InformaticsMatters · achristie-im · Jan 28, 2026 · Jan 28, 2026 · Jan 28, 2026
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -21,9 +21,9 @@ jobs:
 
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v6
       with:
         python-version: '3.12'
     - name: Install dependencies

diff --git a/roles/postgresql/defaults/main.yaml b/roles/postgresql/defaults/main.yaml
@@ -17,7 +17,7 @@ pg_vol_size_g: 50
 # The StorageClass of the postgres persistent volume.
 # A blank class implied the cluster default.
 # Unused if 'pg_vol_size_g' is '0'
-pg_vol_storageclass: " "
+pg_vol_storageclass: ' '
 
 # The volume size (Gi) of a separate 'pgcopy' volume.
 # The volume is mounted into the database container
@@ -29,11 +29,11 @@ pg_vol_storageclass: " "
 pg_copy_vol_size_g: 0
 # The StorageClass of the persistent volume.
 # A blank class implied the cluster default.
-pg_copy_vol_storageclass: " "
+pg_copy_vol_storageclass: ' '
 
 # Root-user variables
 pg_user: postgres
-pg_user_password: "{{ lookup('password', '/dev/null length=8 chars=ascii_letters,digits') }}"
+pg_user_password: "{{ lookup('password', '/dev/null length=14 chars=ascii_letters,digits') }}"
 pg_database: postgres
 
 # An auxiliary user.

diff --git a/roles/postgresql/tasks/deploy.yaml b/roles/postgresql/tasks/deploy.yaml
@@ -5,9 +5,9 @@
 - name: Assert control variables (aux user)
   assert:
     that:
-    - pg_aux_user_password|string|length > 0
-    - pg_aux_database|string|length > 0
-  when: pg_aux_user|string|length > 0
+    - pg_aux_user_password | string | length > 0
+    - pg_aux_database | string | length > 0
+  when: pg_aux_user | string | length > 0
 
 # Create namespace
 
@@ -23,16 +23,14 @@
   vars:
     pull_namespace: "{{ pg_namespace }}"
     pull_secret: "{{ pg_dockerhub_pullsecret }}"
-  when: pg_dockerhub_pullsecret|string|length > 0
+  when: pg_dockerhub_pullsecret | string | length > 0
 
 - name: Creating namespace material
   k8s:
-    definition: "{{ lookup('template', '{{ item }}.yaml.j2') }}"
+    definition: "{{ lookup('template', item) }}"
     wait: yes
   loop:
-  - serviceaccount
-  - role-im-psp-unrestricted
-  - rolebinding-pg-sa
+  - serviceaccount.yaml.j2
 
 # Secrets (database) ----------------------------------------------------------
 
@@ -52,23 +50,23 @@
     pg_aux_user_fact: "{{ pg_aux_user }}"
     pg_aux_user_password_fact: "{{ pg_aux_user_password }}"
     pg_aux_database_fact: "{{ pg_aux_database }}"
-  when: pg_s_result.resources|length == 0
+  when: pg_s_result.resources | length == 0
 
 - name: Set database secret facts (pre-deployed secrets)
   set_fact:
-    pg_user_fact: "{{ pg_s_result.resources[0].data.database_admin_user|b64decode }}"
-    pg_user_password_fact: "{{ pg_s_result.resources[0].data.database_admin_user_password|b64decode }}"
-    pg_database_fact: "{{ pg_s_result.resources[0].data.database_name|b64decode }}"
-    pg_aux_user_fact: "{{ pg_s_result.resources[0].data.database_aux_user|b64decode }}"
-    pg_aux_user_password_fact: "{{ pg_s_result.resources[0].data.database_aux_user_password|b64decode }}"
-    pg_aux_database_fact: "{{ pg_s_result.resources[0].data.database_aux_database|b64decode }}"
-  when: pg_s_result.resources|length == 1
+    pg_user_fact: "{{ pg_s_result.resources[0].data.database_admin_user | b64decode }}"
+    pg_user_password_fact: "{{ pg_s_result.resources[0].data.database_admin_user_password | b64decode }}"
+    pg_database_fact: "{{ pg_s_result.resources[0].data.database_name | b64decode }}"
+    pg_aux_user_fact: "{{ pg_s_result.resources[0].data.database_aux_user | b64decode }}"
+    pg_aux_user_password_fact: "{{ pg_s_result.resources[0].data.database_aux_user_password | b64decode }}"
+    pg_aux_database_fact: "{{ pg_s_result.resources[0].data.database_aux_database | b64decode }}"
+  when: pg_s_result.resources | length == 1
 
 - name: Write Database secrets
   k8s:
     definition: "{{ lookup('template', 'secret.yaml.j2') }}"
     wait: yes
-  when: pg_s_result.resources|length == 0
+  when: pg_s_result.resources | length == 0
 
 - name: Display Database admin password
   debug:
@@ -85,7 +83,7 @@
 
 - name: Assert {{ pg_vol_storageclass }} StorageClass
   assert:
-    that: sc_result.resources|length == 1
+    that: sc_result.resources | length == 1
     fail_msg: The {{ pg_vol_storageclass }} StorageClass must be available on the cluster
   when: pg_vol_storageclass != " "
 
@@ -94,7 +92,7 @@
     definition: "{{ lookup('template', 'pvc-pg.yaml.j2') }}"
     wait: yes
     wait_timeout: "{{ wait_timeout }}"
-  when: pg_vol_size_g|int > 0
+  when: pg_vol_size_g | int > 0
 
 # Best practice ... wait for the PVC to bind.
 # e.g. wait until resources[0].status.phase == Bound (initially Pending)
@@ -106,15 +104,15 @@
     namespace: "{{ pg_namespace }}"
   register: pg_pvc_result
   until: >-
-    pg_pvc_result.resources|length > 0
+    pg_pvc_result.resources | length > 0
     and pg_pvc_result.resources[0].status is defined
     and pg_pvc_result.resources[0].status.phase is defined
     and pg_pvc_result.resources[0].status.phase == 'Bound'
   delay: 5
-  retries: "{{ (bind_timeout|int / 5)|int }}"
+  retries: "{{ (bind_timeout | int / 5) | int }}"
   when:
-  - pg_vol_size_g|int > 0
-  - wait_for_bind|bool
+  - pg_vol_size_g | int > 0
+  - wait_for_bind | bool
 
 # Database volume (pg-copy) ---------------------------------------------------
 
@@ -130,7 +128,7 @@
 
   - name: Assert {{ pg_copy_vol_storageclass }} StorageClass
     assert:
-      that: sc_result.resources|length == 1
+      that: sc_result.resources | length == 1
       fail_msg: The {{ pg_copy_vol_storageclass }} StorageClass must be available on the cluster
     when: pg_copy_vol_storageclass != " "
 
@@ -150,28 +148,28 @@
       namespace: "{{ pg_namespace }}"
     register: pg_copy_pvc_result
     until: >-
-      pg_copy_pvc_result.resources|length > 0
+      pg_copy_pvc_result.resources | length > 0
       and pg_copy_pvc_result.resources[0].status is defined
       and pg_copy_pvc_result.resources[0].status.phase is defined
       and pg_copy_pvc_result.resources[0].status.phase == 'Bound'
     delay: 5
-    retries: "{{ (bind_timeout|int / 5)|int }}"
-    when: wait_for_bind|bool
+    retries: "{{ (bind_timeout | int / 5) | int }}"
+    when: wait_for_bind | bool
 
-  when: pg_copy_vol_size_g|int > 0
+  when: pg_copy_vol_size_g | int > 0
 
 # Database (postgres) ---------------------------------------------------------
 
 - name: Postgres
   k8s:
-    definition: "{{ lookup('template', '{{ item }}.yaml.j2') }}"
+    definition: "{{ lookup('template', item) }}"
     wait: yes
     wait_timeout: "{{ wait_timeout }}"
   loop:
-  - configmap-postgres-conf
-  - configmap-postgres-init
-  - service
-  - statefulset
+  - configmap-postgres-conf.yaml.j2
+  - configmap-postgres-init.yaml.j2
+  - service.yaml.j2
+  - statefulset.yaml.j2
 
 - name: Wait for Postgres
   k8s_info:
@@ -181,10 +179,10 @@
     - app=postgres
   register: result
   until: >-
-    result.resources|length > 0
+    result.resources | length > 0
     and result.resources[0].status.containerStatuses is defined
-    and result.resources[0].status.containerStatuses|length == 1
+    and result.resources[0].status.containerStatuses | length == 1
     and result.resources[0].status.containerStatuses[0].ready is defined
     and result.resources[0].status.containerStatuses[0].ready
   delay: 20
-  retries: "{{ (wait_timeout|int / 20)|int }}"
+  retries: "{{ (wait_timeout | int / 20) | int }}"
diff --git a/roles/postgresql/tasks/main.yaml b/roles/postgresql/tasks/main.yaml
@@ -11,17 +11,17 @@
 - name: Assert authentication
   assert:
     that:
-    - k8s_auth_host|length > 0
-    - k8s_auth_api_key|length > 0
+    - k8s_auth_host | length > 0
+    - k8s_auth_api_key | length > 0
 
 # Go...
 
 - block:
 
   - include_tasks: deploy.yaml
-    when: pg_state|string == 'present'
+    when: pg_state | string == 'present'
   - include_tasks: undeploy.yaml
-    when: pg_state|string == 'absent'
+    when: pg_state | string == 'absent'
 
   module_defaults:
     group/k8s:

diff --git a/roles/postgresql/templates/configmap-postgres-conf.yaml.j2 b/roles/postgresql/templates/configmap-postgres-conf.yaml.j2
@@ -5,4 +5,4 @@ metadata:
   name: postgres-conf
   namespace: {{ pg_namespace }}
 data:
-  postgresql.conf: "{{ pg_configuration|replace('\n', '\\n') }}"
+  postgresql.conf: "{{ pg_configuration | replace('\n', '\\n') }}"
diff --git a/roles/postgresql/templates/role-im-psp-unrestricted.yaml.j2 b/roles/postgresql/templates/role-im-psp-unrestricted.yaml.j2
diff --git a/roles/postgresql/templates/rolebinding-pg-sa.yaml.j2 b/roles/postgresql/templates/rolebinding-pg-sa.yaml.j2
diff --git a/roles/postgresql/templates/statefulset.yaml.j2 b/roles/postgresql/templates/statefulset.yaml.j2
@@ -25,13 +25,11 @@ spec:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
             - matchExpressions:
-              - key: informaticsmatters.com/purpose
-                operator: In
-                values:
-                - core
+              - key: informaticsmatters.com/purpose-core
+                operator: Exists
 {% endif %}
 
-{% if all_image_preset_pullsecret_name|string|length > 0 %}
+{% if all_image_preset_pullsecret_name | string | length > 0 %}
       imagePullSecrets:
       - name: {{ all_image_preset_pullsecret_name }}
 {% endif %}