Replace Bitnami PostgreSQL with CloudNative-PG (CNPG)

.github/workflows/preview-helm-charts.yml

@@ -160,8 +160,6 @@ jobs:
           RUNTIME_API_PREVIEW="${RUNTIME_API_VERSION}-alpha.${{ github.event.pull_request.number }}"
 
           yq -i "(.dependencies[] | select(.name == \"runtime-api\")).version = \"${RUNTIME_API_PREVIEW}\"" charts/openhands/Chart.yaml
-
-          helm dependency update charts/openhands
 
       - name: Update automation dependency version
         if: steps.check.outputs.should_publish == 'true' && matrix.chart.name == 'openhands' && needs.detect-changes.outputs.automation == 'true'

charts/automation/Chart.lock

@@ -1,9 +1,6 @@
 dependencies:
-- name: postgresql
-  repository: https://charts.bitnami.com/bitnami
-  version: 15.5.38
 - name: minio
   repository: https://charts.min.io/
   version: 5.0.10
-digest: sha256:bb32f5ad11adfc7b0563aeba08a608cfaaa57343152b6439794722dcd02be4ac
-generated: "2026-03-26T15:24:25.529071776Z"
+digest: sha256:58db3f82aecc29448840f9e5349645bc682bb4575ce2d493a9651a7a99f54935
+generated: "2026-04-03T15:12:16.155332-04:00"

charts/automation/Chart.yaml

@@ -2,13 +2,9 @@ apiVersion: v2
 name: automation
 description: OpenHands Automations Service — scheduled and event-driven automation execution
 type: application
-version: 0.1.0
+version: 0.2.0
 appVersion: "0.1.0"
 dependencies:
-  - name: postgresql
-    version: 15.x.x
-    repository: https://charts.bitnami.com/bitnami
-    condition: postgresql.enabled
   - name: minio
     version: 5.0.10
     repository: https://charts.min.io/

charts/automation/templates/deployment.yaml

@@ -24,75 +24,42 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       initContainers:
-      {{- if .Values.database.createDatabaseUser }}
-      # Create automation database and user in an existing PostgreSQL instance
-      - name: create-db-user
-        image: postgres:14
-        env:
-          - name: PGPASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Values.database.superuserSecretName }}
-                key: {{ .Values.database.superuserSecretKey }}
-          - name: DB_HOST
-            value: {{ .Values.database.host | quote }}
-          - name: DB_PORT
-            value: {{ .Values.database.port | quote }}
-          - name: DB_NAME
-            value: {{ .Values.database.name | quote }}
-          - name: DB_USER
-            value: {{ .Values.database.user | quote }}
-          - name: DB_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Values.database.secretName }}
-                key: {{ .Values.database.secretKey }}
-        command:
-          - sh
-          - -c
-          - |
-            echo "Waiting for PostgreSQL at $DB_HOST to be available..."
-            for i in $(seq 1 60); do
-              if psql -h $DB_HOST -p $DB_PORT -U postgres -d postgres -c "SELECT 1;" > /dev/null 2>&1; then
-                echo "PostgreSQL is up!"
-
-                echo "Creating the database $DB_NAME if it doesn't exist..."
-                psql -h $DB_HOST -p $DB_PORT -U postgres -d postgres -tc "SELECT 1 FROM pg_database WHERE datname='$DB_NAME'" | grep -q 1 || \
-                psql -h $DB_HOST -p $DB_PORT -U postgres -d postgres -c "CREATE DATABASE $DB_NAME;"
-
-                echo "Creating the user $DB_USER if it doesn't exist..."
-                psql -h $DB_HOST -p $DB_PORT -U postgres -d $DB_NAME -tc "SELECT 1 FROM pg_roles WHERE rolname='$DB_USER'" | grep -q 1 || \
-                (psql -h $DB_HOST -p $DB_PORT -U postgres -d $DB_NAME -c "CREATE USER $DB_USER WITH PASSWORD '$DB_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $DB_NAME TO $DB_USER; GRANT USAGE ON SCHEMA public TO $DB_USER; GRANT CREATE ON SCHEMA public TO $DB_USER; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO $DB_USER;")
-
-                exit 0
-              fi
-              echo "Waiting for PostgreSQL... ($i/60)"
-              sleep 5
-            done
-            echo "PostgreSQL did not become available in time."
-            exit 1
-      {{- else if .Values.postgresql.enabled }}
-      # Wait for the automation's own PostgreSQL subchart to be ready
-      - name: wait-for-postgres
-        image: bitnamilegacy/postgresql:latest
+      {{- if .Values.database.waitForDatabase }}
+      - name: wait-for-db
+        image: postgres:16
         command: ['sh', '-c']
         args:
           - |
-            DB_HOST="{{ .Values.database.host }}"
-            echo "Waiting for PostgreSQL at $DB_HOST to be ready..."
-            until PGPASSWORD=$AUTOMATION_DB_PASS psql -h $DB_HOST -p {{ .Values.database.port }} -U {{ .Values.database.user }} -c '\q' > /dev/null 2>&1; do
+            echo "Waiting for PostgreSQL at $AUTOMATION_DB_HOST to be ready..."
+            until PGPASSWORD=$AUTOMATION_DB_PASS pg_isready -h $AUTOMATION_DB_HOST -p $AUTOMATION_DB_PORT -U $AUTOMATION_DB_USER > /dev/null 2>&1; do
               echo "PostgreSQL is unavailable - sleeping for 2 seconds"
               sleep 2
             done
             echo "PostgreSQL is up and running!"
         env:
         {{- include "automation.env" . | nindent 8 }}
       {{- end }}
+      {{- if .Values.database.createDatabases }}
+      - name: create-db
+        image: postgres:16
+        command: ['sh', '-c']
+        args:
+          - |
+            export PGPASSWORD=$AUTOMATION_DB_PASS
+            PSQL="psql -h $AUTOMATION_DB_HOST -p $AUTOMATION_DB_PORT -U $AUTOMATION_DB_USER"
+            echo "Ensuring database \"$AUTOMATION_DB_NAME\" exists..."
+            $PSQL -d postgres -tc "SELECT 1 FROM pg_database WHERE datname='$AUTOMATION_DB_NAME'" | grep -q 1 || \
+            $PSQL -d postgres -c "CREATE DATABASE $AUTOMATION_DB_NAME;"
+        env:
+        {{- include "automation.env" . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.database.migrate }}
       - name: migrate
         image: '{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}'
         command: ["alembic", "upgrade", "head"]
         env:
         {{- include "automation.env" . | nindent 8 }}
+      {{- end }}
       containers:
       - name: automation
         imagePullPolicy: Always

charts/automation/values.yaml

@@ -45,26 +45,24 @@ automationBaseUrl: ""
 
 # PostgreSQL database configuration
 database:
-  # Full hostname of the PostgreSQL server
-  # Examples:
-  #   - Cloud SQL: "my-project:us-central1:my-instance"
-  #   - In-cluster: "openhands-main-postgresql"
-  #   - Feature env: "openhands-feature-branch-postgresql"
+  # Hostname of the PostgreSQL server
   host: ""
+  # Port of the PostgreSQL server
   port: "5432"
+  # Database user
   user: "automation_user"
+  # Database name
   name: "automations"
-  # Secret containing the automation database password
+  # Name of the Kubernetes secret containing the database password
   secretName: "automation-db-secret"
+  # Key within the secret that holds the password
   secretKey: "db-password"
-  # Create database and user in an existing PostgreSQL instance
-  # When true, runs an init container to create the database and user
-  # Useful when sharing a PostgreSQL instance with other services
-  createDatabaseUser: false
-  # Secret containing the postgres superuser password (for creating the automation user)
-  # Only used when createDatabaseUser=true
-  superuserSecretName: "postgres-password"
-  superuserSecretKey: "password"
+  # Wait for the database to be ready before starting the application
+  waitForDatabase: true
+  # Create the database if it does not exist
+  createDatabases: false
+  # Run database migrations on startup
+  migrate: true
 
 # GCP Cloud SQL (leave empty for non-GCP)
 gcp:
@@ -137,25 +135,6 @@ datadog:
 # Env vars passed directly to the container
 env: {}
 
-# PostgreSQL subchart configuration (for ephemeral/feature environments)
-# When enabled, deploys an in-cluster PostgreSQL instance
-# Service name will be "{release-name}-postgresql", secret name also "{release-name}-postgresql"
-postgresql:
-  enabled: false
-  auth:
-    username: postgres
-    database: automations
-  primary:
-    persistence:
-      enabled: false
-    initdb:
-      scriptsConfigMap: ""
-  service:
-    ports:
-      postgresql: 5432
-  image:
-    repository: bitnamilegacy/postgresql
-
 global:
   security:
     # This allows using the bitnamilegacy image repo

charts/infra/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: cloudnative-pg
+  repository: https://cloudnative-pg.github.io/charts
+  version: 0.23.2
+digest: sha256:db9f0efc07f208bcd280bc9c19e7c1c5983a36b45ac9b2976e16503a8dea45ab
+generated: "2026-04-03T15:12:06.037216-04:00"

charts/infra/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: infra
+description: Infrastructure components for OpenHands (CNPG operator)
+type: application
+version: 0.1.0
+appVersion: "1.0"
+dependencies:
+  - name: cloudnative-pg
+    repository: https://cloudnative-pg.github.io/charts
+    version: 0.23.x
+    condition: cloudnative-pg.enabled

charts/infra/values.yaml

@@ -0,0 +1,2 @@
+cloudnative-pg:
+  enabled: true

charts/openhands/Chart.lock

@@ -14,9 +14,6 @@ dependencies:
 - name: minio
   repository: https://charts.min.io/
   version: 5.0.10
-- name: postgresql
-  repository: https://charts.bitnami.com/bitnami
-  version: 15.5.38
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 20.3.0
@@ -25,6 +22,9 @@ dependencies:
   version: 1.9.0
 - name: runtime-api
   repository: oci://ghcr.io/all-hands-ai/helm-charts
-  version: 0.1.24
-digest: sha256:bca3722cdd4840a4557955ea2b80e38991cc2d0a0211855a791cf98e37410e45
-generated: "2026-03-18T00:28:58.972983917-04:00"
+  version: 0.2.6
+- name: automation
+  repository: oci://ghcr.io/all-hands-ai/helm-charts
+  version: 0.1.0
+digest: sha256:bf943198f5990e2b0e752f9d35cd984dc3863f8b4321f40c08a0c8d440d951df
+generated: "2026-04-03T15:12:20.635728-04:00"

charts/openhands/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 description: OpenHands is an AI-driven autonomous software engineer
 name: openhands
 appVersion: cloud-1.19.0
-version: 0.3.12
+version: 0.4.0
 maintainers:
   - name: rbren
   - name: xingyao
@@ -28,10 +28,6 @@ dependencies:
     version: 5.0.10
     condition: filestore.ephemeral
     repository: https://charts.min.io/
-  - name: postgresql
-    version: 15.x.x
-    repository: https://charts.bitnami.com/bitnami
-    condition: postgresql.enabled
   - name: redis
     version: 20.3.0
     repository: oci://registry-1.docker.io/bitnamicharts
@@ -42,9 +38,9 @@ dependencies:
     condition: replicated.enabled
   - name: runtime-api
     repository: oci://ghcr.io/all-hands-ai/helm-charts
-    version: 0.2.7
+    version: 0.3.0
     condition: runtime-api.enabled
   - name: automation
     repository: oci://ghcr.io/all-hands-ai/helm-charts
-    version: 0.1.0
+    version: 0.2.0
     condition: automation.enabled

charts/openhands/templates/_env.yaml

@@ -305,21 +305,14 @@
   value: "1"
 {{- end }}
 
-{{- if .Values.postgresql.enabled }}
 - name: DB_HOST
-  value: "{{ .Release.Name }}-postgresql"
+  value: {{ .Values.database.host | quote }}
+- name: DB_PORT
+  value: {{ .Values.database.port | quote }}
 - name: DB_USER
-  value: "{{ .Values.postgresql.auth.username }}"
+  value: {{ .Values.database.user | quote }}
 - name: DB_NAME
-  value: "{{ .Values.postgresql.auth.database }}"
-{{- else }}
-- name: DB_HOST
-  value: "{{ .Values.externalDatabase.host }}"
-- name: DB_USER
-  value: "{{ .Values.externalDatabase.username }}"
-- name: DB_NAME
-  value: "{{ .Values.externalDatabase.database }}"
-{{- end }}
+  value: {{ .Values.database.name | quote }}
 {{- if .Values.datadog.enabled }}
 # Datadog configuration
 - name: DD_AGENT_HOST
@@ -342,8 +335,8 @@
 - name: DB_PASS
   valueFrom:
     secretKeyRef:
-      name: {{ .Values.postgresql.auth.existingSecret }}
-      key: password
+      name: {{ .Values.database.secretName }}
+      key: {{ .Values.database.secretKey }}
 {{- if .Values.jira.enabled }}
 - name: ENABLE_JIRA
   value: "true"

charts/openhands/templates/_init-containers.yaml

@@ -1,7 +1,7 @@
 {{- define "openhands.dbInitContainers" }}
-{{- if .Values.databaseMigrations.waitForDatabase }}
+{{- if .Values.database.waitForDatabase }}
 - name: wait-for-db
-  image: "bitnamilegacy/postgresql:latest"
+  image: "postgres:16"
   command: ['sh', '-c']
   args:
     - |
@@ -16,9 +16,9 @@
   env:
     {{- include "openhands.env" . | nindent 4 }}
 {{- end }}
-{{- if .Values.databaseMigrations.createDatabases }}
+{{- if .Values.database.createDatabases }}
 - name: create-db
-  image: "bitnamilegacy/postgresql:latest"
+  image: "postgres:16"
   command: ['sh', '-c']
   args:
     - |
@@ -35,7 +35,7 @@
       value: "{{ .Values.keycloak.externalDatabase.database }}{{- if (index .Values "litellm-helm").enabled }} {{ (index .Values "litellm-helm").db.database }}{{- end }}{{- if .Values.langfuse.enabled }} {{ .Values.langfuse.postgresql.auth.database }}{{- end }}"
     {{- include "openhands.env" . | nindent 4 }}
 {{- end }}
-{{- if .Values.databaseMigrations.migrate }}
+{{- if .Values.database.migrate }}
 - name: migrate-db
   image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
   command: ["/bin/sh", "-c"]

charts/openhands/templates/cnpg-cluster.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.cnpg.enabled }}
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: oh-main-postgresql
+  namespace: {{ .Release.Namespace }}
+spec:
+  instances: {{ .Values.cnpg.instances | default 1 }}
+
+  enableSuperuserAccess: true
+  superuserSecret:
+    name: {{ .Values.database.secretName }}
+
+  bootstrap:
+    initdb:
+      database: postgres
+      owner: {{ .Values.database.user }}
+
+  storage:
+    size: {{ .Values.cnpg.storage.size | default "10Gi" }}
+    {{- if .Values.cnpg.storage.storageClass }}
+    storageClass: {{ .Values.cnpg.storage.storageClass }}
+    {{- end }}
+
+  {{- if .Values.cnpg.imageName }}
+  imageName: {{ .Values.cnpg.imageName }}
+  {{- end }}
+
+  {{- with .Values.imagePullSecrets }}
+  imagePullSecrets:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}