chart: bump version to 0.4.3 and add Supabase Vault configuration options

darkliyznyanlin910 · darkliyznyanlin910 · commit a84c660f503b · 2026-02-03T15:26:34.000+08:00
diff --git a/.gitignore b/.gitignore
@@ -1 +1,3 @@
 /volumes/db/data
+
+.DS_Store
diff --git a/charts/cnpg-cluster/Chart.yaml b/charts/cnpg-cluster/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.2
+version: 0.4.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/cnpg-cluster/templates/cnpg-cluster.yaml b/charts/cnpg-cluster/templates/cnpg-cluster.yaml
@@ -56,6 +56,23 @@ spec:
       max_parallel_workers_per_gather: "2"
       max_parallel_workers: "4"
 
+      {{- if .Values.vault.enabled }}
+      # pgsodium configuration for Supabase Vault
+      # https://github.com/michelp/pgsodium
+      pgsodium.enable_event_trigger: "off"
+      pgsodium.getkey_script: {{ .Values.vault.getkeyScript | quote }}
+      {{- end }}
+    {{- $libs := .Values.sharedPreloadLibraries | default list }}
+    {{- if .Values.vault.enabled }}
+    {{- $libs = append $libs "supabase_vault" }}
+    {{- end }}
+    {{- if $libs }}
+    shared_preload_libraries:
+      {{- range $libs }}
+      - {{ . }}
+      {{- end }}
+    {{- end }}
+
     {{ if (gt (.Values.instances | int) 1) }}
     # Synchronous replication for data durability
     synchronous:
@@ -64,6 +81,22 @@ spec:
       number: 1
     {{- end }}
 
+  {{- if .Values.vault.enabled }}
+  # https://cloudnative-pg.io/documentation/current/cluster_conf/#environment-variables
+  env:
+    - name: EXTENSION_PGSODIUM_KEY_FILE
+      value: /projected/pgsodium_root.key
+
+  # https://cloudnative-pg.io/documentation/current/cluster_conf/#projected-volumes
+  projectedVolumeTemplate:
+    sources:
+      - secret:
+          name: {{ .Values.vault.secretName }}
+          items:
+            - key: {{ .Values.vault.secretKey }}
+              path: pgsodium_root.key
+  {{- end }}
+
   storage:
     storageClass: {{ .Values.storageClass }}
     size: {{ .Values.storageSize }}
diff --git a/charts/cnpg-cluster/values.yaml b/charts/cnpg-cluster/values.yaml
@@ -52,6 +52,10 @@ connections:
 storageClass: standard
 storageSize: 4Gi
 
+# Additional shared preload libraries
+# vault.enabled automatically adds supabase_vault
+sharedPreloadLibraries: []
+
 objectStore:
   endpoint: https://s3.ap-southeast-1.amazonaws.com
   bucketName: cnpg-backups
@@ -100,3 +104,14 @@ pooler:
     enabled: true
     instances: 1
     mode: transaction
+
+# Supabase Vault (pgsodium) configuration
+# https://supabase.com/docs/guides/database/vault
+vault:
+  enabled: false
+  # Secret containing the pgsodium root key
+  secretName: pgsodium-root-key
+  # Key name within the secret
+  secretKey: pgsodium_root.key
+  # Path to the getkey script in the container
+  getkeyScript: /usr/share/postgresql/extension/pgsodium_getkey

Original file line number	Diff line number	Diff line change
`@@ -1 +1,3 @@`
`1`	`1`	`/volumes/db/data`
	`2`	`+`
	`3`	`+.DS_Store`