Commit 41f0978

docs(postgresql): improve SSL docs (#78)
1 parent 6097c03 commit 41f0978

7 files changed

+77
-41
lines changed

codefresh/.ci/values/defaults-hpa.yaml renamed to codefresh/.ci/values/defaults.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ cfapi:
2222

2323
ingress:
2424
enabled: true
25-
ingressClassName: nginx-internal
25+
ingressClassName: nginx
2626
tls:
2727
enabled: false
2828
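
Review bot: the ingress class at line 25 moves from `nginx-internal` to `nginx`, and the file is renamed from `defaults-hpa.yaml` to `defaults.yaml`, yet neither is mentioned in the commit title. Check that every CI job or script that referenced `defaults-hpa.yaml` is updated in the same change, and state in the commit message why the CI deployment leaves the class whose name suggests an internal-only controller.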

codefresh/Chart.lock

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ dependencies:
4040
version: 4.12.1
4141
- name: cluster-providers
4242
repository: oci://quay.io/codefresh/charts
43-
version: 1.17.15
43+
version: 1.17.16
4444
- name: kube-integration
4545
repository: oci://quay.io/codefresh/charts
4646
version: 1.31.19
@@ -167,5 +167,5 @@ dependencies:
167167
- name: salesforce-reporter
168168
repository: oci://quay.io/codefresh/charts
169169
version: 1.30.11
170-
digest: sha256:95f0001ae40b171eef3adecbb31dbf3a89e8bb6e62cb9ce00e94106a18d0aa65
171-
generated: "2025-06-10T08:35:23.769105+03:00"
170+
digest: sha256:15c2385008ca0ad7f16ebef784e901c00fc78002d485832eb9bfa3242cc3726f
171+
generated: "2025-06-19T09:06:31.743012+03:00"

codefresh/Chart.yaml

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
apiVersion: v2
22
description: Helm Chart for Codefresh On-Prem
33
name: codefresh
4-
version: 2.8.6
4+
version: 2.8.7
55
keywords:
66
- codefresh
77
home: https://codefresh.io/
@@ -18,8 +18,10 @@ annotations:
1818
# artifacthub.io/containsSecurityUpdates: "true"
1919
# supported kinds are added, changed, deprecated, removed, fixed and security.
2020
artifacthub.io/changes: |
21-
- kind: added
22-
description: "Add pre-upgrade hook to enable stable feature flags in rabbitmq"
21+
- kind: changed
22+
description: "Improve PostgreSQL configuration documentation"
23+
- kind: fixed
24+
description: "Fix global image registry prefix for runtime images"
2325
dependencies:
2426
- name: cf-common
2527
repository: oci://quay.io/codefresh/charts
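
Review bot: the changelog at lines 21-24 now carries a `fixed` entry for the runtime image registry prefix, but the commit title is `docs(postgresql): improve SSL docs`, so the behaviour change does not show in the history. Retitle the commit or split the fix into its own change. Chart.lock in this commit also bumps `cluster-providers` from 1.17.15 to 1.17.16 with no changelog entry; add one that says what the bump brings.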

codefresh/README.md

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
## Codefresh On-Premises
22

3-
![Version: 2.8.6](https://img.shields.io/badge/Version-2.8.6-informational?style=flat-square) ![AppVersion: 2.8.0](https://img.shields.io/badge/AppVersion-2.8.0-informational?style=flat-square)
3+
![Version: 2.8.7](https://img.shields.io/badge/Version-2.8.7-informational?style=flat-square) ![AppVersion: 2.8.0](https://img.shields.io/badge/AppVersion-2.8.0-informational?style=flat-square)
44

55
Helm chart for deploying [Codefresh On-Premises](https://codefresh.io/docs/docs/getting-started/intro-to-codefresh/) to Kubernetes.
66

@@ -409,18 +409,26 @@ postgresql:
409409
enabled: false
410410
```
411411
412-
Provide the following env vars to enable SSL connection to Postgres:
412+
##### Using SSL with a PostgreSQL
413+
414+
Provide the following env vars to enforce SSL connection to PostgresSQL:
413415
414416
```yaml
415417
global:
416418
env:
419+
# More info in the official docs: https://www.postgresql.org/docs/current/libpq-envars.html
417420
PGSSLMODE: "require"
418421

419422
helm-repo-manager:
420423
env:
421424
POSTGRES_DISABLE_SSL: "false"
422425
```
423426
427+
> ⚠️ **Important!**<br />
428+
> We do not support custom CA configuration for PostgreSQL, including self-signed certificates. This may cause incompatibility with some providers' default configurations.<br />
429+
> In particular, Amazon RDS for PostgreSQL version 15 and later requires SSL encryption by default ([ref](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring)).<br />
430+
> We recommend disabling SSL on the provider side in such cases or using the following steps to mount custom CA certificates: [Mounting private CA certs](#mounting-private-ca-certs)
431+
424432
#### External Redis
425433
426434
```yaml
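
Review bot: the warning added at lines 427-430 contradicts itself and lists the weaker option first. It says custom CA configuration is not supported, then points to "Mounting private CA certs" as a way to use one, and it names disabling SSL on the provider side before that. Put the CA-mount path first and state plainly whether it is supported. Next to `PGSSLMODE: "require"` it would also help to say that in libpq this mode encrypts the connection but does not verify the server certificate against a CA unless a root certificate file is present, so readers know what "enforce SSL" covers. Smaller points: line 414 spells the name "PostgresSQL", and the heading at line 412 reads better as "Using SSL with PostgreSQL" (the `#using-ssl-with-a-postgresql` link added further down would then need to follow).
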
@@ -2177,6 +2185,10 @@ Default PostgreSQL image is changed from 13.x to 17.x
21772185

21782186
If you run external PostgreSQL, follow the [official instructions](https://www.postgresql.org/docs/17/upgrading.html) to upgrade to 17.x.
21792187

2188+
> ⚠️ **Important!**<br />
2189+
> The default SSL configuration may change on your provider's side when you upgrade.<br />
2190+
> Please read the following section before the upgrade: [Using SSL with a PostgreSQL](#using-ssl-with-a-postgresql)
2191+
21802192
⚠️ ⚠️ ⚠️ 16.x version is also supported (17.x version of PostgreSQL is still in preview on multiple cloud providers)
21812193

21822194
⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported due to **incompatible breaking changes** in the database files. You will see the following error in the logs:
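
Review bot: the note at lines 2188-2190 says the provider's default SSL configuration "may change" without naming a case. Repeat the concrete one from the linked section (Amazon RDS for PostgreSQL version 15 and later requires SSL by default) so readers upgrading from 13.x can tell whether they are affected. The link target `#using-ssl-with-a-postgresql` is derived from the heading text, so it breaks if that heading is reworded.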

codefresh/README.md.gotmpl

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -411,18 +411,27 @@ postgresql:
411411
enabled: false
412412
```
413413

414-
Provide the following env vars to enable SSL connection to Postgres:
414+
##### Using SSL with a PostgreSQL
415+
416+
Provide the following env vars to enforce SSL connection to PostgresSQL:
415417

416418
```yaml
417419
global:
418420
env:
421+
# More info in the official docs: https://www.postgresql.org/docs/current/libpq-envars.html
419422
PGSSLMODE: "require"
420423

421424
helm-repo-manager:
422425
env:
423426
POSTGRES_DISABLE_SSL: "false"
424427
```
425428

429+
> ⚠️ **Important!**<br />
430+
> We do not support custom CA configuration for PostgreSQL, including self-signed certificates. This may cause incompatibility with some providers' default configurations.<br />
431+
> In particular, Amazon RDS for PostgreSQL version 15 and later requires SSL encryption by default ([ref](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html#PostgreSQL.Concepts.General.SSL.Requiring)).<br />
432+
> We recommend disabling SSL on the provider side in such cases or using the following steps to mount custom CA certificates: [Mounting private CA certs](#mounting-private-ca-certs)
433+
434+
426435
#### External Redis
427436

428437
```yaml
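
Review bot: lines 433-434 add two consecutive blank lines before `#### External Redis`, where the README.md hunk for the same section adds one; drop one so the two files stay in step. The "PostgresSQL" spelling at line 416 and the "Using SSL with a PostgreSQL" heading at line 414 are duplicated from README.md, so any correction has to be made in both files.
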
@@ -2186,6 +2195,10 @@ Default PostgreSQL image is changed from 13.x to 17.x
21862195

21872196
If you run external PostgreSQL, follow the [official instructions](https://www.postgresql.org/docs/17/upgrading.html) to upgrade to 17.x.
21882197

2198+
> ⚠️ **Important!**<br />
2199+
> The default SSL configuration may change on your provider's side when you upgrade.<br />
2200+
> Please read the following section before the upgrade: [Using SSL with a PostgreSQL](#using-ssl-with-a-postgresql)
2201+
21892202
⚠️ ⚠️ ⚠️ 16.x version is also supported (17.x version of PostgreSQL is still in preview on multiple cloud providers)
21902203

21912204
⚠️ ⚠️ ⚠️ If you run built-in PostgreSQL `bitnami/postgresql` subchart, direct upgrade is not supported due to **incompatible breaking changes** in the database files. You will see the following error in the logs:

codefresh/templates/_helpers.tpl

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -55,7 +55,16 @@ Return runtime image (classic runtime) with private registry prefix
5555
*/}}
5656
{{- define "codefresh.buildImageName" -}}
5757
{{- if .registry -}}
58-
{{- $imageName := (trimPrefix "quay.io/" .imageFullName) -}}
58+
{{- $imageName := .imageFullName -}}
59+
{{- if hasPrefix "us-docker.pkg.dev/codefresh-inc/public-gcr-io/" $imageName }}
60+
{{- $imageName = trimPrefix "us-docker.pkg.dev/codefresh-inc/public-gcr-io/" $imageName }}
61+
{{- end }}
62+
{{- if hasPrefix "quay.io/" $imageName }}
63+
{{- $imageName = trimPrefix "quay.io/" $imageName }}
64+
{{- end }}
65+
{{- if hasPrefix "docker.io/" $imageName }}
66+
{{- $imageName = trimPrefix "docker.io/" $imageName | replace "library" "codefresh" }}
67+
{{- end }}
5968
{{- printf "%s/%s" .registry $imageName -}}
6069
{{- else -}}
6170
{{- printf "%s" .imageFullName -}}
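
Review bot: at line 66, `replace "library" "codefresh"` rewrites every occurrence of the substring "library" in the image name, not only the leading `library/` namespace of official Docker Hub images. A name such as `docker.io/<org>/<name>-library` (constructed example) would be altered as well. Restrict the rewrite to the first path segment, for example by testing `hasPrefix "library/"` and swapping only that prefix. The comment above the define should also list the three prefixes that are now stripped and the `library` to `codefresh` mapping, because operators mirroring images into `.registry` need to know which repository paths will be requested. Minor: the new `if` and `end` actions close with `}}` while the rest of the helper uses `-}}`.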

codefresh/templates/configmaps/runtimeEnvironments.json.tpl

Lines changed: 30 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@
2929
"inCluster": true,
3030
"namespace": "{{ .Release.Namespace }}"
3131
},
32-
"image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}",
32+
"image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}",
3333
"command": [
3434
"npm",
3535
"run",
@@ -45,19 +45,19 @@
4545
"RUNTIME_ADDITIONAL_INTERNAL_REGISTRIES_JSON": "/etc/admin/additional-internal-registries.json",
4646
"LOGGER_LEVEL": "debug",
4747
"NODE_ENV": "kubernetes",
48-
"DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}",
49-
"DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}",
50-
"DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}",
51-
"CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}",
52-
"GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}",
53-
"DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}",
54-
"FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}",
55-
"COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}",
56-
"KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}",
57-
"TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.TEMPLATE_ENGINE) }}",
58-
"PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) }}",
59-
"CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}",
60-
"GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}",
48+
"DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}",
49+
"DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}",
50+
"DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}",
51+
"CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}",
52+
"GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}",
53+
"DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}",
54+
"FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}",
55+
"COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}",
56+
"KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}",
57+
"TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.TEMPLATE_ENGINE) }}",
58+
"PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) }}",
59+
"CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}",
60+
"GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}",
6161
"NODE_TLS_REJECT_UNAUTHORIZED": "0"
6262
},
6363
"volumeMounts": {
@@ -109,7 +109,7 @@
109109
},
110110
"description": "System hybrid runtime environment for kubernetes",
111111
"runtimeScheduler": {
112-
"image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}",
112+
"image": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.ENGINE_IMAGE) }}",
113113
"command": [
114114
"npm",
115115
"run",
@@ -121,19 +121,19 @@
121121
"LOGGER_LEVEL": "debug",
122122
"NODE_ENV": "kubernetes",
123123
"METRICS_CODEFRESH_ENABLED": "true",
124-
"DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}",
125-
"DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}",
126-
"DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}",
127-
"CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}",
128-
"GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}",
129-
"DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}",
130-
"FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}",
131-
"COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}",
132-
"KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}",
133-
"TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.TEMPLATE_ENGINE) }}",
134-
"PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) }}",
135-
"CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}",
136-
"GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}",
124+
"DOCKER_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PUSHER_IMAGE) }}",
125+
"DOCKER_PULLER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_PULLER_IMAGE) }}",
126+
"DOCKER_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_BUILDER_IMAGE) }}",
127+
"CONTAINER_LOGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CONTAINER_LOGGER_IMAGE) }}",
128+
"GIT_CLONE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GIT_CLONE_IMAGE) }}",
129+
"DOCKER_TAG_PUSHER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) }}",
130+
"FS_OPS_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.FS_OPS_IMAGE) }}",
131+
"COMPOSE_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.COMPOSE_IMAGE) }}",
132+
"KUBE_DEPLOY": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.KUBE_DEPLOY) }}",
133+
"TEMPLATE_ENGINE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.TEMPLATE_ENGINE) }}",
134+
"PIPELINE_DEBUGGER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.PIPELINE_DEBUGGER_IMAGE) }}",
135+
"CR_6177_FIXER": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.CR_6177_FIXER) }}",
136+
"GC_BUILDER_IMAGE": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.GC_BUILDER_IMAGE) }}",
137137
"NO_EXT_MONITOR": "true",
138138
"DISABLE_WORKSPACE_CACHE": "true",
139139
"NODE_TLS_REJECT_UNAUTHORIZED": "0",
@@ -170,7 +170,7 @@
170170
"cluster": {
171171
"namespace": "{{ .Release.Namespace }}"
172172
},
173-
"dindImage": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.dockerRegistry "imageFullName" .Values.runtimeImages.DIND_IMAGE) }}",
173+
"dindImage": "{{ include "codefresh.buildImageName" (dict "registry" .Values.global.imageRegistry "imageFullName" .Values.runtimeImages.DIND_IMAGE) }}",
174174
"defaultDindResources": {
175175
"requests": {
176176
"cpu": "390m",
@@ -267,6 +267,6 @@
267267
"extends": [
268268
"system/default"
269269
]
270-
}
270+
}
271271
]
272272
{{- end -}}
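
Review bot: line 270 is removed and re-added as `}` with no visible difference, so this is a whitespace-only change. If it is unintended, drop it to keep the diff in this file limited to the registry key rename.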
