From b84913903376fdace79214109bec5b0a7042bb6f Mon Sep 17 00:00:00 2001 From: Itay Grudev Date: Sat, 7 Dec 2024 17:00:15 +0200 Subject: [PATCH 1/3] Adds serviceAccountTemplate to cluster configuration (#463) Signed-off-by: Dariusch Ochlast Signed-off-by: Itay Grudev Co-authored-by: Dariusch Ochlast --- charts/cluster/README.md | 1 + charts/cluster/templates/cluster.yaml | 5 +++++ .../01-non_default_configuration_cluster-assert.yaml | 4 ++++ .../01-non_default_configuration_cluster.yaml | 4 ++++ charts/cluster/values.schema.json | 3 +++ charts/cluster/values.yaml | 3 +++ 6 files changed, 20 insertions(+) diff --git a/charts/cluster/README.md b/charts/cluster/README.md index 99cc8c378..749c945f1 100644 --- a/charts/cluster/README.md +++ b/charts/cluster/README.md @@ -180,6 +180,7 @@ refer to the [CloudNativePG Documentation](https://cloudnative-pg.io/documentat | cluster.priorityClassName | string | `""` | | | cluster.resources | object | `{}` | Resources requirements of every generated Pod. Please refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information. We strongly advise you use the same setting for limits and requests so that your cluster pods are given a Guaranteed QoS. See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/ | | cluster.roles | list | `[]` | This feature enables declarative management of existing roles, as well as the creation of new roles if they are not already present in the database. See: https://cloudnative-pg.io/documentation/current/declarative_role_management/ | +| cluster.serviceAccountTemplate | object | `{}` | Configure the metadata of the generated service account | | cluster.storage.size | string | `"8Gi"` | | | cluster.storage.storageClass | string | `""` | | | cluster.superuserSecret | string | `""` | | diff --git a/charts/cluster/templates/cluster.yaml b/charts/cluster/templates/cluster.yaml index 169683fef..1741ee25a 100644 --- a/charts/cluster/templates/cluster.yaml 
+++ b/charts/cluster/templates/cluster.yaml @@ -74,6 +74,11 @@ spec: {{- toYaml . | nindent 6 }} {{ end }} + {{- with .Values.cluster.serviceAccountTemplate }} + serviceAccountTemplate: + {{- toYaml . | nindent 4 }} + {{- end }} + monitoring: enablePodMonitor: {{ and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.podMonitor.enabled }} disableDefaultQueries: {{ .Values.cluster.monitoring.disableDefaultQueries }} diff --git a/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster-assert.yaml b/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster-assert.yaml index 5f5c62a68..98e5f70fa 100644 --- a/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster-assert.yaml +++ b/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster-assert.yaml @@ -80,3 +80,7 @@ spec: inRoles: - pg_monitor - pg_signal_backend + serviceAccountTemplate: + metadata: + annotations: + my-annotation: my-service-account diff --git a/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster.yaml b/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster.yaml index 570ea8409..58c24b059 100644 --- a/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster.yaml +++ b/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster.yaml @@ -76,6 +76,10 @@ cluster: foo: bar annotations: foo: bar + serviceAccountTemplate: + metadata: + annotations: + my-annotation: my-service-account backups: enabled: false diff --git a/charts/cluster/values.schema.json b/charts/cluster/values.schema.json index 81899f1cd..b6d099fdb 100644 --- a/charts/cluster/values.schema.json +++ b/charts/cluster/values.schema.json 
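Review bot: Nothing validates the shape of `serviceAccountTemplate` before it reaches the Cluster spec. The block added in templates/cluster.yaml copies the values object verbatim with `toYaml`, and the values.schema.json hunk later in this patch only requires `"type": "object"`. The test values in this patch nest everything under `metadata`, so a user who puts `annotations` one level higher passes `helm lint` and presumably only finds out when the API server rejects or prunes the field. Consider describing the shape in the schema, for example `"properties": { "metadata": { "type": "object" } }`, and adding `"additionalProperties": false` if the CRD accepts nothing besides `metadata` (to be confirmed against the operator's API). The enclosing `spec:` mapping starts and ends outside the hunk.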
@@ -288,6 +288,9 @@ "roles": { "type": "array" }, + "serviceAccountTemplate": { + "type": "object" + }, "storage": { "type": "object", "properties": { diff --git a/charts/cluster/values.yaml b/charts/cluster/values.yaml index d45e5c1e9..f39c6b8b4 100644 --- a/charts/cluster/values.yaml +++ b/charts/cluster/values.yaml @@ -281,6 +281,9 @@ cluster: # postInitApplicationSQL: [] # postInitTemplateSQL: [] + # -- Configure the metadata of the generated service account + serviceAccountTemplate: {} + additionalLabels: {} annotations: {} From 742e46a01473a3c928cce86ac19caa8ea201c6cc Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 7 Dec 2024 17:46:35 +0200 Subject: [PATCH 2/3] chore(deps): update kyverno/action-install-chainsaw action to v0.2.12 (#459) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/tests-cluster-chainsaw.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-cluster-chainsaw.yaml b/.github/workflows/tests-cluster-chainsaw.yaml index 2d619b24a..f3a2b338e 100644 --- a/.github/workflows/tests-cluster-chainsaw.yaml +++ b/.github/workflows/tests-cluster-chainsaw.yaml @@ -29,7 +29,7 @@ jobs: helm install prometheus-crds prometheus-community/prometheus-operator-crds - name: Install Chainsaw - uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11 + uses: kyverno/action-install-chainsaw@f2b47b97dc889c12702113753d713f01ec268de5 # v0.2.12 with: verify: true From 665396d2674cdd3f970548f982dc858227601814 Mon Sep 17 00:00:00 2001 From: mbugeia Date: Sat, 7 Dec 2024 16:59:06 +0100 Subject: [PATCH 3/3] feat(cluster): added support for enablePDB option (#431) 
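Review bot: The comment added above `serviceAccountTemplate: {}` in values.yaml neither shows the expected shape nor says that this value can carry privilege. The test values in this patch use `metadata.annotations`, and service-account annotations are the usual place where a cloud workload identity is attached (for example `eks.amazonaws.com/role-arn` on EKS). A change here can therefore alter what the database pods are allowed to access. I would extend the comment to `# -- Configure the metadata of the generated service account, e.g. metadata.annotations.` followed by `# Annotations set here may bind the pods to a cloud IAM identity; review changes to this value as access changes.`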
Signed-off-by: Maxime Bugeia Co-authored-by: Itay Grudev --- charts/cluster/templates/cluster.yaml | 3 ++- .../01-non_default_configuration_cluster-assert.yaml | 1 + .../01-non_default_configuration_cluster.yaml | 1 + charts/cluster/values.yaml | 4 ++++ 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/charts/cluster/templates/cluster.yaml b/charts/cluster/templates/cluster.yaml index 1741ee25a..5d0a2edc9 100644 --- a/charts/cluster/templates/cluster.yaml +++ b/charts/cluster/templates/cluster.yaml @@ -28,7 +28,7 @@ spec: walStorage: size: {{ .Values.cluster.walStorage.size }} storageClass: {{ .Values.cluster.walStorage.storageClass }} -{{- end }} +{{- end }} {{- with .Values.cluster.resources }} resources: {{- toYaml . | nindent 4 }} @@ -51,6 +51,7 @@ spec: superuserSecret: name: {{ . }} {{ end }} + enablePDB: {{ .Values.cluster.enablePDB }} postgresql: shared_preload_libraries: {{- if eq .Values.type "timescaledb" }} diff --git a/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster-assert.yaml b/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster-assert.yaml index 98e5f70fa..604c07d51 100644 --- a/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster-assert.yaml +++ b/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster-assert.yaml @@ -36,6 +36,7 @@ spec: superuserSecret: name: supersecret-secret enableSuperuserAccess: true + enablePDB: false certificates: serverCASecret: ca-secret serverTLSSecret: tls-secret diff --git a/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster.yaml b/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster.yaml index 58c24b059..054a5cb4b 100644 --- a/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster.yaml 
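Review bot: `enablePDB: {{ .Values.cluster.enablePDB }}` in templates/cluster.yaml renders the value unchecked, and the diffstat of this patch lists no change to values.schema.json, so nothing enforces that it is a boolean. If the key is nulled in an override file the line renders as a bare `enablePDB:`, and a non-boolean string is emitted as-is; how the API server treats either is not visible from the patch. Adding `"enablePDB": { "type": "boolean" }` to the `cluster` properties of the schema would reject both at install time, in line with the schema entry the first patch of this series adds for `serviceAccountTemplate`. The `spec:` mapping continues outside the hunk.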
+++ b/charts/cluster/test/postgresql-cluster-configuration/01-non_default_configuration_cluster.yaml @@ -44,6 +44,7 @@ cluster: clientCASecret: client-ca-secret enableSuperuserAccess: true superuserSecret: supersecret-secret + enablePDB: false roles: - name: dante ensure: present diff --git a/charts/cluster/values.yaml b/charts/cluster/values.yaml index f39c6b8b4..32dd63dfd 100644 --- a/charts/cluster/values.yaml +++ b/charts/cluster/values.yaml @@ -201,6 +201,10 @@ cluster: enableSuperuserAccess: true superuserSecret: "" + # -- Allow to disable PDB, mainly useful for upgrade of single-instance clusters or development purposes + # See: https://cloudnative-pg.io/documentation/current/kubernetes_upgrade/#pod-disruption-budgets + enablePDB: true + # -- This feature enables declarative management of existing roles, as well as the creation of new roles if they are not # already present in the database. # See: https://cloudnative-pg.io/documentation/current/declarative_role_management/
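Review bot: The comment added for `enablePDB` in values.yaml says when disabling is useful but not what is given up. With the value set to `false`, no PodDisruptionBudget is expected to exist for the cluster, so a node drain can evict its instances without the availability guard. That matters to anyone who carries a development values file into production. Suggested first line: `# -- Set to false to disable the PodDisruptionBudgets of the cluster; without them node drains are not held back for the database pods.`, keeping the "mainly useful for" sentence and the existing `# See:` link after it.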