileName
+    pluginConfig:
+      - name: "DefaultEvictor"
+      - name: "RemovePodsViolatingInterPodAntiAffinity"
+      - name: "RemoveDuplicates"
+      - name: "LowNodeUtilization"
+        args:
+          thresholds:
+            "cpu": 30
+            "memory": 30
+            "pods": 30
+          targetThresholds:
+            "cpu": 60
+            "memory": 60
+            "pods": 60
+    plugins:
+      balance:
+        enabled:
+          - "LowNodeUtilization"
+          - "RemoveDuplicates"
+      deschedule:
+        enabled:
+          - "RemovePodsViolatingInterPodAntiAffinity"

descheduler/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kube-system
+
+resources:
+  - https://github.com/kubernetes-sigs/descheduler/kubernetes/deployment?ref=v0.30.1
+
+configMapGenerator:
+  - name: descheduler-policy-configmap
+    namespace: kube-system
+    behavior: merge
+    options:
+      disableNameSuffixHash: true
+    files:
+      - config/policy.yaml

dragonfly-operator/kustomization.yaml

@@ -9,7 +9,7 @@ images:
   newTag: v0.16.0
 - name: dragonfly-operator
   newName: docker.dragonflydb.io/dragonflydb/operator
-  newTag: v1.1.4
+  newTag: v1.1.7
 
 
 resources:

ente/config/museum.yaml

@@ -1,77 +1,80 @@
-log-file: "/var/log/ente/museum.log"
+# log-file: "/var/log/ente/museum.log"
 
 # HTTP connection parameters
 http:
-    # If true, bind to 443 and use TLS.
-    # By default, this is false, and museum will bind to 8080 without TLS.
-    # use-tls: true
+  # If true, bind to 443 and use TLS.
+  # By default, this is false, and museum will bind to 8080 without TLS.
+  # use-tls: true
 
 # Specify the base endpoints for various apps
 apps:
-    # Default is https://albums.ente.io
-    #
-    # If you're running a self hosted instance and wish to serve public links,
-    # set this to the URL where your albums web app is running.
-    public-albums: https://albums.ente.icb4dc0.de
+  # Default is https://albums.ente.io
+  #
+  # If you're running a self hosted instance and wish to serve public links,
+  # set this to the URL where your albums web app is running.
+  public-albums: https://albums.ente.icb4dc0.de
 
+cache:
+  type: redis
+  connectionString: redis://ente-musuem-cache:6379/0
 
 # Various low-level configuration options
 internal:
-    # If false (the default), then museum will notify the external world of
-    # various events. E.g, email users about their storage being full, send
-    # alerts to Discord, etc.
-    #
-    # It can be set to true when running a "read only" instance like a backup
-    # restoration test, where we want to be able to access data but otherwise
-    # minimize external side effects.
-    silent: false
-    # If provided, this external healthcheck url is periodically pinged.
-    health-check-url:
-    # Hardcoded verification codes, useful for logging in when developing.
-    #
-    # Uncomment this and set these to your email ID or domain so that you don't
-    # need to peek into the server logs for obtaining the OTP when trying to log
-    # into an instance you're developing on.
-    # hardcoded-ott:
-    #     emails:
-    #         - "example@example.org,123456"
-    #     # When running in a local environment, hardcode the verification code to
-    #     # 123456 for email addresses ending with @example.org
-    #     local-domain-suffix: "@example.org"
-    #     local-domain-value: 123456
-    # List of user IDs that can use the admin API endpoints.
-    admins:
-        - 1580559962386438
+  # If false (the default), then museum will notify the external world of
+  # various events. E.g, email users about their storage being full, send
+  # alerts to Discord, etc.
+  #
+  # It can be set to true when running a "read only" instance like a backup
+  # restoration test, where we want to be able to access data but otherwise
+  # minimize external side effects.
+  silent: false
+  # If provided, this external healthcheck url is periodically pinged.
+  health-check-url:
+  # Hardcoded verification codes, useful for logging in when developing.
+  #
+  # Uncomment this and set these to your email ID or domain so that you don't
+  # need to peek into the server logs for obtaining the OTP when trying to log
+  # into an instance you're developing on.
+  # hardcoded-ott:
+  #     emails:
+  #         - "example@example.org,123456"
+  #     # When running in a local environment, hardcode the verification code to
+  #     # 123456 for email addresses ending with @example.org
+  #     local-domain-suffix: "@example.org"
+  #     local-domain-value: 123456
+  # List of user IDs that can use the admin API endpoints.
+  admins:
+    - 1580559962386438
 
 # Replication config
 #
 # If enabled, replicate each file to 2 other data centers after it gets
 # successfully uploaded to the primary hot storage.
 replication:
-    enabled: false
-    # The Cloudflare worker to use to download files from the primary hot
-    # bucket. Must be specified if replication is enabled.
-    worker-url:
-    # Number of go routines to spawn for replication
-    # This is not related to the worker-url above.
-    # Optional, default value is indicated here.
-    worker-count: 6
-    # Where to store temporary objects during replication v3
-    # Optional, default value is indicated here.
-    tmp-storage: tmp/replication
+  enabled: false
+  # The Cloudflare worker to use to download files from the primary hot
+  # bucket. Must be specified if replication is enabled.
+  worker-url:
+  # Number of go routines to spawn for replication
+  # This is not related to the worker-url above.
+  # Optional, default value is indicated here.
+  worker-count: 6
+  # Where to store temporary objects during replication v3
+  # Optional, default value is indicated here.
+  tmp-storage: tmp/replication
 
 # Configuration for various background / cron jobs.
 jobs:
-    cron:
-        # Instances run various cleanup, sending emails and other cron jobs. Use
-        # this flag to disable all these cron jobs.
-        skip: false
-    remove-unreported-objects:
-        # Number of go routines to spawn for object cleanup
-        # Optional, default value is indicated here.
-        worker-count: 1
-    clear-orphan-objects:
-        # By default, this job is disabled.
-        enabled: false
-        # If provided, only objects that begin with this prefix are pruned.
-        prefix: ""
+  cron:
+    # Instances run various cleanup, sending emails and other cron jobs. Use
+    # this flag to disable all these cron jobs.
+    skip: false
+  remove-unreported-objects:
+    # Number of go routines to spawn for object cleanup
+    # Optional, default value is indicated here.
+    worker-count: 1
+  clear-orphan-objects:
+    # By default, this job is disabled.
+    enabled: false
+    # If provided, only objects that begin with this prefix are pruned.
+    prefix: ""

ente/kustomization.yaml

@@ -5,31 +5,38 @@ namespace: ente
 namePrefix: ente-
 
 images:
+  # - name: museum
+  #   newName: ghcr.io/ente-io/server
+  #   newTag: cdbf8c5f0971cb383df03c6b2f72ffb85387beef
   - name: museum
-    newName: ghcr.io/ente-io/server
-    newTag: 3f9107c497bec8ae1ef297e73633a2baa7d7aeb0
+    newName: code.icb4dc0.de/infrastructure/images/ente/musuem
+    newTag: latest
+    digest: sha256:08b6fd823efc15a38592a808840012a7ad13cccb645f88dfe981c50fcca8798a
   - name: photos
     newName: code.icb4dc0.de/infrastructure/images/ente/photos
-    newTag: v0.9.2
+    newTag: v0.9.49
   - name: cast
     newName: code.icb4dc0.de/infrastructure/images/ente/cast
-    newTag: v0.9.2
+    newTag: v0.9.49
 
 labels:
-- includeSelectors: true
-  pairs:
-    app.kubernetes.io/instance: ente
-    app.kubernetes.io/managed-by: kustomize
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/instance: ente
+      app.kubernetes.io/managed-by: kustomize
 
 resources:
-- resources/namespace.yaml
-- resources/museum/deployment.yaml
-- resources/museum/service.yaml
-- resources/photos/deployment.yaml
-- resources/photos/service.yaml
-- resources/cast/deployment.yaml
-- resources/cast/service.yaml
-- resources/http_routes.yaml
+  - resources/namespace.yaml
+  - resources/museum/db/db.yaml
+  - resources/museum/db/user.yaml
+  - resources/museum/cache.yaml
+  - resources/museum/deployment.yaml
+  - resources/museum/service.yaml
+  - resources/photos/deployment.yaml
+  - resources/photos/service.yaml
+  - resources/cast/deployment.yaml
+  - resources/cast/service.yaml
+  - resources/http_routes.yaml
 
 configMapGenerator:
   - name: museum-config

ente/resources/cast/deployment.yaml

@@ -5,6 +5,7 @@ metadata:
   name: cast
 spec:
   replicas: 2
+  revisionHistoryLimit: 3
   selector:
     matchLabels:
       app.kubernetes.io/name: cast

ente/resources/museum/cache.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: musuem-cache
+  labels:
+    app.kubernetes.io/name: museum-cache
+    app.kubernetes.io/instance: museum
+    app.kubernetes.io/part-of: ente
+spec:
+  replicas: 2
+  nodeSelector:
+    kubernetes.io/arch: arm64
+  resources:
+    requests:
+      cpu: 50m
+      memory: 50Mi
+    limits:
+      cpu: 100m
+      memory: 350Mi

ente/resources/museum/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: ente
+spec:
+  database: ente
+  dropOnDelete: false

ente/resources/museum/db/user.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: ente
+spec:
+  role: ente
+  database: ente-ente
+  secretName: ente-db-credentials
+  privileges: OWNER

ente/resources/museum/deployment.yaml

@@ -4,6 +4,7 @@ metadata:
   name: museum
 spec:
   replicas: 2
+  revisionHistoryLimit: 3
   selector:
     matchLabels:
       app.kubernetes.io/name: museum
@@ -15,62 +16,62 @@ spec:
         app.kubernetes.io/part-of: ente
     spec:
       containers:
-      - name: museum
-        image: museum
-        env:
-          - name: ENTE_CREDENTIALS_FILE
-            value: /credentials.yaml
-          - name: ENTE_DB_HOST
-            valueFrom:
-              secretKeyRef:
-                name: default-cluster-pguser-ente
-                key: host
-          - name: ENTE_DB_NAME
-            valueFrom:
-              secretKeyRef:
-                name: default-cluster-pguser-ente
-                key: dbname
-          - name: ENTE_DB_USER
-            valueFrom:
-              secretKeyRef:
-                name: default-cluster-pguser-ente
-                key: user
-          - name: ENTE_DB_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: default-cluster-pguser-ente
-                key: password
-          - name: ENTE_DB_SSLMODE
-            value: require
-        resources:
-          requests:
-            memory: "64Mi"
-            cpu: "50m"
-          limits:
-            memory: "128Mi"
-            cpu: "250m"
-        ports:
-        - name: api
-          containerPort: 8080
-        - name: metrics
-          containerPort: 2112
-        readinessProbe:
-          httpGet:
-            path: /ping
-            port: 8080
-        livenessProbe:
-          httpGet:
-            path: /ping
-            port: 8080
-        volumeMounts:
-          - name: logs
-            mountPath: /var/log/ente
-          - name: config
-            mountPath: /museum.yaml
-            subPath: museum.yaml
-          - name: credentials
-            mountPath: /credentials.yaml
-            subPath: credentials.yaml
+        - name: museum
+          image: museum
+          env:
+            - name: ENTE_CREDENTIALS_FILE
+              value: /credentials.yaml
+            - name: ENTE_DB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: ente-db-credentials-ente-ente
+                  key: HOST
+            - name: ENTE_DB_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: ente-db-credentials-ente-ente
+                  key: DATABASE_NAME
+            - name: ENTE_DB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: ente-db-credentials-ente-ente
+                  key: LOGIN
+            - name: ENTE_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: ente-db-credentials-ente-ente
+                  key: PASSWORD
+            - name: ENTE_DB_SSLMODE
+              value: require
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "50m"
+            limits:
+              memory: "128Mi"
+              cpu: "250m"
+          ports:
+            - name: api
+              containerPort: 8080
+            - name: metrics
+              containerPort: 2112
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 8080
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 8080
+          volumeMounts:
+            - name: logs
+              mountPath: /var/log/ente
+            - name: config
+              mountPath: /museum.yaml
+              subPath: museum.yaml
+            - name: credentials
+              mountPath: /credentials.yaml
+              subPath: credentials.yaml
       volumes:
         - name: logs
           emptyDir: {}
@@ -87,4 +88,4 @@ spec:
               - key: credentials.yaml
                 path: credentials.yaml
       nodeSelector:
-        kubernetes.io/arch: arm64
+        kubernetes.io/arch: arm64

ente/resources/photos/deployment.yaml

@@ -5,6 +5,7 @@ metadata:
   name: photos
 spec:
   replicas: 2
+  revisionHistoryLimit: 3
   selector:
     matchLabels:
       app.kubernetes.io/name: photos

external-dns/kustomization.yaml

@@ -12,7 +12,7 @@ labels:
 images:
   - name: external-dns
     newName: registry.k8s.io/external-dns/external-dns
-    newTag: v0.14.2
+    newTag: v0.15.0
 
 resources:
   - resources/rbac/service_account.yaml

fider/kustomization.yaml

@@ -11,6 +11,8 @@ labels:
 
 resources:
   - "resources/namespace.yaml"
+  - "resources/db/db.yaml"
+  - "resources/db/user.yaml"
   - "resources/deployment.yaml"
   - "resources/service.yaml"
   - "resources/http_routes.yaml"

fider/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: fider
+spec:
+  database: fider
+  dropOnDelete: false

fider/resources/db/user.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: fider
+spec:
+  role: fider
+  database: fider
+  secretName: db-credentials
+  privileges: OWNER
+  secretTemplate:
+    PQ_URL: "postgresql://{{.Role}}:{{.Password}}@app-cluster-pooler-rw.postgres.svc:5432/{{.Database}}?sslmode=require"

fider/resources/deployment.yaml

@@ -26,6 +26,11 @@ spec:
               valueFrom:
                 resourceFieldRef:
                   resource: limits.memory
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: db-credentials-fider
+                  key: PQ_URL
           envFrom:
             - secretRef:
                 name: fider-config

fider/resources/http_routes.yaml

@@ -28,10 +28,56 @@ spec:
   parentRefs:
   - name: contour
     namespace: projectcontour
+    sectionName: https
   hostnames:
   - fider.icb4dc0.de
-  - login.fider.icb4dc0.de
-  - community.buildr.icb4dc0.de
+  rules:
+  - backendRefs:
+    - name: fider
+      port: 3000
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: fider-login-https
+spec:
+  parentRefs:
+  - name: contour
+    namespace: projectcontour
+    sectionName: fider-login
+  hostnames:
+  - fider.icb4dc0.de
+  rules:
+  - backendRefs:
+    - name: fider
+      port: 3000
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: inetmock-fider-https
+spec:
+  parentRefs:
+  - name: contour
+    namespace: projectcontour
+    sectionName: inetmock-fider-community
+  hostnames:
+  - community.inetmock.icb4dc0.de
+  rules:
+  - backendRefs:
+    - name: fider
+      port: 3000
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: buildr-fider-https
+spec:
+  parentRefs:
+  - name: contour
+    namespace: projectcontour
+    sectionName: buildr-fider-community
+  hostnames:
   - community.inetmock.icb4dc0.de
   rules:
   - backendRefs:

forgejo/config/values.forgejo.yaml

@@ -50,29 +50,29 @@ gitea:
       DOMAIN: code.icb4dc0.de
       PROTOCOL: http
       ROOT_URL: https://code.icb4dc0.de/
-      LFS_START_SERVER: 'true'
+      LFS_START_SERVER: "true"
       LANDING_PAGE: explore
-      ENABLE_GZIP: 'true'
-      ENABLE_PPROF: 'true'
+      ENABLE_GZIP: "true"
+      ENABLE_PPROF: "true"
       SSH_LISTEN_PORT: 2222
     service:
-      DISABLE_REGISTRATION: 'true'
-      DEFAULT_KEEP_EMAIL_PRIVATE: 'true'
-      DEFAULT_ALLOW_CREATE_ORGANIZATION: 'false'
-      DEFAULT_USER_IS_RESTRICTED: 'true'
+      DISABLE_REGISTRATION: "true"
+      DEFAULT_KEEP_EMAIL_PRIVATE: "true"
+      DEFAULT_ALLOW_CREATE_ORGANIZATION: "false"
+      DEFAULT_USER_IS_RESTRICTED: "true"
     session:
       PROVIDER: redis
       PROVIDER_CONFIG: redis://forgejo-session.forgejo.svc:6379/0?pool_size=100&idle_timeout=180s&
     storage:
       STORAGE_TYPE: minio
-      MINIO_ENDPOINT: garage.garage.svc:3900
-      MINIO_BUCKET: forgejo
-      MINIO_LOCATION: hel1
-      MINIO_USE_SSL: 'false'
+      MINIO_ENDPOINT: fsn1.your-objectstorage.com:443
+      MINIO_BUCKET: 1661580-forgejo
+      MINIO_LOCATION: auto
+      MINIO_USE_SSL: "true"
     indexer:
       ISSUE_INDEXER_TYPE: meilisearch
       ISSUE_INDEXER_NAME: gitea_issues
-      REPO_INDEXER_ENABLED: 'true'
+      REPO_INDEXER_ENABLED: "true"
       REPO_INDEXER_REPO_TYPES: sources,forks,mirrors,templates
       REPO_INDEXER_TYPE: bleve
       REPO_INDEXER_PATH: indexers/repos.bleve
@@ -84,16 +84,16 @@ gitea:
       MINIO_ENDPOINT: garage.garage.svc:3900
       MINIO_BUCKET: forgejo
       MINIO_LOCATION: hel1
-      MINIO_USE_SSL: 'false'
+      MINIO_USE_SSL: "false"
     actions:
-      ENABLED: 'true'
+      ENABLED: "true"
       DEFAULT_ACTIONS_URL: github
       STORAGE_TYPE: minio
     database:
       DB_TYPE: postgres
-      HOST: default-cluster-primary.postgres.svc
+      HOST: app-cluster-pooler-rw.postgres.svc
       NAME: forgejo
-      USER: forgejo
+      USER: forgejo-Dkh0h3
       SSL_MODE: require
       log_sql: "false"
     cache:
@@ -121,7 +121,7 @@ affinity:
       - weight: 1
         preference:
           matchExpressions:
-          - key: kubernetes.io/arch
-            operator: In
-            values:
-            - arm64
+            - key: kubernetes.io/arch
+              operator: In
+              values:
+                - arm64

forgejo/kustomization.yaml

@@ -12,12 +12,14 @@ labels:
 images:
   - name: act_runner
     newName: code.forgejo.org/forgejo/runner
-    newTag: "3.5.0"
+    newTag: "3.5.1"
   - name: dind
     newName: docker
-    newTag: 27.0.2-dind
+    newTag: 27.3.1-dind
 
 resources:
+  - resources/db/db.yaml
+  - resources/db/user.yaml
   - resources/secrets/admin-credentials.yaml
   - resources/secrets/infra-credentials.yaml
   - resources/secrets/meili-credentials.yaml
@@ -46,7 +48,7 @@ helmCharts:
     repo: oci://codeberg.org/forgejo-contrib
     releaseName: forgejo
     namespace: forgejo
-    version: "7.0.1"
+    version: "10.0.0"
     valuesFile: config/values.forgejo.yaml
     skipTests: true
     apiVersions:
@@ -55,6 +57,6 @@ helmCharts:
     repo: https://meilisearch.github.io/meilisearch-kubernetes
     releaseName: forgejo-indexer
     namespace: forgejo
-    version: "0.7.0"
+    version: "0.10.1"
     valuesFile: config/values.meilisearch.yaml
     skipTests: true

forgejo/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: forgejo
+spec:
+  database: forgejo
+  dropOnDelete: false

forgejo/resources/db/user.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: forgejo
+spec:
+  role: forgejo
+  database: forgejo
+  secretName: forgejo-db-credentials
+  privileges: OWNER

forgejo/resources/runners/act-cache.yaml

@@ -7,6 +7,7 @@ metadata:
     app.kubernetes.io/name: act-runner-cache
 spec:
   replicas: 2
+  revisionHistoryLimit: 3
   selector:
     matchLabels:
       app.kubernetes.io/name: act-runner-cache

forgejo/resources/runners/act-runner-amd64.yaml

@@ -9,6 +9,7 @@ spec:
       app.kubernetes.io/name: act-runner
       app.kubernetes.io/instance: amd64
   replicas: 1
+  revisionHistoryLimit: 3
   strategy:
     type: Recreate
   template:

forgejo/resources/runners/act-runner-arm64.yaml

@@ -9,6 +9,7 @@ spec:
       app.kubernetes.io/name: act-runner
       app.kubernetes.io/instance: arm64
   replicas: 2
+  revisionHistoryLimit: 3
   strategy:
     type: Recreate
   template:

garage/backup/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: garage
 images:
   - name: rclone
     newName: rclone/rclone
-    newTag: "1.67"
+    newTag: "1.68"
 
 resources:
 - resources/cronjob.yaml

garage/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: garage
 images:
   - name: garage
     newName: dxflrs/garage
-    newTag: v1.0.0
+    newTag: v1.0.1
 
 labels:
 - includeSelectors: true

garage/migrate/resources/job.migrate.yaml

@@ -2,29 +2,29 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: sync-garage-snips
+  name: sync-garage-forgejo
   namespace: garage
 spec:
   ttlSecondsAfterFinished: 100
   template:
     spec:
       containers:
-      - name: rclone
-        image: rclone/rclone
-        args:
-          - sync
-          - -P
-          - --update
-          - --no-update-modtime
-          - --no-update-dir-modtime
-          - --ignore-errors
-          - -s3-upload-concurrency 64
-          - -v
-          - r2:backup/snips
-          - garage:backup/snips
-        volumeMounts:
-          - name: rclone-config
-            mountPath: /config/rclone
+        - name: rclone
+          image: rclone/rclone
+          args:
+            - sync
+            - -P
+            - --update
+            - --no-update-modtime
+            - --no-update-dir-modtime
+            - --ignore-errors
+            - -s3-upload-concurrency 64
+            - -v
+            - garage:forgejo
+            - hcloud:1661580-forgejo
+          volumeMounts:
+            - name: rclone-config
+              mountPath: /config/rclone
       restartPolicy: Never
       volumes:
         - name: rclone-config

garage/resources/workload.yaml

@@ -16,53 +16,45 @@ spec:
       serviceAccountName: garage
       priorityClassName: system-cluster-critical
       containers:
-      - name: garage
-        image: garage
-        env:
-          - name: GARAGE_ADMIN_TOKEN
-            valueFrom:
-              secretKeyRef:
-                name: garage-secrets
-                key: admin-token
-          - name: GARAGE_RPC_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: garage-secrets
-                key: rpc-secret
-        ports:
-        - containerPort: 3900
-          name: s3-api
-        - containerPort: 3902
-          name: s3-web
-        - containerPort: 3903
-          name: metrics
-        volumeMounts:
-        - name: garage-data
-          mountPath: /srv/garage
-        - name: garage-config
-          mountPath: /etc/garage.toml
-          subPath: garage.toml
-          readOnly: true
-        resources:
-          requests:
-            cpu: 300m
-            memory: 280Mi
-          limits:
-            cpu: 750m
-            memory: 500Mi
-        readinessProbe:
-          httpGet:
-            port: 3903
-            path: /health
-        livenessProbe:
-          httpGet:
-            port: 3903
-            path: /health
-        securityContext:
-          capabilities:
-            drop:
-              - ALL
-          readOnlyRootFilesystem: true
+        - name: garage
+          image: garage
+          env:
+            - name: GARAGE_ADMIN_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: garage-secrets
+                  key: admin-token
+            - name: GARAGE_RPC_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: garage-secrets
+                  key: rpc-secret
+          ports:
+            - containerPort: 3900
+              name: s3-api
+            - containerPort: 3902
+              name: s3-web
+            - containerPort: 3903
+              name: metrics
+          volumeMounts:
+            - name: garage-data
+              mountPath: /srv/garage
+            - name: garage-config
+              mountPath: /etc/garage.toml
+              subPath: garage.toml
+              readOnly: true
+          resources:
+            requests:
+              cpu: 300m
+              memory: 280Mi
+            limits:
+              cpu: 750m
+              memory: 500Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
       nodeSelector:
         k8s.icb4dc0.de/storage-node: "true"
       affinity:
@@ -77,15 +69,15 @@ spec:
                       - arm64
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 100
-            podAffinityTerm:
-              labelSelector:
-                matchExpressions:
-                - key: app.kubernetes.io/name
-                  operator: In
-                  values:
-                  - fider
-              topologyKey: topology.kubernetes.io/zone
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                    - key: app.kubernetes.io/name
+                      operator: In
+                      values:
+                        - fider
+                topologyKey: topology.kubernetes.io/zone
       securityContext:
         runAsUser: 1000
         runAsGroup: 1000
@@ -99,11 +91,11 @@ spec:
               - key: garage.toml
                 path: garage.toml
   volumeClaimTemplates:
-  - metadata:
-      name: garage-data
-    spec:
-      accessModes: [ "ReadWriteOnce" ]
-      storageClassName: hcloud-volumes-xfs
-      resources:
-        requests:
-          storage: 20Gi
+    - metadata:
+        name: garage-data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: hcloud-volumes-xfs
+        resources:
+          requests:
+            storage: 20Gi

hcloud/kustomization.yaml

@@ -12,12 +12,12 @@ helmCharts:
     repo: https://charts.hetzner.cloud
     releaseName: hccm
     namespace: kube-system
-    version: "1.19.0"
+    version: "1.20.0"
     valuesFile: config/values.ccm.yaml
 
   - name: hcloud-csi
     repo: https://charts.hetzner.cloud
     releaseName: hcloud-csi-driver
     namespace: kube-system
-    version: "2.8.0"
+    version: "2.9.0"
     valuesFile: config/values.csi.yaml

hedgedoc/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: hedgedoc
 images:
 - name: hedgedoc
   newName: quay.io/hedgedoc/hedgedoc
-  newTag: "1.9.9"
+  newTag: "1.10.0"
 
 labels:
 - includeSelectors: true
@@ -16,6 +16,8 @@ labels:
 
 resources:
   - "resources/namespace.yaml"
+  - "resources/db/db.yaml"
+  - "resources/db/user.yaml"
   - "resources/deployment.yaml"
   - "resources/service.yaml"
   - "resources/http_routes.yaml"

hedgedoc/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: hedgedoc
+spec:
+  database: hedgedoc
+  dropOnDelete: false

hedgedoc/resources/db/user.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: hedgedoc
+spec:
+  role: hedgedoc
+  database: hedgedoc
+  secretName: db-credentials
+  privileges: OWNER
+  secretTemplate:
+    PQ_URL: "postgresql://{{.Role}}:{{.Password}}@app-cluster-pooler-rw.postgres.svc:5432/{{.Database}}?sslmode=require"

hedgedoc/resources/deployment.yaml

@@ -19,8 +19,8 @@ spec:
           - name: CMD_DB_URL
             valueFrom:
               secretKeyRef:
-                name: default-cluster-pguser-hedgedoc
-                key: uri
+                name: db-credentials-hedgedoc
+                key: PQ_URL
           - name: NODE_EXTRA_CA_CERTS
             value: /certs/ca.crt
         envFrom:

kube-prometheus/config/values.prometheus.yaml

@@ -15,24 +15,9 @@ prometheus:
     retention: 7d
     nodeSelector:
       kubernetes.io/arch: arm64
-    serviceMonitorNamespaceSelector:
-      matchLabels:
-        prometheus: default
-    serviceMonitorSelector:
-      matchLabels:
-        prometheus: default
-    ruleSelector:
-      matchLabels:
-        prometheus: default
-    ruleNamespaceSelector:
-      matchLabels:
-        prometheus: default
-    podMonitorSelector:
-      matchLabels:
-        prometheus: default
-    podMonitorNamespaceSelector:
-      matchLabels:
-        prometheus: default
+    serviceMonitorSelectorNilUsesHelmValues: false
+    podMonitorSelectorNilUsesHelmValues: false
+    ruleSelectorNilUsesHelmValues: false
     resources:
       requests:
         memory: 1500Mi
@@ -89,17 +74,17 @@ grafana:
     enabled: false
   envFromSecrets:
     - name: grafana-auth
-    - name: grafana-db
+    - name: db-credentials-grafana
   grafana.ini:
     server:
       domain: grafana.icb4dc0.de
       root_url: "https://%(domain)s"
     database:
       type: postgres
-      host: default-cluster-primary.postgres.svc:5432
-      name: grafana
-      user: "${GF_DB_USER}"
-      password: "${GF_DB_PASSWORD}"
+      host: app-cluster-pooler-rw.postgres.svc:5432
+      name: "${DATABASE_NAME}"
+      user: "${LOGIN}"
+      password: "${PASSWORD}"
       ssl_mode: require
     auth:
       disable_login_form: true