Stand up crunchy-postgres-chonk server

This commit is contained in:
Joseph Hanson 2024-04-09 05:17:44 -05:00
parent d8c6750ff7
commit 289cffc55a
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
10 changed files with 331 additions and 0 deletions


@ -0,0 +1,38 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: &name crunchy-postgres
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: crunchy-postgres-secret
template:
engineVersion: v2
data:
s3.conf: |
[global]
repo1-s3-key={{ .minio_crunchy_postgres_access_key }}
repo1-s3-key-secret={{ .minio_crunchy_postgres_secret_key }}
encryption.conf: |
[global]
repo1-cipher-pass={{ .crunchy_postgres_backup_encryption_cipher }}
dataFrom:
- extract:
key: crunchy-postgres
rewrite:
- regexp:
source: "(.*)"
target: "crunchy_postgres_$1"
- extract:
key: minio
rewrite:
- regexp:
source: "[-]"
target: "_"
- regexp:
source: "(.*)"
target: "minio_$1"
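Review bot: The template keys used in `s3.conf` and `encryption.conf` are only reachable through the two `rewrite` chains, so the 1Password field names this ExternalSecret actually expects are stated nowhere: `.minio_crunchy_postgres_access_key` presumably implies a field `crunchy-postgres-access-key` on the `minio` item (hyphens rewritten to `_`, then prefixed), and `.crunchy_postgres_backup_encryption_cipher` implies a field `backup_encryption_cipher` on the `crunchy-postgres` item. I'd add a comment above `dataFrom:` spelling that mapping out, e.g. `# minio item fields crunchy-postgres-access-key / -secret-key -> .minio_crunchy_postgres_access_key / _secret_key`, and the same for the cipher field. This matters because a missing or misnamed field does not fail the sync — it renders an empty or placeholder value into `repo1-s3-key=` / `repo1-cipher-pass=` — so the rendered `crunchy-postgres-secret` is worth inspecting once rather than trusting the regexes. The `&name crunchy-postgres` anchor on `metadata.name` is never aliased and can be dropped.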


@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./postgrescluster.yaml


@ -0,0 +1,130 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
name: &name postgres
spec:
postgresVersion: 16
metadata:
labels:
crunchy-userinit.ramblurr.github.com/enabled: "true"
crunchy-userinit.ramblurr.github.com/superuser: "postgres"
service:
type: LoadBalancer
metadata:
annotations:
external-dns.alpha.kubernetes.io/hostname: postgres.jahanson.tech
io.cilium/lb-ipam-ips: 10.45.0.4
patroni: # turn on sync writes to at least 1 other replica
dynamicConfiguration:
synchronous_mode: true
postgresql:
synchronous_commit: "on"
pg_hba:
- hostnossl all all 10.244.0.0/16 md5 # Needed because dbman does not support SSL yet
- hostssl all all all md5
instances:
- name: postgres
metadata:
labels:
app.kubernetes.io/name: crunchy-postgres
replicas: &replica 3
dataVolumeClaimSpec:
storageClassName: openebs-hostpath
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
topologySpreadConstraints:
- maxSkew: 1
topologyKey: "kubernetes.io/hostname"
whenUnsatisfiable: "DoNotSchedule"
labelSelector:
matchLabels:
postgres-operator.crunchydata.com/cluster: *name
postgres-operator.crunchydata.com/data: postgres
users:
# Superuser
- name: postgres
databases:
- postgres
options: "SUPERUSER"
password:
type: AlphaNumeric
# Applications
- name: atuin
databases:
- atuin
password:
type: AlphaNumeric
backups:
pgbackrest:
configuration: &backupConfig
- secret:
name: crunchy-postgres-secret
global: &backupFlag
archive-timeout: "60"
compress-type: "bz2"
compress-level: "9"
delta: "y"
repo1-retention-full-type: "time"
repo1-retention-full: "14"
repo1-retention-diff: "30"
repo1-path: "/crunchy-pgo"
repo1-s3-uri-style: path
archive-push-queue-max: 4GiB
manual:
repoName: repo1
options:
- --type=full
metadata:
labels:
app.kubernetes.io/name: crunchy-postgres-backup
repos:
- name: repo1 # Minio
s3: &minio
bucket: "crunchy-main"
endpoint: "s3.hsn.dev"
region: "us-east-1"
schedules:
full: "0 1 * * 0" # Sunday at 01:00
differential: "0 1 * * 1-6" # Mon-Sat at 01:00
incremental: "0 2-23 * * *" # Every hour except 01:00
dataSource:
pgbackrest:
stanza: "db"
configuration: *backupConfig
global: *backupFlag
repo:
name: "repo1"
s3: *minio
proxy:
pgBouncer:
port: 5432
replicas: *replica
metadata:
labels:
app.kubernetes.io/name: crunchy-postgres-pgbouncer
config:
global:
pool_mode: "transaction" # pgBouncer is set to transaction for Authentik. Grafana requires session https://github.com/grafana/grafana/issues/74260#issuecomment-1702795311. Everything else is happy with transaction
client_tls_sslmode: prefer
topologySpreadConstraints:
- maxSkew: 1
topologyKey: "kubernetes.io/hostname"
whenUnsatisfiable: "DoNotSchedule"
labelSelector:
matchLabels:
postgres-operator.crunchydata.com/cluster: *name
postgres-operator.crunchydata.com/role: "pgbouncer"
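Review bot: The `global:` map under `backups.pgbackrest` never sets `repo1-cipher-type`, so the `repo1-cipher-pass` that `crunchy-postgres-secret` supplies through `encryption.conf` does nothing — pgBackRest's cipher type defaults to `none`, and as far as I recall a config-file option whose dependency is unmet is silently ignored rather than rejected, which leaves the MinIO repo unencrypted while the manifest reads as though backups were encrypted. Add `repo1-cipher-type: "aes-256-cbc"` inside the `&backupFlag` map; the `global: *backupFlag` alias on `dataSource` then carries the same setting into the bootstrap restore, and it has to be in place before the stanza is first created, since switching the cipher later means starting a fresh repo path. Separately, both `pg_hba` rules use `md5`; PGO stores SCRAM verifiers by default so this still negotiates SCRAM in practice, but `scram-sha-256` makes that explicit and refuses any role that somehow ends up md5-hashed. The `hostnossl` rule for `10.244.0.0/16` (presumably the pod CIDR) together with `client_tls_sslmode: prefer` on pgBouncer keeps a cleartext path open cluster-wide, not just for dbman; I'd tag both with a `# TODO: remove once dbman supports TLS` so the exception is tracked rather than permanent.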


@ -0,0 +1,20 @@
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/clustersecretstore_v1beta1.json
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: crunchy-pgo-secrets
spec:
provider:
kubernetes:
remoteNamespace: database
server:
caProvider:
type: "ConfigMap"
name: "kube-root-ca.crt"
namespace: database
key: "ca.crt"
auth:
serviceAccount:
name: external-secrets-pg
namespace: database
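Review bot: Nothing restricts which namespaces may consume this store: it is a ClusterSecretStore whose backend is the `database` namespace (`remoteNamespace: database`), so an ExternalSecret in any namespace can copy out any Secret that lives in `database`, including whatever credential Secrets the PostgresCluster generates for its superuser and application roles. ESO's ClusterSecretStore supports `spec.conditions` for exactly this; I'd add `conditions:` / `- namespaces:` / `- <consumer-namespace>` listing only the namespaces that need it. Which namespaces those are is not visible in this commit — the ExternalSecret added here reads from `onepassword-connect`, not from this store — so the list would have to come from the consumers that are added later.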


@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./rbac.yaml
- ./clustersecretstore.yaml


@ -0,0 +1,31 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-pg
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authorization.k8s.io"]
resources: ["selfsubjectrulesreviews"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: &name external-secrets-pg
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: *name
subjects:
- kind: ServiceAccount
name: *name
namespace: database
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-pg
namespace: database
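Review bot: This grants the `external-secrets-pg` ServiceAccount `get/list/watch` on Secrets in every namespace, because the rule lives in a ClusterRole bound with a ClusterRoleBinding, while the ClusterSecretStore that uses this account only reads the `database` namespace (`remoteNamespace: database`). A namespaced Role plus RoleBinding in `database` is sufficient for the store and removes a cluster-wide secret-reader identity from the cluster; `selfsubjectrulesreviews` creation is already available to every authenticated principal through `system:basic-user`, so keeping that rule in the Role is harmless but not what makes it work. Suggested replacement for the first two documents below (the ServiceAccount document is unchanged).
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: external-secrets-pg
  namespace: database
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["selfsubjectrulesreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: &name external-secrets-pg
  namespace: database
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: *name
subjects:
  - kind: ServiceAccount
    name: *name
    namespace: database
# … unchanged: ServiceAccount document …
```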


@ -17,3 +17,67 @@ spec:
kind: GitRepository
name: homelab
wait: true
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &appname crunchy-postgres-operator-cluster
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *appname
interval: 10m
path: ./kubernetes/apps/database/crunchy-postgres-operator/cluster
prune: true
sourceRef:
kind: GitRepository
name: homelab
wait: true
dependsOn:
- name: crunchy-postgres-operator
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &appname crunchy-postgres-operator-secretstore
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *appname
interval: 10m
path: ./kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore
prune: true
sourceRef:
kind: GitRepository
name: homelab
wait: true
dependsOn:
- name: crunchy-postgres-operator-cluster
- name: external-secrets
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &appname crunchy-postgres-userinit-controller
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *appname
interval: 10m
path: ./kubernetes/apps/database/crunchy-postgres-operator/userinit-controller
prune: true
sourceRef:
kind: GitRepository
name: homelab
wait: true
dependsOn:
- name: crunchy-postgres-operator-cluster
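Review bot: `crunchy-postgres-operator-cluster` lists only `crunchy-postgres-operator` under `dependsOn`, yet the directory it applies (`.../cluster`) contains the ExternalSecret that produces `crunchy-postgres-secret`, which needs the external-secrets CRDs and the `onepassword-connect` ClusterSecretStore to exist first; the `-secretstore` Kustomization right below already depends on `external-secrets`, so the cluster one should too — add `- name: external-secrets` to its `dependsOn`. Without it, a fresh bootstrap can fail applying the ExternalSecret on a missing CRD, or bring up the PostgresCluster before the Secret it mounts for pgBackRest exists, unless `crunchy-postgres-operator` itself already depends on external-secrets transitively, which this hunk does not show. The first Kustomization in this file begins outside the hunk; only its tail (`kind: GitRepository` … `wait: true`) is visible here.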


@ -0,0 +1,17 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: userinit-controller
spec:
interval: 30m
chart:
spec:
chart: crunchy-userinit-controller
version: 0.0.4
sourceRef:
kind: HelmRepository
name: crunchy-userinit
values:
fullnameOverride: crunchy-userinit-controller
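Review bot: This installs a third-party controller from a personal GitHub Pages chart repo at a 0.0.x version, and the PostgresCluster in this same commit labels itself with `crunchy-userinit.ramblurr.github.com/superuser: "postgres"`, which presumably tells this controller to act as the superuser — so a chart bump here is effectively handing new code superuser access to the database. Pinning `version: 0.0.4` is the right call; I'd record the reason with a comment above it, e.g. `# pinned: this controller runs as the postgres superuser (see cluster labels); review the chart diff before bumping`. If the publisher signs releases, Flux's `spec.chart.spec.verify` (cosign) could enforce that at pull time, but I can't tell from here whether the chart is signed.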


@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: crunchy-userinit
spec:
interval: 30m
url: https://ramblurr.github.io/crunchy-userinit-controller
timeout: 3m


@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrepository.yaml
- ./helmrelease.yaml