Rework postgresql/postgis

CHANGELOG.md

@@ -15,6 +15,11 @@ For releases `< 1.0.0` minor version step indicate breaking changes.
 ### Changed
 
 - Minor docs update for CKAN api token values
+- Update PostGIS chart to PostgreSQL 15, PostGIS 3.3
+- Reworked database initialization scripts
+- DB users for CKAN and datastore databases are no longer superusers.
+  Separate credentials for the postgres database superuser can now be
+  specified in values.
 
 ### Removed
 

charts/sddi-ckan/Chart.yaml

@@ -9,8 +9,8 @@ sources:
   - https://github.com/tum-gis/sddi-ckan-k8s
   - https://www.asg.ed.tum.de/en/gis/projects/smart-district-data-infrastructure
 
-version: 0.4.0
-appVersion: "0.0.1"
+version: 0.5.0
+appVersion: "0.0.2"
 kubeVersion: ">= 1.23.0"
 
 maintainers:

charts/sddi-ckan/README.md

@@ -1,6 +1,6 @@
 # sddi-ckan
 
-![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square)
+![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.2](https://img.shields.io/badge/AppVersion-0.0.2-informational?style=flat-square)
 
 Helm Chart for a SDDI enabled CKAN catalog. See [CHANGELOG](https://github.com/tum-gis/sddi-ckan-k8s/blob/main/CHANGELOG.md) for changes.
 
@@ -40,18 +40,21 @@ Kubernetes: `>= 1.23.0`
 | certIssuer.enabled | bool | `true` | Enable/disable namespace Issuers for cert-manager. |
 | datapusher.enabled | bool | `true` | Enable/disable Datapusher |
 | fullnameOverride | string | `""` | Override fullname |
-| global.datastore.auth.ro.password | string | `"changeMe"` | CKAN datastore database read-only password. This is used in database charts for CKAN database initialization. If set, this values will overwrite the value in the database chart. |
-| global.datastore.auth.ro.username | string | `"datastore_ro"` | CKAN datastore database read-only username. This is used in database charts for CKAN database initialization. If set, this values will overwrite the value in the database chart. |
-| global.datastore.auth.rw.password | string | `"changeMe"` | CKAN datastore database read-write password. This is used in database charts for CKAN database initialization. If set, this values will overwrite the value in the database chart. |
-| global.datastore.auth.rw.username | string | `"datastore_rw"` | CKAN datastore database read-write username. This is used in database charts for CKAN database initialization. If set, this values will overwrite the value in the database chart. |
-| global.datastore.dbname | string | `"datastore"` | CKAN datastore database name. This is used in database charts for CKAN database initialization. If set, this values will overwrite the value in the database chart. |
-| global.datastore.host | string | `"postgis-hl"` | CKAN datastore database host. This is used in database charts for CKAN database initialization. If set, this values will overwrite the value in the database chart. |
-| global.datastore.port | int | `5432` | CKAN datastore database port. This is used in database charts for CKAN database initialization. If set, this values will overwrite the value in the database chart. |
-| global.db.auth.password | string | `"changeMe"` | Database password of the ro user. Database RO username for CKAN and CKAN datastore DB. This is used in database charts for CKAN database initialization. If set, this values will overwrite the value in the database chart. |
-| global.db.auth.username | string | `"ckan"` | Database password of the ro user. Database RO username for CKAN and CKAN datastore DB. This is used in database charts for CKAN database initialization. If set, this values will overwrite the value in the database chart. |
-| global.db.dbname | string | `"ckan_default"` | Database name. This is used in database charts for CKAN database initialization. If set, this values will overwrite the value in the database chart. |
-| global.db.host | string | `"postgis-hl"` | CKAN database host. |
-| global.db.port | int | `5432` | CKAN database port. |
+| global.datastore.auth.ro.password | string | `"changeMe"` | CKAN datastore database read-only password. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.datastore.auth.ro.username | string | `"datastore_ro"` | CKAN datastore database read-only username. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.datastore.auth.rw.password | string | `"changeMe"` | CKAN datastore database read-write password. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.datastore.auth.rw.username | string | `"datastore_rw"` | CKAN datastore database read-write username. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.datastore.dbname | string | `"datastore"` | CKAN datastore database name. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.datastore.host | string | `"postgis-hl"` | CKAN datastore database host. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.datastore.port | int | `5432` | CKAN datastore database port. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.db.auth.password | string | `"changeMe"` | Database password for the CKAN database user. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.db.auth.postgresPassword | string | `"changeMe"` | Postgres database password. This is the password of the database superuser. Used to set `POSTGRES_PASSWORD`, see [Postgres Docker docs](https://hub.docker.com/_/postgres/) for more. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.db.auth.postgresUsername | string | `"postgres"` | Postgres database username. This is the username of the database superuser. Used to set `POSTGRES_USERNAME`, see [Postgres Docker docs](https://hub.docker.com/_/postgres/) for more. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.db.auth.username | string | `"ckan"` | Database username for the CKAN database. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.db.dbname | string | `"ckan_default"` | Database name of the CKAN database. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
+| global.db.host | string | `"postgis-hl"` | Database host of the CKAN database. |
+| global.db.port | int | `5432` | Database port of the CKAN database. |
+| global.db.postgresDbname | string | `"postgres"` | Postgres database username. This is the name of the default superuser database. Used to set `POSTGRES_DB`, see [Postgres Docker docs](https://hub.docker.com/_/postgres/) for more. This is used in the PostGIS chart for database initialization. If set, this values will overwrite the value in the PostGIS chart. |
 | global.ingress.certManager.issuerEmail | string | `"[email protected]"` | eMail address for ACME registration with Let's Encrypt. Only used for issuerType = namespace. |
 | global.ingress.certManager.issuerName | string | `"letsencrypt-staging"` | Name of the Issuer to use. For certManager.type = namespace `letsencrypt-staging`, `letsencrypt-production` and `self-signed` are available. |
 | global.ingress.certManager.issuerType | string | `"namespace"` | Type of [cert-manager](https://cert-manager.io/docs/) Issuer: Use either "namespace" or "cluster". |

charts/sddi-ckan/charts/postgis/Chart.yaml

@@ -8,8 +8,8 @@ sources:
   - https://github.com/tum-gis/sddi-ckan-k8s/tree/main/sddi-ckan/charts/charts/postgis
   - https://registry.hub.docker.com/r/postgis/postgis/
 
-version: 0.4.3
-appVersion: "14-3.3-alpine"
+version: 0.5.0
+appVersion: "15-3.3-alpine"
 
 maintainers:
   - email: [email protected]

charts/sddi-ckan/charts/postgis/README.md

@@ -1,6 +1,6 @@
 # postgis
 
-![Version: 0.4.3](https://img.shields.io/badge/Version-0.4.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 14-3.3-alpine](https://img.shields.io/badge/AppVersion-14--3.3--alpine-informational?style=flat-square)
+![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 15-3.3-alpine](https://img.shields.io/badge/AppVersion-15--3.3--alpine-informational?style=flat-square)
 
 A Helm chart for sa simple PostGIS database pre-configured for CKAN.
 
@@ -28,11 +28,13 @@ A Helm chart for sa simple PostGIS database pre-configured for CKAN.
 | datastore.auth.rw.password | string | `"changeMe"` | CKAN datastore database read-write password. Note: This values is overwritten by `global.datastore.auth.rw.password`, if set. |
 | datastore.auth.rw.username | string | `"datastore_rw"` | CKAN datastore database read-write username. Note: This values is overwritten by `global.datastore.auth.rw.username`, if set. |
 | datastore.dbname | string | `"datastore"` | CKAN datastore database name. Note: This values is overwritten by `global.datastore.dbname`, if set. |
-| datastore.port | int | `5432` | CKAN datastore database port. Note: This values is overwritten by `global.datastore.port`, if set. |
-| db.auth.password | string | `"changeMe"` | CKAN database username. Note: This values is overwritten by `global.db.auth.password`, if set. |
-| db.auth.username | string | `"ckan"` | CKAN database username. Note: This values is overwritten by `global.db.auth.username`, if set. |
-| db.dbname | string | `"ckan_default"` | CKAN database name. Note: This values is overwritten by `global.db.dbname`, if set. |
-| db.port | int | `5432` | CKAN database port. Note: This values is overwritten by `global.db.port`, if set. |
+| db.auth.password | string | `"changeMe"` | Database password for the CKAN database user. Note: This values is overwritten by `global.db.auth.password`, if set. |
+| db.auth.postgresPassword | string | `"changeMe"` | Postgres database password. This is the password of the database superuser. Used to set `POSTGRES_PASSWORD`, see [Postgres Docker docs](https://hub.docker.com/_/postgres/) for more. Note: This values is overwritten by `global.db.auth.postgresPassword`, if set. |
+| db.auth.postgresUsername | string | `"postgres"` | Postgres database username. This is the username of the database superuser. Used to set `POSTGRES_USERNAME`, see [Postgres Docker docs](https://hub.docker.com/_/postgres/) for more. Note: This values is overwritten by `global.db.auth.postgresUsername`, if set. |
+| db.auth.username | string | `"ckan"` | Database username for the CKAN database. Note: This values is overwritten by `global.db.auth.username`, if set. |
+| db.dbname | string | `"ckan_default"` | Database name of the CKAN database. Note: This values is overwritten by `global.db.dbname`, if set. |
+| db.port | int | `5432` | Database port. Note: This values is overwritten by `global.db.port`, if set. |
+| db.postgresDbname | string | `"postgres"` | Postgres database username. This is the name of the default superuser database. Used to set `POSTGRES_DB`, see [Postgres Docker docs](https://hub.docker.com/_/postgres/) for more. Note: This values is overwritten by `global.db.postgresDbname`, if set. |
 | enabled | bool | `true` | Enable/disable PostGIS database |
 | extraEnv | object | `{}` | Extra environment variables for PostGIS. |
 | fullnameOverride | string | `"postgis"` | Override fullname |

charts/sddi-ckan/charts/postgis/templates/postgis-configMap-init.yml

@@ -9,21 +9,73 @@ metadata:
     app.kubernetes.io/part-of: sddi-ckan
     app.kubernetes.io/component: {{ .Values.component }}
 data:
-  initdb.sql: |-
-    -- Create PostGIS extension in default (=CKAN) database
-    CREATE EXTENSION POSTGIS;
+  01_createRoles.sh: |
+    #!/bin/bash
+    set -e
+
+    echo "create roles..."
+
+    export PGPASSWORD="$POSTGRES_PASSWORD"
+    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+
+    -- CKAN role
+    CREATE ROLE {{ .Values.global.db.auth.username | default .Values.db.auth.username | quote }}
+      NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN
+      PASSWORD {{ .Values.global.db.auth.password | default .Values.db.auth.password | squote }};
+
+    -- Datastore RW
+    CREATE ROLE {{ .Values.global.datastore.auth.rw.username | default .Values.datastore.auth.rw.username | quote }}
+      NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN
+      PASSWORD {{ .Values.global.datastore.auth.rw.password | default .Values.datastore.auth.rw.password | squote }};
+
+    -- Datastore RO
+    CREATE ROLE {{ .Values.global.datastore.auth.ro.username | default .Values.datastore.auth.ro.username | quote }}
+      NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN
+      PASSWORD {{ .Values.global.datastore.auth.ro.password | default .Values.datastore.auth.ro.password | squote }};
+
+    EOSQL
+
+    echo "Create roles...done!"
+
+  02_createDatabases.sh: |
+    #!/bin/bash
+    set -e
+
+    echo "Create databases..."
+
+    export PGPASSWORD="$POSTGRES_PASSWORD"
+    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+
+    -- CKAN database
+    CREATE DATABASE {{ .Values.global.db.dbname | default .Values.db.dbname | quote }}
+    OWNER {{ .Values.global.db.auth.username | default .Values.db.auth.username | quote }}
+    ENCODING 'utf-8';
+
+    -- Datastore database
+    CREATE DATABASE {{ .Values.global.datastore.dbname | default .Values.datastore.dbname | quote }}
+    OWNER {{ .Values.global.datastore.auth.rw.username | default .Values.datastore.auth.rw.username | quote }}
+    ENCODING 'utf-8';
+
+    EOSQL
+
+    echo "Create databases...done!"
+
+  03_createPostGIS.sh: |
+    #!/bin/bash
+    set -e
+
+    echo "Create PostGIS..."
+
+    export PGPASSWORD="$POSTGRES_PASSWORD"
+    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" \
+      --dbname {{ .Values.global.db.dbname | default .Values.db.dbname | quote }} <<-EOSQL
+
+    CREATE EXTENSION postgis;
     ALTER VIEW geometry_columns OWNER TO {{ .Values.global.db.auth.username | default .Values.db.auth.username | quote }};
     ALTER TABLE spatial_ref_sys OWNER TO {{ .Values.global.db.auth.username | default .Values.db.auth.username | quote }};
 
-    -- Create datastore users
-    -- read-only
-    CREATE ROLE {{ .Values.global.datastore.auth.ro.username | default .Values.datastore.auth.ro.username | quote }}
-      NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD {{ .Values.global.datastore.auth.ro.password | default .Values.datastore.auth.ro.password | squote }};
+    EOSQL
 
-    -- read-write
-    CREATE ROLE {{ .Values.global.datastore.auth.rw.username | default .Values.datastore.auth.rw.username | quote }}
-      SUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD {{ .Values.global.datastore.auth.rw.password | default .Values.datastore.auth.rw.password | squote }};
+    echo "Create PostGIS...done!"
 
-    CREATE DATABASE {{ .Values.global.datastore.dbname | default .Values.datastore.dbname | quote }} OWNER
-      {{ .Values.global.datastore.auth.rw.username | default .Values.datastore.auth.rw.username | quote }} ENCODING 'utf-8';
 {{- end -}}

charts/sddi-ckan/charts/postgis/templates/postgis-configMap.yml

@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/part-of: sddi-ckan
     app.kubernetes.io/component: database
 data:
-  POSTGRES_DB: {{ .Values.global.db.dbname | default .Values.db.dbname | quote }}
+  POSTGRES_DB: {{ .Values.global.db.postgresDbname | default .Values.db.postgresDbname | quote }}
   PGDATA: "{{ .Values.persistence.mountPath }}{{ .Values.persistence.pgdataSubPath }}"
   {{- with .Values.extraEnv }}
     {{- toYaml . | nindent 2 }}

charts/sddi-ckan/charts/postgis/templates/postgis-secret.yml

@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/part-of: sddi-ckan
     app.kubernetes.io/component: {{ .Values.component }}
 type: Opaque
-data:
-  POSTGRES_USER: {{ .Values.global.db.auth.username | default .Values.db.auth.username | b64enc }}
-  POSTGRES_PASSWORD: {{ .Values.global.db.auth.password | default .Values.db.auth.password | b64enc }}
+stringData:
+  POSTGRES_USER: {{ .Values.global.db.auth.postgresUsername | default .Values.db.auth.postgresUsername }}
+  POSTGRES_PASSWORD: {{ .Values.global.db.auth.postgresPassword | default .Values.db.auth.postgresPassword }}
 {{- end -}}