From 289cffc55a536ec8cfcbc09cf8bf600611614fe5 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 9 Apr 2024 05:17:44 -0500 Subject: [PATCH] Stand up crunchy-postgres-chonk server --- .../cluster/externalsecret.yaml | 38 +++++ .../cluster/kustomization.yaml | 7 + .../cluster/postgrescluster.yaml | 130 ++++++++++++++++++ .../clustersecretstore.yaml | 20 +++ .../clustersecretstore/kustomization.yaml | 7 + .../clustersecretstore/rbac.yaml | 31 +++++ .../crunchy-postgres-operator/ks.yaml | 64 +++++++++ .../userinit-controller/helmrelease.yaml | 17 +++ .../userinit-controller/helmrepository.yaml | 10 ++ .../userinit-controller/kustomization.yaml | 7 + 10 files changed, 331 insertions(+) create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/cluster/externalsecret.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/cluster/kustomization.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/cluster/postgrescluster.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/clustersecretstore.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/kustomization.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/rbac.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrelease.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrepository.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/kustomization.yaml diff --git a/kubernetes/apps/database/crunchy-postgres-operator/cluster/externalsecret.yaml b/kubernetes/apps/database/crunchy-postgres-operator/cluster/externalsecret.yaml new file mode 100644 index 0000000..8276a20 --- /dev/null +++ b/kubernetes/apps/database/crunchy-postgres-operator/cluster/externalsecret.yaml 
@@ -0,0 +1,38 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name crunchy-postgres
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: crunchy-postgres-secret
+ template:
+ engineVersion: v2
+ data:
+ s3.conf: |
+ [global]
+ repo1-s3-key={{ .minio_crunchy_postgres_access_key }}
+ repo1-s3-key-secret={{ .minio_crunchy_postgres_secret_key }}
+ encryption.conf: |
+ [global]
+ repo1-cipher-pass={{ .crunchy_postgres_backup_encryption_cipher }}
+ dataFrom:
+ - extract:
+ key: crunchy-postgres
+ rewrite:
+ - regexp:
+ source: "(.*)"
+ target: "crunchy_postgres_$1"
+ - extract:
+ key: minio
+ rewrite:
+ - regexp:
+ source: "[-]"
+ target: "_"
+ - regexp:
+ source: "(.*)"
+ target: "minio_$1"
\ No newline at end of file
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/cluster/kustomization.yaml b/kubernetes/apps/database/crunchy-postgres-operator/cluster/kustomization.yaml
new file mode 100644
index 0000000..94e4d00
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/cluster/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./postgrescluster.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/cluster/postgrescluster.yaml b/kubernetes/apps/database/crunchy-postgres-operator/cluster/postgrescluster.yaml
new file mode 100644
index 0000000..abe907f
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/cluster/postgrescluster.yaml
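Review bot: The two `dataFrom` extracts are rewritten inconsistently — the `minio` item gets a `[-]` → `_` pass before the `minio_$1` prefix, but the `crunchy-postgres` item only gets the `crunchy_postgres_$1` prefix — so the template key `.crunchy_postgres_backup_encryption_cipher` only resolves if the 1Password field is literally named `backup_encryption_cipher` (the item itself is not visible in this change). If the field is dash-separated the lookup fails quietly: depending on the ESO version a missing template key renders as the literal string `<no value>` rather than erroring, and that string would become the pgBackRest cipher passphrase. Adding the same `- regexp:` / `    source: "[-]"` / `    target: "_"` step to the first extract, ahead of its prefix rewrite, makes both items behave the same way; it is also worth inspecting the rendered `crunchy-postgres-secret` once after the first sync.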
@@ -0,0 +1,130 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+ name: &name postgres
+spec:
+ postgresVersion: 16
+
+ metadata:
+ labels:
+ crunchy-userinit.ramblurr.github.com/enabled: "true"
+ crunchy-userinit.ramblurr.github.com/superuser: "postgres"
+
+ service:
+ type: LoadBalancer
+ metadata:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: postgres.jahanson.tech
+ io.cilium/lb-ipam-ips: 10.45.0.4
+
+ patroni: # turn on sync writes to at least 1 other replica
+ dynamicConfiguration:
+ synchronous_mode: true
+ postgresql:
+ synchronous_commit: "on"
+ pg_hba:
+ - hostnossl all all 10.244.0.0/16 md5 # Needed because dbman does not support SSL yet
+ - hostssl all all all md5
+
+ instances:
+ - name: postgres
+ metadata:
+ labels:
+ app.kubernetes.io/name: crunchy-postgres
+ replicas: &replica 3
+ dataVolumeClaimSpec:
+ storageClassName: openebs-hostpath
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 20Gi
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ postgres-operator.crunchydata.com/cluster: *name
+ postgres-operator.crunchydata.com/data: postgres
+
+ users:
+ # Superuser
+ - name: postgres
+ databases:
+ - postgres
+ options: "SUPERUSER"
+ password:
+ type: AlphaNumeric
+ # Applications
+ - name: atuin
+ databases:
+ - atuin
+ password:
+ type: AlphaNumeric
+
+
+ backups:
+ pgbackrest:
+ configuration: &backupConfig
+ - secret:
+ name: crunchy-postgres-secret
+ global: &backupFlag
+ archive-timeout: "60"
+ compress-type: "bz2"
+ compress-level: "9"
+ delta: "y"
+ repo1-retention-full-type: "time"
+ repo1-retention-full: "14"
+ repo1-retention-diff: "30"
+ repo1-path: "/crunchy-pgo"
+ repo1-s3-uri-style: path
+ archive-push-queue-max: 4GiB
+ manual:
+ repoName: repo1
+ options:
+ - --type=full
+ metadata:
+ labels:
+ app.kubernetes.io/name: crunchy-postgres-backup
+ repos:
+ - name: repo1 # Minio
+ s3: &minio
+ bucket: "crunchy-main"
+ endpoint: "s3.hsn.dev"
+ region: "us-east-1"
+ schedules:
+ full: "0 1 * * 0" # Sunday at 01:00
+ differential: "0 1 * * 1-6" # Mon-Sat at 01:00
+ incremental: "0 2-23 * * *" # Every hour except 01:00
+
+ dataSource:
+ pgbackrest:
+ stanza: "db"
+ configuration: *backupConfig
+ global: *backupFlag
+ repo:
+ name: "repo1"
+ s3: *minio
+
+ proxy:
+ pgBouncer:
+ port: 5432
+ replicas: *replica
+ metadata:
+ labels:
+ app.kubernetes.io/name: crunchy-postgres-pgbouncer
+ config:
+ global:
+ pool_mode: "transaction" # pgBouncer is set to transaction for Authentik. Grafana requires session https://github.com/grafana/grafana/issues/74260#issuecomment-1702795311. Everything else is happy with transaction
+ client_tls_sslmode: prefer
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ postgres-operator.crunchydata.com/cluster: *name
+ postgres-operator.crunchydata.com/role: "pgbouncer"
\ No newline at end of file
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/clustersecretstore.yaml b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/clustersecretstore.yaml
new file mode 100644
index 0000000..2d64631
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/clustersecretstore.yaml
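Review bot: The `encryption.conf` carried by `crunchy-postgres-secret` (see externalsecret.yaml in this change) supplies `repo1-cipher-pass`, but the `&backupFlag` map under `backups.pgbackrest.global` never sets `repo1-cipher-type`, and pgBackRest's default for that option is `none` — so the passphrase is ignored and the repo1 backups and WAL archive land in the `crunchy-main` MinIO bucket unencrypted. Add `repo1-cipher-type: "aes-256-cbc"` next to `repo1-path` in that map (the `dataSource` block inherits it through the `*backupFlag` alias), and do it before the stanza is first created, since pgBackRest does not convert an already-initialised repo and a bucket that has been written to would need a fresh `repo1-path`. Separately, `hostnossl all all 10.244.0.0/16 md5` (presumably the pod CIDR) together with `client_tls_sslmode: prefer` on pgBouncer lets any in-cluster client talk to this database in cleartext while the `LoadBalancer` service also exposes it off-cluster on `10.45.0.4`; writing the `hostssl all all all` rule's method as `scram-sha-256` would at least rule out an MD5 exchange for any role that still carries an MD5 verifier. The `hostnossl` line already says why it exists — I'd extend that comment with `# TODO remove once dbman supports TLS` so it does not outlive its reason.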
@@ -0,0 +1,20 @@
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/clustersecretstore_v1beta1.json
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: crunchy-pgo-secrets
+spec:
+ provider:
+ kubernetes:
+ remoteNamespace: database
+ server:
+ caProvider:
+ type: "ConfigMap"
+ name: "kube-root-ca.crt"
+ namespace: database
+ key: "ca.crt"
+ auth:
+ serviceAccount:
+ name: external-secrets-pg
+ namespace: database
\ No newline at end of file
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/kustomization.yaml b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/kustomization.yaml
new file mode 100644
index 0000000..ff9dee7
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./rbac.yaml
+ - ./clustersecretstore.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/rbac.yaml b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/rbac.yaml
new file mode 100644
index 0000000..4f0177e
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/rbac.yaml
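Review bot: This `ClusterSecretStore` has no `spec.conditions`, so an `ExternalSecret` in any namespace can point at `crunchy-pgo-secrets` and copy Secrets out of `database` — including the `postgres-pguser-*` credentials PGO generates for the `postgres` superuser declared in the cluster spec of this same change. Restrict who may use the store, e.g. `conditions:` / `  - namespaceSelector:` / `      matchLabels: { crunchy-pgo-consumer: "true" }` (or an explicit `namespaces:` list of the application namespaces this is meant to serve, which are not visible here), so that a foothold in an unrelated namespace cannot be turned into database credentials. I'd also add a one-line comment above `remoteNamespace:` stating that the store intentionally exposes only PGO-managed user secrets, since the selector in a follow-up `ExternalSecret` is the only thing narrowing it further.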
@@ -0,0 +1,31 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: external-secrets-pg
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["selfsubjectrulesreviews"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: &name external-secrets-pg
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: *name
+subjects:
+ - kind: ServiceAccount
+ name: *name
+ namespace: database
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-secrets-pg
+ namespace: database
\ No newline at end of file
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/ks.yaml b/kubernetes/apps/database/crunchy-postgres-operator/ks.yaml
index c5030ec..7ba4332 100644
--- a/kubernetes/apps/database/crunchy-postgres-operator/ks.yaml
+++ b/kubernetes/apps/database/crunchy-postgres-operator/ks.yaml
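Review bot: The `external-secrets-pg` ServiceAccount gets `get/list/watch` on `secrets` through a `ClusterRole` bound with a `ClusterRoleBinding`, which lets it read every Secret in the cluster, while the store it backs only reads `remoteNamespace: database`. A namespaced `Role`/`RoleBinding` in `database` is sufficient for that; the `selfsubjectrulesreviews` create verb can stay in the rule, but as far as I know it is already granted to every authenticated principal by the built-in `system:basic-user` ClusterRole, so nothing here needs a cluster-scoped binding. Whatever this SA can read is also exactly what a compromised ESO controller, or anyone able to run a Pod as this SA, inherits, so keeping the grant namespace-bound bounds that blast radius.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: external-secrets-pg
  namespace: database
# … unchanged: rules …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: &name external-secrets-pg
  namespace: database
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: *name
# … unchanged: subjects, ServiceAccount …
```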
@@ -17,3 +17,67 @@ spec:
 kind: GitRepository
 name: homelab
 wait: true
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &appname crunchy-postgres-operator-cluster
+ namespace: flux-system
+spec:
+ targetNamespace: database
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *appname
+ interval: 10m
+ path: ./kubernetes/apps/database/crunchy-postgres-operator/cluster
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: homelab
+ wait: true
+ dependsOn:
+ - name: crunchy-postgres-operator
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &appname crunchy-postgres-operator-secretstore
+ namespace: flux-system
+spec:
+ targetNamespace: database
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *appname
+ interval: 10m
+ path: ./kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: homelab
+ wait: true
+ dependsOn:
+ - name: crunchy-postgres-operator-cluster
+ - name: external-secrets
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &appname crunchy-postgres-userinit-controller
+ namespace: flux-system
+spec:
+ targetNamespace: database
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *appname
+ interval: 10m
+ path: ./kubernetes/apps/database/crunchy-postgres-operator/userinit-controller
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: homelab
+ wait: true
+ dependsOn:
+ - name: crunchy-postgres-operator-cluster
\ No newline at end of file
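Review bot: The `crunchy-postgres-operator-cluster` Kustomization depends only on `crunchy-postgres-operator`, yet the path it applies contains an `ExternalSecret` producing the `crunchy-postgres-secret` that the `PostgresCluster`'s pgBackRest configuration references — on a cold bootstrap the ESO CRD may not exist yet, the apply fails, and once it does apply the cluster can sit waiting on a secret whose producer was never ordered ahead of it. The `-secretstore` entry further down already names `external-secrets` as the Flux Kustomization that provides ESO, so add `    - name: external-secrets` to the first `dependsOn` list as well, assuming that is the right name (it is not defined in this hunk). The pre-existing `crunchy-postgres-operator` Kustomization whose tail forms the context lines at the top starts outside this hunk.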
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrelease.yaml b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrelease.yaml
new file mode 100644
index 0000000..6b078e2
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrelease.yaml
@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: userinit-controller
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: crunchy-userinit-controller
+ version: 0.0.4
+ sourceRef:
+ kind: HelmRepository
+ name: crunchy-userinit
+ values:
+ fullnameOverride: crunchy-userinit-controller
\ No newline at end of file
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrepository.yaml b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrepository.yaml
new file mode 100644
index 0000000..4bb1f92
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrepository.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: crunchy-userinit
+spec:
+ interval: 30m
+ url: https://ramblurr.github.io/crunchy-userinit-controller
+ timeout: 3m
\ No newline at end of file
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/kustomization.yaml b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/kustomization.yaml
new file mode 100644
index 0000000..3057118
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/kustomization.yaml
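Review bot: `crunchy-userinit-controller` is pulled at the pre-release pin `0.0.4` from a personal GitHub Pages Helm repo, and the labels on the `PostgresCluster` in this same change hand it the superuser (`crunchy-userinit.ramblurr.github.com/superuser: "postgres"`), so whatever that chart deploys runs with full control of the database and, presumably, read access to the PGO-generated credential Secrets. A plain HTTP `HelmRepository` gives Flux no way to check chart provenance — signature verification is only available for OCI sources — so the version pin is the only integrity control here, and nothing records that the chart was reviewed. I'd add `# Third-party controller granted the postgres superuser — review the chart's RBAC and image before bumping this pin` above `chart:`, and consider mirroring the chart into a registry you control as an OCI `HelmRepository` with `verify.provider: cosign` once the upstream publishes signed releases.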
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrepository.yaml
+ - ./helmrelease.yaml
\ No newline at end of file