Remove PostgreSQL subchart and require external database (v4.0.0)

.github/ci-postgres.yaml

@@ -0,0 +1,123 @@
+---
+# PostgreSQL deployment for CI testing
+# This creates a simple PostgreSQL instance in the default namespace
+# for testing the Pact Broker with external database configuration
+# We create:
+# `postgres-config` - a ConfigMap to configure the PostgreSQL instance
+# `postgres-pvc` - a PersistentVolumeClaim for the PostgreSQL data
+# `postgres` - a Deployment for the PostgreSQL instance
+# `postgres` - a Service for the PostgreSQL instance
+# `pact-broker-db-secret` - a Secret for the Pact Broker database password in order
+#                            to be used by the Pact Broker to connect to the database
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-config
+  namespace: default
+data:
+  POSTGRES_DB: "pactbroker"
+  POSTGRES_USER: "pactbroker"
+  POSTGRES_PASSWORD: "pactbroker-password"
+---
+# Create a secret that the Pact Broker will use
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pact-broker-db-secret
+  namespace: default
+type: Opaque
+stringData:
+  database-password: "pactbroker-password"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgres-pvc
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postgres
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+      - name: postgres
+        image: postgres:15-alpine
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 5432
+          name: postgres
+        envFrom:
+        - configMapRef:
+            name: postgres-config
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          name: postgres-storage
+          subPath: postgres
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "100m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+        livenessProbe:
+          exec:
+            command:
+            - pg_isready
+            - -U
+            - pactbroker
+            - -d
+            - pactbroker
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          exec:
+            command:
+            - pg_isready
+            - -U
+            - pactbroker
+            - -d
+            - pactbroker
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          timeoutSeconds: 3
+          failureThreshold: 3
+      volumes:
+      - name: postgres-storage
+        persistentVolumeClaim:
+          claimName: postgres-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  namespace: default
+spec:
+  type: ClusterIP
+  selector:
+    app: postgres
+  ports:
+  - port: 5432
+    targetPort: 5432
+    protocol: TCP
+    name: postgres

.github/workflows/release.yaml

@@ -30,6 +30,7 @@ jobs:
 
       - name: Add dependencies
         run: |
+          # Still need bitnami repo for the common chart dependency
           helm repo add bitnami https://charts.bitnami.com/bitnami
 
       - name: Run chart-releaser

.github/workflows/test.yaml

@@ -27,6 +27,10 @@ jobs:
 
   test:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        postgres-version: ['13', '14', '15', '16', '17']
+    name: Test with PostgreSQL ${{ matrix.postgres-version }}
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -42,12 +46,37 @@ jobs:
 
       - name: Set up chart-testing
         uses: helm/chart-testing-action@v2.7.0
-
+
+      - name: Add Helm repositories
+        run: |
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo update
+
       - name: Run chart-testing (lint)
         run: ct lint --config ct.yaml
 
       - name: Create KIND Cluster
         uses: helm/kind-action@7cd7463a0995e35ab5d0f2c119f892514f3a3778 # pin@v1.12.0
 
+      - name: Deploy PostgreSQL for testing
+        run: |
+          # Replace the PostgreSQL image version in the manifest
+          sed "s/postgres:15-alpine/postgres:${{ matrix.postgres-version }}-alpine/g" .github/ci-postgres.yaml | kubectl apply -f -
+
+          echo "Waiting for PostgreSQL ${{ matrix.postgres-version }} to be ready..."
+          kubectl wait --for=condition=ready pod -l app=postgres --timeout=120s
+          echo "PostgreSQL deployment status:"
+          kubectl get pods -l app=postgres
+          kubectl get svc postgres
+
+          # Verify PostgreSQL is accepting connections
+          echo "Verifying PostgreSQL ${{ matrix.postgres-version }} connectivity..."
+          kubectl run postgres-test --image=postgres:${{ matrix.postgres-version }}-alpine --rm -i --restart=Never --env="PGPASSWORD=pactbroker-password" -- \
+            psql -h postgres -U pactbroker -d pactbroker -c "SELECT version();" || true
+
+          # Show the secrets created for the Pact Broker
+          echo "Available secrets:"
+          kubectl get secrets pact-broker-db-secret
+
       - name: Run chart-testing (install)
         run: ct install --config ct-install.yaml

README.md

@@ -10,11 +10,17 @@ We are always looking for maintainers, please let us know if you'd be interested
 
 ## TL;DR
 
-```console
-helm repo add bitnami https://charts.bitnami.com/bitnami
+> **⚠️ IMPORTANT:** As of v4.0.0, you must provide your own PostgreSQL database. The bundled PostgreSQL subchart has been removed. More info can be found [here](https://github.com/pact-foundation/pact-broker-chart/issues/194).
+
+```shell
 helm repo add pact-broker https://pact-foundation.github.io/pact-broker-chart/
 
-helm install pact-broker pact-broker/pact-broker
+# Install with external database configuration
+helm install pact-broker pact-broker/pact-broker \
+  --set database.host=your-postgres-host \
+  --set database.databaseName=pactbroker \
+  --set database.auth.username=pactbroker \
+  --set database.auth.password=your-password
 ```
 
 ## Usage
@@ -44,7 +50,11 @@ Charts are also available in OCI format. The list of available charts can be fou
 Install one of the available charts:
 
 ```shell
-helm upgrade -i <release_name> oci://ghcr.io/pact-foundation/pact-broker-chart/pact-broker --version=<version>
+helm upgrade -i <release_name> oci://ghcr.io/pact-foundation/pact-broker-chart/pact-broker --version=<version> \
+  --set database.host=your-postgres-host \
+  --set database.databaseName=pactbroker \
+  --set database.auth.username=pactbroker \
+  --set database.auth.password=your-password
 ```
 
 ## Contributing

charts/pact-broker/Chart.lock

@@ -1,9 +1,6 @@
 dependencies:
-- name: postgresql
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 16.7.24
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 2.31.4
-digest: sha256:682f1eaee08475822560e364fd7dc8e7240db0e60778e4f2237163cba9a4e10d
-generated: "2025-08-13T22:12:50.953543239Z"
+digest: sha256:4ae0a824a540bb50b58534cc15aa30a677c33334a45301a1772845a535cedf7b
+generated: "2025-10-26T16:58:26.486047Z"

charts/pact-broker/Chart.yaml

@@ -2,13 +2,9 @@ apiVersion: v2
 name: pact-broker
 description: The Pact Broker is an application for sharing for Pact contracts and verification results.
 type: application
-version: 3.3.6
+version: 4.0.0
 appVersion: 2.112.0
 dependencies:
-  - condition: postgresql.enabled
-    name: postgresql
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 16.7.24
   - name: common
     repository: oci://registry-1.docker.io/bitnamicharts
     tags:

charts/pact-broker/README.md

@@ -1,6 +1,6 @@
 # pact-broker
 
-![Version: 3.3.6](https://img.shields.io/badge/Version-3.3.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.112.0](https://img.shields.io/badge/AppVersion-2.112.0-informational?style=flat-square)
+![Version: 4.0.0](https://img.shields.io/badge/Version-4.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.112.0](https://img.shields.io/badge/AppVersion-2.112.0-informational?style=flat-square)
 
 The Pact Broker is an application for sharing for Pact contracts and verification results.
 
@@ -52,7 +52,6 @@ helm upgrade -i <release_name> oci://ghcr.io/pact-foundation/pact-broker-chart/p
 | Repository | Name | Version |
 |------------|------|---------|
 | oci://registry-1.docker.io/bitnamicharts | common | 2.31.4 |
-| oci://registry-1.docker.io/bitnamicharts | postgresql | 16.7.24 |
 
 ## Values
 
@@ -149,15 +148,14 @@ helm upgrade -i <release_name> oci://ghcr.io/pact-foundation/pact-broker-chart/p
 | broker.tolerations | Pact Broker [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) | list | `[]` |
 | broker.volumeMounts | Volume mounts | list | `[]` |
 | broker.volumes | Volumes to mount | list | `[]` |
-| externalDatabase.config.adapter | Database engine to use. Only allowed values are `postgres` or `sqlite`. More info [here](https://docs.pact.io/pact_broker/docker_images/pactfoundation#getting-started) | string | `""` |
-| externalDatabase.config.auth.existingSecret | Name of an existing Kubernetes secret containing the database credentials | string | `""` |
-| externalDatabase.config.auth.existingSecretPasswordKey | The key to which the password will be stored under within existing secret. | string | `"user-password"` |
-| externalDatabase.config.auth.password | Password for the non-root username for the Pact Broker | string | `""` |
-| externalDatabase.config.auth.username | Non-root username for the Pact Broker | string | `""` |
-| externalDatabase.config.databaseName | External database name | string | `""` |
-| externalDatabase.config.host | Database host | string | `""` |
-| externalDatabase.config.port | Database port number | string | `""` |
-| externalDatabase.enabled | Switch to enable or disable the externalDatabase connection | bool | `false` |
+| database.adapter | Database engine to use. Only allowed values are `postgres` or `sqlite`. More info [here](https://docs.pact.io/pact_broker/docker_images/pactfoundation#getting-started) | string | `""` |
+| database.auth.existingSecret | Name of an existing Kubernetes secret containing the database credentials | string | `""` |
+| database.auth.existingSecretPasswordKey | The key to which the password will be stored under within existing secret. | string | `"user-password"` |
+| database.auth.password | Password for the non-root username for the Pact Broker | string | `""` |
+| database.auth.username | Non-root username for the Pact Broker | string | `""` |
+| database.databaseName | External database name | string | `""` |
+| database.host | Database host | string | `""` |
+| database.port | Database port number | string | `""` |
 | image.pullPolicy | Specify a imagePullPolicy Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' more info [here](https://kubernetes.io/docs/user-guide/images/#pre-pulling-images)  | string | `"IfNotPresent"` |
 | image.pullSecrets | Array of imagePullSecrets to allow pulling the Pact Broker image from private registries. PS: Secret's must exist in the namespace to which you deploy the Pact Broker. more info [here](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)  Example:   pullSecrets:    - mySecretName  | list | `[]` |
 | image.registry | Pact Broker image registry | string | `"docker.io"` |
@@ -169,16 +167,6 @@ helm upgrade -i <release_name> oci://ghcr.io/pact-foundation/pact-broker-chart/p
 | ingress.host | host Hostname to be used to expose the route to access the Pact Broker | string | `""` |
 | ingress.tls.enabled | ingress.tls.enabled Enable TLS configuration for the host defined at `ingress.host` parameter | bool | `false` |
 | ingress.tls.secretName | ingress.tls.secretName The name to which the TLS Secret will be called | string | `""` |
-| postgresql.architecture | PostgreSQL architecture (`standalone` or `replication`) | string | `"standalone"` |
-| postgresql.auth.database | Name for a custom database to create | string | `"bitnami_broker"` |
-| postgresql.auth.existingSecret | Name of existing secret to use for PostgreSQL credentials | string | `""` |
-| postgresql.auth.password | Password for the custom user to create | string | `""` |
-| postgresql.auth.secretKeys.adminPasswordKey | The key in which Postgres well look for, for the admin password, in the existing Secret | string | `"admin-password"` |
-| postgresql.auth.secretKeys.replicationPasswordKey | The key in which Postgres well look for, for the replication password, in the existing Secret | string | `"replication-password"` |
-| postgresql.auth.secretKeys.userPasswordKey | The key in which Postgres well look for, for the user password, in the existing Secret | string | `"user-password"` |
-| postgresql.auth.username | Name for a custom user to create | string | `"bn_broker"` |
-| postgresql.enabled | Switch to enable or disable the PostgreSQL helm chart | bool | `true` |
-| postgresql.image | Change default PostgreSQL image location (workaround for https://github.com/bitnami/charts/issues/35164) | object | `{"registry":"docker.io","repository":"bitnamilegacy/postgresql"}` |
 | service.annotations | service.annotations Additional annotations for the Service resource | object | `{}` |
 | service.clusterIP | Pact Broker service clusterIP | string | `""` |
 | service.loadBalancerIP | Pact Broker Service [loadBalancerIP](https://kubernetes.io/docs/user-guide/services/#type-loadbalancer) | string | `""` |
@@ -196,38 +184,30 @@ helm upgrade -i <release_name> oci://ghcr.io/pact-foundation/pact-broker-chart/p
 
 ## Configuration and Installation Details
 
-### Configuring Chart PostgreSQL
+### Database Configuration
 
-With the Pact Broker Helm Chart, it bundles together the Pact Broker and a Bitnami PostgreSQL database - this can be enabled by switching `postgresql.enabled` to true (it is `true` by default). If switched on, the Helm Chart, on deployment, will automatically deploy a PostgreSQL instance and configure it with the credentials you specify. There are multiple ways of doing this that will be detailed below.
+> **⚠️ BREAKING CHANGE in v4.0.0:** The bundled PostgreSQL subchart has been removed due to licensing changes. You must now provide your own PostgreSQL instance.
 
-#### Automatic Database Credential Creation
-This is the easiest of the configuration options. Here, the credentials for both the Admin and Database user will be automatically generated and put into a Kubernetes secret. This then will be automatically used by the Pact Broker. For this, ensure the following happens:
-  - Keep `postgresql.auth.existingSecret` & `postgresql.auth.password` empty.
+Starting with version 4.0.0, this Helm chart requires an external PostgreSQL database. You can use:
+- Cloud-managed databases (AWS RDS, Google Cloud SQL, Azure Database for PostgreSQL)
+- Self-hosted PostgreSQL instances
+- Kubernetes operators (CloudNativePG, Zalando PostgreSQL Operator)
+- Any PostgreSQL-compatible database
 
-#### Specifying Password for PostgreSQL to Use
-Here, you can specify the password that you want PostgreSQL to use for it's Database User (The user that the Pact Broker will use to connect to the database). For this, ensure the following happens:
-  - Keep the `postgresql.auth.existingSecret` empty.
-  - Set the `postgresql.auth.password` to the value that you want the User password to be.
-  > **_NOTE:_** Be careful and mindful that the value you provide here is done in a secure way.
+Configure the database connection by setting the following values:
+- `database.host` - Database hostname or IP address
+- `database.port` - Database port (defaults to 5432)
+- `database.adapter` - Database adapter (defaults to "postgres", can also be "sqlite")
+- `database.databaseName` - Name of the database
 
-#### Specifying Existing Secret for PostgreSQL to Use
-Here, you can specify an existing Kubernetes secret that you have created that contains the Password that you want PostgreSQL to use. The secret has to be in the same namespace as where you are deploying the Helm Chart. For this, ensure the following happens:
-  - Create the Kubernetes secret with the Password inside.
-  - Set `postgresql.auth.existingSecret` to the name of the Secret
-  - PostgreSQL by default will look for the relevant Password keys that are set by default here `postgresql.auth.secretKeys`. So make sure that the Keys in the Secret match the default `secretKeys` values. More information [here](https://artifacthub.io/packages/helm/bitnami/postgresql)
-  - For example, if you want PostgreSQL to use an existing Secret called `my-user-secret` that has the User password that you want to use inside it. Make sure that you create a Key inside that secret called `user-password` (this key can be found here `postgresql.auth.secretKeys.userPasswordKey`). i.e. `user-password=Password123`.
-
-### Configuring External Database
-If you want to use an external database with your Pact Broker, switch the `externalDatabase.enabled` flag to true and the `postgresql.enabled` to false.
-
-The configuring of the `externalDatabase.config.host`, `externalDatabase.config.port`, `externalDatabase.config.adapter` and `externalDatabase.config.databaseName` should be pretty straight forward. The credential configuration however has two methods of configuration.
+The credential configuration has two methods:
 
 #### Specify Credentials via Values
-Configure the Pact Broker by using the username credential that you configure via the `externalDatabase.config.auth.username` value and the password via the `externalDatabase.config.auth.password` value.
+Configure the Pact Broker by using the username credential that you configure via the `database.auth.username` value and the password via the `database.auth.password` value.
   > **_NOTE:_** Be careful and mindful that the values you provide here is done in a secure way.
 
 #### Specify Credentials via Secret
-Configure the Pact Broker to use an existing Secret to retrieve the user password as a means to connect to the database. Ensure that the Kubernetes Secret has the password in the `user-password` field and ensure that you have set `externalDatabase.config.auth.existingSecret` value to the name of the secret. To configure the username, you can use the `username` value.
+Configure the Pact Broker to use an existing Secret to retrieve the user password as a means to connect to the database. Ensure that the Kubernetes Secret has the password in the `user-password` field and ensure that you have set `database.auth.existingSecret` value to the name of the secret. To configure the username, you can use the `username` value.
 
 ### Database Clean Task
 Pact Broker [automatic data cleanup](https://docs.pact.io/pact_broker/docker_images/pactfoundation#automatic-data-clean-up) can be enabled by setting the property `broker.config.databaseClean.enabled` to `true`.