fix pg_stat_statement query: add queryid to make it unique

charts/metal-control-plane/Chart.yaml

@@ -3,4 +3,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for deploying the metal control plane in K8s
 name: metal-control-plane
-version: 0.4.1
+version: 0.4.3

charts/metal-control-plane/templates/ipam.yaml

@@ -0,0 +1,73 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ipam
+spec:
+  selector:
+    matchLabels:
+      app: ipam
+  template:
+    metadata:
+      labels:
+        app: ipam
+      annotations:
+        prometheus.io/scrape: 'true'
+        prometheus.io/path: /metrics
+        prometheus.io/port: '2112'
+    spec:
+      containers:
+      - name: ipam
+        args:
+          - postgres
+        image: {{ .Values.images.ipam.image }}:{{ .Values.images.ipam.tag }}
+        imagePullPolicy: {{ .Values.images.ipam.imagePullPolicy }}
+        env:
+          - name: GOIPAM_GRPC_SERVER_ENDPOINT
+            value: {{ .Values.ipam.grpc_server_endpoint }}
+          - name: GOIPAM_PG_HOST
+            value: {{ .Values.ipam.db_host }}
+          - name: GOIPAM_PG_PORT
+            value: "{{ .Values.ipam.db_port }}"
+          - name: GOIPAM_PG_DBNAME
+            value: {{ .Values.ipam.db_name }}
+          - name: GOIPAM_PG_PASSWORD
+            value: {{ .Values.ipam.db_password }}
+          - name: GOIPAM_PG_USER
+            value: {{ .Values.ipam.db_user }}
+          - name: GOIPAM_LOG_LEVEL
+            value: "{{ .Values.ipam.log_level }}"
+{{- if .Values.set_resource_limits }}
+        resources:
+{{ toYaml .Values.resources.ipam | indent 10 }}
+{{- end }}
+        ports:
+        - containerPort: 2112
+          protocol: TCP
+        - containerPort: 9090
+        readinessProbe:
+          exec:
+            command: ["/bin/grpc_health_probe", "-addr=:9090"]
+          initialDelaySeconds: 5
+        livenessProbe:
+          exec:
+            command: ["/bin/grpc_health_probe", "-addr=:9090"]
+          initialDelaySeconds: 10
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ipam
+  labels:
+    app: ipam
+spec:
+  type: ClusterIP
+  ports:
+  - name: "{{ .Values.ports.ipam }}"
+    port: {{ .Values.ports.ipam }}
+    targetPort: 9090
+  - name: "{{ .Values.ports.ipam_metrics }}"
+    port: {{ .Values.ports.ipam_metrics }}
+    targetPort: 2112
+  selector:
+    app: ipam

charts/metal-control-plane/templates/metal-api.yaml

@@ -115,16 +115,8 @@ spec:
             secretKeyRef:
               name: metal-api
               key: admin_key
-        - name: METAL_API_IPAM_DB_ADDR
-          value: {{ .Values.metal_api.ipam_db_address }}
-        - name: METAL_API_IPAM_DB_PORT
-          value: "{{ .Values.metal_api.ipam_db_port }}"
-        - name: METAL_API_IPAM_DB_NAME
-          value: {{ .Values.metal_api.ipam_db_name }}
-        - name: METAL_API_IPAM_DB_PASSWORD
-          value: {{ .Values.metal_api.ipam_db_password }}
-        - name: METAL_API_IPAM_DB_USER
-          value: {{ .Values.metal_api.ipam_db_user }}
+        - name: METAL_API_IPAM_GRPC_SERVER_ENDPOINT
+          value: {{ .Values.metal_api.ipam_grpc_server_endpoint }}
         - name: METAL_API_PROVIDER_TENANT
           value: "{{ .Values.masterdata_api.provider_tenant }}"
         - name: METAL_API_NSQLOOKUPD_ADDR
@@ -197,6 +189,10 @@ spec:
           value: /certs/masterdata-api/client-key.pem
         - name: METAL_API_PASSWORD_REASON_MINLENGTH
           value: "{{ .Values.metal_api.password_reason_minlength }}"
+{{- if .Values.metal_api.release_version }}
+        - name: METAL_API_RELEASE_VERSION
+          value: "{{ .Values.metal_api.release_version }}"
+{{- end }}
         - name: METAL_API_MINIMUM_CLIENT_VERSION
           value: "{{ .Values.metal_api.minimum_client_version }}"
 {{- if .Values.auditing.enabled }}
@@ -551,16 +547,8 @@ spec:
               value: {{ .Values.metal_api.db_address }}
             - name: METAL_API_DB_PASSWORD
               value: {{ .Values.metal_api.db_password }}
-            - name: METAL_API_IPAM_DB_ADDR
-              value: {{ .Values.metal_api.ipam_db_address }}
-            - name: METAL_API_IPAM_DB_PORT
-              value: "{{ .Values.metal_api.ipam_db_port }}"
-            - name: METAL_API_IPAM_DB_NAME
-              value: {{ .Values.metal_api.ipam_db_name }}
-            - name: METAL_API_IPAM_DB_PASSWORD
-              value: {{ .Values.metal_api.ipam_db_password }}
-            - name: METAL_API_IPAM_DB_USER
-              value: {{ .Values.metal_api.ipam_db_user }}
+            - name: METAL_API_IPAM_GRPC_SERVER_ENDPOINT
+              value: {{ .Values.metal_api.ipam_grpc_server_endpoint }}
             - name: METAL_API_NSQLOOKUPD_ADDR
               value: {{ .Values.metal_api.nsq.lookupd_address }}
             - name: METAL_API_NSQD_TCP_ADDR

charts/metal-control-plane/values.yaml

@@ -13,6 +13,10 @@ images:
     image: ghcr.io/metal-stack/masterdata-api
     imagePullPolicy: IfNotPresent
     tag: latest
+  ipam:
+    image: ghcr.io/metal-stack/go-ipam
+    imagePullPolicy: IfNotPresent
+    tag: latest
   metalctl:
     image: ghcr.io/metal-stack/metalctl
     imagePullPolicy: IfNotPresent
@@ -37,6 +41,13 @@ resources:
     limits:
       memory: "64Mi"
       cpu: "200m"
+  ipam:
+    requests:
+      memory: "32Mi"
+      cpu: "50m"
+    limits:
+      memory: "64Mi"
+      cpu: "200m"
   metal_console:
     requests:
       memory: "64Mi"
@@ -59,18 +70,16 @@ ports:
   masterdata_api: 8443
   masterdata_api_metrics: 2113
   metal_console: 10001
+  ipam: 9090
+  ipam_metrics: 2112
 
 metal_api:
   replicas: 3
   base_path: "/"
   log_level: info
   db_address: ""
   db_password: ""
-  ipam_db_address: ""
-  ipam_db_port: 5432
-  ipam_db_name: ""
-  ipam_db_user: ""
-  ipam_db_password: ""
+  ipam_grpc_server_endpoint: ""
   dex_address: ""
   dex_clientid: ""
   view_key: ""
@@ -114,6 +123,16 @@ metal_api:
     internal_api_address: ""
     control_plane_address: ""
   minimum_client_version: ""
+  release_version: ""
+
+ipam:
+  grpc_server_endpoint: "0.0.0.0:9090"
+  log_level: "info"
+  db_host: ""
+  db_port: 5432
+  db_name: ""
+  db_user: ""
+  db_password: ""
 
 masterdata_api:
   provider_tenant: ""

charts/postgreslet/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.0
+version: 0.13.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.13.1"
+appVersion: "v0.15.0"

charts/postgreslet/crds/postgresql.yaml

@@ -364,6 +364,7 @@ spec:
                       - "13"
                       - "14"
                       - "15"
+                      - "16"
                   parameters:
                     type: object
                     additionalProperties:

charts/postgreslet/templates/configmap-sidecars.yaml

@@ -26,6 +26,15 @@ data:
         limits:
           cpu: {{ .Values.sidecars.exporter.resources.limits.cpu }}
           memory: {{ .Values.sidecars.exporter.resources.limits.memory }}
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       env:
         - name: DATA_SOURCE_URI
           value: 127.0.0.1:5432/postgres?sslmode=disable
@@ -52,6 +61,14 @@ data:
         limits:
           cpu: {{ .Values.sidecars.fluentbit.resources.limits.cpu }}
           memory: {{ .Values.sidecars.fluentbit.resources.limits.memory }}
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
   additional-volumes: |
     - name: empty
       mountPath: /opt/empty

charts/postgreslet/templates/configmap.yaml

@@ -4,13 +4,15 @@ data:
   DEPLOY_ETCD: {{ .Values.postgreslet.deployEtcd | quote }}
   ENABLE_BOOTSRTAP_STANDBY_FROM_S3: {{ .Values.postgreslet.enableBootsrtapStandbyFromS3 | quote  }}
   ENABLE_CRD_VALIDATION: {{ .Values.postgreslet.enableCrdValidation | quote  }}
+  ENABLE_FORCE_SHARED_IP: {{ .Values.postgreslet.enableForceSharedIP | quote  }}
   ENABLE_LB_SOURCE_RANGES: {{ .Values.postgreslet.enableLBSourceRanges | quote }}
   ENABLE_LEADER_ELECTION: {{ .Values.postgreslet.enableLeaderElection | quote }}
   ENABLE_LEGACY_STANDBY_SELECTOR: {{ .Values.postgreslet.enableLegacyStandbySelector | quote }}
   ENABLE_NETPOL: {{ .Values.postgreslet.enableNetPol | quote  }}
   ENABLE_POD_ANTIAFFINITY: {{ .Values.postgreslet.enablePodAntiaffinity | quote }}
   ENABLE_RANDOM_STORAGE_ENCRYPTION_SECRET: {{ .Values.postgreslet.enableRandomStorageEncrytionSecret | quote }}
   ENABLE_STANDBY_LEADER_SELECTOR: {{ .Values.postgreslet.enableStandbyLeaderSelector | quote }}
+  ENABLE_SUPERUSER_FOR_DBO: {{ .Values.postgreslet.enableSuperuserforDBO | quote }}
   ENABLE_WALG_ENCRYPTION: {{ .Values.postgreslet.enableWalGEncryption | quote }}
   ETCD_BACKUP_SECRET_NAME: {{ .Values.postgreslet.etcdBackupSecretName | quote  }}
 {{- if .Values.postgreslet.etcdBackupSidecarImage }}
@@ -52,6 +54,8 @@ data:
   STANDBY_CLUSTERS_SOURCE_RANGES: {{ .Values.postgreslet.standbyClustersSourceRanges | quote  }}
   STORAGE_CLASS: {{ .Values.postgreslet.storageClass | quote  }}
   TENANT: {{ .Values.postgreslet.tenant | quote }}
+  TLS_CLUSTER_ISSUER: {{ .Values.postgreslet.tlsClusterIssuer | quote  }}
+  TLS_SUB_DOMAIN: {{ .Values.postgreslet.tlsSubDomain | quote  }}
 kind: ConfigMap
 metadata:
   name: {{ include "postgreslet.fullname" . }}

charts/postgreslet/templates/podsecuritypolicy.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rbac.pspEnabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -17,4 +18,5 @@ spec:
     - secret
     - persistentVolumeClaim
     - configMap
-    - emptyDir
+    - emptyDir
+{{- end }}