Skip to content

POC WIP Cloud native pg #319

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 17 commits into
base: main
Choose a base branch
from
Draft

POC WIP Cloud native pg #319

wants to merge 17 commits into from

Conversation

johnoloughlin
Copy link
Contributor

@johnoloughlin johnoloughlin commented May 14, 2025
edited
Loading

testing if cloud native postgres would be a better solution than bitnami

Description

Please include a summary of the changes and the related issue. List any dependencies that are required for this change.

Fixes # (issue)

Any Newly Introduced Dependencies

Please describe any newly introduced 3rd party dependencies in this change. List their name, license information and how they are used in the project.

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

Checklist:

  • I agree to use the APACHE-2.0 license for my code changes
  • I have not introduced any 3rd party dependency changes
  • I have performed a self-review of my code

@johnoloughlin
first commit
2c92881 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
@johnoloughlin
add quotes
9283689 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
@johnoloughlin
configs
b05c171 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
@johnoloughlin
update
3ec3b57 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
@johnoloughlin
change server sync
9ee9d48 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
@johnoloughlin
add cluster
51873d1 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
@johnoloughlin
update
ae93f3d 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
@johnoloughlin johnoloughlin changed the title Cloud native pg PCO WIP Cloud native pg May 14, 2025
@johnoloughlin johnoloughlin changed the title PCO WIP Cloud native pg POC WIP Cloud native pg May 14, 2025
@johnoloughlin
Merge branch 'main' into cloud_native_pg
a73b418
@johnoloughlin
add cluster
6eb23d3 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
@johnoloughlin
test
6ead90b 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
@johnoloughlin
move
da9a19a 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
@johnoloughlin
Merge branch 'main' into cloud_native_pg
7942720
@johnoloughlin
Update postgresql-cloudnative-cluster.yaml
7b10c6f
@johnoloughlin
Merge branch 'main' into cloud_native_pg
9924c34
@johnoloughlin
change service
ed05dc0 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
@johnoloughlin
upload backup job
a364b12 
Signed-off-by: OLoughlin, John <john.oloughlin@intel.com>
johnoloughlin
johnoloughlin commented May 23, 2025
View reviewed changes
restore_postgres_job.yaml
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this file needs to be moved to a better DIR

github-advanced-security[bot]
github-advanced-security bot found potential problems May 23, 2025
View reviewed changes
restore_postgres_job.yaml
Comment on lines +14 to +25
- name: psql
image: postgres:15
command: ["sh", "-c", "psql -h postgresql-cloudnative-cluster-rw -U postgres -f /sql/orch-database_postgresql-0_backup.sql"]
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgresql-cloudnative-cluster-superuser
key: password
volumeMounts:
- name: sql-volume
mountPath: /sql

Check warning

Code scanning / Trivy

Can elevate its own privileges Medium

Artifact: restore_postgres_job.yaml
Type: kubernetes
Vulnerability KSV001
Severity: MEDIUM
Message: Container 'psql' of Job 'pg-restore-job' should set 'securityContext.allowPrivilegeEscalation' to false
Link: KSV001
restore_postgres_job.yaml
Comment on lines +14 to +25
- name: psql
image: postgres:15
command: ["sh", "-c", "psql -h postgresql-cloudnative-cluster-rw -U postgres -f /sql/orch-database_postgresql-0_backup.sql"]
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgresql-cloudnative-cluster-superuser
key: password
volumeMounts:
- name: sql-volume
mountPath: /sql

Check notice

Code scanning / Trivy

Default capabilities: some containers do not drop all Low

Artifact: restore_postgres_job.yaml
Type: kubernetes
Vulnerability KSV003
Severity: LOW
Message: Container 'psql' of Job 'pg-restore-job' should add 'ALL' to 'securityContext.capabilities.drop'
Link: KSV003
restore_postgres_job.yaml
Comment on lines +14 to +25
- name: psql
image: postgres:15
command: ["sh", "-c", "psql -h postgresql-cloudnative-cluster-rw -U postgres -f /sql/orch-database_postgresql-0_backup.sql"]
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgresql-cloudnative-cluster-superuser
key: password
volumeMounts:
- name: sql-volume
mountPath: /sql

Check notice

Code scanning / Trivy

Default capabilities: some containers do not drop any Low

Artifact: restore_postgres_job.yaml
Type: kubernetes
Vulnerability KSV004
Severity: LOW
Message: Container 'psql' of 'job' 'pg-restore-job' in 'orch-database' namespace should set securityContext.capabilities.drop
Link: KSV004
restore_postgres_job.yaml
Comment on lines +14 to +25
- name: psql
image: postgres:15
command: ["sh", "-c", "psql -h postgresql-cloudnative-cluster-rw -U postgres -f /sql/orch-database_postgresql-0_backup.sql"]
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgresql-cloudnative-cluster-superuser
key: password
volumeMounts:
- name: sql-volume
mountPath: /sql

Check notice

Code scanning / Trivy

CPU not limited Low

Artifact: restore_postgres_job.yaml
Type: kubernetes
Vulnerability KSV011
Severity: LOW
Message: Container 'psql' of Job 'pg-restore-job' should set 'resources.limits.cpu'
Link: KSV011
restore_postgres_job.yaml
Comment on lines +14 to +25
- name: psql
image: postgres:15
command: ["sh", "-c", "psql -h postgresql-cloudnative-cluster-rw -U postgres -f /sql/orch-database_postgresql-0_backup.sql"]
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgresql-cloudnative-cluster-superuser
key: password
volumeMounts:
- name: sql-volume
mountPath: /sql

Check warning

Code scanning / Trivy

Runs as root user Medium

Artifact: restore_postgres_job.yaml
Type: kubernetes
Vulnerability KSV012
Severity: MEDIUM
Message: Container 'psql' of Job 'pg-restore-job' should set 'securityContext.runAsNonRoot' to true
Link: KSV012
restore_postgres_job.yaml
Comment on lines +14 to +25
- name: psql
image: postgres:15
command: ["sh", "-c", "psql -h postgresql-cloudnative-cluster-rw -U postgres -f /sql/orch-database_postgresql-0_backup.sql"]
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgresql-cloudnative-cluster-superuser
key: password
volumeMounts:
- name: sql-volume
mountPath: /sql

Check warning

Code scanning / Trivy

All container images must start with a GCR domain Medium

Artifact: restore_postgres_job.yaml
Type: kubernetes
Vulnerability KSV033
Severity: MEDIUM
Message: container psql of job pg-restore-job in orch-database namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries
Link: KSV033
restore_postgres_job.yaml
Comment on lines +14 to +25
- name: psql
image: postgres:15
command: ["sh", "-c", "psql -h postgresql-cloudnative-cluster-rw -U postgres -f /sql/orch-database_postgresql-0_backup.sql"]
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgresql-cloudnative-cluster-superuser
key: password
volumeMounts:
- name: sql-volume
mountPath: /sql

Check warning

Code scanning / Trivy

Container images from public registries used Medium

Artifact: restore_postgres_job.yaml
Type: kubernetes
Vulnerability KSV034
Severity: MEDIUM
Message: Container 'psql' of Job 'pg-restore-job' should restrict container image to use private registries
Link: KSV034
restore_postgres_job.yaml
Comment on lines +14 to +25
- name: psql
image: postgres:15
command: ["sh", "-c", "psql -h postgresql-cloudnative-cluster-rw -U postgres -f /sql/orch-database_postgresql-0_backup.sql"]
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgresql-cloudnative-cluster-superuser
key: password
volumeMounts:
- name: sql-volume
mountPath: /sql

Check warning

Code scanning / Trivy

All container images must start with an ECR domain Medium

Artifact: restore_postgres_job.yaml
Type: kubernetes
Vulnerability KSV035
Severity: MEDIUM
Message: Container 'psql' of Job 'pg-restore-job' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html
Link: KSV035
restore_postgres_job.yaml
Comment on lines +14 to +25
- name: psql
image: postgres:15
command: ["sh", "-c", "psql -h postgresql-cloudnative-cluster-rw -U postgres -f /sql/orch-database_postgresql-0_backup.sql"]
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgresql-cloudnative-cluster-superuser
key: password
volumeMounts:
- name: sql-volume
mountPath: /sql

Check warning

Code scanning / Trivy

Seccomp policies disabled Medium

Artifact: restore_postgres_job.yaml
Type: kubernetes
Vulnerability KSV104
Severity: MEDIUM
Message: container "psql" of job "pg-restore-job" in "orch-database" namespace should specify a seccomp profile
Link: KSV104
restore_postgres_job.yaml
Comment on lines +14 to +25
- name: psql
image: postgres:15
command: ["sh", "-c", "psql -h postgresql-cloudnative-cluster-rw -U postgres -f /sql/orch-database_postgresql-0_backup.sql"]
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: postgresql-cloudnative-cluster-superuser
key: password
volumeMounts:
- name: sql-volume
mountPath: /sql

Check notice

Code scanning / Trivy

Container capabilities must only include NET_BIND_SERVICE Low

Artifact: restore_postgres_job.yaml
Type: kubernetes
Vulnerability KSV106
Severity: LOW
Message: container should drop all
Link: KSV106
@ajaythakurintel ajaythakurintel added this to the 3.1 milestone May 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@se-chris-thach se-chris-thach Awaiting requested review from se-chris-thach se-chris-thach will be requested when the pull request is marked ready for review se-chris-thach is a code owner

@mdbalvin mdbalvin Awaiting requested review from mdbalvin mdbalvin will be requested when the pull request is marked ready for review mdbalvin is a code owner

@rad-szulim rad-szulim Awaiting requested review from rad-szulim rad-szulim will be requested when the pull request is marked ready for review rad-szulim is a code owner

@charlesmcchan charlesmcchan Awaiting requested review from charlesmcchan charlesmcchan will be requested when the pull request is marked ready for review charlesmcchan is a code owner

@yi-tseng-intel yi-tseng-intel Awaiting requested review from yi-tseng-intel yi-tseng-intel will be requested when the pull request is marked ready for review yi-tseng-intel is a code owner

@ashridatta ashridatta Awaiting requested review from ashridatta ashridatta will be requested when the pull request is marked ready for review ashridatta is a code owner

@teone teone Awaiting requested review from teone teone will be requested when the pull request is marked ready for review teone is a code owner

@callumnobleintel callumnobleintel Awaiting requested review from callumnobleintel callumnobleintel will be requested when the pull request is marked ready for review callumnobleintel is a code owner

@daniele-moro daniele-moro Awaiting requested review from daniele-moro daniele-moro will be requested when the pull request is marked ready for review daniele-moro is a code owner

@SeanCondon SeanCondon Awaiting requested review from SeanCondon SeanCondon will be requested when the pull request is marked ready for review SeanCondon is a code owner

@pierventre pierventre Awaiting requested review from pierventre pierventre will be requested when the pull request is marked ready for review pierventre is a code owner

@cgoea cgoea Awaiting requested review from cgoea cgoea will be requested when the pull request is marked ready for review cgoea is a code owner

@palade palade Awaiting requested review from palade palade will be requested when the pull request is marked ready for review palade is a code owner

@pperycz pperycz Awaiting requested review from pperycz pperycz will be requested when the pull request is marked ready for review pperycz is a code owner

@ltalarcz ltalarcz Awaiting requested review from ltalarcz ltalarcz will be requested when the pull request is marked ready for review ltalarcz is a code owner

@jakubsikorski jakubsikorski Awaiting requested review from jakubsikorski jakubsikorski will be requested when the pull request is marked ready for review jakubsikorski is a code owner

@sys-orch-approve sys-orch-approve Awaiting requested review from sys-orch-approve sys-orch-approve will be requested when the pull request is marked ready for review sys-orch-approve is a code owner

@ahalimx86 ahalimx86 Awaiting requested review from ahalimx86 ahalimx86 will be requested when the pull request is marked ready for review ahalimx86 is a code owner

@garyloug garyloug Awaiting requested review from garyloug garyloug will be requested when the pull request is marked ready for review garyloug is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
DO NOT MERGE
Projects
None yet
Milestone
3.1
Development

Successfully merging this pull request may close these issues.
2 participants
@johnoloughlin @ajaythakurintel