From f6eaca384308400480a549867d644a36ccb1df7a Mon Sep 17 00:00:00 2001
From: Ahmad Murzahmatov <gwynbleidd2106@yandex.com>
Date: Tue, 8 Jul 2025 08:52:29 +0600
Subject: [PATCH] [postgres] do not allow change postgres pwd

Signed-off-by: Ahmad Murzahmatov <gwynbleidd2106@yandex.com>
---
 packages/apps/postgres/Chart.yaml                 | 2 +-
 packages/apps/postgres/templates/init-script.yaml | 4 +++-
 packages/apps/versions_map                        | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/packages/apps/postgres/Chart.yaml b/packages/apps/postgres/Chart.yaml
index f7564890..33f65a4e 100644
--- a/packages/apps/postgres/Chart.yaml
+++ b/packages/apps/postgres/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.16.0
+version: 0.17.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/packages/apps/postgres/templates/init-script.yaml b/packages/apps/postgres/templates/init-script.yaml
index bddd7dbe..80f7c4c7 100644
--- a/packages/apps/postgres/templates/init-script.yaml
+++ b/packages/apps/postgres/templates/init-script.yaml
@@ -38,7 +38,7 @@ stringData:
     until pg_isready ; do sleep 5; done
 
     echo "== create users"
-    {{- if .Values.users }}
+    {{- if and .Values.users (not (hasKey .Values.users "postgres")) }}
     psql -v ON_ERROR_STOP=1 <<\EOT
     {{- range $user, $u := .Values.users }}
     SELECT 'CREATE ROLE "{{ $user }}" LOGIN INHERIT;'
@@ -47,6 +47,8 @@ stringData:
     COMMENT ON ROLE "{{ $user }}" IS 'user managed by helm';
     {{- end }}
     EOT
+    {{- else if and .Values.users (hasKey .Values.users "postgres") }}
+    {{- fail "`users.postgres` is forbidden by policy. Use a different username." }}
     {{- end }}
 
     echo "== delete users"
diff --git a/packages/apps/versions_map b/packages/apps/versions_map
index 6372e513..a77b088b 100644
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -101,7 +101,8 @@ postgres 0.12.0 6130f43d
 postgres 0.12.1 632224a3
 postgres 0.14.0 62cb694d
 postgres 0.15.1 4369b031
-postgres 0.16.0 HEAD
+postgres 0.16.0 70f82667
+postgres 0.17.0 HEAD
 rabbitmq 0.1.0 263e47be
 rabbitmq 0.2.0 53f2365e
 rabbitmq 0.3.0 6c5cf5bf