update Bitnami Postgres subchart (#102)

wojcik91 · web-flow · commit 7c1511568895 · 2025-10-15T13:48:44.000+02:00
* add nix setup

* update postgres chart

* specify postgres image

* add chart readme with warning

* bump core version

* add chart validation workflow

* don't pin helm versions

* update component names
diff --git a/.github/workflows/lint_charts.yml b/.github/workflows/lint_charts.yml
@@ -0,0 +1,47 @@
+name: Lint Helm Charts
+
+on:
+  pull_request:
+    paths:
+      - 'charts/**'
+
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    runs-on: [self-hosted, Linux, X64]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Lint Helm charts
+        run: |
+          for chart in charts/*/; do
+            if [ -f "$chart/Chart.yaml" ]; then
+              echo "Validating $chart"
+              helm lint "$chart"
+              helm template "$chart" --debug
+            fi
+          done
+
+      - name: Setup kubeconform
+        uses: alexellis/arkade-get@master
+        with:
+          kubeconform: latest
+
+      - name: Validate Kubernetes manifests
+        run: |
+          for chart in charts/*/; do
+            if [ -f "$chart/Chart.yaml" ]; then
+              echo "Validating Kubernetes manifests for $chart"
+              helm template "$chart" | kubeconform -strict -ignore-missing-schemas
+            fi
+          done
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -21,9 +21,7 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.14.0
+        uses: azure/setup-helm@v4
 
       # https://github.com/helm/chart-releaser-action/issues/74
       - name: Add repositories
diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,5 @@ terraform/**/terraform.tfstate
 terraform/**/terraform.tfstate.backup
 terraform/**/.*
 terraform/**/*.tfvars
+.direnv/
+.envrc
diff --git a/charts/defguard/Chart.lock b/charts/defguard/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 12.12.10
+  version: 18.0.8
 - name: defguard-proxy
   repository: https://defguard.github.io/deployment
   version: 0.7.1
 - name: defguard-gateway
   repository: https://defguard.github.io/deployment
   version: 0.4.1
-digest: sha256:7bb441a6a7ccae95df1f9647054809361a3d76b27a49633f3b6407b297780fc2
-generated: "2025-10-02T13:49:57.788416548+02:00"
+digest: sha256:f36d1a1caf0c7cc8305a9e50501e507b1bab8adeac8770b7873ea8359f6a35f6
+generated: "2025-10-09T12:08:15.737758702+02:00"
diff --git a/charts/defguard/Chart.yaml b/charts/defguard/Chart.yaml
@@ -3,13 +3,13 @@ name: defguard
 description: Defguard is an open-source enterprise WireGuard VPN with MFA and SSO
 
 type: application
-version: 0.12.4
-appVersion: 1.5.1
+version: 0.13.0
+appVersion: 1.5.2
 
 dependencies:
   - name: postgresql
     condition: postgresql.enabled
-    version: 12.12.10
+    version: 18.0.8
     repository: https://charts.bitnami.com/bitnami
   - name: defguard-proxy
     condition: defguard-proxy.enabled
diff --git a/charts/defguard/README.md b/charts/defguard/README.md
@@ -0,0 +1,20 @@
+ <p align="center">
+    <img src="docs/header.png" alt="defguard">
+ </p>
+
+# Defguard Helm chart
+
+This Helm chart can be used to deploy the whole [Defguard](https://defguard.net/) stack:
+
+- Defguard Core service
+- Postgres database
+- Defguard Gateway service 
+- public Defguard Proxy service
+
+Check our [documentation](https://docs.defguard.net/deployment-strategies/kubernetes) for deployment
+instructions.
+
+## ⚠️ Important: Postgres image tags 
+
+Due to changes in Bitnami policy the Postgres subchart now uses the `latest` tag by default.
+Remember to set a specific tag in your `values.yaml` to avoid issues with major version upgrades in production environments.
diff --git a/charts/defguard/charts/postgresql-12.12.10.tgz b/charts/defguard/charts/postgresql-12.12.10.tgz
diff --git a/charts/defguard/charts/postgresql-18.0.8.tgz b/charts/defguard/charts/postgresql-18.0.8.tgz
diff --git a/charts/defguard/values.yaml b/charts/defguard/values.yaml
@@ -93,6 +93,9 @@ postgresql:
     existingSecret: postgres-password
     existingSecretPasswordKey: "" # set if using external postgresql ~ enabled: false
     username: defguard
+  image:
+    repository: bitnami/postgresql
+    tag: latest # IMPORTANT: set to a specific tag to avoid issues with major version upgrades
 
 #
 # sub-chart defguard-proxy
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -0,0 +1,27 @@
+{
+  description = "Simple devshell flake";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = {
+    nixpkgs,
+    flake-utils,
+    ...
+  }:
+    flake-utils.lib.eachDefaultSystem (system: let
+      pkgs = import nixpkgs {
+        inherit system;
+      };
+    in {
+      devShells.default = pkgs.mkShell {
+        packages = with pkgs; [
+          kubectl
+          kubernetes-helm
+          kubeconform
+        ];
+      };
+    });
+}

Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,9 @@ postgresql:`
`93`	`93`	`existingSecret: postgres-password`
`94`	`94`	`existingSecretPasswordKey: "" # set if using external postgresql ~ enabled: false`
`95`	`95`	`username: defguard`
	`96`	`+ image:`
	`97`	`+ repository: bitnami/postgresql`
	`98`	`+ tag: latest # IMPORTANT: set to a specific tag to avoid issues with major version upgrades`
`96`	`99`
`97`	`100`	`#`
`98`	`101`	`# sub-chart defguard-proxy`