From affecd940f2c9104216f5432cb5b176c27d927f1 Mon Sep 17 00:00:00 2001 From: Sven Tennie Date: Fri, 12 Jun 2026 12:44:31 +0000 Subject: [PATCH 1/4] Migrate ephemeral postgresql from bitnami chart to CloudNativePG The bitnami postgresql images are no longer publicly available, so the bitnami chart can't be used for integration test bring-up. Replace the two bitnami postgresql releases with CloudNativePG: one operator per namespace (namespace-scoped via WATCH_NAMESPACE) plus a single-instance cnpg/cluster release per namespace. The wire-server postgresql host config switches from "postgresql" to "postgresql-rw" (CNPG's primary service). PostgreSQL is pinned to 17 to match what the unpinned bitnami chart was pulling. Application database wire-server stays owned by postgres; the wire-server role and the dyn-N databases are created via postInitSQL. --- hack/helm_vars/postgresql/values.yaml.gotmpl | 25 +++++-- hack/helm_vars/wire-server/values.yaml.gotmpl | 6 +- hack/helmfile.yaml.gotmpl | 74 +++++++++++++------ 3 files changed, 72 insertions(+), 33 deletions(-) diff --git a/hack/helm_vars/postgresql/values.yaml.gotmpl b/hack/helm_vars/postgresql/values.yaml.gotmpl index f6a9456280f..9dd4b7f7e89 100644 --- a/hack/helm_vars/postgresql/values.yaml.gotmpl +++ b/hack/helm_vars/postgresql/values.yaml.gotmpl @@ -1,12 +1,21 @@ -auth: - postgresPassword: "posty-the-gres" - username: wire-server - password: "posty-the-gres" -primary: +version: + postgresql: "17" +cluster: + instances: 1 + storage: + size: 8Gi + storageClass: {{ .Values.storageClass }} resources: requests: cpu: 1 memory: 2Gi - limits: {} - extendedConfiguration: | - max_connections = 1500 + monitoring: + enabled: false + postgresql: + parameters: + max_connections: "1500" + initdb: + database: wire-server + owner: postgres +backups: + enabled: false diff --git a/hack/helm_vars/wire-server/values.yaml.gotmpl b/hack/helm_vars/wire-server/values.yaml.gotmpl index d3922380f9d..17417de394f 100644 
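Review bot: `storageClass: {{ .Values.storageClass }}` in the added `cluster.storage` block is an unquoted templated scalar, and its behaviour for an empty or unset value differs from the quoted form: unquoted it renders `storageClass:` (YAML null, so the chart falls back to its default), while `storageClass: "{{ .Values.storageClass }}"` would render `""`, which a PVC treats as "no storage class at all". Decide which of the two is intended and record it, e.g. `# left unquoted on purpose: an empty storageClass must render as null, not ""`; if the value is always set, quoting it is the safer form because it also protects against values starting with a YAML indicator. The other new scalars are fine — `postgresql: "17"` and `max_connections: "1500"` are correctly quoted strings, and disabling `monitoring` and `backups` is appropriate for an ephemeral test cluster.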
--- a/hack/helm_vars/wire-server/values.yaml.gotmpl +++ b/hack/helm_vars/wire-server/values.yaml.gotmpl @@ -63,7 +63,7 @@ brig: key: "ca.crt" {{- end }} postgresql: - host: "postgresql" + host: "postgresql-rw" port: "5432" user: wire-server dbname: wire-server @@ -288,7 +288,7 @@ galley: key: "ca.crt" {{- end }} postgresql: - host: postgresql + host: postgresql-rw port: "5432" user: wire-server dbname: wire-server @@ -641,7 +641,7 @@ background-worker: pushBackoffMaxWait: 500000 # 0.5s remotesRefreshInterval: 1000000 # 1s postgresql: - host: "postgresql" + host: "postgresql-rw" port: "5432" user: wire-server dbname: wire-server diff --git a/hack/helmfile.yaml.gotmpl b/hack/helmfile.yaml.gotmpl index bb1bedad9bc..f4fc0a2b795 100644 --- a/hack/helmfile.yaml.gotmpl +++ b/hack/helmfile.yaml.gotmpl @@ -95,6 +95,9 @@ repositories: - name: groundhog2k url: https://groundhog2k.github.io/helm-charts + - name: cnpg + url: https://cloudnative-pg.github.io/charts + releases: - name: 'fake-aws' namespace: '{{ .Values.namespace1 }}' 
@@ -160,39 +163,66 @@ releases: namespace: '{{ .Values.namespace2 }}' chart: '../.local/charts/cassandra-ephemeral' + - name: "cnpg-operator-1" + namespace: "{{ .Values.namespace1 }}" + chart: "cnpg/cloudnative-pg" + values: + - fullnameOverride: "cnpg-operator-1" + config: + clusterWide: false + data: + WATCH_NAMESPACE: "{{ .Values.namespace1 }}" + + - name: "cnpg-operator-2" + namespace: "{{ .Values.namespace2 }}" + chart: "cnpg/cloudnative-pg" + needs: + - "{{ .Values.namespace1 }}/cnpg-operator-1" + values: + - fullnameOverride: "cnpg-operator-2" + config: + clusterWide: false + data: + WATCH_NAMESPACE: "{{ .Values.namespace2 }}" + crds: + create: false + webhook: + mutating: + create: false + validating: + create: false + - name: "postgresql" namespace: "{{ .Values.namespace1 }}" - chart: "bitnami/postgresql" + chart: "cnpg/cluster" + needs: + - "{{ .Values.namespace1 }}/cnpg-operator-1" values: - - './helm_vars/bitnami.yaml' - './helm_vars/postgresql/values.yaml.gotmpl' - - primary: + - cluster: initdb: - scripts: - init.sql: | - CREATE DATABASE "wire-server"; - CREATE DATABASE "dyn-1"; - CREATE DATABASE "dyn-2"; - CREATE DATABASE "dyn-3"; - - GRANT ALL PRIVILEGES ON DATABASE "wire-server" TO "wire-server"; - GRANT ALL PRIVILEGES ON DATABASE "dyn-1" TO "wire-server"; - GRANT ALL PRIVILEGES ON DATABASE "dyn-2" TO "wire-server"; - GRANT ALL PRIVILEGES ON DATABASE "dyn-3" TO "wire-server"; + postInitSQL: + - CREATE ROLE "wire-server" WITH LOGIN PASSWORD 'posty-the-gres' + - GRANT ALL PRIVILEGES ON DATABASE "wire-server" TO "wire-server" + - CREATE DATABASE "dyn-1" + - CREATE DATABASE "dyn-2" + - CREATE DATABASE "dyn-3" + - GRANT ALL PRIVILEGES ON DATABASE "dyn-1" TO "wire-server" + - GRANT ALL PRIVILEGES ON DATABASE "dyn-2" TO "wire-server" + - GRANT ALL PRIVILEGES ON DATABASE "dyn-3" TO "wire-server" - name: "postgresql" namespace: "{{ .Values.namespace2 }}" - chart: "bitnami/postgresql" + chart: "cnpg/cluster" + needs: + - "{{ .Values.namespace2 
}}/cnpg-operator-2" values: - - './helm_vars/bitnami.yaml' - './helm_vars/postgresql/values.yaml.gotmpl' - - primary: + - cluster: initdb: - scripts: - init.sql: | - CREATE DATABASE "wire-server"; - - GRANT ALL PRIVILEGES ON DATABASE "wire-server" TO "wire-server"; + postInitSQL: + - CREATE ROLE "wire-server" WITH LOGIN PASSWORD 'posty-the-gres' + - GRANT ALL PRIVILEGES ON DATABASE "wire-server" TO "wire-server" - name: 'opensearch-ephemeral' namespace: '{{ .Values.namespace1 }}' From effa66e023d4afea1182bc94db949d97e9cd3a65 Mon Sep 17 00:00:00 2001 From: Sven Tennie Date: Fri, 12 Jun 2026 13:31:56 +0000 Subject: [PATCH 2/4] Use existing cluster-wide CloudNativePG operator Drop the per-namespace cnpg operator releases. The cluster already has a cluster-wide operator installed in the cnpg-system namespace owning the cnpg CRDs, so attempting to install another operator collides on CRD ownership. The cnpg/cluster releases work directly against the existing operator. --- hack/helmfile.yaml.gotmpl | 33 --------------------------------- 1 file changed, 33 deletions(-) diff --git a/hack/helmfile.yaml.gotmpl b/hack/helmfile.yaml.gotmpl index f4fc0a2b795..7f1020f0447 100644 --- a/hack/helmfile.yaml.gotmpl +++ b/hack/helmfile.yaml.gotmpl 
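Review bot: None of the four new releases in this hunk (`cnpg-operator-1`, `cnpg-operator-2` and the two `chart: "cnpg/cluster"` entries) carries a `version:`, so the integration bring-up tracks whatever the newly added `cnpg` repository publishes next, as it did with the bitnami chart, and a breaking chart release can change the test database silently; add a pin next to each `chart:` line, e.g. `version: "<pinned-cnpg-chart-version>"`, and bump it deliberately. The `wire-server` role password is now an inline SQL literal in `CREATE ROLE "wire-server" WITH LOGIN PASSWORD 'posty-the-gres'`, duplicated across both releases, where it previously lived in a single values key; if the cnpg/cluster chart version you pin exposes `cluster.roles` (CNPG managed roles with a `passwordSecret`), that would keep the credential out of SQL strings and in one place. The `releases:` list continues above and below this hunk.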
@@ -163,40 +163,9 @@ releases: namespace: '{{ .Values.namespace2 }}' chart: '../.local/charts/cassandra-ephemeral' - - name: "cnpg-operator-1" - namespace: "{{ .Values.namespace1 }}" - chart: "cnpg/cloudnative-pg" - values: - - fullnameOverride: "cnpg-operator-1" - config: - clusterWide: false - data: - WATCH_NAMESPACE: "{{ .Values.namespace1 }}" - - - name: "cnpg-operator-2" - namespace: "{{ .Values.namespace2 }}" - chart: "cnpg/cloudnative-pg" - needs: - - "{{ .Values.namespace1 }}/cnpg-operator-1" - values: - - fullnameOverride: "cnpg-operator-2" - config: - clusterWide: false - data: - WATCH_NAMESPACE: "{{ .Values.namespace2 }}" - crds: - create: false - webhook: - mutating: - create: false - validating: - create: false - - name: "postgresql" namespace: "{{ .Values.namespace1 }}" chart: "cnpg/cluster" - needs: - - "{{ .Values.namespace1 }}/cnpg-operator-1" values: - './helm_vars/postgresql/values.yaml.gotmpl' - cluster: @@ -214,8 +183,6 @@ releases: - name: "postgresql" namespace: "{{ .Values.namespace2 }}" chart: "cnpg/cluster" - needs: - - "{{ .Values.namespace2 }}/cnpg-operator-2" values: - './helm_vars/postgresql/values.yaml.gotmpl' - cluster: From 574cb711d867dc48c3ab8e3751f72619ed4726ee Mon Sep 17 00:00:00 2001 From: Sven Tennie Date: Fri, 12 Jun 2026 15:20:35 +0000 Subject: [PATCH 3/4] Use dedicated dbadmin owner for postgresql databases initdb.owner: postgres caused CNPG to short-circuit and skip creating the wire-server application database, leading to a bootstrap failure. Switch the owner to a dedicated dbadmin role so CNPG creates the database normally. The wire-server role is created in postInitSQL as a grantee, and postInitApplicationSQL adds the PG15+ public schema grant that the role needs to create tables during migrations. --- hack/helm_vars/postgresql/values.yaml.gotmpl | 2 +- hack/helmfile.yaml.gotmpl | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) 
diff --git a/hack/helm_vars/postgresql/values.yaml.gotmpl b/hack/helm_vars/postgresql/values.yaml.gotmpl index 9dd4b7f7e89..80c4f34a8b1 100644 --- a/hack/helm_vars/postgresql/values.yaml.gotmpl +++ b/hack/helm_vars/postgresql/values.yaml.gotmpl @@ -16,6 +16,6 @@ cluster: max_connections: "1500" initdb: database: wire-server - owner: postgres + owner: dbadmin backups: enabled: false diff --git a/hack/helmfile.yaml.gotmpl b/hack/helmfile.yaml.gotmpl index 7f1020f0447..e6a3cb8ef30 100644 --- a/hack/helmfile.yaml.gotmpl +++ b/hack/helmfile.yaml.gotmpl @@ -179,6 +179,8 @@ releases: - GRANT ALL PRIVILEGES ON DATABASE "dyn-1" TO "wire-server" - GRANT ALL PRIVILEGES ON DATABASE "dyn-2" TO "wire-server" - GRANT ALL PRIVILEGES ON DATABASE "dyn-3" TO "wire-server" + postInitApplicationSQL: + - GRANT ALL ON SCHEMA public TO "wire-server" - name: "postgresql" namespace: "{{ .Values.namespace2 }}" @@ -190,6 +192,8 @@ releases: postInitSQL: - CREATE ROLE "wire-server" WITH LOGIN PASSWORD 'posty-the-gres' - GRANT ALL PRIVILEGES ON DATABASE "wire-server" TO "wire-server" + postInitApplicationSQL: + - GRANT ALL ON SCHEMA public TO "wire-server" - name: 'opensearch-ephemeral' namespace: '{{ .Values.namespace1 }}' From e16fb5c109aec49c5e1685da1bf0eede96467388 Mon Sep 17 00:00:00 2001 From: Sven Tennie Date: Fri, 12 Jun 2026 15:45:34 +0000 Subject: [PATCH 4/4] Move database GRANT to postInitApplicationSQL postInitSQL runs against the postgres system database before CNPG creates the application database, so GRANT ON DATABASE wire-server failed with database does not exist. Move the wire-server database grant to postInitApplicationSQL, which runs in the application database after it has been created. --- hack/helmfile.yaml.gotmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hack/helmfile.yaml.gotmpl b/hack/helmfile.yaml.gotmpl index e6a3cb8ef30..210f42d94a8 100644 --- a/hack/helmfile.yaml.gotmpl +++ b/hack/helmfile.yaml.gotmpl 
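Review bot: `owner: dbadmin` has CNPG create an extra login role with a generated password in the cluster's app secret that nothing in this setup connects as, while the role that actually connects, `wire-server`, is bolted on afterwards through `CREATE ROLE` and grants in the helmfile. If the chart passes CNPG's `initdb.secret` through, `owner: wire-server` with a pre-created secret holding the known password should let CNPG create the role itself and make it the database owner, which on PostgreSQL 15+ also carries the `public` schema rights the helmfile now grants by hand — worth confirming against the CNPG bootstrap documentation before changing it. Either way, a comment on this line such as `# dedicated owner: CNPG skips creating the application database when owner is postgres` would keep the reason from the commit message next to the setting. The `cluster:` mapping starts above this hunk.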
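Review bot: `GRANT ALL ON SCHEMA public TO "wire-server"` is added only under `postInitApplicationSQL`, which runs in the `wire-server` database, so the `dyn-1`/`dyn-2`/`dyn-3` databases created in `postInitSQL` of the namespace1 release get no such grant and, if wire-server also runs migrations in them, will hit the same PostgreSQL 15+ public-schema restriction this hunk works around. A statement in `postInitSQL` cannot reach another database either; CNPG's `postInitTemplateSQL` (executed in `template1`) is the usual way for newly created databases to inherit the grant, but that only helps if the dyn-N `CREATE DATABASE` statements run after it, so check the documented execution order before relying on it. The namespace2 release in the second helmfile hunk has no dyn-N databases and is unaffected. Both `postInitApplicationSQL` keys sit inside release entries that start above their hunks.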
@@ -172,7 +172,6 @@ releases: initdb: postInitSQL: - CREATE ROLE "wire-server" WITH LOGIN PASSWORD 'posty-the-gres' - - GRANT ALL PRIVILEGES ON DATABASE "wire-server" TO "wire-server" - CREATE DATABASE "dyn-1" - CREATE DATABASE "dyn-2" - CREATE DATABASE "dyn-3" @@ -180,6 +179,7 @@ releases: - GRANT ALL PRIVILEGES ON DATABASE "dyn-2" TO "wire-server" - GRANT ALL PRIVILEGES ON DATABASE "dyn-3" TO "wire-server" postInitApplicationSQL: + - GRANT ALL PRIVILEGES ON DATABASE "wire-server" TO "wire-server" - GRANT ALL ON SCHEMA public TO "wire-server" - name: "postgresql" @@ -191,8 +191,8 @@ releases: initdb: postInitSQL: - CREATE ROLE "wire-server" WITH LOGIN PASSWORD 'posty-the-gres' - - GRANT ALL PRIVILEGES ON DATABASE "wire-server" TO "wire-server" postInitApplicationSQL: + - GRANT ALL PRIVILEGES ON DATABASE "wire-server" TO "wire-server" - GRANT ALL ON SCHEMA public TO "wire-server" - name: 'opensearch-ephemeral'
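Review bot: After two rounds of moving statements between `postInitSQL` and `postInitApplicationSQL`, nothing in the helmfile records which database each list runs in, so the next edit is likely to repeat the mistake; add a comment above each `postInitSQL:` such as `# postInitSQL runs in the postgres db before the app db exists; postInitApplicationSQL runs inside wire-server`. The same comment applies to the other two hunks in this patch (both releases). The enclosing release entries start above the hunks.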