Merge pull request #254 from projectsyn/postgres-helm-chart-12.7.0

Harden the PostgreSQL DB container

class/defaults.yml

@@ -62,7 +62,7 @@ parameters:
         version: v2.3.0
       postgresql:
         source: https://charts.bitnami.com/bitnami
-        version: 12.6.9
+        version: 12.7.0
     # FQDN should be overwritten on the cluster level
     fqdn: keycloak.example.com
     # Disables dynamically resolving the hostname from request headers.
@@ -308,6 +308,10 @@ parameters:
           k8up.io/backupcommand: sh -c 'PGDATABASE="$POSTGRES_DB" PGUSER="$POSTGRES_USER" PGPASSWORD="$POSTGRES_PASSWORD" pg_dump --clean'
           k8up.io/file-extension: .sql
         labels: ${keycloak:labels}
+        containerSecurityContext:
+          # runAsGroup: Uses runtime default if unset for K8s and OpenShift must not have set it
+          # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#podsecuritycontext-v1-core
+          runAsGroup: null
       volumePermissions:
         enabled: ${keycloak:database:tls:enabled}
         image:

docs/modules/ROOT/pages/how-tos/openshift-4.adoc

@@ -85,6 +85,30 @@ parameters:
         securityContext: null
 ----
 
+== Parameters for built-in Postgresql database on OpenShift 4.11 and higher and the Bitnami Postgres Helm Chart 12.7.0 and higher
+
+If you are using the built-in database provider (by default unless `keycloak.database.provider` is overridden) you also need to adjust the following parameters.
+
+[source,yaml,subs="attributes+"]
+----
+parameters:
+  keycloak:
+    postgresql_helm_values:
+      primary:
+        podSecurityContext:
+          enabled: true
+          fsGroup: null
+          runAsNonRoot: true
+        containerSecurityContext:
+          enabled: true
+          runAsUser: null
+          runAsGroup: null
+      volumePermissions:
+        enabled: false
+      shmVolume:
+        enabled: false
+----
+
 == Parameters for built-in Postgresql database on OpenShift 4.11 and higher
 
 If you are using the built-in database provider (by default unless `keycloak.database.provider` is overridden) you also need to adjust the following parameters.

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/postgresql/templates/primary/networkpolicy.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: keycloak
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: postgresql
-    helm.sh/chart: postgresql-12.6.9
+    helm.sh/chart: postgresql-12.7.0
   name: keycloak-postgresql-ingress
   namespace: syn-builtin
 spec:

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/postgresql/templates/primary/statefulset.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: builtin
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    helm.sh/chart: postgresql-12.6.9
+    helm.sh/chart: postgresql-12.7.0
   name: keycloak-postgresql
   namespace: syn-builtin
 spec:
@@ -28,7 +28,7 @@ spec:
         app.kubernetes.io/instance: keycloak
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: postgresql
-        helm.sh/chart: postgresql-12.6.9
+        helm.sh/chart: postgresql-12.7.0
       name: keycloak-postgresql
     spec:
       affinity:
@@ -128,7 +128,14 @@ spec:
               cpu: 250m
               memory: 256Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
             runAsUser: 1001
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - mountPath: /opt/bitnami/postgresql/certs
               name: postgresql-certificates
@@ -160,7 +167,11 @@ spec:
             limits: {}
             requests: {}
           securityContext:
+            runAsGroup: 0
+            runAsNonRoot: false
             runAsUser: 0
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - mountPath: /bitnami/postgresql
               name: data

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/postgresql/templates/primary/svc-headless.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: keycloak
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: postgresql
-    helm.sh/chart: postgresql-12.6.9
+    helm.sh/chart: postgresql-12.7.0
     service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true'
   name: keycloak-postgresql-hl
   namespace: syn-builtin

tests/golden/builtin/builtin/builtin/01_keycloak_helmchart/postgresql/templates/primary/svc.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: keycloak
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: postgresql
-    helm.sh/chart: postgresql-12.6.9
+    helm.sh/chart: postgresql-12.7.0
   name: keycloak-postgresql
   namespace: syn-builtin
 spec:

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/postgresql/templates/primary/networkpolicy.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: keycloak
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: postgresql
-    helm.sh/chart: postgresql-12.6.9
+    helm.sh/chart: postgresql-12.7.0
   name: keycloak-postgresql-ingress
   namespace: syn-openshift-postgres
 spec:

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/postgresql/templates/primary/statefulset.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: openshift-postgres
     app.kubernetes.io/managed-by: commodore
     app.kubernetes.io/name: keycloak
-    helm.sh/chart: postgresql-12.6.9
+    helm.sh/chart: postgresql-12.7.0
   name: keycloak-postgresql
   namespace: syn-openshift-postgres
 spec:
@@ -28,7 +28,7 @@ spec:
         app.kubernetes.io/instance: keycloak
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: postgresql
-        helm.sh/chart: postgresql-12.6.9
+        helm.sh/chart: postgresql-12.7.0
       name: keycloak-postgresql
     spec:
       affinity:

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/postgresql/templates/primary/svc-headless.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: keycloak
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: postgresql
-    helm.sh/chart: postgresql-12.6.9
+    helm.sh/chart: postgresql-12.7.0
     service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true'
   name: keycloak-postgresql-hl
   namespace: syn-openshift-postgres

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/postgresql/templates/primary/svc.yaml

@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: keycloak
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: postgresql
-    helm.sh/chart: postgresql-12.6.9
+    helm.sh/chart: postgresql-12.7.0
   name: keycloak-postgresql
   namespace: syn-openshift-postgres
 spec:

tests/openshift-postgres.yml

@@ -15,13 +15,7 @@ parameters:
         containerSecurityContext:
           enabled: true
           runAsUser: null
-          allowPrivilegeEscalation: false
           runAsNonRoot: true
-          seccompProfile:
-            type: RuntimeDefault
-          capabilities:
-            drop:
-              - ALL
       volumePermissions:
         enabled: false
       shmVolume: