feat: remove wait-for-postgres init container from deployment (#583)

Author: mridang

charts/zitadel/Chart.yaml

@@ -3,7 +3,7 @@ name: zitadel
 description: A Helm chart for ZITADEL
 type: application
 appVersion: v4.13.0
-version: 9.29.0
+version: 9.30.0
 kubeVersion: '>= 1.30.0-0'
 home: https://zitadel.com
 sources:

charts/zitadel/README.md

@@ -2,7 +2,7 @@
 
 # Zitadel
 
-![Version: 9.29.0](https://img.shields.io/badge/Version-9.29.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.13.0](https://img.shields.io/badge/AppVersion-v4.13.0-informational?style=flat-square)
+![Version: 9.30.0](https://img.shields.io/badge/Version-9.30.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.13.0](https://img.shields.io/badge/AppVersion-v4.13.0-informational?style=flat-square)
 
 ## A Better Identity and Access Management Solution
 
@@ -391,7 +391,7 @@ Kubernetes: `>= 1.30.0-0`
 | tools.wait4x.image.pullPolicy | string | `""` | The pull policy for the wait4x image. If left empty, the chart defaults to the Kubernetes default pull policy for the given tag. |
 | tools.wait4x.image.repository | string | `"wait4x/wait4x"` | The name of the image repository that contains the wait4x image. The chart automatically prepends the registry (docker.io by default) for compatibility with CRI-O v1.34+ which enforces fully qualified names. |
 | tools.wait4x.image.tag | string | `"3.6"` | The image tag to use for the wait4x image. Leave empty to require the user to set a specific version explicitly. |
-| tools.wait4x.resources | ResourceRequirements | `{}` | CPU and memory resource requests and limits for wait4x init containers. These resources apply to all init containers using the wait4x tool, including wait-for-zitadel and wait-for-postgres. Setting equal requests and limits enables the "Guaranteed" QoS class when combined with resource settings on the main container. Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
+| tools.wait4x.resources | ResourceRequirements | `{}` | CPU and memory resource requests and limits for wait4x init containers. These resources apply to all init containers using the wait4x tool, such as wait-for-zitadel. Setting equal requests and limits enables the "Guaranteed" QoS class when combined with resource settings on the main container. Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
 | topologySpreadConstraints | []TopologySpreadConstraint | `[]` | Topology spread constraints control how pods are distributed across topology domains (e.g., zones, nodes, regions) for high availability. Unlike affinity, these constraints provide more granular control over pod distribution. Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ |
 | zitadel.autoscaling.annotations | map[string]string | `{}` | Annotations applied to the HPA object. |
 | zitadel.autoscaling.behavior | HorizontalPodAutoscalerBehavior | `{}` | Configures the scaling behavior for scaling up and down. See: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |

charts/zitadel/templates/_helpers.tpl

@@ -352,26 +352,6 @@ http://{{ include "zitadel.fullname" . }}:{{ .Values.service.port }}/debug/ready
 {{- end -}}
 
 
-{{/*
-Returns the PostgreSQL TCP endpoint for wait4x health checks.
-Extracts the database host and port from ZITADEL configuration.
-Format: tcp://<host>:<port>
-Example: tcp://db-postgresql:5432
-*/}}
-{{- define "zitadel.postgresEndpoint" -}}
-{{- if .Values.zitadel -}}
-  {{- if .Values.zitadel.configmapConfig -}}
-    {{- if .Values.zitadel.configmapConfig.Database -}}
-      {{- with .Values.zitadel.configmapConfig.Database.Postgres -}}
-        {{- if .Host }}
-          {{- .Host }}:{{ .Port | default 5432 }}
-        {{- end -}}
-      {{- end -}}
-    {{- end -}}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 This helper template takes the Kubernetes cluster's version string, which
 can be complex (e.g., "v1.28.5+k3s1"), and returns a sanitized, clean

charts/zitadel/templates/deployment_zitadel.yaml

@@ -94,6 +94,8 @@ spec:
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
               value: /db-ssl-user-crt/tls.key
             {{- end }}
+            - name: ZITADEL_DATABASE_{{ $dbEnv }}_AWAITINITIALCONN
+              value: "5m"
             {{- if .Values.zitadel.serverSslCrtSecret }}
             - name: ZITADEL_TLS_CERTPATH
               value: /server-ssl-crt/tls.crt
@@ -213,38 +215,8 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 14 }}
-      initContainers:
-      # The following initContainer is conditional. It is only added if the
-      # PostgreSQL endpoint can be fully determined from the Helm values. This is
-      # necessary to gracefully handle configurations where database credentials are
-      # provided via external secrets (instead of the values file), which would
-      # otherwise cause a template rendering error during `helm install`.
-      {{- $pgEndpoint := include "zitadel.postgresEndpoint" . }}
-      {{- if $pgEndpoint }}
-        # This initContainer acts as a dependency check before the main application
-        # starts. It uses the `wait4x` tool to pause the pod's startup sequence
-        # until the PostgreSQL database is accepting TCP connections. This prevents
-        # the main ZITADEL container from starting and potentially crashing before its
-        # database is available, thus improving deployment reliability.
-        - name: wait-for-postgres
-          image: {{ include "wait4x.image" . }}
-          imagePullPolicy: '{{ default "IfNotPresent" .Values.tools.wait4x.image.pullPolicy }}'
-          command:
-            - wait4x
-            - tcp
-            - {{ $pgEndpoint }}
-            - --timeout
-            - "5m"
-            - --interval
-            - "5s"
-          securityContext:
-            {{- include "zitadel.securityContext" . | nindent 12 }}
-          {{- with .Values.tools.wait4x.resources }}
-          resources:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-      {{- end }}
       {{- with .Values.zitadel.initContainers }}
+      initContainers:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:

charts/zitadel/values.schema.json

@@ -1499,7 +1499,7 @@
                             }
                         },
                         "resources": {
-                            "description": "CPU and memory resource requests and limits for wait4x init containers. These resources apply to all init containers using the wait4x tool, including wait-for-zitadel and wait-for-postgres. Setting equal requests and limits enables the \"Guaranteed\" QoS class when combined with resource settings on the main container. Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
+                            "description": "CPU and memory resource requests and limits for wait4x init containers. These resources apply to all init containers using the wait4x tool, such as wait-for-zitadel. Setting equal requests and limits enables the \"Guaranteed\" QoS class when combined with resource settings on the main container. Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
                             "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements",
                             "type": "object"
                         }

charts/zitadel/values.yaml

@@ -1360,9 +1360,9 @@ extraManifests: []
   #       - Ingress
 
 # Configuration for helper tools used by init containers and jobs. These images
-# are used by components such as wait-for-zitadel, wait-for-postgres, and the
-# setup and cleanup jobs. Each tool follows the standard image configuration
-# pattern with registry, repository, tag, pull policy, and pull secrets.
+# are used by components such as wait-for-zitadel and the setup and cleanup
+# jobs. Each tool follows the standard image configuration pattern with
+# registry, repository, tag, pull policy, and pull secrets.
 tools:
   # Configuration for the wait4x image used for readiness and dependency checks
   # in init containers. Values are intentionally left empty and should be set by
@@ -1382,9 +1382,9 @@ tools:
     # @schema $ref: $k8s/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements
     # -- (ResourceRequirements) CPU and memory resource requests and limits for wait4x init containers.
     # These resources apply to all init containers using the wait4x tool,
-    # including wait-for-zitadel and wait-for-postgres. Setting equal requests
-    # and limits enables the "Guaranteed" QoS class when combined with resource
-    # settings on the main container.
+    # such as wait-for-zitadel. Setting equal requests and limits enables the
+    # "Guaranteed" QoS class when combined with resource settings on the main
+    # container.
     # Ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
     resources: {}
       # Example for Guaranteed QoS class:

test/smoke/deployment_test.go

@@ -60,21 +60,6 @@ func TestDeploymentMatrix(t *testing.T) {
 								RunAsUser:    assert.SomePtr(int64(1000)),
 								FSGroup:      assert.SomePtr(int64(1000)),
 							},
-							InitContainers: assert.Some([]assert.ContainerAssertion{
-								{
-									Name: assert.Some("wait-for-postgres"),
-									Resources: assert.ResourceRequirementsAssertion{
-										Requests: assert.Some(corev1.ResourceList{}),
-										Limits:   assert.Some(corev1.ResourceList{}),
-									},
-									SecurityContext: assert.SecurityContextAssertion{
-										RunAsNonRoot:           assert.SomePtr(true),
-										RunAsUser:              assert.SomePtr(int64(1000)),
-										ReadOnlyRootFilesystem: assert.SomePtr(true),
-										Privileged:             assert.SomePtr(false),
-									},
-								},
-							}),
 							Containers: assert.Some([]assert.ContainerAssertion{
 								{
 									Name: assert.Some("zitadel"),
@@ -161,29 +146,6 @@ func TestDeploymentMatrix(t *testing.T) {
 				"tools.wait4x.resources.limits.cpu":      "100m",
 				"tools.wait4x.resources.limits.memory":   "64Mi",
 			},
-			zitadel: &assert.DeploymentAssertion{
-				Spec: assert.DeploymentSpecAssertion{
-					Template: assert.PodTemplateSpecAssertion{
-						Spec: assert.PodSpecAssertion{
-							InitContainers: assert.Some([]assert.ContainerAssertion{
-								{
-									Name: assert.Some("wait-for-postgres"),
-									Resources: assert.ResourceRequirementsAssertion{
-										Requests: assert.Some(corev1.ResourceList{
-											corev1.ResourceCPU:    resource.MustParse("50m"),
-											corev1.ResourceMemory: resource.MustParse("32Mi"),
-										}),
-										Limits: assert.Some(corev1.ResourceList{
-											corev1.ResourceCPU:    resource.MustParse("100m"),
-											corev1.ResourceMemory: resource.MustParse("64Mi"),
-										}),
-									},
-								},
-							}),
-						},
-					},
-				},
-			},
 			login: &assert.DeploymentAssertion{
 				Spec: assert.DeploymentSpecAssertion{
 					Template: assert.PodTemplateSpecAssertion{
@@ -286,21 +248,6 @@ func TestDeploymentMatrix(t *testing.T) {
 									Type: assert.Some(corev1.SeccompProfileTypeRuntimeDefault),
 								},
 							},
-							InitContainers: assert.Some([]assert.ContainerAssertion{
-								{
-									Name: assert.Some("wait-for-postgres"),
-									SecurityContext: assert.SecurityContextAssertion{
-										RunAsNonRoot:             assert.SomePtr(true),
-										RunAsUser:                assert.SomePtr(int64(2000)),
-										ReadOnlyRootFilesystem:   assert.SomePtr(true),
-										Privileged:               assert.SomePtr(false),
-										AllowPrivilegeEscalation: assert.SomePtr(false),
-										Capabilities: assert.CapabilitiesAssertion{
-											Drop: assert.Some([]corev1.Capability{"ALL"}),
-										},
-									},
-								},
-							}),
 							Containers: assert.Some([]assert.ContainerAssertion{
 								{
 									Name: assert.Some("zitadel"),