[Postgres] support custom pg_hba.conf (CloudPirates-io#157)

* [postgres] add support for custom pg_hba config

* [postgres] bump chart version

* Update CHANGELOG.md

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

---------

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: dloewen2

charts/postgres/CHANGELOG.md

@@ -1,5 +1,31 @@
 # Changelog
 
-## 0.5.2 (2025-09-24)
+## 0.5.3 (2025-09-25)
 
-* [postgres] fix: Change default name for CUSTOM_PASSWORD ([#144](https://github.com/CloudPirates-io/helm-charts/pull/144))
+* [Postgres] support custom pg_hba.conf ([#157](https://github.com/CloudPirates-io/helm-charts/pull/157))
+
+## <small>0.2.1 (2025-08-26)</small>
+
+* add first draft of postgres helm-chart ([ac297fa](https://github.com/CloudPirates-io/helm-charts/commit/ac297fa))
+* add postgres-secret lookup ([e628c3f](https://github.com/CloudPirates-io/helm-charts/commit/e628c3f))
+* added support for service account configuration (#15) ([541a9df](https://github.com/CloudPirates-io/helm-charts/commit/541a9df)), closes [#15](https://github.com/CloudPirates-io/helm-charts/issues/15)
+* fix common-parameter-test image tag ([5773314](https://github.com/CloudPirates-io/helm-charts/commit/5773314))
+* fix statefulset annotations ([b6cd6b8](https://github.com/CloudPirates-io/helm-charts/commit/b6cd6b8))
+* update chart to statefulset ([5a5b6ea](https://github.com/CloudPirates-io/helm-charts/commit/5a5b6ea))
+* Add ArtifactHub Badges to all Charts ([08b855b](https://github.com/CloudPirates-io/helm-charts/commit/08b855b))
+* Add ArtifactHub repo config ([15180a8](https://github.com/CloudPirates-io/helm-charts/commit/15180a8))
+* Add cosign signature READMEs ([5f82e7f](https://github.com/CloudPirates-io/helm-charts/commit/5f82e7f))
+* Add extensive chart testing ([a46efac](https://github.com/CloudPirates-io/helm-charts/commit/a46efac))
+* Add generated values.schema.json files from values.yaml ([aa79ac3](https://github.com/CloudPirates-io/helm-charts/commit/aa79ac3))
+* add logos to helm-charts ([fc70cdc](https://github.com/CloudPirates-io/helm-charts/commit/fc70cdc))
+* Fix image tag/digest handling ([a5c982b](https://github.com/CloudPirates-io/helm-charts/commit/a5c982b))
+* Fix imagePullSecrets format and pull always ([ce0d301](https://github.com/CloudPirates-io/helm-charts/commit/ce0d301))
+* fix readme.md install text, update chart.yaml home-website ([3511582](https://github.com/CloudPirates-io/helm-charts/commit/3511582))
+* Format README files ([04aacab](https://github.com/CloudPirates-io/helm-charts/commit/04aacab))
+* Release new chart versions / update sources ([dbb0e45](https://github.com/CloudPirates-io/helm-charts/commit/dbb0e45))
+* Remove leading $ from code blocks ([836b2e3](https://github.com/CloudPirates-io/helm-charts/commit/836b2e3))
+* Update docker.io/postgres Docker tag to v17.6 ([68b8e32](https://github.com/CloudPirates-io/helm-charts/commit/68b8e32))
+* Update postgres to 17.6 ([52b6e17](https://github.com/CloudPirates-io/helm-charts/commit/52b6e17))
+* update readme, chart.yaml texts and descriptions ([0179046](https://github.com/CloudPirates-io/helm-charts/commit/0179046))
+* Use existing secret ([024bd0f](https://github.com/CloudPirates-io/helm-charts/commit/024bd0f))
+* fix: chart icon urls ([cc38c0d](https://github.com/CloudPirates-io/helm-charts/commit/cc38c0d))

charts/postgres/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: postgres
 description: The World's Most Advanced Open Source Relational Database
 type: application
-version: 0.5.2
+version: 0.5.3
 appVersion: "17.6"
 keywords:
   - postgres

charts/postgres/README.md

@@ -70,12 +70,12 @@ The following table lists the configurable parameters of the PostgreSQL chart an
 
 ### PostgreSQL image configuration
 
-| Parameter            | Description                                  | Default                                                                        |
-| -------------------- | -------------------------------------------- | ------------------------------------------------------------------------------ |
-| `image.registry`     | PostgreSQL image registry                    | `docker.io`                                                                    |
-| `image.repository`   | PostgreSQL image repository                  | `postgres`                                                                     |
-| `image.tag`          | PostgreSQL image tag (immutable tags are recommended) | `"17.6@sha256:feff5b24fedd610975a1f5e743c51a4b360437f4dc3a11acf740dcd708f413f6"` |
-| `image.imagePullPolicy` | PostgreSQL image pull policy              | `Always`                                                                       |
+| Parameter               | Description                                           | Default                                                                          |
+| ----------------------- | ----------------------------------------------------- | -------------------------------------------------------------------------------- |
+| `image.registry`        | PostgreSQL image registry                             | `docker.io`                                                                      |
+| `image.repository`      | PostgreSQL image repository                           | `postgres`                                                                       |
+| `image.tag`             | PostgreSQL image tag (immutable tags are recommended) | `"17.6@sha256:feff5b24fedd610975a1f5e743c51a4b360437f4dc3a11acf740dcd708f413f6"` |
+| `image.imagePullPolicy` | PostgreSQL image pull policy                          | `Always`                                                                         |
 
 ### Deployment configuration
 
@@ -108,13 +108,13 @@ The following table lists the configurable parameters of the PostgreSQL chart an
 
 ### PostgreSQL Authentication
 
-| Parameter                                | Description                                                                           | Default                  |
-| ---------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------ |
-| `auth.username`                          | Name for a custom superuser to create at initialisation. (This will also create a database with the same name)                                                      | `"openfga"`             |
-| `auth.password`                          | Password for the custom user to create                                                | `""`                     |
-| `auth.database`                          | Alternative name for the default database to be created at initialisation                                                  | `""`                     |
-| `auth.existingSecret`                    | Name of existing secret to use for PostgreSQL credentials                             | `""`                     |
-| `auth.secretKeys.passwordKey`       | Name of key in existing secret to use for PostgreSQL credentials                      | `"postgres-password"`    |
+| Parameter                     | Description                                                                                                    | Default               |
+| ----------------------------- | -------------------------------------------------------------------------------------------------------------- | --------------------- |
+| `auth.username`               | Name for a custom superuser to create at initialisation. (This will also create a database with the same name) | `"openfga"`           |
+| `auth.password`               | Password for the custom user to create                                                                         | `""`                  |
+| `auth.database`               | Alternative name for the default database to be created at initialisation                                      | `""`                  |
+| `auth.existingSecret`         | Name of existing secret to use for PostgreSQL credentials                                                      | `""`                  |
+| `auth.secretKeys.passwordKey` | Name of key in existing secret to use for PostgreSQL credentials                                               | `"postgres-password"` |
 
 ### PostgreSQL Configuration
 
@@ -133,24 +133,25 @@ The following table lists the configurable parameters of the PostgreSQL chart an
 | `config.postgresqlLogMinDurationStatement`    | Sets the minimum execution time above which statements will be logged                   | `""`    |
 | `config.extraConfig`                          | Additional PostgreSQL configuration parameters                                          | `[]`    |
 | `config.existingConfigmap`                    | Name of existing ConfigMap with PostgreSQL configuration                                | `""`    |
+| `config.pgHbaConfig`                          | Content of a custom pg_hba.conf file to be used instead of the default config           | `""`    |
 
 ### Custom User Configuration
-| Parameter                                     | Description                                                                             | Default |
-| --------------------------------------------- | --------------------------------------------------------------------------------------- | ------- |
-| `customUser`     | Optional user to be created at initialisation with a custom password and database                                         | `{}`    |
-| `customUser.name`     | Name of the custom user to be created                                        | `""`    |
-| `customUser.database`     | Name of the database to be created                                        | `""`    |
-| `customUser.password`     | Password to be used for the custom user                                        | `""`    |
-| `customUser.existingSecret`     | Existing secret, in which username, password and database name are saved           | `""`    |
-| `customUser.secretKeys`     | Name of keys in existing secret to use the custom user name, password and database           | `{name: "", database: "", password: ""}`    |
+| Parameter                   | Description                                                                        | Default                                  |
+| --------------------------- | ---------------------------------------------------------------------------------- | ---------------------------------------- |
+| `customUser`                | Optional user to be created at initialisation with a custom password and database  | `{}`                                     |
+| `customUser.name`           | Name of the custom user to be created                                              | `""`                                     |
+| `customUser.database`       | Name of the database to be created                                                 | `""`                                     |
+| `customUser.password`       | Password to be used for the custom user                                            | `""`                                     |
+| `customUser.existingSecret` | Existing secret, in which username, password and database name are saved           | `""`                                     |
+| `customUser.secretKeys`     | Name of keys in existing secret to use the custom user name, password and database | `{name: "", database: "", password: ""}` |
 
 ### PostgreSQL Initdb Configuration
 
-| Parameter                 | Description                                                                   | Default |
-| ------------------------- | ----------------------------------------------------------------------------- | ------- |
+| Parameter                 | Description                                                                      | Default |
+| ------------------------- | -------------------------------------------------------------------------------- | ------- |
 | `initdb.args`             | Send arguments to postgres initdb. This is a space separated string of arguments | `""`    |
-| `initdb.scripts`          | Dictionary of initdb scripts                                                   | `{}`    |
-| `initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot                                | `""`    |
+| `initdb.scripts`          | Dictionary of initdb scripts                                                     | `{}`    |
+| `initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot                                   | `""`    |
 
 ### Service configuration
 
@@ -193,7 +194,7 @@ The following table lists the configurable parameters of the PostgreSQL chart an
 ### Persistent Volume Claim Retention Policy
 
 | Parameter                                          | Description                                                                    | Default    |
-| -------------------------------------------------- | ------------------------------------------------------------------------------ | -----------|
+| -------------------------------------------------- | ------------------------------------------------------------------------------ | ---------- |
 | `persistentVolumeClaimRetentionPolicy.enabled`     | Enable Persistent volume retention policy for the Statefulset                  | `false`    |
 | `persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted         | `"Retain"` |
 | `persistentVolumeClaimRetentionPolicy.whenScaled`  | Volume retention behavior when the replica count of the StatefulSet is reduced | `"Retain"` |
@@ -246,10 +247,10 @@ The following table lists the configurable parameters of the PostgreSQL chart an
 
 ### Extra Configuration Parameters
 
-| Parameter            | Description                                                            | Default   |
-|----------------------|------------------------------------------------------------------------|-----------|
-| `extraObjects`       | Array of extra objects to deploy with the release                      | `[]`      |
-| `extraEnvVarsSecret` | Name of an existing Secret containing additional environment variables | ``        |
+| Parameter            | Description                                                            | Default |
+| -------------------- | ---------------------------------------------------------------------- | ------- |
+| `extraObjects`       | Array of extra objects to deploy with the release                      | `[]`    |
+| `extraEnvVarsSecret` | Name of an existing Secret containing additional environment variables | ``      |
 
 #### Extra Objects
 

charts/postgres/templates/configmap.yaml

@@ -11,6 +11,10 @@ metadata:
     {{- include "postgres.annotations" . | nindent 4 }}
   {{- end }}
 data:
+  {{- if .Values.config.pgHbaConfig }}
+  pg_hba.conf: |
+{{ .Values.config.pgHbaConfig | indent 4 }}
+  {{- end }}
   postgresql.conf: |
     # PostgreSQL configuration file
     
@@ -99,6 +103,11 @@ data:
     lc_time = 'en_US.utf8'
     default_text_search_config = 'pg_catalog.english'
     
+    {{ if .Values.config.pgHbaConfig }}
+    # Set custom pg_hba.conf file to use
+    hba_file = '{{ include "postgres.configDir" . }}/pg_hba.conf'
+    {{- end }}
+
     # Additional Configuration
     {{- range .Values.config.extraConfig }}
     {{ . }}

charts/postgres/templates/statefulset.yaml

@@ -42,6 +42,9 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: {{ include "postgres.image" . }}
           imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+          args:
+            - -c
+            - 'config_file={{ include "postgres.configDir" . }}/postgresql.conf'
           env:
             - name: PGDATA
               value: {{ include "postgres.dataDir" . }}/pgdata

charts/postgres/values.yaml

@@ -99,6 +99,8 @@ config:
   extraConfig: []
   ## @param config.existingConfigmap Name of existing ConfigMap with PostgreSQL configuration
   existingConfigmap: ""
+  ## @param config.pgHbaConfig Content of a custom pg_hba.conf file to be used instead of the default config
+  pgHbaConfig: ""
 
 ## @section customUser Optional user to be created at initialisation with a custom password and database
 customUser: {}