docs: add production deployment guide for multi-replica Helm installs#313
docs: add production deployment guide for multi-replica Helm installs#313
Conversation
…ives Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)
|
Consolidating into 2 PRs: chart features + docs |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 11a9023c93
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| containers: | ||
| - name: db-init | ||
| image: {{ printf "%s/bitnami/postgresql:16" (.Values.global.imageRegistry | default "docker.io") }} | ||
| command: ["sh", "-ec"] |
There was a problem hiding this comment.
When dbInit.enabled=true, this hook creates a pod without any pod/container securityContext, so clusters enforcing the Restricted Pod Security Standard can reject the pre-install Job and fail the Helm install before app resources are created. The chart’s other workloads already set runAsNonRoot, dropped capabilities, and allowPrivilegeEscalation: false; this hook needs the same hardening to be deployable in restricted environments.
Useful? React with 👍 / 👎.
| {{- range .Values.dbInit.databases }} | ||
| DO $$ BEGIN | ||
| IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '{{ .user }}') THEN | ||
| CREATE ROLE {{ .user }} WITH LOGIN PASSWORD '{{ .password }}'; |
There was a problem hiding this comment.
The template injects dbInit.databases[*].password directly into a single-quoted SQL literal (PASSWORD '{{ .password }}'), so any password containing an apostrophe (e.g. pa'ss) produces invalid SQL and causes the init Job to fail, which in turn fails installation. This path needs proper SQL literal escaping (or psql variable binding) to handle valid password characters safely.
Useful? React with 👍 / 👎.
1 participant
Document production deployment patterns: multi-replica, session bridge ring, connection pool budget, graceful shutdown. Reference values-prod.yaml and explain key differences from defaults. Add scale-down caution for bridge session TTLs.