Merge pull request #42 from small-hack/reduce-chart-functionality

update chart functionality to only do test app and certs

Author: jessebot

README.md

@@ -1,26 +1,100 @@
 # CloudNativePG Cluster Chart
 
-This [helm chart](https://small-hack.github.io/cloudnative-pg-tenant-chart/) is intended to be the Cluster helm chart component to the [CloudNativePG operator helm chart](https://github.com/cloudnative-pg/charts).
+This [helm chart](https://small-hack.github.io/cloudnative-pg-tenant-chart/) was intended to be the Cluster helm chart component to the [CloudNativePG operator helm chart](https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg), but now serves mostly as a wrapper for their official [CloudNativePG cluster helm chart](https://github.com/cloudnative-pg/charts/tree/main/charts/cluster) that provides certificate and test app functionality.
 
-Docs autogeneratated from the [values.yaml](charts/cloudnative-pg-cluster/values.yaml) are slowly being put together in the chart directory's [README.md](./charts/cloudnative-pg-cluster/README.md).
+Docs auto-generated from the [values.yaml](charts/cloudnative-pg-cluster/values.yaml) are available in the chart directory's [README.md](./charts/cloudnative-pg-cluster/README.md).
 
 ## TLDR
 
 ```bash
 # add the helm repo locally
-helm repo add cnpg https://small-hack.github.io/cloudnative-pg-cluster-chart
+helm repo add cnpg-wrapper https://small-hack.github.io/cloudnative-pg-cluster-chart
 
 # get the values and edit them if needed
-helm show values cnpg/cnpg-cluster > values.yaml
+helm show values cnpg-wrapper/cnpg-cluster > values.yaml
 
 # install the chart
-helm install cnpg cnpg/cnpg-cluster --values values.yaml
+helm install cnpg cnpg-wrapper/cnpg-cluster --values values.yaml
 ```
 
 ## Notes
 
-### You must specify a bootstrap section
+### Using the certficates
 
-To use this chart you _have_ to specify either `bootstrap.initdb.database`/`bootstrap.initdb.owner` OR `bootstrap.recovery.source` in your helm parameters or values.yaml but you can't do both.
+Certificates are generated using [CertManager](https://cert-manager.io/) to bootstrap self-signed CAs, Issuers and certs. To use them, please provide the following via your helm `values.yaml`:
 
-You can see checkout the [CloudNativePG docs](https://cloudnative-pg.io/documentation/1.23/bootstrap/) for more info on the bootstrap section.
+```yaml
+# -- name to use for templating certs
+name: "app-postgres"
+
+certificates:
+  server:
+    # -- enable using server certificates
+    enabled: true
+    # -- generate server certs using cert-manager. if true the following
+    # are ignored: certificates.serverTLSSecret, certificates.serverCASecret
+    generate: true
+    # -- name of existing Kubernetes Secret for the postgresql server TLS cert,
+    # ignored if certificates.generate is true
+    serverTLSSecret: ""
+    # -- name of existing Kubernetes Secret for the postgresql server Certificate
+    # Authority cert, ignored if certificates.generate is true
+    serverCASecret: ""
+  client:
+    # -- enable using client certificates
+    enabled: true
+    # -- generate client certs using cert-manager. if true the following are
+    # ignored: certificates.clientCASecret, certificates.replicationTLSSecret
+    generate: true
+    # -- name of existing Kubernetes Secret for the postgresql client Certificate
+    # Authority cert, ignored if certificates.generate is true
+    clientCASecret: ""
+    # -- name of existing Kubernetes Secret for the postgresql replication TLS
+    # cert ignored if certificates.generate is true
+    replicationTLSSecret: ""
+  user:
+    # -- create a certificate for a user to connect to postgres using CertManager
+    # requires server and client certificate generation enabled
+    enabled: true
+    # -- List of names of users to create a cert for, eg: the DbOwner specified earlier.
+    # This data populated into the commonName field of the certificate.
+    username:
+      - "my-app"
+```
+
+Then, if you're using our bundled upstream CNPG cluster chart, make sure you provide the following:
+
+```yaml
+cnpgCluster:
+  # -- enable this to deploy the official CNPG cluster helm chart dep
+  # All other values here are passed directly to the their chart. See:
+  # https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/values.yaml
+  enabled: true
+  type: postgresql
+  mode: standalone
+  # -- see: https://cloudnative-pg.io/docs/1.28/certificates#client-certificate
+  certificates:
+    ## examples if using our certificates features of this chart.
+    ## NOTE: app-postgres should be replaced with whatever you set Values.name to
+    serverTLSSecret: "app-postgres-server-cert"
+    serverCASecret: "app-postgres-server-ca-key-pair"
+    clientCASecret: "app-postgres-client-ca-key-pair"
+    replicationTLSSecret: "app-postgres-client-cert"
+    
+  postgresql:
+    # -- records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
+    # this states that certs are required for access to the cluster,
+    # but you can change it to still allow passwords if you'd like
+    pg_hba:
+      - hostnossl all all 0.0.0.0/0 reject
+      - hostssl all all 0.0.0.0/0 cert clientcert=verify-full
+```
+
+### Using the test app
+
+The test app may be enabled by certificates as well as setting `testApp.enabled=true` in your helm parameters or in the `values.yaml` like this:
+```yaml
+testApp:
+  enabled: true
+```
+This will create a very basic Deployment of `ghcr.io/cloudnative-pg/webtest` [as described in the official docs](https://cloudnative-pg.io/docs/1.28/ssl_connections#testing-the-connection-via-a-tls-certificate) that attempts to connect to your postgres cluster using full mTLS.

charts/cloudnative-pg-cluster/Chart.yaml

@@ -2,10 +2,17 @@ apiVersion: v2
 name: cnpg-cluster
 description: Create postgres tenant clusters managed by the CNPG Operator
 type: application
-version: 0.8.0
+version: 1.0.0
+
+dependencies:
+  - name: cluster
+    alias: cnpgCluster
+    version: 0.5.0
+    repository: https://cloudnative-pg.github.io/charts
+    condition: cnpgCluster.enabled
 
 maintainers:
   - name: "cloudymax"
-    url: "https://github.com/cloudymax"
+    url: "https://cloudydev.net"
   - name: "jessebot"
     url: "https://jessebot.work"

charts/cloudnative-pg-cluster/README.md

@@ -1,23 +1,26 @@
 # cnpg-cluster
 
-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Create postgres tenant clusters managed by the CNPG Operator
 
 ## Maintainers
 
 | Name | Email | Url |
 | ---- | ------ | --- |
-| cloudymax |  | <https://github.com/cloudymax> |
+| cloudymax |  | <https://cloudydev.net> |
 | jessebot |  | <https://jessebot.work> |
 
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://cloudnative-pg.github.io/charts | cnpgCluster(cluster) | 0.5.0 |
+
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| annotations."cnpg.io/skipEmptyWalArchiveCheck" | string | `"enabled"` |  |
-| backup | object | `{}` | if we should backup up this cluster, please see values.yaml for example |
-| bootstrap | object | `{}` | boostrap method. see: https://cloudnative-pg.io/documentation/1.23/bootstrap/ |
 | certificates.client.clientCASecret | string | `""` | name of existing Kubernetes Secret for the postgresql client Certificate Authority cert, ignored if certificates.generate is true |
 | certificates.client.enabled | bool | `false` | enable using client certificates |
 | certificates.client.generate | bool | `false` | generate client certs using cert-manager. if true the following are ignored: certificates.clientCASecret, certificates.replicationTLSSecret |
@@ -28,26 +31,20 @@ Create postgres tenant clusters managed by the CNPG Operator
 | certificates.server.serverTLSSecret | string | `""` | name of existing Kubernetes Secret for the postgresql server TLS cert, ignored if certificates.generate is true |
 | certificates.user.enabled | bool | `false` | create a certificate for a user to connect to postgres using CertManager requires server and client certificate generation enabled |
 | certificates.user.username | list | `["app"]` | List of names of users to create a cert for, eg: the DbOwner specified earlier. This data populated into the commonName field of the certificate. |
-| enableSuperuserAccess | bool | `false` | CNPG disables the postgres superuser by default must be explicitly enabled |
-| externalClusters | list | `[]` |  |
-| imageCatalog.create | bool | `true` | Whether to provision an image catalog. If imageCatalog.images is empty this option will be ignored. |
-| imageCatalog.images | list | `[]` | List of images to be provisioned in an image catalog. |
-| instances | int | `3` | number of postgres replicas minimum 1 required |
-| managed | object | `{"roles":[]}` | See https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-RoleConfiguration for explanation of all options |
-| monitoring.enablePodMonitor | bool | `false` | enable monitoring via Prometheus |
-| name | string | `"cnpg"` |  |
-| postgresGID | int | `-1` | The GID of the postgres user inside the image, defaults to 26 |
-| postgresUID | int | `-1` | The UID of the postgres user inside the image, defaults to 26 |
-| postgresql.pg_hba | list | `["hostnossl all all 0.0.0.0/0 reject","hostssl all all 0.0.0.0/0 cert clientcert=verify-full"]` | records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html |
-| primaryUpdateStrategy | string | `"unsupervised"` |  |
-| resources | object | `{}` |  |
-| scheduledBackup | object | `{}` | schduled backups section, please see values.yaml for example |
-| storage.size | string | `"1Gi"` | how much storage to allocate to the postgresql cluster |
-| storage.storageClass | string | `"default"` | set the storage class of the PVC. |
-| superuserSecret | string | `""` | name of existing secret to use as superuser redentials will be randomly generated if not specified. |
+| cnpgCluster.additionalEnv[0].name | string | `"AWS_REQUEST_CHECKSUM_CALCULATION"` |  |
+| cnpgCluster.additionalEnv[0].value | string | `"when_required"` |  |
+| cnpgCluster.additionalEnv[1].name | string | `"AWS_RESPONSE_CHECKSUM_VALIDATION"` |  |
+| cnpgCluster.additionalEnv[1].value | string | `"when_required"` |  |
+| cnpgCluster.certificates | object | `{}` | see: https://cloudnative-pg.io/docs/1.28/certificates#client-certificate |
+| cnpgCluster.cluster.instances | int | `3` | Number of instances |
+| cnpgCluster.enabled | bool | `false` | enable this to deploy the official CNPG cluster helm chart dep All other values here are passed directly to the their chart. See: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/values.yaml |
+| cnpgCluster.mode | string | `"standalone"` |  |
+| cnpgCluster.postgresql.pg_hba | list | `["hostnossl all all 0.0.0.0/0 reject","hostssl all all 0.0.0.0/0 cert clientcert=verify-full"]` | records for the pg_hba.conf file. ref: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html |
+| cnpgCluster.primaryUpdateStrategy | string | `"unsupervised"` |  |
+| cnpgCluster.type | string | `"postgresql"` |  |
+| cnpgCluster.version.postgresql | string | `"16"` |  |
+| name | string | `"app-postgres"` | name to use for templating certs |
 | testApp.enabled | bool | `false` |  |
-| type | string | `"postgresql"` | Type of the CNPG database. Available types: * `postgresql` * `postgis` * `timescaledb` |
-| version.postgresql | int | `17` | version of postgres to run in all tenant pods |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)