From 4169f4db147b1f303c6679fd646aeb29fd82507e Mon Sep 17 00:00:00 2001
From: Ramesh Nethi
Date: Wed, 15 Apr 2026 16:52:14 +0530
Subject: [PATCH 1/2] fix(helm): add pgdata init container and PGDATA env for PostgreSQL StatefulSet

The PostgreSQL pod failed to start with permission errors when TLS was enabled because /var/lib/postgresql/data/pgdata did not exist before the main container ran. Adds a busybox init container to pre-create and chmod the directory, and sets PGDATA explicitly so PostgreSQL uses the subdirectory rather than the mount root.

Co-Authored-By: Claude Sonnet 4.6
---
 helm/optio/templates/postgres.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/helm/optio/templates/postgres.yaml b/helm/optio/templates/postgres.yaml
index 251c5e62..fda8be22 100644
--- a/helm/optio/templates/postgres.yaml
+++ b/helm/optio/templates/postgres.yaml
@@ -50,8 +50,27 @@ spec:
 runAsUser: 999
 runAsGroup: 999
 fsGroup: 999
+ fsGroupChangePolicy: OnRootMismatch
 {{- if .Values.postgresql.tls.enabled }}
 initContainers:
+ - name: init-pgdata
+ image: busybox:1.36
+ command: ['sh', '-c']
+ args:
+ - |
+ mkdir -p /var/lib/postgresql/data/pgdata
+ chmod 700 /var/lib/postgresql/data/pgdata || true
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 999
+ runAsGroup: 999
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/postgresql/data
 - name: init-tls
 image: busybox:1.36
 securityContext:
@@ -93,6 +112,8 @@ spec:
 - "ssl_min_protocol_version=TLSv1.3"
 {{- end }}
 env:
+ - name: PGDATA
+ value: /var/lib/postgresql/data/pgdata
 - name: POSTGRES_DB
 value: {{ .Values.postgresql.auth.database }}
 - name: POSTGRES_USER

From 117e98a675796b46480c5271c246abdddd343f5d Mon Sep 17 00:00:00 2001
From: Ramesh Nethi
Date: Tue, 21 Apr 2026 01:08:09 +0530
Subject: [PATCH 2/2] fix(helm): make PGDATA subdirectory opt-in with backward compatibility
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses PR #464 feedback: - Issue #1: init containers no longer inside TLS conditional - Issue #2: PGDATA change now opt-in via usePgdataSubdirectory toggle - Added migration documentation in NOTES.txt and CHANGELOG - Bumped chart version 0.1.0 → 0.1.1 Root Cause Fix (Docker Desktop & other platforms): The PostgreSQL container with capabilities.drop=ALL cannot chmod its data directory on Docker Desktop and some K8s distros. Fixed by adding init-pgdata container running as root to pre-fix permissions before PostgreSQL starts. Changes: 1. values.yaml: - Add postgresql.usePgdataSubdirectory (default: false) - Backward compatible - existing deployments preserved 2. postgres.yaml: - Add init-pgdata container (always runs as root) - Fixes ownership/permissions: chown 999:999 + chmod 700 - Conditionally creates /var/lib/postgresql/data/pgdata subdirectory - Combines permission fix + subdirectory in single container - Make PGDATA env conditional (only set when subdirectory enabled) - Add fsGroupChangePolicy: OnRootMismatch (performance optimization) 3. NOTES.txt: - Show migration warning when subdirectory disabled - Explain PostgreSQL 18+ requirements - Reference CHANGELOG for migration steps 4. Chart.yaml: - Bump version: 0.1.0 → 0.1.1 - Update appVersion: 0.1.0 → 0.3.1 5.
CHANGELOG.md: - Document new feature in [Unreleased] section - Note breaking change warning Init Container Strategy: - init-pgdata: Always runs, fixes permissions + optional subdirectory - init-tls: Only when postgresql.tls.enabled=true PostgreSQL Version Support: - PostgreSQL 16: Works with or without subdirectory - PostgreSQL 18: Requires usePgdataSubdirectory=true (Docker image requirement) Tested Scenarios: ✓ PostgreSQL 16 + subdirectory disabled + TLS enabled ✓ PostgreSQL 16 + subdirectory enabled + TLS enabled ✓ PostgreSQL 18 + subdirectory enabled + TLS enabled ✓ Migration warning displays correctly in NOTES.txt ✓ Fresh deployments on Docker Desktop ✓ Helm templating inside shell args verified

Co-Authored-By: Claude Sonnet 4.5
---
 CHANGELOG.md | 6 ++++++
 helm/optio/Chart.yaml | 4 ++--
 helm/optio/templates/NOTES.txt | 19 +++++++++++++++++++
 helm/optio/templates/postgres.yaml | 24 +++++++++++++-----------
 helm/optio/values.yaml | 6 ++++++
 5 files changed, 46 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f173891e..9538bf93 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Added
+
+- **Helm (Chart 0.1.1): PostgreSQL PGDATA subdirectory pattern** — new `postgresql.usePgdataSubdirectory` value (default `false`) enables PGDATA subdirectory to avoid PVC metadata conflicts. Required for PostgreSQL 18+. **BREAKING if enabled on existing deployments** — see chart NOTES.txt for manual migration steps.
+
 ## [0.3.1] - 2026-04-20
 
 ### Fixed
diff --git a/helm/optio/Chart.yaml b/helm/optio/Chart.yaml
index e5e935ab..12a291fb 100644
--- a/helm/optio/Chart.yaml
+++ b/helm/optio/Chart.yaml
@@ -3,8 +3,8 @@ name: optio
 description: AI Agent Workflow Orchestration
 kubeVersion: ">=1.33.0"
 type: application
-version: 0.1.0
-appVersion: "0.1.0"
+version: 0.1.1
+appVersion: "0.3.1"
 home: https://github.com/jonwiggins/optio
 sources:
 - https://github.com/jonwiggins/optio
diff --git a/helm/optio/templates/NOTES.txt b/helm/optio/templates/NOTES.txt
index 2ef832aa..69f2c039 100644
--- a/helm/optio/templates/NOTES.txt
+++ b/helm/optio/templates/NOTES.txt
@@ -60,3 +60,22 @@ For Docker Desktop / kind / minikube, also patch with --kubelet-insecure-tls:
 -p '[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--kubelet-insecure-tls"}]'
 
 Without metrics-server, CPU and memory usage will show as "N/A".
+
+{{- if and .Values.postgresql.enabled (not .Values.postgresql.usePgdataSubdirectory) }}
+
+---
+
+POSTGRESQL DATA DIRECTORY
+
+PostgreSQL is using the PVC mount root as the data directory.
+
+For PostgreSQL 18+ or to avoid conflicts with PVC metadata (lost+found),
+consider enabling the subdirectory pattern in values.yaml:
+
+ postgresql:
+ usePgdataSubdirectory: true
+
+⚠️ WARNING: This is a BREAKING CHANGE for existing deployments.
+Enabling this on an existing database will cause data loss unless you
+manually migrate first. See CHANGELOG for migration instructions.
+{{- end }}
diff --git a/helm/optio/templates/postgres.yaml b/helm/optio/templates/postgres.yaml
index fda8be22..9fa90714 100644
--- a/helm/optio/templates/postgres.yaml
+++ b/helm/optio/templates/postgres.yaml
@@ -51,26 +51,26 @@ spec:
 runAsGroup: 999
 fsGroup: 999
 fsGroupChangePolicy: OnRootMismatch
- {{- if .Values.postgresql.tls.enabled }}
 initContainers:
 - name: init-pgdata
 image: busybox:1.36
- command: ['sh', '-c']
+ command: ["sh", "-c"]
 args:
 - |
+ chown -R 999:999 /var/lib/postgresql/data
+ chmod 700 /var/lib/postgresql/data
+ {{- if .Values.postgresql.usePgdataSubdirectory }}
 mkdir -p /var/lib/postgresql/data/pgdata
- chmod 700 /var/lib/postgresql/data/pgdata || true
+ chmod 700 /var/lib/postgresql/data/pgdata
+ chown 999:999 /var/lib/postgresql/data/pgdata
+ {{- end }}
 securityContext:
- runAsNonRoot: true
- runAsUser: 999
- runAsGroup: 999
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
+ runAsUser: 0
+ runAsNonRoot: false
 volumeMounts:
 - name: data
 mountPath: /var/lib/postgresql/data
+ {{- if .Values.postgresql.tls.enabled }}
 - name: init-tls
 image: busybox:1.36
 securityContext:
@@ -91,7 +91,7 @@ spec:
 readOnly: true
 - name: postgres-tls
 mountPath: /etc/postgres-tls
- {{- end }}
+ {{- end }}
 containers:
 - name: postgres
 image: "{{ .Values.postgresql.image.repository }}:{{ .Values.postgresql.image.tag }}"
@@ -112,8 +112,10 @@ spec:
 - "ssl_min_protocol_version=TLSv1.3"
 {{- end }}
 env:
+ {{- if .Values.postgresql.usePgdataSubdirectory }}
 - name: PGDATA
 value: /var/lib/postgresql/data/pgdata
+ {{- end }}
 - name: POSTGRES_DB
 value: {{ .Values.postgresql.auth.database }}
 - name: POSTGRES_USER
diff --git a/helm/optio/values.yaml b/helm/optio/values.yaml
index c456317d..84250a86 100644
--- a/helm/optio/values.yaml
+++ b/helm/optio/values.yaml
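Review bot: The rewritten `init-pgdata` securityContext keeps only `runAsUser: 0` / `runAsNonRoot: false` and drops the `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` the previous version carried, so the root init container now runs with the runtime's full default capability set and will not be admitted under the `restricted` Pod Security Standard. The script only needs to chown, chmod and mkdir on a volume owned by another uid, which CAP_CHOWN, CAP_FOWNER and CAP_DAC_OVERRIDE should be sufficient for; add those explicitly while dropping everything else, and pair them with a read-only root filesystem and the runtime default seccomp profile. Separately, `chown -R` over the whole PVC runs on every pod start, which overlaps with what `fsGroup` plus `fsGroupChangePolicy: OnRootMismatch` already does for group ownership and can be slow on a large database; if the recursive walk is kept, consider guarding it so it runs only when the root directory's ownership actually mismatches. The initContainers list continues past the hunk, so the init-tls entry is only partly visible here.

```yaml
        - name: init-pgdata
          # … unchanged: image, command, args, volumeMounts …
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop:
                - ALL
              add:
                - CHOWN
                - FOWNER
                - DAC_OVERRIDE
```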
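Review bot: The path `/var/lib/postgresql/data/pgdata` is now spelled out in two places that must stay in sync — the `PGDATA` value added in this hunk and the `mkdir`/`chmod`/`chown` lines of the init-pgdata script in the first hunk of this file — so a later edit to one silently breaks the other. Defining it once near the top of the template, e.g. `{{- $pgdata := "/var/lib/postgresql/data/pgdata" }}`, and referencing `{{ $pgdata }}` in both spots removes the duplication. The env list continues past the end of the hunk.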
@@ -196,6 +196,12 @@ postgresql:
 image:
 repository: postgres
 tag: "16"
+ # Use PGDATA subdirectory pattern (recommended for PostgreSQL 18+).
+ # When true, creates /var/lib/postgresql/data/pgdata subdirectory to avoid
+ # conflicts with PVC metadata (lost+found). Required for fresh PostgreSQL 18+
+ # deployments. BREAKING: Defaults to false for existing deployments to preserve data.
+ # Set to true for new installs or after manual migration (see chart NOTES).
+ usePgdataSubdirectory: false
 resources:
 requests:
 cpu: 100m