refactor: update PostgreSQL configuration to use CloudNativePG (#165)

- Removed PostgreSQL Helm dependency and updated documentation to reflect the use of CloudNativePG operator.
- Refactored values.yaml, values-dev.yaml, and values-prod.yaml to align with new PostgreSQL configuration structure.
- Updated helper functions in _helpers.tpl to accommodate changes in PostgreSQL settings.
- Adjusted secret.yaml to reflect the new configuration logic for PostgreSQL.

Author: nemerna

deploy/Makefile

@@ -96,8 +96,6 @@ deploy-prod: ## Deploy to production environment (sast-ai-prod namespace)
 
 .PHONY: _deploy
 _deploy: ## Internal deployment target
-	@helm repo add bitnami https://charts.bitnami.com/bitnami >/dev/null 2>&1 || true
-	@helm repo update >/dev/null 2>&1
 	@cd $(CHART_PATH) && helm dependency update
 	@helm install $(RELEASE_NAME) $(CHART_PATH) \
 		-f $(CHART_PATH)/values.yaml \
@@ -129,8 +127,6 @@ upgrade-prod: ## Upgrade production deployment
 
 .PHONY: _upgrade
 _upgrade: ## Internal upgrade target
-	@helm repo add bitnami https://charts.bitnami.com/bitnami >/dev/null 2>&1 || true
-	@helm repo update >/dev/null 2>&1
 	@cd $(CHART_PATH) && helm dependency update
 	@helm upgrade $(RELEASE_NAME) $(CHART_PATH) \
 		-f $(CHART_PATH)/values.yaml \
@@ -182,8 +178,9 @@ status: ## Show deployment status
 .PHONY: wait-pods
 wait-pods: ## Wait for pods to be ready
 	@echo "Waiting for SAST AI to be ready..."
-	@echo "Checking PostgreSQL database..."
-	@$(KUBECTL_CMD) wait --for=condition=ready pod -l app.kubernetes.io/name=postgresql -n $(NAMESPACE) --timeout=300s
+	@echo "Checking CloudNativePG PostgreSQL cluster..."
+	@$(KUBECTL_CMD) wait --for=condition=ready cluster $(RELEASE_NAME)-db -n $(NAMESPACE) --timeout=300s 2>/dev/null || \
+		$(KUBECTL_CMD) wait --for=condition=ready pod -l cnpg.io/cluster=$(RELEASE_NAME)-db -n $(NAMESPACE) --timeout=300s
 	@echo "Database is ready!"
 	@echo "Checking SAST AI application..."
 	@$(KUBECTL_CMD) wait --for=condition=ready pod -l app.kubernetes.io/name=sast-ai -n $(NAMESPACE) --timeout=300s

deploy/sast-ai-chart/Chart.yaml

@@ -17,11 +17,8 @@ sources:
 maintainers:
   - name: SAST AI Team
     email: sast-ai@redhat.com
-dependencies:
-  - name: postgresql
-    version: 15.5.38
-    repository: "https://charts.bitnami.com/bitnami"
-    condition: postgresql.enabled
+# CloudNativePG is deployed via operator CRD - no Helm dependency needed
+# The CloudNativePG operator must be installed in the cluster beforehand
 annotations:
   category: Developer Tools
   licenses: Apache-2.0 

deploy/sast-ai-chart/templates/_helpers.tpl

@@ -76,11 +76,29 @@ Create the name of the configmap to use
 {{- end }}
 
 {{/*
-PostgreSQL hostname
+PostgreSQL cluster name
+*/}}
+{{- define "sast-ai.postgres.clusterName" -}}
+{{- printf "%s-db" (include "sast-ai.fullname" .) }}
+{{- end }}
+
+{{/*
+PostgreSQL hostname - CloudNativePG creates a service with -rw suffix for read-write access
 */}}
 {{- define "sast-ai.postgresql.host" -}}
-{{- if .Values.postgresql.enabled }}
-{{- printf "%s-postgresql" .Release.Name }}
+{{- if .Values.postgres.enabled }}
+{{- printf "%s-rw" (include "sast-ai.postgres.clusterName" .) }}
+{{- else }}
+{{- .Values.externalDatabase.host }}
+{{- end }}
+{{- end }}
+
+{{/*
+PostgreSQL read-only hostname - CloudNativePG creates a service with -ro suffix for read-only access
+*/}}
+{{- define "sast-ai.postgresql.hostReadOnly" -}}
+{{- if .Values.postgres.enabled }}
+{{- printf "%s-ro" (include "sast-ai.postgres.clusterName" .) }}
 {{- else }}
 {{- .Values.externalDatabase.host }}
 {{- end }}
@@ -90,7 +108,7 @@ PostgreSQL hostname
 PostgreSQL port
 */}}
 {{- define "sast-ai.postgresql.port" -}}
-{{- if .Values.postgresql.enabled }}
+{{- if .Values.postgres.enabled }}
 {{- 5432 }}
 {{- else }}
 {{- .Values.externalDatabase.port }}
@@ -101,8 +119,8 @@ PostgreSQL port
 PostgreSQL database name
 */}}
 {{- define "sast-ai.postgresql.database" -}}
-{{- if .Values.postgresql.enabled }}
-{{- .Values.postgresql.auth.database }}
+{{- if .Values.postgres.enabled }}
+{{- .Values.postgres.database }}
 {{- else }}
 {{- .Values.externalDatabase.database }}
 {{- end }}
@@ -112,19 +130,20 @@ PostgreSQL database name
 PostgreSQL username
 */}}
 {{- define "sast-ai.postgresql.username" -}}
-{{- if .Values.postgresql.enabled }}
-{{- .Values.postgresql.auth.username }}
+{{- if .Values.postgres.enabled }}
+{{- .Values.postgres.username }}
 {{- else }}
 {{- .Values.externalDatabase.username }}
 {{- end }}
 {{- end }}
 
 {{/*
 PostgreSQL password secret name
+CloudNativePG creates a secret named {cluster-name}-app with all connection details
 */}}
 {{- define "sast-ai.postgresql.secretName" -}}
-{{- if .Values.postgresql.enabled }}
-{{- printf "%s-postgresql" .Release.Name }}
+{{- if .Values.postgres.enabled }}
+{{- printf "%s-app" (include "sast-ai.postgres.clusterName" .) }}
 {{- else }}
 {{- if .Values.externalDatabase.existingSecret }}
 {{- .Values.externalDatabase.existingSecret }}
@@ -136,9 +155,10 @@ PostgreSQL password secret name
 
 {{/*
 PostgreSQL password secret key
+CloudNativePG uses 'password' as the key in the app secret
 */}}
 {{- define "sast-ai.postgresql.secretKey" -}}
-{{- if .Values.postgresql.enabled }}
+{{- if .Values.postgres.enabled }}
 {{- "password" }}
 {{- else }}
 {{- if .Values.externalDatabase.existingSecretPasswordKey }}
@@ -157,10 +177,3 @@ Common annotations
 {{ toYaml . }}
 {{- end }}
 {{- end }}
-
-{{/*
-PostgreSQL service account name
-*/}}
-{{- define "sast-ai.postgresql.serviceAccountName" -}}
-{{- printf "%s-postgresql" (include "sast-ai.fullname" .) }}
-{{- end }} 

deploy/sast-ai-chart/templates/cnpg-cluster.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.postgres.enabled }}
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ include "sast-ai.fullname" . }}-db
+  labels:
+    {{- include "sast-ai.labels" . | nindent 4 }}
+    app.kubernetes.io/component: database
+  {{- with (include "sast-ai.annotations" .) }}
+  annotations:
+    {{- . | nindent 4 }}
+  {{- end }}
+spec:
+  description: "PostgreSQL database for SAST AI Orchestrator"
+  imageName: ghcr.io/cloudnative-pg/postgresql:{{ .Values.postgres.version }}
+  instances: {{ .Values.postgres.instances }}
+  
+  # Primary update strategy
+  primaryUpdateStrategy: unsupervised
+  primaryUpdateMethod: switchover
+  
+  # Bootstrap configuration
+  bootstrap:
+    initdb:
+      database: {{ .Values.postgres.database }}
+      owner: {{ .Values.postgres.username }}
+  
+  # Storage configuration
+  storage:
+    size: {{ .Values.postgres.storage.size }}
+    {{- if .Values.postgres.storage.storageClass }}
+    storageClass: {{ .Values.postgres.storage.storageClass }}
+    {{- end }}
+  
+  # Resource configuration
+  resources:
+    {{- toYaml .Values.postgres.resources | nindent 4 }}
+  
+  # OpenShift specific: Let the operator handle security contexts
+  enableSuperuserAccess: false
+{{- end }}

deploy/sast-ai-chart/templates/postgresql-serviceaccount.yaml

@@ -1,4 +1,4 @@
-{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) -}}
+{{- if and (not .Values.postgres.enabled) (not .Values.externalDatabase.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:

deploy/sast-ai-chart/templates/postgresql.yaml

@@ -39,24 +39,17 @@ route:
   annotations:
     haproxy.router.openshift.io/timeout: 60s
 
-## PostgreSQL configuration - smaller resources for dev
-postgresql:
-  auth:
-    postgresPassword: "postgres-dev"
-    username: "quarkus"
-    password: "quarkus"
-    database: "sast-ai"
-  primary:
-    persistence:
-      enabled: true
-      size: 4Gi  # Smaller storage for dev
-    resources:
-      limits:
-        cpu: 250m
-        memory: 256Mi
-      requests:
-        cpu: 100m
-        memory: 128Mi
+## PostgreSQL configuration - dev sizing
+postgres:
+  storage:
+    size: 4Gi
+  resources:
+    limits:
+      cpu: 250m
+      memory: 256Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
 
 ## Horizontal Pod Autoscaler - disabled for dev
 hpa:

deploy/sast-ai-chart/templates/secret.yaml

@@ -40,23 +40,17 @@ route:
     haproxy.router.openshift.io/timeout: 300s
 
 ## PostgreSQL configuration - production sizing
-postgresql:
-  auth:
-    postgresPassword: "postgres-prod-secure"
-    username: "quarkus"
-    password: "quarkus-prod-secure"
-    database: "sast-ai-prod"
-  primary:
-    persistence:
-      enabled: true
-      size: 20Gi  # Larger storage for prod
-    resources:
-      limits:
-        cpu: 1000m
-        memory: 1Gi
-      requests:
-        cpu: 500m
-        memory: 512Mi
+postgres:
+  database: "sast-ai-prod"
+  storage:
+    size: 20Gi
+  resources:
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+    requests:
+      cpu: 500m
+      memory: 512Mi
 
 ## Horizontal Pod Autoscaler - enabled for prod
 hpa:

deploy/sast-ai-chart/values-dev.yaml

@@ -74,50 +74,38 @@ route:
     insecureEdgeTerminationPolicy: Redirect
   annotations: {}
 
-## PostgreSQL configuration (base settings)
-postgresql:
+## PostgreSQL configuration (CloudNativePG)
+## Requires CloudNativePG operator to be installed in the cluster
+## See: https://cloudnative-pg.io/
+postgres:
+  # Enable/disable PostgreSQL deployment
   enabled: true
-  # Pin PostgreSQL image version for stability and reproducibility
-  # Prevents unexpected version changes during deployments
-  image:
-    registry: docker.io
-    repository: bitnamilegacy/postgresql
-    tag: "16.4.0-debian-12-r14"
-  # Inherit labels from parent chart for proper cleanup
-  commonLabels:
-    app.kubernetes.io/name: "{{ include \"sast-ai.name\" . }}"
-    app.kubernetes.io/instance: "{{ .Release.Name }}"
-    app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
-    app.kubernetes.io/managed-by: "{{ .Release.Service }}"
-  primary:
-    persistence:
-      enabled: true
-      size: 8Gi
-      storageClass: ""
-    resources:
-      limits:
-        cpu: 500m
-        memory: 512Mi
-      requests:
-        cpu: 250m
-        memory: 256Mi
-    # OpenShift compatibility
-    podSecurityContext:
-      enabled: false
-    containerSecurityContext:
-      enabled: false
-  # Use dedicated service account for PostgreSQL with anyuid SCC
-  serviceAccount:
-    create: false
-    name: ""  # Will be overridden in the postgresql template
-  # OpenShift compatibility settings
-  volumePermissions:
-    enabled: false
-  shmVolume:
-    chmod:
-      enabled: false
-
-## External PostgreSQL configuration (when postgresql.enabled is false)
+  
+  # PostgreSQL version
+  version: "16.4"
+  
+  # Number of instances (1 = standalone, 2+ = HA with streaming replication)
+  instances: 1
+  
+  # Database and user configuration
+  database: "sast-ai"
+  username: "quarkus"
+  
+  # Storage size
+  storage:
+    size: 8Gi
+    storageClass: ""  # Use default storage class if empty
+  
+  # Resource configuration
+  resources:
+    limits:
+      cpu: 500m
+      memory: 512Mi
+    requests:
+      cpu: 250m
+      memory: 256Mi
+
+## External PostgreSQL configuration (when postgres.enabled is false)
 externalDatabase:
   host: ""
   port: 5432