Rebuild images for March 2024 + small cleanup

example/images/ldap2pg/Dockerfile

@@ -12,7 +12,7 @@ RUN set -eux &&\
     chown root:root ldap2pg &&\
     chmod 755 ldap2pg
 
-FROM danielberteaud/alpine:24.2-1
+FROM danielberteaud/alpine:24.3-1
 MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
 
 ENV PGHOST=localhost \

example/images/patroni/Dockerfile

@@ -1,4 +1,4 @@
-FROM danielberteaud/postgres:15.24.2-4
+FROM danielberteaud/postgres:15.24.3-1
 MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
 
 ARG PATRONI_VERSION=3.2.2

example/images/pg-upgrade/Dockerfile

@@ -1,4 +1,4 @@
-FROM danielberteaud/alpine:24.2-1
+FROM danielberteaud/alpine:24.3-1
 MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
 
 ARG PG_FROM= \

example/images/postgres-major-upgrade/Dockerfile

@@ -1,4 +1,4 @@
-FROM danielberteaud/alma:9.24.2-1
+FROM danielberteaud/alma:9.24.3-1
 MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
 
 ENV PG_BASE_DATA=/data/db/

example/init/consul

@@ -1,4 +1,4 @@
 #!/bin/sh
 # vim: syntax=sh
 
-vault write /consul/roles/postgres ttl=720h max_ttl=720h consul_policies="postgres"
+vault write consul/roles/postgres ttl=720h max_ttl=720h consul_policies="postgres"

example/init/pki

@@ -17,33 +17,33 @@ fi
 
 if [ "${INITIAL_SETUP}" = "true" ]; then
   # Enable the secret engine
-  echo "Mounting new PKI secret engine at /pki/postgres"
-  vault secrets enable -path=/pki/postgres pki
+  echo "Mounting new PKI secret engine at pki/postgres"
+  vault secrets enable -path=pki/postgres pki
 else
-  echo "Secret engine already mounted at /pki/postgres"
+  echo "Secret engine already mounted at pki/postgres"
 fi
 
 # Configure max-lease-ttl
 echo "Tune PKI secret engine"
-vault secrets tune -max-lease-ttl=131400h /pki/postgres
+vault secrets tune -max-lease-ttl=131400h pki/postgres
 
 # Configure PKI URLs
 echo "Configure URL endpoints"
-vault write /pki/postgres/config/urls \
-  issuing_certificates="${VAULT_ADDR}/v1/pki/postgres/ca" \
-  crl_distribution_points="${VAULT_ADDR}/v1/pki/postgres/crl" \
-  ocsp_servers="${VAULT_ADDR}/v1/pki/postgres/ocsp"
+vault write pki/postgres/config/urls \
+  issuing_certificates="${VAULT_ADDR}/v1pki/postgres/ca" \
+  crl_distribution_points="${VAULT_ADDR}/v1pki/postgres/crl" \
+  ocsp_servers="${VAULT_ADDR}/v1pki/postgres/ocsp"
 
-vault write /pki/postgres/config/cluster \
-  path="${VAULT_ADDR}/v1/pki/postgres"
+vault write pki/postgres/config/cluster \
+  path="${VAULT_ADDR}/v1pki/postgres"
 
-vault write /pki/postgres/config/crl \
+vault write pki/postgres/config/crl \
   auto_rebuild=true \
   enable_delta=true
 
 # Configure tidy
 echo "Configure auto tidy for the PKI"
-vault write /pki/postgres/config/auto-tidy \
+vault write pki/postgres/config/auto-tidy \
   enabled=true \
   tidy_cert_store=true \
   tidy_expired_issuers=true \
@@ -58,7 +58,7 @@ vault write /pki/postgres/config/auto-tidy \
 if [ "${INITIAL_SETUP}" = "true" ]; then
   # Generate an internal CA
   echo "Generating an internal CA"
-  vault write -format=json /pki/postgres/intermediate/generate/internal \
+  vault write -format=json pki/postgres/intermediate/generate/internal \
     common_name="postgres Certificate Authority" \
     ttl="131400h" \
     organization="ACME Corp" \
@@ -71,8 +71,8 @@ if [ "${INITIAL_SETUP}" = "true" ]; then
 
 
   # Sign this PKI with a root PKI
-  echo "Signing the new CA with the authority from /pki/root"
-  vault write -format=json /pki/root/root/sign-intermediate \
+  echo "Signing the new CA with the authority from pki/root"
+  vault write -format=json pki/root/root/sign-intermediate \
       csr=@${TMP}/postgres.csr \
       format=pem_bundle \
       ttl="131400h" \
@@ -80,7 +80,7 @@ if [ "${INITIAL_SETUP}" = "true" ]; then
 
   # Update the intermediate CA with the signed one
   echo "Update the new CA with the signed version"
-  vault write /pki/postgres/intermediate/set-signed \
+  vault write pki/postgres/intermediate/set-signed \
     certificate=@${TMP}/postgres.crt
 
 
@@ -91,7 +91,7 @@ echo "Cleaning temp files"
 rm -rf ${TMP}
 
 
-vault write /pki/postgres/roles/postgres-server \
+vault write pki/postgres/roles/postgres-server \
   allowed_domains="postgres.service.consul" \
   allow_bare_domains=true \
   allow_subdomains=true \

example/init/vault-database

@@ -1,7 +1,7 @@
 #!/bin/sh
 echo "Required .pg.server.public_url is missing"
 
-echo "Creating dba role in vault"vault write /database/roles/postgres-admin \
+echo "Creating dba role in vault"vault write database/roles/postgres-admin \
     db_name="postgres" \
     creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
         GRANT \"dba\" TO \"{{name}}\"; \

example/manage.nomad.hcl

@@ -63,7 +63,7 @@ job "postgres-manage" {
       user   = 1053
 
       config {
-        image           = "danielberteaud/wait-for:24.2-1"
+        image           = "danielberteaud/wait-for:24.3-1"
         readonly_rootfs = true
         pids_limit      = 20
       }
@@ -89,7 +89,7 @@ job "postgres-manage" {
       driver = "docker"
 
       config {
-        image           = "danielberteaud/ldap2pg:6.0-9"
+        image           = "danielberteaud/ldap2pg:6.0-10"
         readonly_rootfs = true
         pids_limit      = 20
       }
@@ -125,7 +125,7 @@ _EOT
 PGHOST=localhost
 PGPORT=5432
 PGUSER=postgres
-PGPASSWORD={{ with secret "/kv/service/postgres" }}{{ .Data.data.pg_pwd | sprig_squote }}{{ end }}
+PGPASSWORD={{ with secret "kv/service/postgres" }}{{ .Data.data.pg_pwd | sprig_squote }}{{ end }}
 _EOF
         destination = "secrets/pg-manage.env"
         uid         = 100000

example/postgres.nomad.hcl

@@ -142,7 +142,7 @@ job "postgres" {
       kill_timeout = "10m"
 
       config {
-        image = "danielberteaud/patroni:15.24.2-3"
+        image = "danielberteaud/patroni:15.24.3-1"
         # Set shm_size to half of the total size
         shm_size   = 536870912
         volumes    = ["local/mkdir-socket.sh:/entrypoint.d/70-mkdir-socket.sh"]
@@ -175,7 +175,7 @@ _EOT
       template {
         data        = <<_EOT
 # Get a Consul token from vault, so we're able to update the tags in Consul from the containers
-CONSUL_HTTP_TOKEN={{ with secret "/consul/creds/postgres" }}{{ .Data.token }}{{ end }}
+CONSUL_HTTP_TOKEN={{ with secret "consul/creds/postgres" }}{{ .Data.token }}{{ end }}
 PATRONICTL_CONFIG_FILE=/secrets/patroni.yml
 _EOT
         destination = "secrets/pg.env"
@@ -354,7 +354,7 @@ postgresql:
   authentication:
     superuser:
       username: postgres
-      password: '{{ with secret "/kv/service/postgres" }}{{ .Data.data.pg_pwd }}{{ end }}'
+      password: '{{ with secret "kv/service/postgres" }}{{ .Data.data.pg_pwd }}{{ end }}'
       sslmode: verify-ca
       sslrootcert: /local/postgres.ca.pem
 
@@ -381,7 +381,7 @@ restapi:
   verify_client: optional
   authentication:
     username: patroni
-    password: '{{ with secret "/kv/service/postgres" }}{{ .Data.data.api_pwd }}{{ end }}'
+    password: '{{ with secret "kv/service/postgres" }}{{ .Data.data.api_pwd }}{{ end }}'
 
 ctl:
   insecure: False
@@ -409,7 +409,7 @@ _EOT
 set -euo pipefail
 
 # Create roles needed for patroni
-{{ with secret "/kv/service/postgres" }}
+{{ with secret "kv/service/postgres" }}
 psql <<'_EOSQL'
   ALTER ROLE postgres WITH SUPERUSER LOGIN PASSWORD '{{ .Data.data.pg_pwd }}';
   CREATE ROLE replicator WITH LOGIN REPLICATION PASSWORD '{{ .Data.data.replicator_pwd }}';
@@ -446,7 +446,7 @@ _EOT
       template {
         data          = <<_EOT
 {{ with pkiCert
-  "/pki/postgres/issue/postgres-server"
+  "pki/postgres/issue/postgres-server"
   "common_name=postgres.service.consul"
   (printf "alt_name=%s.postgres.service.consul" (env "NOMAD_ALLOC_INDEX"))
   (printf "ip_sans=%s" (env "NOMAD_IP_patroni")) "ttl=72h" }}
@@ -465,7 +465,7 @@ _EOT
       # CA certificate chains
       template {
         data          = <<_EOT
-{{ with secret "/pki/postgres/cert/ca_chain" }}{{ .Data.ca_chain }}{{ end }}
+{{ with secret "pki/postgres/cert/ca_chain" }}{{ .Data.ca_chain }}{{ end }}
 _EOT
         destination   = "local/postgres.ca.pem"
         change_mode   = "signal"

example/prep.d/10-rand-pwd.sh

@@ -5,7 +5,7 @@ set -euo pipefail
 # vim: syntax=sh
 
 export LC_ALL=C
-VAULT_KV_PATH=/kv/service/postgres
+VAULT_KV_PATH=kv/service/postgres
 RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
 if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
   vault kv put ${VAULT_KV_PATH} \

example/vault/policies/postgres.hcl

@@ -1,14 +1,14 @@
 # Read secrets from vault KV
-path "/kv/data/service/postgres" {
+path "kv/data/service/postgres" {
   capabilities = ["read"]
 }
 
 # Get a consul token to access the kv store, where patroni will manage the leader lock
-path "/consul/creds/postgres" {
+path "consul/creds/postgres" {
   capabilities = ["read"]
 }
 
 # Get a certificate for patroni REST API and Postgres
-path "/pki/postgres/issue/postgres-server" {
+path "pki/postgres/issue/postgres-server" {
   capabilities = ["update"]
 }

manage.nomad.hcl

@@ -68,7 +68,7 @@ job "[[ .instance ]]-manage" {
 [[- end ]]
       }
 
-[[ template "common/file_env" $c.env ]]
+[[ template "common/file_env" $c ]]
 
       template {
         data =<<_EOF

upgrade.nomad.hcl

@@ -37,7 +37,7 @@ job "[[ .instance ]]-upgrade" {
         PG_DO_UPGRADE = [[ $c.do_upgrade | toJSON ]]
       }
 
-[[ template "common/file_env.tpl" $c.env ]]
+[[ template "common/file_env.tpl" $c ]]
 
       volume_mount {
         volume      = "data"

variables.yml

@@ -31,7 +31,7 @@ pg:
   # Postgres server settings
   server:
     # The image to use
-    image: '[[ .docker.repo ]]patroni:15.24.2-3'
+    image: '[[ .docker.repo ]]patroni:15.24.3-1'
 
     # Number of postgres instance. Patroni will handle leader election and replication
     count: 1
@@ -194,7 +194,7 @@ pg:
   # manage can create database, users and sync permissions from LDAP (using ldap2pg)
   manage:
     # Image to use
-    image: '[[ .docker.repo ]]ldap2pg:6.0-9'
+    image: '[[ .docker.repo ]]ldap2pg:6.0-10'
 
     # Resource allocation
     resources: