canonical
diff --git a/‎.github/pull_request_template.md‎
Lines changed: 7 additions & 0 deletions b/‎.github/pull_request_template.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎.github/workflows/tiobe_scan.yaml‎
Lines changed: 44 additions & 0 deletions b/‎.github/workflows/tiobe_scan.yaml‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 20 additions & 4 deletions b/‎README.md‎
Lines changed: 20 additions & 4 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 25 additions & 0 deletions b/‎SECURITY.md‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎config.yaml‎
Lines changed: 6 additions & 0 deletions b/‎config.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/explanation.md‎
Lines changed: 14 additions & 4 deletions b/‎docs/explanation.md‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎docs/explanation/e-architecture.md‎
Lines changed: 4 additions & 0 deletions b/‎docs/explanation/e-architecture.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs/explanation/e-users.md‎
Lines changed: 11 additions & 4 deletions b/‎docs/explanation/e-users.md‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎docs/how-to.md‎
Lines changed: 3 additions & 3 deletions b/‎docs/how-to.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎docs/how-to/h-deploy.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/how-to/h-deploy.md‎
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,7 @@
+## Issue
+
+## Solution
+
+## Checklist
+- [ ] I have added or updated any relevant documentation.
+- [ ] I have cleaned any remaining cloud resources from my accounts.
@@ -0,0 +1,44 @@
+# Copyright 2025 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+name: Weekly TICS scan
+
+on:
+  schedule:
+    - cron: "0 2 * * 6" # Every Saturday 2:00 AM UTC
+  workflow_dispatch:
+
+jobs:
+  TICS:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create and activate virtual environment
+        run: |
+          python3 -m venv .venv
+          . .venv/bin/activate
+          pip install flake8 poetry pylint pytest tox
+          poetry install --all-groups
+          echo PATH="$PATH" >> "$GITHUB_ENV"
+
+      - name: Run coverage tests
+        run: |
+          tox -e unit
+
+      - name: Move results to the necessary folder for TICS
+        run: |
+          mkdir -p .cover
+          mv coverage.xml .cover/cobertura.xml
+
+      - name: TICS GitHub Action
+        uses: tiobe/tics-github-action@v3
+        with:
+          mode: qserver
+          project: postgresql-operator
+          viewerUrl: https://canonical.tiobe.com/tiobeweb/TICS/api/cfg?name=default
+          branchdir: ${{ env.GITHUB_WORKSPACE }}
+          ticsAuthToken: ${{ secrets.TICSAUTHTOKEN }}
+          installTics: true
+          calc: ALL
@@ -12,6 +12,7 @@ To deploy on Kubernetes, please use [Charmed PostgreSQL K8s Operator](https://ch
 This operator provides a PostgreSQL database with replication enabled: one primary instance and one (or more) hot standby replicas. The Operator in this repository is a Python script which wraps PostgreSQL versions distributed by Ubuntu Jammy series and adding [Patroni](https://github.com/zalando/patroni) on top of it, providing lifecycle management and handling events (install, configure, integrate, remove, etc).
 
 ## README contents
+
 * [Basic usage](#basic-usage): Deploy and scale Charmerd PostgreSQL
 * [Integrations](#integrations-relations): Supported interfaces for integrations
 * [Contributing](#contributing)
@@ -20,6 +21,7 @@ This operator provides a PostgreSQL database with replication enabled: one prima
 ## Basic usage
 
 ### Deployment
+
 Bootstrap a [lxd controller](https://juju.is/docs/olm/lxd#heading--create-a-controller) and create a new Juju model:
 
 ```shell
@@ -46,7 +48,9 @@ To add replicas to an existing deployment, see the [Add replicas](#add-replicas)
 >It is generally recommended to have an odd number of units to avoid a "[split-brain](https://en.wikipedia.org/wiki/Split-brain_(computing))" scenario
 
 ### Primary replica
+
 To retrieve the primary replica, use the action `get-primary` on any of the units running PostgreSQL.
+
 ```shell
 juju run postgresql/leader get-primary
 ```
@@ -58,27 +62,33 @@ Similarly, the primary replica is displayed as a status message in `juju status`
 #### Add replicas
 
 To add more replicas one can use the `juju add-unit` functionality i.e.
+
 ```shell
 juju add-unit postgresql -n <number_of_units_to_add>
 ```
+
 The implementation of `add-unit` allows the operator to add more than one unit, but functions internally by adding one replica at a time. This is done to avoid multiple replicas syncing from the primary at the same time.
 
 #### Remove replicas
 
 To scale down the number of replicas the `juju remove-unit` functionality may be used i.e.
+
 ```shell
 juju remove-unit postgresql <name_of_unit_1> <name_of_unit_2>
 ```
+
 The implementation of `remove-unit` allows the operator to remove more than one unit. The functionality of `remove-unit` functions by removing one replica at a time to avoid downtime.
 
 ### Password rotation
 
 #### Charm users
 
 To rotate the password of users internal to the Charmed PostgreSQL operator, use the `set-password` action as follows:
+
 ```shell
 juju run postgresql/leader set-password username=<user> password=<password>
 ```
+
 >[!NOTE]
 >Currently, internal users are `operator`, `replication`, `backup` and `rewind`. These users should not be used outside the operator.
 
@@ -90,7 +100,7 @@ To rotate the passwords of users created for integrated applications, the integr
 
 Supported [integrations](https://juju.is/docs/olm/relations):
 
-#### New `postgresql_client` interface:
+#### New `postgresql_client` interface
 
 Current charm relies on [Data Platform libraries](https://charmhub.io/data-platform-libs). Your
 application should define an interface in `metadata.yaml`:
@@ -125,14 +135,15 @@ To remove a relation:
 juju remove-relation postgresql <application_name>
 ```
 
-#### Legacy `pgsql` interface:
+#### Legacy `pgsql` interface
+
 We have also added support for the two database legacy relations from the [original version](https://launchpad.net/postgresql-charm) of the charm via the `pgsql` interface. Please note that these relations will be deprecated.
  ```shell
 juju relate postgresql:db mailman3-core
 juju relate postgresql:db-admin landscape-server
 ```
 
-#### `tls-certificates` interface:
+#### `tls-certificates` interface
 
 The Charmed PostgreSQL Operator also supports TLS encryption on internal and external connections. Below is an example of enabling TLS with the [self-signed certificates charm](https://charmhub.io/self-signed-certificates).
 
@@ -146,19 +157,24 @@ juju integrate postgresql self-signed-certificates
 # Disable TLS by removing relation.
 juju remove-relation postgresql self-signed-certificates
 ```
+
 >[!WARNING]
 >The TLS settings shown here are for self-signed-certificates, which are not recommended for production clusters. See the guide [Security with X.509 certificates](https://charmhub.io/topics/security-with-x-509-certificates) for an overview of available certificates charms.
 
 ## Security
-Security issues in the Charmed PostgreSQL Operator can be reported through [LaunchPad](https://wiki.ubuntu.com/DebuggingSecurity#How%20to%20File). Please do not use GitHub to submit security issues.
+
+Security issues in the Charmed PostgreSQL Operator can be reported through [private security reports](https://github.com/canonical/postgresql-operator/security/advisories/new) on GitHub.
+For more information, see the [Security policy](SECURITY.md).
 
 ## Contributing
+
 * For best practices on how to write and contribute to charms, see the [Juju SDK docs](https://juju.is/docs/sdk/how-to)
 * For more specific developer guidance for contributions to Charmed PostgreSQL, see the file [CONTRIBUTING.md](CONTRIBUTING.md)
 * Report security issues for the Charmed PostgreSQL Operator through [LaunchPad](https://wiki.ubuntu.com/DebuggingSecurity#How%20to%20File).
 * Report technical issues, bug reports and feature requests through the [GitHub Issues tab](https://github.com/canonical/postgresql-operator/issues).
 
 ## Licensing and trademark
+
 The Charmed PostgreSQL Operator is distributed under the [Apache Software License, version 2.0](https://github.com/canonical/postgresql-operator/blob/main/LICENSE). It installs, operates and depends on [PostgreSQL](https://www.postgresql.org/ftp/source/), which is licensed under the [PostgreSQL License](https://www.postgresql.org/about/licence/), a liberal Open Source license similar to the BSD or MIT licenses.
 
 PostgreSQL is a trademark or registered trademark of PostgreSQL Global Development Group. Other trademarks are property of their respective owners.
@@ -0,0 +1,25 @@
+# Security policy
+
+## What qualifies as a security issue
+
+Credentials leakage, outdated dependencies with known vulnerabilities, and
+other issues that could lead to unprivileged or unauthorized access to the
+database or the system.
+
+## Reporting a vulnerability
+
+The easiest way to report a security issue is through
+[GitHub](https://github.com/canonical/postgresql-operator/security/advisories/new). See
+[Privately reporting a security
+vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
+for instructions.
+
+The repository admins will be notified of the issue and will work with you
+to determine whether the issue qualifies as a security issue and, if so, in
+which component. We will then handle figuring out a fix, getting a CVE
+assigned and coordinating the release of the fix.
+
+The [Ubuntu Security disclosure and embargo
+policy](https://ubuntu.com/security/disclosure-policy) contains more
+information about what you can expect when you contact us, and what we
+expect from you.
@@ -32,6 +32,12 @@ options:
       crashes and there are replicas.
     type: string
     default: "on"
+  durability_wal_keep_size:
+    description: |
+      Sets the minimum size of the WAL file to be kept for the replication.
+      Allowed values are: from 0 to 2147483647.
+    type: int
+    default: 4096
   experimental_max_connections:
     type: int
     description: |
 
@@ -1,14 +1,22 @@
 # Explanation
 
-This section contains pages with more detailed explanations that provide additional context about some of the key concepts behind the PostgreSQL charm:
+This section contains pages with more detailed explanations that provide additional context about key concepts behind the PostgreSQL charm.
 
+## Core concepts and design
 * [Architecture]
 * [Interfaces and endpoints]
+* [Juju]
+* [Legacy charm]
+
+## Operational concepts
 * [Connection pooling]
 * [Users]
 * [Logs]
-* [Juju]
-* [Legacy charm]
+
+## Security and hardening
+* [Security hardening guide][Security]
+  * [Cryptography]
+
 
 <!-- Links -->
 
@@ -18,4 +26,6 @@ This section contains pages with more detailed explanations that provide additio
 [Logs]: /t/12099
 [Juju]: /t/11985
 [Legacy charm]: /t/10690
-[Connection pooling]: /t/15777
+[Connection pooling]: /t/15777
+[Security]: /t/16852
+[Cryptography]: /t/16853
@@ -75,6 +75,10 @@ The snap "charmed-postgresql" also ships list of tools used by charm:
 
 The charm "[PostgreSQL Test App](https://charmhub.io/postgresql-test-app)" is a Canonical test application to validate the charm installation / functionality and perform the basic performance tests.
 
+### GLAuth
+
+GLAuth is a secure, easy-to-use and open-sourced LDAP server which provides capabilities to centrally manage accounts across infrastructures. The charm is only available for Kubernetes clouds, under the [GLAuth-K8s operator](https://charmhub.io/glauth-k8s) page, so a cross-controller relation is needed in order to integrate both charms.
+
 ### Grafana
 
 Grafana is an open-source visualization tools that allows to query, visualize, alert on, and visualize metrics from mixed datasources in configurable dashboards for observability. This charms is shipped with its own Grafana dashboard and supports integration with the [Grafana Operator](https://charmhub.io/grafana-k8s) to simplify observability. Please follow [COS Monitoring](/t/10600) setup.
 
@@ -1,9 +1,10 @@
 # Charm Users explanations
 
-There are two types of users in PostgreSQL:
+There are three types of users in PostgreSQL:
 * Internal users (used by charm operator)
-* Relation/integration users (used by related applications)
+* Relation users (used by related applications)
   * Extra user roles (if default permissions are not enough)
+* Identity users (used when LDAP is enabled)
 
 <a name="internal-users"></a>
 ## Internal users explanations:
@@ -72,7 +73,7 @@ unit-postgresql-1:
 **Note**: the action `set-password` must be executed on juju leader unit (to update peer relation data with new value).
 
 <a name="relation-users"></a>
-## Relation/integration users explanations:
+## Relation users explanations:
 
 The operator created a dedicated user for every application related/integrated with database. Those users are removed on the juju relation/integration removal request. However, DB data stays in place and can be reused on re-created relations (using new user credentials):
 
@@ -99,4 +100,10 @@ postgres=# \du
 
 When an application charm requests a new user through the relation/integration it can specify that the user should have the `admin` role in the `extra-user-roles` field. The `admin` role enables the new user to read and write to all databases (for the `postgres` system database it can only read data) and also to create and delete non-system databases.
 
-**Note**: `extra-user-roles` is supported by modern interface `postgresql_client` only and missing for legacy `pgsql` interface. Read more about the supported charm interfaces [here](/t/10251).
+**Note**: `extra-user-roles` is supported by modern interface `postgresql_client` only and missing for legacy `pgsql` interface. Read more about the supported charm interfaces [here](/t/10251).
+
+<a name="identity-users"></a>
+## Identity users explanations:
+The operator considers Identity users all those that are automatically created when the LDAP integration is enabled, or in other words, the [GLAuth](https://charmhub.io/glauth-k8s) charm is related/integrated.
+
+When synchronized from the LDAP server, these users do not have any permissions by default, so the LDAP group they belonged to must be mapped to a PostgreSQL pre-defined authorization role by using the `ldap_map` configuration option.
@@ -4,7 +4,7 @@ The following guides cover key processes and common tasks for managing and using
 
 ## Deployment and setup
 
-The following guides walk you through the details of how to install different cloud services and bootstrap them to Juju:
+Installation of different cloud services with Juju:
 * [Sunbeam]
 * [LXD]
 * [MAAS]
@@ -13,7 +13,7 @@ The following guides walk you through the details of how to install different cl
 * [Azure]
 * [Multi-availability zones (AZ)][Multi-AZ]
 
-The following guides cover some specific deployment scenarios and architectures:
+Specific deployment scenarios and architectures:
 * [Terraform]
 * [Air-gapped]
 * [TLS VIP access]
@@ -54,7 +54,7 @@ The following guides cover some specific deployment scenarios and architectures:
 
 ## Development
 
-This section is aimed at charm developers looking to support PostgreSQL integrations with their charm.
+This section is for charm developers looking to support PostgreSQL integrations with their charm.
 
 * [Integrate with your charm]
 * [Migrate data via pg_dump]
 
@@ -21,7 +21,7 @@ Then, either continue with the `juju` client **or** use the `terraform juju` cli
 
 To deploy with the `juju` client:
 ```shell
-juju deploy postgresql
+juju deploy postgresql -n <number_of_replicas>
 ```
 > See also: [`juju deploy` command](https://canonical-juju.readthedocs-hosted.com/en/latest/user/reference/juju-cli/list-of-juju-cli-commands/deploy/)